@ciq-dev/neoiq-foundation-node 1.0.1-beta.0 → 1.0.1-beta.2

package/dist/index.js

@@ -24,8 +24,8 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 //#endregion
 const zod = __toESM(require("zod"));
 const async_hooks = __toESM(require("async_hooks"));
-const pino = __toESM(require("pino"));
 const __opentelemetry_api = __toESM(require("@opentelemetry/api"));
+const pino = __toESM(require("pino"));
 const __opentelemetry_sdk_node = __toESM(require("@opentelemetry/sdk-node"));
 const __opentelemetry_auto_instrumentations_node = __toESM(require("@opentelemetry/auto-instrumentations-node"));
 const __opentelemetry_exporter_trace_otlp_grpc = __toESM(require("@opentelemetry/exporter-trace-otlp-grpc"));
@@ -38,6 +38,7 @@ const crypto = __toESM(require("crypto"));
 const axios = __toESM(require("axios"));
 const axios_retry = __toESM(require("axios-retry"));
 const opossum = __toESM(require("opossum"));
+const node_stream = __toESM(require("node:stream"));
 
 //#region src/config.ts
 const AutoInstrumentationConfigSchema = zod.z.object({
@@ -81,6 +82,11 @@ const RequestLoggingConfigSchema = zod.z.object({
 	maxBodySize: zod.z.number().default(10 * 1024),
 	redactHeaders: zod.z.array(zod.z.string()).optional()
 }).partial();
+const RedactionConfigSchema = zod.z.object({ additionalPaths: zod.z.array(zod.z.string()).default([]) }).partial();
+const ShutdownConfigSchema = zod.z.object({
+	flushOnCrash: zod.z.boolean().default(false),
+	flushTimeoutMs: zod.z.number().min(100).default(5e3)
+}).partial();
 const FoundationConfigSchema = zod.z.object({
 	serviceName: zod.z.string().min(1, "serviceName is required"),
 	serviceVersion: zod.z.string().default(process.env.SERVICE_VERSION || "1.0.0"),
@@ -93,7 +99,9 @@ const FoundationConfigSchema = zod.z.object({
 	features: FeaturesConfigSchema.default({}),
 	otel: OtelConfigSchema.default({}),
 	logging: LoggingConfigSchema.default({}),
-	requestLogging: RequestLoggingConfigSchema.default({})
+	requestLogging: RequestLoggingConfigSchema.default({}),
+	redaction: RedactionConfigSchema.default({}),
+	shutdown: ShutdownConfigSchema.default({})
 });
 /** Parse and validate configuration */
 function parseConfig(input) {
@@ -111,33 +119,247 @@ function getDefaultOtelEndpoint() {
 
 //#endregion
 //#region src/features/context.ts
+const BAGGAGE_CORRELATION_KEY = "correlation.id";
+function setBaggageCorrelationId(correlationId) {
+	const currentBaggage = __opentelemetry_api.propagation.getBaggage(__opentelemetry_api.context.active());
+	const baggage = (currentBaggage ?? __opentelemetry_api.propagation.createBaggage()).setEntry(BAGGAGE_CORRELATION_KEY, { value: correlationId });
+	return __opentelemetry_api.propagation.setBaggage(__opentelemetry_api.context.active(), baggage);
+}
+function getBaggageCorrelationId() {
+	const baggage = __opentelemetry_api.propagation.getBaggage(__opentelemetry_api.context.active());
+	return baggage?.getEntry(BAGGAGE_CORRELATION_KEY)?.value;
+}
 /** Create a new context manager instance */
 function createContextManager() {
 	const als = new async_hooks.AsyncLocalStorage();
 	return {
-		getContext: () => als.getStore(),
-		run(context$3, fn) {
-			return als.run(context$3, fn);
+		getContext() {
+			const alsCtx = als.getStore();
+			if (!alsCtx) return void 0;
+			const baggageCorrelationId = getBaggageCorrelationId();
+			if (baggageCorrelationId && baggageCorrelationId !== alsCtx.correlationId) return {
+				...alsCtx,
+				correlationId: baggageCorrelationId
+			};
+			return alsCtx;
+		},
+		run(context$2, fn) {
+			if (context$2.correlationId) {
+				const otelCtx = setBaggageCorrelationId(context$2.correlationId);
+				return __opentelemetry_api.context.with(otelCtx, () => als.run(context$2, fn));
+			}
+			return als.run(context$2, fn);
 		},
 		get(key) {
+			if (key === "correlationId") return getBaggageCorrelationId() ?? als.getStore()?.correlationId;
 			return als.getStore()?.[key];
 		},
 		update(updates) {
 			const current = als.getStore();
 			if (!current) return void 0;
+			if (updates.correlationId) setBaggageCorrelationId(updates.correlationId);
 			Object.assign(current, updates);
 			return current;
+		},
+		setContextValue(key, value) {
+			const current = als.getStore();
+			if (!current) return;
+			if (!current.contextData) current.contextData = {};
+			current.contextData[key] = value;
+		},
+		getContextValue(key) {
+			return als.getStore()?.contextData?.[key];
+		},
+		getContextData() {
+			return als.getStore()?.contextData ?? {};
+		},
+		setContextData(data) {
+			const current = als.getStore();
+			if (!current) return;
+			current.contextData = {
+				...current.contextData ?? {},
+				...data
+			};
+		},
+		clearContextData() {
+			const current = als.getStore();
+			if (!current) return;
+			current.contextData = {};
 		}
 	};
 }
 
+//#endregion
+//#region src/features/redaction.ts
+/**
+* Log Redaction & PII Sanitization
+*
+* Two-layer approach:
+* - Layer A: Pino native `redact` (fast-redact) for key-based redaction on every log call.
+*   Compiled at init, near-zero runtime cost.
+* - Layer B: Deep-traverse sanitizer for value-pattern detection (JWTs, AWS keys, etc.).
+*   Only used for request/response body logging — NOT on every log call.
+*/
+const PLACEHOLDER = "[REDACTED]";
+/**
+* Key names that Pino's fast-redact will censor automatically.
+* Supports wildcards: '*.password' matches nested keys one level deep.
+*/
+const REDACT_PATHS = [
+	"password",
+	"passwd",
+	"pass",
+	"pwd",
+	"secret",
+	"secretKey",
+	"secret_key",
+	"token",
+	"accessToken",
+	"access_token",
+	"refreshToken",
+	"refresh_token",
+	"idToken",
+	"id_token",
+	"apiKey",
+	"api_key",
+	"apiSecret",
+	"api_secret",
+	"authorization",
+	"auth",
+	"credentials",
+	"privateKey",
+	"private_key",
+	"cookie",
+	"setCookie",
+	"set_cookie",
+	"creditCard",
+	"credit_card",
+	"cardNumber",
+	"card_number",
+	"ccNumber",
+	"cc_number",
+	"cvv",
+	"cvc",
+	"securityCode",
+	"security_code",
+	"accountNumber",
+	"account_number",
+	"ssn",
+	"socialSecurity",
+	"social_security",
+	"dateOfBirth",
+	"date_of_birth",
+	"dob",
+	"*.password",
+	"*.secret",
+	"*.token",
+	"*.apiKey",
+	"*.api_key",
+	"*.authorization",
+	"*.cookie",
+	"*.credentials",
+	"*.creditCard",
+	"*.cardNumber",
+	"*.cvv",
+	"*.ssn",
+	"*.privateKey",
+	"*.private_key"
+];
+/**
+* Value patterns that indicate a secret regardless of the key name.
+* Used only for body sanitization (Layer B).
+*/
+const VALUE_PATTERNS = [
+	{
+		label: "jwt",
+		pattern: /^eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]+$/
+	},
+	{
+		label: "aws_access_key",
+		pattern: /(?:^|[^A-Za-z0-9])AKIA[0-9A-Z]{16}(?:$|[^A-Za-z0-9])/
+	},
+	{
+		label: "stripe_key",
+		pattern: /^[sr]k_(live|test)_[A-Za-z0-9]{10,}$/
+	},
+	{
+		label: "openai_key",
+		pattern: /^sk-[A-Za-z0-9_-]{20,}$/
+	},
+	{
+		label: "github_token",
+		pattern: /^gh[ps]_[A-Za-z0-9]{36,}$/
+	},
+	{
+		label: "pem_private_key",
+		pattern: /-----BEGIN\s+(RSA\s+|EC\s+)?PRIVATE\s+KEY-----/
+	},
+	{
+		label: "connection_string",
+		pattern: /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\/[^:]+:[^@]+@/
+	},
+	{
+		label: "bearer_token",
+		pattern: /^Bearer\s+\S{10,}$/i
+	}
+];
+const SENSITIVE_KEYS = new Set(REDACT_PATHS.filter((p) => !p.includes("*")).map((k) => k.toLowerCase()));
+const MAX_DEPTH = 10;
+const MAX_KEYS = 200;
+function mask(value) {
+	if (typeof value !== "string" || value.length <= 8) return PLACEHOLDER;
+	return `${value.slice(0, 4)}${"*".repeat(Math.min(value.length - 8, 20))}${value.slice(-4)}`;
+}
+function isSensitiveValue(value) {
+	return VALUE_PATTERNS.some((p) => p.pattern.test(value));
+}
+function sanitizeValue(value, depth) {
+	if (depth > MAX_DEPTH) return value;
+	if (typeof value === "string" && isSensitiveValue(value)) return mask(value);
+	if (Array.isArray(value)) return value.map((item) => sanitizeValue(item, depth + 1));
+	if (value !== null && typeof value === "object") return sanitizeObject(value, depth + 1);
+	return value;
+}
+function sanitizeObject(obj, depth) {
+	if (depth > MAX_DEPTH) return obj;
+	const keys = Object.keys(obj);
+	if (keys.length > MAX_KEYS) return obj;
+	const result = {};
+	for (const key of keys) {
+		const value = obj[key];
+		if (SENSITIVE_KEYS.has(key.toLowerCase())) result[key] = typeof value === "string" ? mask(value) : PLACEHOLDER;
+		else result[key] = sanitizeValue(value, depth);
+	}
+	return result;
+}
+/**
+* Deep-traverse sanitizer for request/response bodies.
+* Checks both key names (deny-list) and value patterns (JWT, AWS keys, etc.).
+* NOT intended for every log call — use Pino native `redact` for that.
+*/
+function sanitizeBody(body) {
+	if (body === null || body === void 0) return body;
+	if (typeof body === "string") return isSensitiveValue(body) ? mask(body) : body;
+	if (typeof body !== "object") return body;
+	if (Array.isArray(body)) return body.map((item) => sanitizeValue(item, 0));
+	return sanitizeObject(body, 0);
+}
+/** Build the Pino `redact` config object for fast-redact integration */
+function buildPinoRedactConfig(additionalPaths = []) {
+	return {
+		paths: [...REDACT_PATHS, ...additionalPaths],
+		censor: PLACEHOLDER
+	};
+}
+
 //#endregion
 //#region src/features/logging.ts
 /** Create a structured logger with automatic trace context injection */
 function createLogger(options) {
-	const { serviceName, serviceVersion, environment, level, prettyPrint, contextManager } = options;
+	const { serviceName, serviceVersion, environment, level, prettyPrint, contextManager, additionalRedactPaths = [] } = options;
 	const pinoLogger = (0, pino.default)({
 		level,
+		redact: buildPinoRedactConfig(additionalRedactPaths),
 		base: {
 			service: serviceName,
 			version: serviceVersion,
@@ -147,11 +369,17 @@ function createLogger(options) {
 			const span = __opentelemetry_api.trace.getActiveSpan();
 			const spanContext = span?.spanContext();
 			const ctx = contextManager?.getContext();
-			return {
-				traceId: spanContext?.traceId || ctx?.traceId,
-				spanId: spanContext?.spanId || ctx?.spanId,
-				correlationId: ctx?.correlationId
+			const traceId = spanContext?.traceId || ctx?.traceId;
+			const spanId = spanContext?.spanId || ctx?.spanId;
+			const correlationId = ctx?.correlationId;
+			const contextData = ctx?.contextData;
+			const result = {
+				trace_id: traceId,
+				span_id: spanId,
+				correlation_id: correlationId
 			};
+			if (contextData && Object.keys(contextData).length > 0) result.context = contextData;
+			return result;
 		},
 		formatters: { level: (label) => ({ level: label }) },
 		transport: prettyPrint ? {
@@ -185,7 +413,10 @@ function createFallbackLogger(serviceName = "unknown") {
 			...obj,
 			msg
 		};
-		console[level === "debug" ? "log" : level](JSON.stringify(logObj));
+		const payload = JSON.stringify(logObj);
+		if (level === "warn") console.warn(payload);
+		else if (level === "error") console.error(payload);
+		else console.log(payload);
 	};
 	const fallback = {
 		debug: (obj, msg) => log("debug", obj, msg),
@@ -209,12 +440,26 @@ function getGlobalLogger() {
 //#region src/features/tracing.ts
 let sdk = null;
 let isInitialized$1 = false;
+const MONITORED_MODULES = [
+	"pg",
+	"mongodb",
+	"ioredis",
+	"mysql2",
+	"express",
+	"@grpc/grpc-js"
+];
+function warnPreloadedModules() {
+	for (const mod of MONITORED_MODULES) try {
+		if (require.resolve(mod) in (require.cache || {})) console.warn(`[neoiq-foundation] "${mod}" was imported before tracing init. Auto-instrumentation may not work for this module. Use node -r @ciq-dev/neoiq-foundation-node/bootstrap or call createFoundation() first.`);
+	} catch {}
+}
 /** Initialize OpenTelemetry tracing */
 function setupTracing(options) {
 	if (isInitialized$1) {
 		console.warn("[neoiq-foundation] Tracing already initialized");
 		return;
 	}
+	warnPreloadedModules();
 	const { serviceName, serviceVersion, environment, endpoint = getDefaultOtelEndpoint(), autoInstrumentation = {} } = options;
 	const resource = (0, __opentelemetry_resources.resourceFromAttributes)({
 		[__opentelemetry_semantic_conventions.ATTR_SERVICE_NAME]: serviceName,
@@ -371,7 +616,6 @@ function createObservabilityPlugin(options) {
 		const maxBodySize = requestLogging.maxBodySize ?? 10 * 1024;
 		const headersToRedact = requestLogging.redactHeaders ?? DEFAULT_REDACT_HEADERS;
 		const runInContext = contextManager ? (ctx, fn) => contextManager.run(ctx, fn) : (_ctx, fn) => fn();
-		const tracer = tracingEnabled ? __opentelemetry_api.trace.getTracer("neoiq-foundation-node") : null;
 		let requestCounter;
 		let requestDuration;
 		let requestErrors;
@@ -388,22 +632,12 @@ function createObservabilityPlugin(options) {
 			}
 			const correlationId = request.headers["x-request-id"] || (0, crypto.randomUUID)();
 			reply.header("x-request-id", correlationId);
-			let span;
 			let traceId = "";
 			let spanId = "";
-			if (tracer) {
-				const parentContext = __opentelemetry_api.propagation.extract(__opentelemetry_api.context.active(), request.headers);
-				span = tracer.startSpan(`${request.method} ${request.routeOptions?.url || request.url}`, {
-					kind: 1,
-					attributes: {
-						"http.method": request.method,
-						"http.url": request.url,
-						"http.route": request.routeOptions?.url || request.url,
-						"http.user_agent": request.headers["user-agent"] || "",
-						"http.correlation_id": correlationId
-					}
-				}, parentContext);
-				const spanContext = span.spanContext();
+			const activeSpan = tracingEnabled ? __opentelemetry_api.trace.getActiveSpan() : void 0;
+			if (activeSpan) {
+				activeSpan.setAttribute("http.correlation_id", correlationId);
+				const spanContext = activeSpan.spanContext();
 				traceId = spanContext.traceId;
 				spanId = spanContext.spanId;
 			}
@@ -413,12 +647,12 @@ function createObservabilityPlugin(options) {
 				spanId,
 				startTime: Date.now()
 			};
-			request.__span = span;
 			request.__requestContext = requestContext;
 			runInContext(requestContext, () => {
 				const logData = {
-					correlationId,
-					traceId: traceId || void 0,
+					correlation_id: correlationId,
+					trace_id: traceId || void 0,
+					span_id: spanId || void 0,
 					method: request.method,
 					url: request.url,
 					ip: request.ip,
@@ -437,8 +671,8 @@ function createObservabilityPlugin(options) {
 			}
 			runInContext(ctx, () => {
 				logger.debug({
-					correlationId: ctx.correlationId,
-					body: truncateBody(request.body, maxBodySize)
+					correlation_id: ctx.correlationId,
+					body: sanitizeBody(truncateBody(request.body, maxBodySize))
 				}, "Request body");
 				done();
 			});
@@ -451,16 +685,15 @@ function createObservabilityPlugin(options) {
 			}
 			runInContext(ctx, () => {
 				logger.debug({
-					correlationId: ctx.correlationId,
+					correlation_id: ctx.correlationId,
 					statusCode: reply.statusCode,
-					body: truncateBody(payload, maxBodySize)
+					body: sanitizeBody(truncateBody(payload, maxBodySize))
 				}, "Response body");
 				done(null, payload);
 			});
 		});
 		fastify.addHook("onResponse", (request, reply, done) => {
 			const ctx = request.__requestContext;
-			const span = request.__span;
 			if (!ctx) {
 				done();
 				return;
@@ -474,7 +707,7 @@ function createObservabilityPlugin(options) {
 			};
 			runInContext(ctx, () => {
 				logger.info({
-					correlationId: ctx.correlationId,
+					correlation_id: ctx.correlationId,
 					method: request.method,
 					statusCode: reply.statusCode,
 					durationMs
@@ -484,35 +717,35 @@ function createObservabilityPlugin(options) {
 					requestDuration.record(durationMs, labels);
 					if (reply.statusCode >= 400) requestErrors.add(1, labels);
 				}
-				if (span) {
-					span.setStatus({ code: reply.statusCode < 400 ? __opentelemetry_api.SpanStatusCode.OK : __opentelemetry_api.SpanStatusCode.ERROR });
-					span.setAttribute("http.status_code", reply.statusCode);
-					span.setAttribute("http.response_time_ms", durationMs);
-					span.end();
+				if (tracingEnabled) {
+					const activeSpan = __opentelemetry_api.trace.getActiveSpan();
+					if (activeSpan) activeSpan.setAttribute("http.response_time_ms", durationMs);
 				}
 				done();
 			});
 		});
 		fastify.addHook("onError", (request, _reply, error, done) => {
 			const ctx = request.__requestContext;
-			const span = request.__span;
 			if (!ctx) {
 				done();
 				return;
 			}
 			runInContext(ctx, () => {
 				logger.error({
-					correlationId: ctx.correlationId,
+					correlation_id: ctx.correlationId,
 					method: request.method,
 					url: request.url,
 					error: error.message
 				}, "Request failed");
-				if (span) {
-					span.setStatus({
-						code: __opentelemetry_api.SpanStatusCode.ERROR,
-						message: error.message
-					});
-					span.recordException(error);
+				if (tracingEnabled) {
+					const activeSpan = __opentelemetry_api.trace.getActiveSpan();
+					if (activeSpan) {
+						activeSpan.setStatus({
+							code: __opentelemetry_api.SpanStatusCode.ERROR,
+							message: error.message
+						});
+						activeSpan.recordException(error);
+					}
 				}
 				done();
 			});
@@ -642,17 +875,54 @@ function createHttpClient(options) {
 		breaker.on("open", () => logger.warn({ targetService: serviceName }, "Circuit breaker OPEN"));
 		breaker.on("halfOpen", () => logger.info({ targetService: serviceName }, "Circuit breaker HALF-OPEN"));
 		breaker.on("close", () => logger.info({ targetService: serviceName }, "Circuit breaker CLOSED"));
+		const originalRequest = client.request.bind(client);
+		client.request = (config) => breaker.fire(config);
+		client.get = (url, config) => breaker.fire({
+			...config,
+			method: "GET",
+			url
+		});
+		client.post = (url, data, config) => breaker.fire({
+			...config,
+			method: "POST",
+			url,
+			data
+		});
+		client.put = (url, data, config) => breaker.fire({
+			...config,
+			method: "PUT",
+			url,
+			data
+		});
+		client.delete = (url, config) => breaker.fire({
+			...config,
+			method: "DELETE",
+			url
+		});
+		client.patch = (url, data, config) => breaker.fire({
+			...config,
+			method: "PATCH",
+			url,
+			data
+		});
+		client.__originalRequest = originalRequest;
 	}
 	return client;
 }
 
 //#endregion
 //#region src/foundation.ts
+const deprecationWarnings = new Set();
+function warnDeprecation(oldPath, newPath) {
+	if (deprecationWarnings.has(oldPath)) return;
+	deprecationWarnings.add(oldPath);
+	console.warn(`[neoiq-foundation] DEPRECATED: foundation.${oldPath}() is deprecated. Use foundation.${newPath}() instead. This alias will be removed in the next major version.`);
+}
 /** Create a fully configured observability foundation */
 function createFoundation(input) {
 	const startTime = Date.now();
 	const config = parseConfig(input);
-	const { serviceName, serviceVersion, environment, features: featuresConfig, otel, logging: loggingConfig, requestLogging: requestLoggingConfig } = config;
+	const { serviceName, serviceVersion, environment, features: featuresConfig, otel, logging: loggingConfig, requestLogging: requestLoggingConfig, redaction: redactionConfig, shutdown: shutdownConfig } = config;
 	const features = {
 		tracing: featuresConfig.tracing ?? true,
 		metrics: featuresConfig.metrics ?? true,
@@ -668,7 +938,8 @@ function createFoundation(input) {
 			environment,
 			level: loggingConfig.level ?? "info",
 			prettyPrint: loggingConfig.prettyPrint ?? environment === "development",
-			contextManager
+			contextManager,
+			additionalRedactPaths: redactionConfig.additionalPaths
 		});
 		setGlobalLogger(logger);
 	} catch (err) {
@@ -740,17 +1011,137 @@ function createFoundation(input) {
 		environment,
 		features
 	}, "Foundation initialized");
-	const foundation = {
-		config,
+	if (shutdownConfig.flushOnCrash) {
+		const flushTimeoutMs = shutdownConfig.flushTimeoutMs ?? 5e3;
+		const crashFlush = (origin, err) => {
+			const error = err instanceof Error ? err : new Error(String(err));
+			logger.error({
+				error: error.message,
+				stack: error.stack,
+				origin
+			}, "Process crash detected, flushing telemetry");
+			const flushPromises = [];
+			if (features.tracing && isTracingEnabled()) flushPromises.push(shutdownTracing());
+			if (features.metrics && isMetricsEnabled()) flushPromises.push(shutdownMetrics());
+			const timeout = new Promise((resolve) => setTimeout(resolve, flushTimeoutMs));
+			Promise.race([Promise.allSettled(flushPromises), timeout]).finally(() => {
+				process.exit(1);
+			});
+		};
+		process.on("uncaughtException", (err) => crashFlush("uncaughtException", err));
+		process.on("unhandledRejection", (reason) => crashFlush("unhandledRejection", reason));
+		logger.info({ flushTimeoutMs }, "Crash-flush handlers registered");
+	}
+	const traceInSpan = async (name, fn) => {
+		const tracer = tracerInstance || getTracer(serviceName);
+		return new Promise((resolve, reject) => {
+			tracer.startActiveSpan(name, async (span) => {
+				try {
+					const result = await fn();
+					span.setStatus({ code: __opentelemetry_api.SpanStatusCode.OK });
+					span.end();
+					resolve(result);
+				} catch (err) {
+					const error = err;
+					span.setStatus({
+						code: __opentelemetry_api.SpanStatusCode.ERROR,
+						message: error.message
+					});
+					span.recordException(error);
+					span.end();
+					logger.error({
+						span: name,
+						error: error.message
+					}, "Span failed");
+					reject(error);
+				}
+			});
+		});
+	};
+	const observability = {
 		logger,
-		context: contextManager,
 		tracer: tracerInstance,
 		meter: meterInstance,
-		features,
 		getTracer: (name) => getTracer(name || serviceName),
 		getMeter: (name, version) => getMeter(name, version),
 		getTraceContext,
 		getActiveSpan,
+		trace: traceInSpan
+	};
+	const httpModule = { createClient: (options) => createHttpClient({
+		...options,
+		foundation
+	}) };
+	const buildHealthStatus = () => {
+		const tracingUp = !features.tracing || !tracingError && isTracingEnabled();
+		const metricsUp = !features.metrics || !metricsError && isMetricsEnabled();
+		const loggingUp = !loggingError;
+		const allUp = tracingUp && metricsUp && loggingUp;
+		const anyDown = features.tracing && tracingError || features.metrics && metricsError || loggingError;
+		return {
+			status: allUp ? "healthy" : anyDown ? "degraded" : "unhealthy",
+			timestamp: new Date().toISOString(),
+			service: serviceName,
+			version: serviceVersion,
+			uptime: Math.floor((Date.now() - startTime) / 1e3),
+			components: {
+				tracing: {
+					enabled: features.tracing,
+					status: !features.tracing ? "disabled" : tracingError ? "down" : "up",
+					message: tracingError
+				},
+				metrics: {
+					enabled: features.metrics,
+					status: !features.metrics ? "disabled" : metricsError ? "down" : "up",
+					message: metricsError
+				},
+				logging: {
+					enabled: features.logging,
+					status: loggingError ? "down" : "up",
+					message: loggingError
+				}
+			}
+		};
+	};
+	const shutdownFn = async () => {
+		logger.info({}, "Shutting down foundation...");
+		const promises = [];
+		if (features.tracing && isTracingEnabled()) promises.push(shutdownTracing());
+		if (features.metrics && isMetricsEnabled()) promises.push(shutdownMetrics());
+		await Promise.all(promises);
+		logger.info({}, "Foundation shutdown complete");
+	};
+	const isReadyFn = () => {
+		if (features.tracing && !tracingError && !isTracingEnabled()) return false;
+		if (features.metrics && !metricsError && !isMetricsEnabled()) return false;
+		return true;
+	};
+	const safeRunFn = async (fn, fallback) => {
+		try {
+			return await fn();
+		} catch (err) {
+			const error = err;
+			logger.error({
+				error: error.message,
+				stack: error.stack
+			}, "safeRun caught error");
+			return fallback;
+		}
+	};
+	const lifecycle = {
+		health: buildHealthStatus,
+		isReady: isReadyFn,
+		shutdown: shutdownFn,
+		safeRun: safeRunFn
+	};
+	const foundation = {
+		config,
+		features,
+		observability,
+		http: httpModule,
+		lifecycle,
+		logger,
+		context: contextManager,
 		fastifyPlugin: createObservabilityPlugin({
 			serviceName,
 			logger,
@@ -759,91 +1150,47 @@ function createFoundation(input) {
 			metricsEnabled: features.metrics && !metricsError,
 			requestLogging: requestLoggingConfig
 		}),
-		createHttpClient: (options) => createHttpClient({
-			...options,
-			foundation
-		}),
-		shutdown: async () => {
-			logger.info({}, "Shutting down foundation...");
-			const promises = [];
-			if (features.tracing && isTracingEnabled()) promises.push(shutdownTracing());
-			if (features.metrics && isMetricsEnabled()) promises.push(shutdownMetrics());
-			await Promise.all(promises);
-			logger.info({}, "Foundation shutdown complete");
+		tracer: tracerInstance,
+		meter: meterInstance,
+		getTracer: (name) => {
+			warnDeprecation("getTracer", "observability.getTracer");
+			return observability.getTracer(name);
+		},
+		getMeter: (name, version) => {
+			warnDeprecation("getMeter", "observability.getMeter");
+			return observability.getMeter(name, version);
+		},
+		getTraceContext: () => {
+			warnDeprecation("getTraceContext", "observability.getTraceContext");
+			return observability.getTraceContext();
+		},
+		getActiveSpan: () => {
+			warnDeprecation("getActiveSpan", "observability.getActiveSpan");
+			return observability.getActiveSpan();
+		},
+		createHttpClient: (options) => {
+			warnDeprecation("createHttpClient", "http.createClient");
+			return httpModule.createClient(options);
+		},
+		shutdown: () => {
+			warnDeprecation("shutdown", "lifecycle.shutdown");
+			return lifecycle.shutdown();
 		},
 		isReady: () => {
-			if (features.tracing && !tracingError && !isTracingEnabled()) return false;
-			if (features.metrics && !metricsError && !isMetricsEnabled()) return false;
-			return true;
+			warnDeprecation("isReady", "lifecycle.isReady");
+			return lifecycle.isReady();
 		},
 		health: () => {
-			const tracingUp = !features.tracing || !tracingError && isTracingEnabled();
-			const metricsUp = !features.metrics || !metricsError && isMetricsEnabled();
-			const loggingUp = !loggingError;
-			const allUp = tracingUp && metricsUp && loggingUp;
-			const anyDown = features.tracing && tracingError || features.metrics && metricsError || loggingError;
-			return {
-				status: allUp ? "healthy" : anyDown ? "degraded" : "unhealthy",
-				timestamp: new Date().toISOString(),
-				service: serviceName,
-				version: serviceVersion,
-				uptime: Math.floor((Date.now() - startTime) / 1e3),
-				components: {
-					tracing: {
-						enabled: features.tracing,
-						status: !features.tracing ? "disabled" : tracingError ? "down" : "up",
-						message: tracingError
-					},
-					metrics: {
-						enabled: features.metrics,
-						status: !features.metrics ? "disabled" : metricsError ? "down" : "up",
-						message: metricsError
-					},
-					logging: {
-						enabled: features.logging,
-						status: loggingError ? "down" : "up",
-						message: loggingError
-					}
-				}
-			};
+			warnDeprecation("health", "lifecycle.health");
+			return lifecycle.health();
 		},
-		trace: async (name, fn) => {
-			const tracer = tracerInstance || getTracer(serviceName);
-			return new Promise((resolve, reject) => {
-				tracer.startActiveSpan(name, async (span) => {
-					try {
-						const result = await fn();
-						span.setStatus({ code: __opentelemetry_api.SpanStatusCode.OK });
-						span.end();
-						resolve(result);
-					} catch (err) {
-						const error = err;
-						span.setStatus({
-							code: __opentelemetry_api.SpanStatusCode.ERROR,
-							message: error.message
-						});
-						span.recordException(error);
-						span.end();
-						logger.error({
-							span: name,
-							error: error.message
-						}, "Span failed");
-						reject(error);
-					}
-				});
-			});
+		trace: (name, fn) => {
+			warnDeprecation("trace", "observability.trace");
+			return observability.trace(name, fn);
 		},
-		safeRun: async (fn, fallback) => {
-			try {
-				return await fn();
-			} catch (err) {
-				const error = err;
-				logger.error({
-					error: error.message,
-					stack: error.stack
-				}, "safeRun caught error");
-				return fallback;
-			}
+		safeRun: (fn, fallback) => {
+			warnDeprecation("safeRun", "lifecycle.safeRun");
+			return lifecycle.safeRun(fn, fallback);
 		}
 	};
 	return foundation;
@@ -851,14 +1198,269 @@ function createFoundation(input) {
 /** Alias for createFoundation */
 const setupObservability = createFoundation;
 
+//#endregion
+//#region src/integrations/object-store/aws-s3.ts
+async function loadAwsS3() {
+	try {
+		const clientMod = await import("@aws-sdk/client-s3");
+		const presignerMod = await import("@aws-sdk/s3-request-presigner");
+		return {
+			S3Client: clientMod.S3Client,
+			PutObjectCommand: clientMod.PutObjectCommand,
+			GetObjectCommand: clientMod.GetObjectCommand,
+			HeadObjectCommand: clientMod.HeadObjectCommand,
+			DeleteObjectCommand: clientMod.DeleteObjectCommand,
+			ListObjectsV2Command: clientMod.ListObjectsV2Command,
+			getSignedUrl: presignerMod.getSignedUrl
+		};
+	} catch (err) {
+		const e = err;
+		throw new Error(`AWS SDK not available. Install optional peer deps: @aws-sdk/client-s3 and @aws-sdk/s3-request-presigner. Original error: ${e.message}`);
+	}
+}
+function normalizeBody(body) {
+	return body;
+}
+/**
+* AwsS3ObjectStore - wraps AWS S3 behind the provider-agnostic `ObjectStore` interface.
+*
+* This implementation uses dynamic imports so `neoiq-foundation-node` can be used without AWS SDK.
+*/
+var AwsS3ObjectStore = class {
+	provider = "aws-s3";
+	clientPromise;
+	awsPromise = loadAwsS3();
+	constructor(options = {}) {
+		if (options.client) {
+			this.clientPromise = Promise.resolve(options.client);
+			return;
+		}
+		this.clientPromise = (async () => {
+			const aws = await this.awsPromise;
+			return new aws.S3Client(options.clientOptions ?? {});
+		})();
+	}
+	async client() {
+		return this.clientPromise;
+	}
+	async putObject(ref, body, options = {}) {
+		const aws = await this.awsPromise;
+		const s3 = await this.client();
+		const res = await s3.send(new aws.PutObjectCommand({
+			Bucket: ref.bucket,
+			Key: ref.key,
+			Body: normalizeBody(body),
+			ContentType: options.contentType,
+			CacheControl: options.cacheControl,
+			Metadata: options.metadata
+		}));
+		return {
+			etag: res?.ETag,
+			versionId: res?.VersionId
+		};
+	}
+	async getObject(ref) {
+		const aws = await this.awsPromise;
+		const s3 = await this.client();
+		const res = await s3.send(new aws.GetObjectCommand({
+			Bucket: ref.bucket,
+			Key: ref.key
+		}));
+		if (!res?.Body) {
+			const err = new Error(`S3 GetObject returned empty body: ${ref.bucket}/${ref.key}`);
+			err.code = "EMPTY_BODY";
+			throw err;
+		}
+		return {
+			body: res.Body,
+			contentType: res.ContentType,
+			contentLength: res.ContentLength,
+			etag: res.ETag,
+			versionId: res.VersionId,
+			metadata: res.Metadata,
+			lastModified: res.LastModified
+		};
+	}
+	async headObject(ref) {
+		const aws = await this.awsPromise;
+		const s3 = await this.client();
+		try {
+			const res = await s3.send(new aws.HeadObjectCommand({
+				Bucket: ref.bucket,
+				Key: ref.key
+			}));
+			return {
+				exists: true,
+				contentType: res.ContentType,
+				contentLength: res.ContentLength,
+				etag: res.ETag,
+				versionId: res.VersionId,
+				metadata: res.Metadata,
+				lastModified: res.LastModified
+			};
+		} catch (err) {
+			const e = err;
+			const name = String(e?.name || "");
+			const httpStatus = e?.$metadata?.httpStatusCode;
+			if (httpStatus === 404 || name.includes("NotFound") || name.includes("NoSuchKey")) return { exists: false };
+			throw err;
+		}
+	}
+	async deleteObject(ref) {
+		const aws = await this.awsPromise;
+		const s3 = await this.client();
+		await s3.send(new aws.DeleteObjectCommand({
+			Bucket: ref.bucket,
+			Key: ref.key
+		}));
+	}
+	async listObjects(options) {
+		const aws = await this.awsPromise;
+		const s3 = await this.client();
+		const res = await s3.send(new aws.ListObjectsV2Command({
+			Bucket: options.bucket,
+			Prefix: options.prefix,
+			ContinuationToken: options.continuationToken,
+			MaxKeys: options.maxKeys
+		}));
+		return {
+			objects: (res?.Contents ?? []).map((o) => ({
+				key: o.Key,
+				size: o.Size,
+				etag: o.ETag,
+				lastModified: o.LastModified
+			})),
+			nextContinuationToken: res?.NextContinuationToken
+		};
+	}
+	async presignGetObject(ref, options) {
+		const aws = await this.awsPromise;
+		const s3 = await this.client();
+		return aws.getSignedUrl(s3, new aws.GetObjectCommand({
+			Bucket: ref.bucket,
+			Key: ref.key,
+			ResponseContentType: options.responseContentType
+		}), { expiresIn: options.expiresInSeconds });
+	}
+	async presignPutObject(ref, options) {
+		const aws = await this.awsPromise;
+		const s3 = await this.client();
+		return aws.getSignedUrl(s3, new aws.PutObjectCommand({
+			Bucket: ref.bucket,
+			Key: ref.key,
+			ContentType: options.contentType
+		}), { expiresIn: options.expiresInSeconds });
+	}
+};
+
+//#endregion
+//#region src/integrations/object-store/in-memory.ts
+function toBuffer(body) {
+	if (typeof body === "string") return Buffer.from(body);
+	if (Buffer.isBuffer(body)) return body;
+	if (body instanceof Uint8Array) return Buffer.from(body);
+	return new Promise((resolve, reject) => {
+		const chunks = [];
+		body.on("data", (chunk) => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
+		body.on("end", () => resolve(Buffer.concat(chunks)));
+		body.on("error", reject);
+	});
+}
+function simpleEtag(buf) {
+	return `mem-${buf.length}-${buf.subarray(0, 8).toString("hex")}`;
+}
+/**
+* InMemoryObjectStore - useful for local dev, unit tests, and as a safe default.
+* NOTE: presign* methods are not meaningful here and will throw.
+*/
+var InMemoryObjectStore = class {
+	provider = "in-memory";
+	buckets = new Map();
+	bucketMap(bucket) {
+		let m = this.buckets.get(bucket);
+		if (!m) {
+			m = new Map();
+			this.buckets.set(bucket, m);
+		}
+		return m;
+	}
+	async putObject(ref, body, options = {}) {
+		const buf = await toBuffer(body);
+		const obj = {
+			body: buf,
+			contentType: options.contentType,
+			cacheControl: options.cacheControl,
+			metadata: options.metadata,
+			etag: simpleEtag(buf),
+			lastModified: new Date()
+		};
+		this.bucketMap(ref.bucket).set(ref.key, obj);
+		return { etag: obj.etag };
+	}
+	async getObject(ref) {
+		const obj = this.bucketMap(ref.bucket).get(ref.key);
+		if (!obj) {
+			const err = new Error(`Object not found: ${ref.bucket}/${ref.key}`);
+			err.code = "OBJECT_NOT_FOUND";
+			throw err;
+		}
+		return {
+			body: node_stream.Readable.from(obj.body),
+			contentType: obj.contentType,
+			contentLength: obj.body.length,
+			etag: obj.etag,
+			metadata: obj.metadata,
+			lastModified: obj.lastModified
+		};
+	}
+	async headObject(ref) {
+		const obj = this.bucketMap(ref.bucket).get(ref.key);
+		if (!obj) return { exists: false };
+		return {
+			exists: true,
+			contentType: obj.contentType,
+			contentLength: obj.body.length,
+			etag: obj.etag,
+			metadata: obj.metadata,
+			lastModified: obj.lastModified
+		};
+	}
+	async deleteObject(ref) {
+		this.bucketMap(ref.bucket).delete(ref.key);
+	}
+	async listObjects(options) {
+		const { bucket, prefix = "" } = options;
+		const map = this.bucketMap(bucket);
+		const objects = [...map.entries()].filter(([key]) => key.startsWith(prefix)).map(([key, obj]) => ({
+			key,
+			size: obj.body.length,
+			etag: obj.etag,
+			lastModified: obj.lastModified
+		})).sort((a, b) => a.key.localeCompare(b.key));
+		return { objects };
+	}
+	async presignGetObject(_ref, _options) {
+		throw new Error("InMemoryObjectStore does not support presigned URLs");
+	}
+	async presignPutObject(_ref, _options) {
+		throw new Error("InMemoryObjectStore does not support presigned URLs");
+	}
+};
+
 //#endregion
 exports.AutoInstrumentationConfigSchema = AutoInstrumentationConfigSchema
+exports.AwsS3ObjectStore = AwsS3ObjectStore
 exports.FeaturesConfigSchema = FeaturesConfigSchema
 exports.FoundationConfigSchema = FoundationConfigSchema
+exports.InMemoryObjectStore = InMemoryObjectStore
 exports.LoggingConfigSchema = LoggingConfigSchema
 exports.OtelConfigSchema = OtelConfigSchema
+exports.REDACT_PATHS = REDACT_PATHS
+exports.RedactionConfigSchema = RedactionConfigSchema
 exports.RequestLoggingConfigSchema = RequestLoggingConfigSchema
+exports.ShutdownConfigSchema = ShutdownConfigSchema
 exports.SpanStatusCode = __opentelemetry_api.SpanStatusCode
+exports.buildPinoRedactConfig = buildPinoRedactConfig
 exports.context = __opentelemetry_api.context
 exports.createContextManager = createContextManager
 exports.createFallbackLogger = createFallbackLogger
@@ -877,6 +1479,7 @@ exports.isTracingEnabled = isTracingEnabled
 exports.metrics = __opentelemetry_api.metrics
 exports.parseConfig = parseConfig
 exports.propagation = __opentelemetry_api.propagation
+exports.sanitizeBody = sanitizeBody
 exports.setGlobalLogger = setGlobalLogger
 exports.setupMetrics = setupMetrics
 exports.setupObservability = setupObservability