@adobe-commerce/aio-toolkit 1.2.5 → 1.2.7

package/dist/index.js

@@ -38,6 +38,7 @@ __export(index_exports, {
   AdminUiSdk: () => AdminUiSdk,
   AdobeAuth: () => adobe_auth_default,
   AdobeCommerceClient: () => adobe_commerce_client_default,
+  AmazonSQSClient: () => amazon_sqs_client_default,
   BasicAuthConnection: () => basic_auth_connection_default,
   BearerToken: () => bearer_token_default,
   CreateEvents: () => create_events_default,
@@ -55,6 +56,7 @@ __export(index_exports, {
   InfiniteLoopBreaker: () => infinite_loop_breaker_default,
   IoEventsGlobals: () => IoEventsGlobals,
   JsonMessageProcessor: () => JsonMessageProcessor,
+  LogSanitizer: () => LogSanitizer,
   Oauth1aConnection: () => oauth1a_connection_default,
   OnboardCommerce: () => onboard_commerce_default,
   OnboardEvents: () => onboard_events_default,
@@ -213,7 +215,7 @@ var validator_default = Validator;
 
 // src/framework/telemetry/index.ts
 var import_aio_sdk = require("@adobe/aio-sdk");
-var import_aio_lib_telemetry3 = require("@adobe/aio-lib-telemetry");
+var import_aio_lib_telemetry4 = require("@adobe/aio-lib-telemetry");
 
 // src/framework/telemetry/new-relic/index.ts
 var import_aio_lib_telemetry2 = require("@adobe/aio-lib-telemetry");
@@ -767,6 +769,334 @@ __name(_NewRelicTelemetry, "NewRelicTelemetry");
 var NewRelicTelemetry = _NewRelicTelemetry;
 var new_relic_default = NewRelicTelemetry;
 
+// src/framework/telemetry/grafana/index.ts
+var import_aio_lib_telemetry3 = require("@adobe/aio-lib-telemetry");
+
+// src/framework/telemetry/grafana/validator/index.ts
+var _GrafanaTelemetryValidator = class _GrafanaTelemetryValidator {
+  /**
+   * Checks if Grafana telemetry is configured
+   *
+   * Returns true when:
+   * - ENABLE_TELEMETRY is explicitly set to true
+   * - GRAFANA_TELEMETRY is explicitly set to true
+   *
+   * This method does NOT validate configuration completeness —
+   * it only checks whether the provider should be active.
+   *
+   * @param params - Runtime parameters to check
+   * @returns true if Grafana telemetry is enabled, false otherwise
+   *
+   * @example
+   * ```typescript
+   * const validator = new GrafanaTelemetryValidator();
+   * const params = { ENABLE_TELEMETRY: true, GRAFANA_TELEMETRY: true };
+   * if (validator.isConfigured(params)) {
+   *   // Grafana telemetry is enabled, proceed with initialization
+   * }
+   * ```
+   */
+  isConfigured(params) {
+    return params.ENABLE_TELEMETRY === true && params.GRAFANA_TELEMETRY === true;
+  }
+  /**
+   * Validates Grafana-specific parameters
+   *
+   * IMPORTANT: Only call this method after isConfigured() returns true.
+   *
+   * Validation rules by mode:
+   * - GRAFANA_DEV=true   → all parameters optional; localhost defaults are used
+   * - GRAFANA_CLOUD=true → GRAFANA_ENDPOINT, GRAFANA_SERVICE_NAME, GRAFANA_INSTANCE_ID,
+   *                        and GRAFANA_API_KEY are all required
+   * - Default (tunnel)   → GRAFANA_ENDPOINT and GRAFANA_SERVICE_NAME are required;
+   *                        no credentials needed
+   *
+   * @param params - Runtime parameters to validate
+   * @throws {TelemetryInputError} If required parameters are missing for the selected mode
+   *
+   * @example Dev mode — all optional
+   * ```typescript
+   * validator.validateConfiguration({ GRAFANA_DEV: true }); // passes
+   * ```
+   *
+   * @example Grafana Cloud — credentials required
+   * ```typescript
+   * validator.validateConfiguration({
+   *   GRAFANA_CLOUD: true,
+   *   GRAFANA_ENDPOINT: 'https://otlp-gateway-prod-us-east-0.grafana.net/otlp',
+   *   GRAFANA_SERVICE_NAME: 'my-app',
+   *   GRAFANA_INSTANCE_ID: '123456',
+   *   GRAFANA_API_KEY: 'glc_xxx',
+   * }); // passes
+   * ```
+   *
+   * @example Tunnel (deployed) mode — endpoint + service name required
+   * ```typescript
+   * validator.validateConfiguration({
+   *   GRAFANA_ENDPOINT: 'https://abc123.trycloudflare.com',
+   *   GRAFANA_SERVICE_NAME: 'my-app',
+   * }); // passes
+   * ```
+   */
+  validateConfiguration(params) {
+    if (params.GRAFANA_DEV === true) {
+      return;
+    }
+    if (!params.GRAFANA_ENDPOINT) {
+      throw new TelemetryInputError(
+        "GRAFANA_ENDPOINT is required when GRAFANA_DEV is not true. Provide a reachable OTLP/HTTP collector URL."
+      );
+    }
+    if (!params.GRAFANA_SERVICE_NAME) {
+      throw new TelemetryInputError(
+        "GRAFANA_SERVICE_NAME is required when GRAFANA_DEV is not true."
+      );
+    }
+    if (params.GRAFANA_CLOUD === true) {
+      if (!params.GRAFANA_INSTANCE_ID) {
+        throw new TelemetryInputError(
+          "GRAFANA_INSTANCE_ID is required when GRAFANA_CLOUD is true."
+        );
+      }
+      if (!params.GRAFANA_API_KEY) {
+        throw new TelemetryInputError("GRAFANA_API_KEY is required when GRAFANA_CLOUD is true.");
+      }
+    }
+  }
+};
+__name(_GrafanaTelemetryValidator, "GrafanaTelemetryValidator");
+var GrafanaTelemetryValidator = _GrafanaTelemetryValidator;
+
+// src/framework/telemetry/grafana/index.ts
+var import_otel2 = require("@adobe/aio-lib-telemetry/otel");
+var DEFAULT_DEV_URL = "http://localhost:4318";
+var DEFAULT_SERVICE_NAME = "app-builder-app";
+var _GrafanaTelemetry = class _GrafanaTelemetry {
+  constructor() {
+    this.validator = new GrafanaTelemetryValidator();
+    this.successChecker = new SuccessChecker();
+  }
+  /**
+   * Checks if Grafana telemetry can be initialized
+   *
+   * Returns true when ENABLE_TELEMETRY=true and GRAFANA_TELEMETRY=true.
+   *
+   * @param params - Runtime parameters to check
+   * @returns true if Grafana telemetry is enabled and can be initialized
+   *
+   * @example
+   * ```typescript
+   * const telemetry = new GrafanaTelemetry();
+   * if (telemetry.canInitialize(params)) {
+   *   // Grafana is configured, use it
+   * } else {
+   *   // Skip to next provider
+   * }
+   * ```
+   */
+  canInitialize(params) {
+    return this.validator.isConfigured(params);
+  }
+  /**
+   * Get the OpenTelemetry instrumentation configuration for Grafana
+   *
+   * Builds and returns the complete instrumentation configuration:
+   * - Service name (from GRAFANA_SERVICE_NAME or default)
+   * - Preset simple instrumentations
+   * - Adobe I/O Runtime resource attributes
+   * - OTLP/HTTP exporters (localhost in dev, GRAFANA_ENDPOINT in deployed)
+   * - Success/failure detection for actions
+   *
+   * @returns Complete entrypoint instrumentation configuration
+   * @throws {TelemetryInputError} If GRAFANA_ENDPOINT or GRAFANA_SERVICE_NAME is missing in non-dev mode
+   */
+  getConfig() {
+    return {
+      ...(0, import_aio_lib_telemetry3.defineTelemetryConfig)((params) => {
+        this.validator.validateConfiguration(params);
+        const serviceName = params.GRAFANA_DEV === true ? params.GRAFANA_SERVICE_NAME || DEFAULT_SERVICE_NAME : params.GRAFANA_SERVICE_NAME;
+        return {
+          sdkConfig: {
+            serviceName,
+            instrumentations: (0, import_aio_lib_telemetry3.getPresetInstrumentations)("simple"),
+            resource: (0, import_aio_lib_telemetry3.getAioRuntimeResource)(),
+            ...this.buildExportersConfig(params)
+          }
+        };
+      }),
+      isSuccessful: this.successChecker.execute.bind(this.successChecker)
+    };
+  }
+  /**
+   * Build OTLP/HTTP exporters for traces, metrics, and logs
+   *
+   * Selects the collector base URL and optional auth header based on mode:
+   * - GRAFANA_DEV=true   → http://localhost:4318, no auth
+   * - GRAFANA_CLOUD=true → GRAFANA_ENDPOINT with Basic auth (instance ID + API key)
+   * - Default (tunnel)   → GRAFANA_ENDPOINT, no auth
+   *
+   * All three signal types share the same factory that appends the signal-specific
+   * path (/v1/traces, /v1/metrics, /v1/logs) to the base URL.
+   *
+   * @param params - Runtime parameters
+   * @returns Configuration object with traceExporter, metricReaders, logRecordProcessors
+   * @private
+   */
+  buildExportersConfig(params) {
+    const exportUrl = (params.GRAFANA_DEV === true ? DEFAULT_DEV_URL : params.GRAFANA_ENDPOINT).replace(/\/$/, "");
+    const authHeader = params.GRAFANA_CLOUD === true ? {
+      Authorization: `Basic ${Buffer.from(
+        `${params.GRAFANA_INSTANCE_ID}:${params.GRAFANA_API_KEY}`
+      ).toString("base64")}`
+    } : void 0;
+    const makeExporterConfig = /* @__PURE__ */ __name((path) => authHeader ? { url: `${exportUrl}/${path}`, headers: authHeader } : { url: `${exportUrl}/${path}` }, "makeExporterConfig");
+    return {
+      traceExporter: new import_otel2.OTLPTraceExporterProto(makeExporterConfig("v1/traces")),
+      metricReaders: [
+        new import_otel2.PeriodicExportingMetricReader({
+          exporter: new import_otel2.OTLPMetricExporterProto(makeExporterConfig("v1/metrics"))
+        })
+      ],
+      logRecordProcessors: [
+        new import_otel2.SimpleLogRecordProcessor(new import_otel2.OTLPLogExporterProto(makeExporterConfig("v1/logs")))
+      ]
+    };
+  }
+  /**
+   * Initialize telemetry instrumentation for a runtime action
+   *
+   * Wraps the provided action with OpenTelemetry instrumentation using
+   * the Grafana LGTM stack as the backend.
+   *
+   * @param action - The runtime action function to instrument
+   * @returns The instrumented action function with Grafana telemetry enabled
+   * @throws {TelemetryInputError} If required configuration is missing
+   *
+   * @example
+   * ```typescript
+   * async function myAction(params: Record<string, unknown>) {
+   *   return { statusCode: 200, body: { success: true } };
+   * }
+   *
+   * const telemetry = new GrafanaTelemetry();
+   * export const main = telemetry.initialize(myAction);
+   * ```
+   */
+  initialize(action) {
+    return (0, import_aio_lib_telemetry3.instrumentEntrypoint)(action, this.getConfig());
+  }
+};
+__name(_GrafanaTelemetry, "GrafanaTelemetry");
+var GrafanaTelemetry = _GrafanaTelemetry;
+var grafana_default = GrafanaTelemetry;
+
+// src/framework/telemetry/helpers/log-sanitizer/types.ts
+var EXACT_SENSITIVE_KEYS = /* @__PURE__ */ new Set([
+  "authorization",
+  "x-api-key",
+  "cookie",
+  "set-cookie"
+]);
+var SENSITIVE_KEY_SUFFIXES = [
+  "_api_key",
+  "_secret",
+  "_token",
+  "_password",
+  "_key",
+  "-token",
+  "-secret",
+  "-key"
+];
+
+// src/framework/telemetry/helpers/log-sanitizer/index.ts
+var _LogSanitizer = class _LogSanitizer {
+  constructor(additionalSensitiveKeys = /* @__PURE__ */ new Set(), maxDepth = 10) {
+    this.additionalSensitiveKeys = additionalSensitiveKeys;
+    this.maxDepth = maxDepth;
+  }
+  /**
+   * Parses the `SENSITIVE_KEYS` runtime param into a `ReadonlySet<string>`.
+   *
+   * Accepts three forms:
+   * - **Array** — each string element becomes a key (`["my_key", "x-secret"]`)
+   * - **Comma-separated string** — split on `,`, each trimmed segment becomes a key (`"my_key, x-secret"`)
+   * - **Single string** — treated as one key (`"my_key"`)
+   *
+   * Non-string array elements and non-string / non-array values are silently ignored.
+   * All keys are lowercased for case-insensitive matching.
+   *
+   * @param raw - The raw `params.SENSITIVE_KEYS` value
+   * @returns A set of lowercased key strings safe to pass to the constructor
+   */
+  static parseSensitiveKeys(raw) {
+    if (Array.isArray(raw)) {
+      return new Set(
+        raw.filter((v) => typeof v === "string").map((v) => v.trim().toLowerCase()).filter(Boolean)
+      );
+    }
+    if (typeof raw === "string") {
+      return new Set(
+        raw.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
+      );
+    }
+    return /* @__PURE__ */ new Set();
+  }
+  /**
+   * Sanitizes `data` and returns a deep copy with sensitive values replaced.
+   *
+   * @param data - The value to sanitize
+   * @returns A sanitized deep copy of `data`
+   */
+  execute(data) {
+    return this.sanitize(data, this.maxDepth);
+  }
+  /**
+   * Returns `true` when `key` should have its value replaced with `"[REDACTED]"`.
+   *
+   * Matches exact keys from {@link EXACT_SENSITIVE_KEYS} and the caller's
+   * `additionalSensitiveKeys`, then falls back to suffix matching via
+   * {@link SENSITIVE_KEY_SUFFIXES}. All comparisons are case-insensitive.
+   *
+   * @param key - Object property name to evaluate
+   */
+  isSensitiveKey(key) {
+    const lower = key.toLowerCase();
+    if (EXACT_SENSITIVE_KEYS.has(lower) || this.additionalSensitiveKeys.has(lower)) {
+      return true;
+    }
+    return SENSITIVE_KEY_SUFFIXES.some((suffix) => lower.endsWith(suffix));
+  }
+  /**
+   * Recursively sanitizes `data` up to `depth` levels deep.
+   *
+   * Arrays are mapped element-by-element; plain objects have each value checked
+   * with {@link isSensitiveKey} and replaced or recursed accordingly. All other
+   * value types (primitives, `null`, `undefined`) are returned unchanged.
+   * When `depth` reaches zero the node is returned as-is to cap recursion.
+   *
+   * @param data  - Value to sanitize
+   * @param depth - Remaining recursion budget
+   */
+  sanitize(data, depth) {
+    if (depth === 0 || data === null || data === void 0) {
+      return data;
+    }
+    if (Array.isArray(data)) {
+      return data.map((item) => this.sanitize(item, depth - 1));
+    }
+    if (typeof data === "object") {
+      const sanitized = {};
+      for (const [key, value] of Object.entries(data)) {
+        sanitized[key] = this.isSensitiveKey(key) ? "[REDACTED]" : this.sanitize(value, depth - 1);
+      }
+      return sanitized;
+    }
+    return data;
+  }
+};
+__name(_LogSanitizer, "LogSanitizer");
+var LogSanitizer = _LogSanitizer;
+
 // src/framework/telemetry/index.ts
 var _Telemetry = class _Telemetry {
   /**
@@ -885,7 +1215,7 @@ var _Telemetry = class _Telemetry {
       level: this.params?.LOG_LEVEL || "info"
     });
     if (this.params?.ENABLE_TELEMETRY === true) {
-      const helpers = (0, import_aio_lib_telemetry3.getInstrumentationHelpers)();
+      const helpers = (0, import_aio_lib_telemetry4.getInstrumentationHelpers)();
       baseLogger = helpers.logger;
     }
     const metadata = {};
@@ -898,38 +1228,24 @@ var _Telemetry = class _Telemetry {
     if (actionType && actionType !== "") {
       metadata["action.type"] = actionType;
     }
+    const logSanitizer = new LogSanitizer(
+      LogSanitizer.parseSensitiveKeys(this.params?.SENSITIVE_KEYS)
+    );
     if (Object.keys(metadata).length === 0) {
+      this.logger = baseLogger;
       return baseLogger;
     }
+    const sanitizeAndMerge = /* @__PURE__ */ __name((message) => {
+      if (typeof message === "object" && message !== null) {
+        return logSanitizer.execute({ ...metadata, ...message });
+      }
+      return message;
+    }, "sanitizeAndMerge");
     const wrapper = {
-      debug: /* @__PURE__ */ __name((message) => {
-        if (typeof message === "object" && message !== null) {
-          baseLogger.debug({ ...metadata, ...message });
-        } else {
-          baseLogger.debug(message);
-        }
-      }, "debug"),
-      info: /* @__PURE__ */ __name((message) => {
-        if (typeof message === "object" && message !== null) {
-          baseLogger.info({ ...metadata, ...message });
-        } else {
-          baseLogger.info(message);
-        }
-      }, "info"),
-      warn: /* @__PURE__ */ __name((message) => {
-        if (typeof message === "object" && message !== null) {
-          baseLogger.warn({ ...metadata, ...message });
-        } else {
-          baseLogger.warn(message);
-        }
-      }, "warn"),
-      error: /* @__PURE__ */ __name((message) => {
-        if (typeof message === "object" && message !== null) {
-          baseLogger.error({ ...metadata, ...message });
-        } else {
-          baseLogger.error(message);
-        }
-      }, "error")
+      debug: /* @__PURE__ */ __name((message) => baseLogger.debug(sanitizeAndMerge(message)), "debug"),
+      info: /* @__PURE__ */ __name((message) => baseLogger.info(sanitizeAndMerge(message)), "info"),
+      warn: /* @__PURE__ */ __name((message) => baseLogger.warn(sanitizeAndMerge(message)), "warn"),
+      error: /* @__PURE__ */ __name((message) => baseLogger.error(sanitizeAndMerge(message)), "error")
     };
     this.logger = {
       ...baseLogger,
@@ -992,7 +1308,7 @@ var _Telemetry = class _Telemetry {
    */
   getCurrentSpan() {
     if (this.params?.ENABLE_TELEMETRY === true) {
-      const helpers = (0, import_aio_lib_telemetry3.getInstrumentationHelpers)();
+      const helpers = (0, import_aio_lib_telemetry4.getInstrumentationHelpers)();
       return helpers?.currentSpan || null;
     }
     return null;
@@ -1030,7 +1346,7 @@ var _Telemetry = class _Telemetry {
    * ```
    */
   instrument(spanName, fn) {
-    return (0, import_aio_lib_telemetry3.instrument)(fn, {
+    return (0, import_aio_lib_telemetry4.instrument)(fn, {
       spanConfig: {
         spanName
       }
@@ -1041,7 +1357,7 @@ var _Telemetry = class _Telemetry {
    *
    * Attempts to initialize telemetry providers in the following order:
    * 1. New Relic (if NEW_RELIC_TELEMETRY=true)
-   * 2. Grafana (if GRAFANA_TELEMETRY=true) - Future support
+   * 2. Grafana LGTM (if GRAFANA_TELEMETRY=true)
    * 3. Original action (no telemetry)
    *
    * Telemetry initialization is deferred to runtime when params are available.
@@ -1056,13 +1372,30 @@ var _Telemetry = class _Telemetry {
    * @param action - The runtime action function to instrument
    * @returns The instrumented action ready for export
    *
-   * @example
+   * @example New Relic provider
    * ```typescript
    * const telemetry = new Telemetry();
    * export const main = telemetry.initialize(myAction);
    * // Environment: ENABLE_TELEMETRY=true, NEW_RELIC_TELEMETRY=true
    * // Result: Uses New Relic telemetry with full distributed tracing
    * ```
+   *
+   * @example Grafana LGTM provider (dev mode)
+   * ```typescript
+   * const telemetry = new Telemetry();
+   * export const main = telemetry.initialize(myAction);
+   * // Environment: ENABLE_TELEMETRY=true, GRAFANA_TELEMETRY=true, GRAFANA_DEV=true
+   * // Result: Sends all signals to http://localhost:4318 (Grafana LGTM Docker stack)
+   * ```
+   *
+   * @example Grafana LGTM provider (deployed mode)
+   * ```typescript
+   * const telemetry = new Telemetry();
+   * export const main = telemetry.initialize(myAction);
+   * // Environment: ENABLE_TELEMETRY=true, GRAFANA_TELEMETRY=true,
+   * //              GRAFANA_ENDPOINT=https://abc123.trycloudflare.com
+   * // Result: Sends all signals to the Cloudflare tunnel URL
+   * ```
    */
   initialize(action) {
     return async (params) => {
@@ -1080,6 +1413,19 @@ var _Telemetry = class _Telemetry {
           );
         }
       }
+      const grafanaTelemetry = new grafana_default();
+      if (grafanaTelemetry.canInitialize(params)) {
+        try {
+          const instrumentedAction = grafanaTelemetry.initialize(action);
+          return await instrumentedAction(params);
+        } catch (error) {
+          const errorMessage = error instanceof Error ? error.message : "Telemetry initialization failed";
+          return response_default.error(
+            500 /* INTERNAL_ERROR */,
+            `Telemetry configuration error: ${errorMessage}`
+          );
+        }
+      }
       return action(params);
     };
   }
@@ -1190,6 +1536,7 @@ var _RuntimeAction = class _RuntimeAction {
       }
       telemetry.setParams(params);
       const logger = telemetry.createLogger(name);
+      const logSanitizer = new LogSanitizer(LogSanitizer.parseSensitiveKeys(params.SENSITIVE_KEYS));
       try {
         logger.debug({
           message: `${_RuntimeAction.getActionTypeName()} execution started`
@@ -1197,13 +1544,13 @@ var _RuntimeAction = class _RuntimeAction {
         logger.debug(
           JSON.stringify({
             message: `${_RuntimeAction.getActionTypeName()} headers received`,
-            headers: params.__ow_headers || {}
+            headers: logSanitizer.execute(params.__ow_headers || {})
           })
         );
         logger.debug(
           JSON.stringify({
             message: `${_RuntimeAction.getActionTypeName()} body received`,
-            body: params.__ow_body || {}
+            body: logSanitizer.execute(params.__ow_body || {})
           })
         );
         const validationError = _RuntimeAction.validateRequestWithInstrumentation(
@@ -1229,7 +1576,7 @@ var _RuntimeAction = class _RuntimeAction {
         logger.debug(
           JSON.stringify({
             message: `${_RuntimeAction.getActionTypeName()} execution completed`,
-            result
+            result: logSanitizer.execute(result)
           })
         );
         return result;
@@ -1487,17 +1834,18 @@ var _EventConsumerAction = class _EventConsumerAction {
     const eventConsumerAction = /* @__PURE__ */ __name(async (params) => {
       params.action_type = "event-consumer-action";
       const logger = telemetry.createLogger(name);
+      const logSanitizer = new LogSanitizer(LogSanitizer.parseSensitiveKeys(params.SENSITIVE_KEYS));
       try {
         logger.debug({
           message: "Event consumer action execution started"
         });
         logger.debug({
           message: "Event consumer action headers received",
-          headers: params.__ow_headers || {}
+          headers: logSanitizer.execute(params.__ow_headers || {})
         });
         logger.debug({
           message: "Event consumer action parameters received",
-          parameters: params
+          parameters: logSanitizer.execute(params)
         });
         const errorMessage = _EventConsumerAction.validateWithInstrumentation(
           name,
@@ -1523,7 +1871,7 @@ var _EventConsumerAction = class _EventConsumerAction {
         );
         logger.debug({
           message: "Event consumer action execution completed",
-          result
+          result: logSanitizer.execute(result)
         });
         return result;
       } catch (error) {
@@ -2151,13 +2499,14 @@ var _OpenwhiskAction = class _OpenwhiskAction {
     const openwhiskAction = /* @__PURE__ */ __name(async (params) => {
       params.action_type = "openwhisk-action";
       const logger = telemetry.createLogger(name);
+      const logSanitizer = new LogSanitizer(LogSanitizer.parseSensitiveKeys(params.SENSITIVE_KEYS));
       try {
         logger.debug({
           message: "OpenWhisk action execution started"
         });
         logger.debug({
           message: "OpenWhisk action parameters received",
-          params
+          params: logSanitizer.execute(params)
         });
         const result = await _OpenwhiskAction.executeActionWithInstrumentation(
           name,
@@ -2169,7 +2518,7 @@ var _OpenwhiskAction = class _OpenwhiskAction {
         );
         logger.debug({
           message: "OpenWhisk action execution completed",
-          result
+          result: logSanitizer.execute(result)
         });
         return result;
       } catch (error) {
@@ -11940,6 +12289,213 @@ __name(_RabbitMQClient, "RabbitMQClient");
 var RabbitMQClient = _RabbitMQClient;
 var rabbit_mq_client_default = RabbitMQClient;
 
+// src/integration/amazon-sqs-client/index.ts
+var import_crypto5 = require("crypto");
+var import_client_sqs = require("@aws-sdk/client-sqs");
+
+// src/integration/amazon-sqs-client/types.ts
+var SQS_MAX_BATCH_SIZE = 10;
+var DEFAULT_VISIBILITY_TIMEOUT = 30;
+var DEFAULT_WAIT_TIME_SECONDS = 0;
+var DEFAULT_MESSAGE_GROUP_ID = "default";
+
+// src/integration/amazon-sqs-client/index.ts
+var _AmazonSQSClient = class _AmazonSQSClient {
+  /**
+   * @param config - AWS region, IAM credentials, target queue URL, and optional
+   *   consumer/FIFO settings (visibilityTimeout, waitTimeSeconds, messageGroupId).
+   */
+  constructor(config) {
+    this.queueUrl = config.queueUrl;
+    this.isFifo = config.queueUrl.endsWith(".fifo");
+    this.visibilityTimeout = config.visibilityTimeout ?? DEFAULT_VISIBILITY_TIMEOUT;
+    this.waitTimeSeconds = config.waitTimeSeconds ?? DEFAULT_WAIT_TIME_SECONDS;
+    this.messageGroupId = config.messageGroupId ?? DEFAULT_MESSAGE_GROUP_ID;
+    this.client = new import_client_sqs.SQSClient({
+      region: config.region,
+      credentials: {
+        accessKeyId: config.accessKeyId,
+        secretAccessKey: config.secretAccessKey
+      }
+    });
+  }
+  /**
+   * Publishes all `payloads` to the bound queue in batches of 10 (the SQS hard limit
+   * per `SendMessageBatch` call). Failed entries reported by SQS within a successful
+   * batch response are tracked individually in `stats.errors`. Transport errors
+   * (thrown exceptions) are captured per-batch so a single failing batch does not
+   * abort the rest.
+   *
+   * For FIFO queues (URL ends in `.fifo`), every entry is stamped with:
+   * - `MessageGroupId` — the value set at construction time (`config.messageGroupId`,
+   *   defaulting to `'default'`).
+   * - `MessageDeduplicationId` — a unique `randomUUID()` per entry, ensuring
+   *   at-most-once delivery within the 5-minute SQS deduplication window regardless
+   *   of whether content-based deduplication is enabled on the queue.
+   *
+   * @param payloads - Array of string message bodies to send.
+   * @returns Counts of published and failed messages plus per-failure details.
+   */
+  async publish(payloads) {
+    const stats = { published: 0, failed: 0, errors: [] };
+    if (payloads.length === 0) return stats;
+    const chunks = this.chunk(payloads, SQS_MAX_BATCH_SIZE);
+    let globalIndex = 0;
+    for (const chunk of chunks) {
+      await this.sendBatch(chunk, globalIndex, stats);
+      globalIndex += chunk.length;
+    }
+    return stats;
+  }
+  /**
+   * Pulls up to `batchSize` messages from the bound queue and processes each
+   * one via `handler`.
+   *
+   * Processing steps:
+   * 1. Receive messages in ReceiveMessage loops (≤ 10 per call) until `batchSize`
+   *    messages are accumulated or the queue returns empty.
+   * 2. Invoke `handler` concurrently for all received messages.
+   * 3. Delete every message whose handler resolved successfully.
+   *    Messages whose handler threw are left in the queue and become visible again
+   *    after the configured `visibilityTimeout` (set at construction time).
+   *
+   * @param batchSize - Total number of messages to pull per invocation.
+   * @param handler - Callback invoked with the SQS MessageId and raw body string.
+   * @returns Receive / process / delete / fail counts plus per-error details.
+   * @throws Propagates SQS transport errors (receive, delete) to the caller.
+   */
+  async consume(batchSize, handler) {
+    const stats = {
+      received: 0,
+      processed: 0,
+      deleted: 0,
+      failed: 0,
+      errors: []
+    };
+    const messages = await this.receiveMessages(batchSize);
+    stats.received = messages.length;
+    if (messages.length === 0) return stats;
+    const toDelete = [];
+    await Promise.all(
+      messages.map(async (msg) => {
+        stats.processed++;
+        try {
+          await handler(msg.MessageId ?? "", msg.Body ?? "");
+          toDelete.push(msg);
+        } catch (error) {
+          stats.failed++;
+          stats.errors.push({ messageId: msg.MessageId ?? "", error });
+        }
+      })
+    );
+    if (toDelete.length > 0) {
+      await this.deleteMessages(toDelete);
+      stats.deleted += toDelete.length;
+    }
+    return stats;
+  }
+  /**
+   * Loops ReceiveMessage calls until `batchSize` messages are accumulated
+   * or the queue returns an empty response (queue drained).
+   *
+   * The first call uses `this.waitTimeSeconds` (enabling long polling when > 0).
+   * Subsequent fill-up calls always use waitTimeSeconds = 0 to avoid blocking —
+   * if the first call returned messages the queue is clearly non-empty.
+   */
+  async receiveMessages(batchSize) {
+    const messages = [];
+    let isFirstCall = true;
+    while (messages.length < batchSize) {
+      const remaining = batchSize - messages.length;
+      const maxMessages = Math.min(remaining, SQS_MAX_BATCH_SIZE);
+      const response = await this.client.send(
+        new import_client_sqs.ReceiveMessageCommand({
+          QueueUrl: this.queueUrl,
+          MaxNumberOfMessages: maxMessages,
+          VisibilityTimeout: this.visibilityTimeout,
+          WaitTimeSeconds: isFirstCall ? this.waitTimeSeconds : 0
+        })
+      );
+      isFirstCall = false;
+      const received = response.Messages ?? [];
+      if (received.length === 0) break;
+      messages.push(...received);
+      if (received.length < maxMessages) break;
+    }
+    return messages;
+  }
+  /**
+   * Deletes messages from the queue after successful processing.
+   * Uses DeleteMessageBatch (≤ 10 per call).
+   */
+  async deleteMessages(messages) {
+    const chunks = this.chunk(messages, SQS_MAX_BATCH_SIZE);
+    for (const chunk of chunks) {
+      const entries = chunk.map((msg, i) => ({
+        Id: String(i),
+        ReceiptHandle: msg.ReceiptHandle ?? ""
+      }));
+      await this.client.send(
+        new import_client_sqs.DeleteMessageBatchCommand({ QueueUrl: this.queueUrl, Entries: entries })
+      );
+    }
+  }
+  /**
+   * Sends a single publish batch via `SendMessageBatchCommand`.
+   * `globalOffset` generates unique, stable entry IDs across consecutive batches
+   * (SQS requires unique IDs within each request, not globally).
+   * For FIFO queues, each entry is stamped with a `MessageGroupId` and a unique
+   * `MessageDeduplicationId` (randomUUID).
+   * Per-entry SQS failures are captured in `stats.errors`; transport exceptions
+   * mark all entries in the chunk as failed without re-throwing.
+   */
+  async sendBatch(chunk, globalOffset, stats) {
+    const entries = chunk.map((payload, i) => ({
+      Id: String(globalOffset + i),
+      MessageBody: payload,
+      ...this.isFifo && {
+        MessageGroupId: this.messageGroupId,
+        MessageDeduplicationId: (0, import_crypto5.randomUUID)()
+      }
+    }));
+    try {
+      const response = await this.client.send(
+        new import_client_sqs.SendMessageBatchCommand({ QueueUrl: this.queueUrl, Entries: entries })
+      );
+      const successful = response.Successful ?? [];
+      const failed = response.Failed ?? [];
+      stats.published += successful.length;
+      for (const failure of failed) {
+        const entryIndex = Number(failure.Id) - globalOffset;
+        const payload = chunk[entryIndex] ?? "";
+        const error = new Error(
+          `SQS batch entry failed [Id=${failure.Id}] Code=${failure.Code}: ${failure.Message ?? "unknown"}`
+        );
+        stats.failed++;
+        stats.errors.push({ payload, error });
+      }
+    } catch (error) {
+      for (const payload of chunk) {
+        stats.failed++;
+        stats.errors.push({ payload, error });
+      }
+    }
+  }
+  /**
+   * Splits `items` into sequential chunks of at most `size` elements.
+   */
+  chunk(items, size) {
+    const chunks = [];
+    for (let i = 0; i < items.length; i += size) {
+      chunks.push(items.slice(i, i + size));
+    }
+    return chunks;
+  }
+};
+__name(_AmazonSQSClient, "AmazonSQSClient");
+var AmazonSQSClient = _AmazonSQSClient;
+var amazon_sqs_client_default = AmazonSQSClient;
+
 // src/commerce/adobe-commerce-client/index.ts
 var import_got = __toESM(require("got"));
 var _AdobeCommerceClient = class _AdobeCommerceClient {
@@ -12934,6 +13490,7 @@ var AdminUiSdk = _AdminUiSdk;
   AdminUiSdk,
   AdobeAuth,
   AdobeCommerceClient,
+  AmazonSQSClient,
   BasicAuthConnection,
   BearerToken,
   CreateEvents,
@@ -12951,6 +13508,7 @@ var AdminUiSdk = _AdminUiSdk;
   InfiniteLoopBreaker,
   IoEventsGlobals,
   JsonMessageProcessor,
+  LogSanitizer,
   Oauth1aConnection,
   OnboardCommerce,
   OnboardEvents,