@harness-fe/runtime 3.0.1 → 3.2.0

package/dist/fetchPatch.js

@@ -1,311 +0,0 @@
-/**
- * fetch monkey-patch — captures URL/method/headers/body for request and
- * response, including streaming SSE responses, without changing
- * business-observable fetch behavior.
- *
- * Safety contract (do not weaken without updating the spec):
- *  1. Identity-preserving: replacement is a named `fetch`, with
- *     defineProperty'd name/length/toString so library fingerprint checks
- *     still pass. Response / Request instances are NOT wrapped.
- *  2. Error-isolated: capture failures are swallowed via `safeEmit`; they
- *     NEVER propagate to business code.
- *  3. No timing or value change: the original Promise is returned to the
- *     caller unchanged. body capture reads `response.clone()` on a side
- *     branch — the business path retains an untouched stream.
- *  4. Self-traffic guard: requests carrying `init.__hfeInternal === true`
- *     short-circuit to the original fetch. A URL denylist also skips HMR /
- *     dev-server traffic to prevent capture feedback loops.
- *  5. Bounded memory: bodies are capped at BODY_CAP per request. SSE
- *     streams stop accumulating and `cancel()` the cloned reader once
- *     the cap is hit.
- *
- * The patch is idempotent (re-install is a no-op) and returns a dispose
- * function that restores the original `window.fetch`.
- */
-const DEFAULT_BODY_CAP = 256 * 1024;
-const INTERNAL_FLAG = '__hfeInternal';
-const PATCHED_FLAG = '__hfePatched';
-const DEFAULT_DENYLIST = [/\/__hfe\//, /sockjs-node/, /\.hot-update\./];
-const SENSITIVE_HEADER = /^(authorization|cookie|x-api-key|x-auth-.+)$/i;
-/**
- * Install the fetch patch. Returns a dispose function that restores the
- * original window.fetch. Safe to call multiple times (subsequent calls
- * are no-ops while a patch is active).
- */
-export function installFetchPatch(opts) {
-    if (typeof window === 'undefined' || typeof window.fetch !== 'function') {
-        return () => { };
-    }
-    const original = window.fetch;
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    if (original[PATCHED_FLAG])
-        return () => { };
-    const bodyCap = opts.bodyCap ?? DEFAULT_BODY_CAP;
-    const denylist = opts.denylist ?? DEFAULT_DENYLIST;
-    const emit = (entry) => safeEmit(opts.onEntry, entry);
-    // Named function so .name === 'fetch'.
-    const patched = function fetch(input, init) {
-        // Self-traffic short-circuit — internal requests bypass capture.
-        if (init && init[INTERNAL_FLAG]) {
-            return original.call(this, input, init);
-        }
-        const meta = extractRequestMeta(input, init);
-        if (denylist.some((re) => re.test(meta.url))) {
-            return original.call(this, input, init);
-        }
-        const id = generateId();
-        const startedAt = performance.now();
-        const startedTs = Date.now();
-        // Emit request record eagerly (req body is read async — second emit
-        // updates the record once body is serialized; consumers join by id).
-        const reqRecord = {
-            ts: startedTs,
-            id,
-            phase: 'req',
-            method: meta.method,
-            url: meta.url,
-            requestHeaders: meta.headers,
-        };
-        emit(reqRecord);
-        cloneRequestBody(input, init, bodyCap).then(({ body, truncated }) => {
-            if (body === undefined && !truncated)
-                return;
-            emit({
-                ...reqRecord,
-                requestBody: body,
-                requestBodyTruncated: truncated || undefined,
-            });
-        }, () => {
-            /* serialization error — ignore, req already emitted */
-        });
-        const promise = original.call(this, input, init);
-        promise.then((response) => {
-            let cloned;
-            try {
-                cloned = response.clone();
-            }
-            catch {
-                emit({
-                    ts: Date.now(),
-                    id,
-                    phase: 'res',
-                    method: meta.method,
-                    url: meta.url,
-                    status: response.status,
-                    responseHeaders: headersToObject(response.headers),
-                    durationMs: performance.now() - startedAt,
-                });
-                return;
-            }
-            const finalize = (body, truncated) => {
-                emit({
-                    ts: Date.now(),
-                    id,
-                    phase: 'res',
-                    method: meta.method,
-                    url: meta.url,
-                    status: response.status,
-                    responseHeaders: headersToObject(response.headers),
-                    responseBody: body,
-                    responseBodyTruncated: truncated || undefined,
-                    durationMs: performance.now() - startedAt,
-                });
-            };
-            const ct = response.headers.get('content-type') ?? '';
-            if (isSSE(ct)) {
-                pumpSSE(cloned, bodyCap, finalize);
-            }
-            else if (isTextLike(ct)) {
-                readTextWithCap(cloned, bodyCap).then(({ body, truncated }) => finalize(maybeParseJson(body, ct), truncated), () => finalize(undefined, false));
-            }
-            else {
-                // Binary or unknown: only record size, do not pull bytes.
-                cloned.arrayBuffer().then((buf) => finalize(`[binary ${buf.byteLength}B]`, false), () => finalize(undefined, false));
-            }
-        }, (err) => {
-            emit({
-                ts: Date.now(),
-                id,
-                phase: 'res',
-                method: meta.method,
-                url: meta.url,
-                durationMs: performance.now() - startedAt,
-                error: err instanceof Error ? err.message : String(err),
-            });
-        });
-        return promise;
-    };
-    // Preserve fingerprint — library detection commonly inspects these.
-    try {
-        Object.defineProperty(patched, 'name', { value: 'fetch' });
-        Object.defineProperty(patched, 'length', { value: original.length });
-        Object.defineProperty(patched, 'toString', {
-            value: () => original.toString(),
-        });
-    }
-    catch {
-        /* sealed property — safe to skip */
-    }
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    patched[PATCHED_FLAG] = true;
-    window.fetch = patched;
-    return () => {
-        if (window.fetch === patched) {
-            window.fetch = original;
-        }
-    };
-}
-// ─── helpers ────────────────────────────────────────────────────────────────
-function generateId() {
-    try {
-        return crypto.randomUUID();
-    }
-    catch {
-        return `${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
-    }
-}
-function extractRequestMeta(input, init) {
-    let url;
-    let method = 'GET';
-    let headers;
-    if (typeof input === 'string') {
-        url = input;
-    }
-    else if (input instanceof URL) {
-        url = input.toString();
-    }
-    else {
-        url = input.url;
-        method = input.method;
-        headers = headersToObject(input.headers);
-    }
-    if (init?.method)
-        method = init.method;
-    if (init?.headers) {
-        headers = { ...(headers ?? {}), ...(headersToObject(init.headers) ?? {}) };
-    }
-    return { url, method, headers };
-}
-function headersToObject(h) {
-    if (!h)
-        return undefined;
-    const out = {};
-    if (h instanceof Headers) {
-        h.forEach((v, k) => {
-            out[k] = v;
-        });
-    }
-    else if (Array.isArray(h)) {
-        for (const [k, v] of h)
-            out[k] = v;
-    }
-    else {
-        Object.assign(out, h);
-    }
-    return redactHeaders(out);
-}
-function redactHeaders(h) {
-    const out = {};
-    for (const [k, v] of Object.entries(h)) {
-        out[k] = SENSITIVE_HEADER.test(k) ? `[redacted ${String(v).length}]` : v;
-    }
-    return out;
-}
-async function cloneRequestBody(input, init, cap) {
-    if (init?.body !== undefined && init.body !== null) {
-        return serializeBodyInit(init.body, cap);
-    }
-    if (input instanceof Request && input.body) {
-        try {
-            const text = await input.clone().text();
-            return capText(text, cap);
-        }
-        catch {
-            return { truncated: false };
-        }
-    }
-    return { truncated: false };
-}
-function serializeBodyInit(body, cap) {
-    if (typeof body === 'string')
-        return capText(body, cap);
-    if (typeof FormData !== 'undefined' && body instanceof FormData) {
-        const obj = {};
-        body.forEach((v, k) => {
-            obj[k] = typeof v === 'string'
-                ? v
-                : `[File ${v.name} ${v.size}B]`;
-        });
-        return { body: obj, truncated: false };
-    }
-    if (typeof URLSearchParams !== 'undefined' && body instanceof URLSearchParams) {
-        return { body: body.toString(), truncated: false };
-    }
-    if (typeof Blob !== 'undefined' && body instanceof Blob) {
-        return { body: `[Blob ${body.size}B]`, truncated: false };
-    }
-    if (body instanceof ArrayBuffer) {
-        return { body: `[ArrayBuffer ${body.byteLength}B]`, truncated: false };
-    }
-    if (ArrayBuffer.isView(body)) {
-        return { body: `[${body.constructor.name} ${body.byteLength}B]`, truncated: false };
-    }
-    return { body: '[unknown body]', truncated: false };
-}
-function capText(text, cap) {
-    if (text.length > cap)
-        return { body: text.slice(0, cap), truncated: true };
-    return { body: text, truncated: false };
-}
-async function readTextWithCap(res, cap) {
-    const text = await res.text();
-    return capText(text, cap);
-}
-function maybeParseJson(text, contentType) {
-    if (!/json/i.test(contentType))
-        return text;
-    try {
-        return JSON.parse(text);
-    }
-    catch {
-        return text;
-    }
-}
-function isSSE(ct) {
-    return /text\/event-stream/i.test(ct);
-}
-function isTextLike(ct) {
-    return /json|text|xml|javascript|x-www-form-urlencoded/i.test(ct);
-}
-function pumpSSE(res, cap, done) {
-    if (!res.body || typeof res.body.getReader !== 'function') {
-        return done('', false);
-    }
-    const reader = res.body.getReader();
-    const dec = new TextDecoder();
-    let total = '';
-    let truncated = false;
-    const step = () => {
-        reader.read().then(({ done: end, value }) => {
-            if (end)
-                return done(total, truncated);
-            total += dec.decode(value, { stream: true });
-            if (total.length > cap) {
-                total = total.slice(0, cap);
-                truncated = true;
-                reader.cancel().catch(() => { });
-                return done(total, truncated);
-            }
-            step();
-        }, () => done(total, truncated));
-    };
-    step();
-}
-function safeEmit(fn, entry) {
-    try {
-        fn(entry);
-    }
-    catch {
-        /* swallow — capture must not break business */
-    }
-}

package/dist/xhrPatch.d.ts

@@ -1,26 +0,0 @@
-/**
- * XMLHttpRequest monkey-patch — captures URL/method/headers/body for
- * request and response WITHOUT replacing the XMLHttpRequest constructor.
- *
- * The previous implementation wrapped `window.XMLHttpRequest` with a new
- * constructor, which broke `xhr instanceof XMLHttpRequest` checks in
- * business code. This patch attaches per-instance metadata via a
- * non-enumerable Symbol key and overrides only prototype methods, leaving
- * the constructor and prototype chain native.
- *
- * Capture rules mirror fetchPatch.ts:
- *  - 256 KB body cap with content-type routing (json / text / binary)
- *  - Sensitive header redaction (Authorization / Cookie / x-api-key / x-auth-*)
- *  - Two events per request keyed by a shared `id` (`phase: 'req' | 'res'`)
- *  - Errors inside capture are swallowed via `safeEmit`
- *  - `__hfeInternal` opt-out via a magic header `x-hfe-internal: 1`
- *    (XHR has no init-style options bag like fetch)
- *  - Idempotent install + dispose() restores original prototype methods
- */
-import type { NetworkEntry } from '@harness-fe/protocol';
-export interface XhrPatchOptions {
-    onEntry: (entry: NetworkEntry) => void;
-    bodyCap?: number;
-    denylist?: RegExp[];
-}
-export declare function installXhrPatch(opts: XhrPatchOptions): () => void;

package/dist/xhrPatch.js

@@ -1,269 +0,0 @@
-/**
- * XMLHttpRequest monkey-patch — captures URL/method/headers/body for
- * request and response WITHOUT replacing the XMLHttpRequest constructor.
- *
- * The previous implementation wrapped `window.XMLHttpRequest` with a new
- * constructor, which broke `xhr instanceof XMLHttpRequest` checks in
- * business code. This patch attaches per-instance metadata via a
- * non-enumerable Symbol key and overrides only prototype methods, leaving
- * the constructor and prototype chain native.
- *
- * Capture rules mirror fetchPatch.ts:
- *  - 256 KB body cap with content-type routing (json / text / binary)
- *  - Sensitive header redaction (Authorization / Cookie / x-api-key / x-auth-*)
- *  - Two events per request keyed by a shared `id` (`phase: 'req' | 'res'`)
- *  - Errors inside capture are swallowed via `safeEmit`
- *  - `__hfeInternal` opt-out via a magic header `x-hfe-internal: 1`
- *    (XHR has no init-style options bag like fetch)
- *  - Idempotent install + dispose() restores original prototype methods
- */
-const DEFAULT_BODY_CAP = 256 * 1024;
-const PATCHED_FLAG = '__hfeXhrPatched';
-const META_KEY = Symbol.for('@harness-fe/xhr-meta');
-const INTERNAL_HEADER = 'x-hfe-internal';
-const SENSITIVE_HEADER = /^(authorization|cookie|x-api-key|x-auth-.+)$/i;
-export function installXhrPatch(opts) {
-    if (typeof XMLHttpRequest === 'undefined')
-        return () => { };
-    const proto = XMLHttpRequest.prototype;
-    if (proto[PATCHED_FLAG])
-        return () => { };
-    const bodyCap = opts.bodyCap ?? DEFAULT_BODY_CAP;
-    const denylist = opts.denylist ?? [];
-    const emit = (entry) => safeEmit(opts.onEntry, entry);
-    const origOpen = proto.open;
-    const origSetHeader = proto.setRequestHeader;
-    const origSend = proto.send;
-    const patchedOpen = function open(method, url, ...rest) {
-        const meta = {
-            id: generateId(),
-            method,
-            url: typeof url === 'string' ? url : url.toString(),
-            headers: {},
-            startedAt: 0,
-            startedTs: 0,
-            bodyCap,
-            internal: false,
-            skipped: denylist.some((re) => re.test(typeof url === 'string' ? url : url.toString())),
-            reqEmitted: false,
-        };
-        this[META_KEY] = meta;
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        return origOpen.call(this, method, url, ...rest);
-    };
-    const patchedSetHeader = function setRequestHeader(name, value) {
-        const meta = this[META_KEY];
-        if (meta) {
-            if (name.toLowerCase() === INTERNAL_HEADER) {
-                meta.internal = true;
-            }
-            else {
-                meta.headers[name] = value;
-            }
-        }
-        // Do NOT forward the internal sentinel to the server.
-        if (name.toLowerCase() === INTERNAL_HEADER)
-            return;
-        return origSetHeader.call(this, name, value);
-    };
-    const patchedSend = function send(body) {
-        const meta = this[META_KEY];
-        if (!meta || meta.internal || meta.skipped) {
-            return origSend.call(this, body ?? null);
-        }
-        meta.startedAt = performance.now();
-        meta.startedTs = Date.now();
-        // Emit req eagerly with headers; body added on second emit after
-        // serialization (mirrors fetchPatch behavior).
-        const reqRecord = {
-            ts: meta.startedTs,
-            id: meta.id,
-            phase: 'req',
-            method: meta.method,
-            url: meta.url,
-            requestHeaders: redactHeaders(meta.headers),
-        };
-        emit(reqRecord);
-        meta.reqEmitted = true;
-        const serialized = serializeBody(body, meta.bodyCap);
-        if (serialized.body !== undefined || serialized.truncated) {
-            emit({
-                ...reqRecord,
-                requestBody: serialized.body,
-                requestBodyTruncated: serialized.truncated || undefined,
-            });
-        }
-        this.addEventListener('loadend', () => {
-            const status = this.status;
-            const ct = safeGetResponseHeader(this, 'content-type') ?? '';
-            const respHeaders = parseAllResponseHeaders(this);
-            const isErr = status === 0;
-            const baseRes = {
-                ts: Date.now(),
-                id: meta.id,
-                phase: 'res',
-                method: meta.method,
-                url: meta.url,
-                status: isErr ? undefined : status,
-                responseHeaders: respHeaders,
-                durationMs: performance.now() - meta.startedAt,
-            };
-            if (isErr) {
-                emit({ ...baseRes, error: 'xhr error or aborted' });
-                return;
-            }
-            if (isTextLike(ct)) {
-                const text = safeReadResponseText(this);
-                if (text === undefined) {
-                    emit(baseRes);
-                    return;
-                }
-                const capped = capText(text, meta.bodyCap);
-                emit({
-                    ...baseRes,
-                    responseBody: /json/i.test(ct) ? safeParseJson(capped.body) : capped.body,
-                    responseBodyTruncated: capped.truncated || undefined,
-                });
-            }
-            else {
-                // Binary or unknown → don't pull bytes, just record size when available.
-                const len = Number(safeGetResponseHeader(this, 'content-length') ?? '0') || 0;
-                emit({
-                    ...baseRes,
-                    responseBody: len ? `[binary ${len}B]` : '[binary]',
-                });
-            }
-        });
-        return origSend.call(this, body ?? null);
-    };
-    proto.open = patchedOpen;
-    proto.setRequestHeader = patchedSetHeader;
-    proto.send = patchedSend;
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    proto[PATCHED_FLAG] = true;
-    return () => {
-        // Only restore if we still own the patch — don't clobber a later patch.
-        if (proto.open !== patchedOpen)
-            return;
-        proto.open = origOpen;
-        proto.setRequestHeader = origSetHeader;
-        proto.send = origSend;
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        delete proto[PATCHED_FLAG];
-    };
-}
-// ─── helpers ────────────────────────────────────────────────────────────────
-function generateId() {
-    try {
-        return crypto.randomUUID();
-    }
-    catch {
-        return `${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
-    }
-}
-function redactHeaders(h) {
-    const out = {};
-    for (const [k, v] of Object.entries(h)) {
-        out[k] = SENSITIVE_HEADER.test(k) ? `[redacted ${String(v).length}]` : v;
-    }
-    return out;
-}
-function serializeBody(body, cap) {
-    if (body === undefined || body === null)
-        return { truncated: false };
-    if (typeof body === 'string')
-        return capText(body, cap);
-    if (typeof FormData !== 'undefined' && body instanceof FormData) {
-        const obj = {};
-        body.forEach((v, k) => {
-            obj[k] = typeof v === 'string'
-                ? v
-                : `[File ${v.name} ${v.size}B]`;
-        });
-        return { body: obj, truncated: false };
-    }
-    if (typeof URLSearchParams !== 'undefined' && body instanceof URLSearchParams) {
-        return { body: body.toString(), truncated: false };
-    }
-    if (typeof Blob !== 'undefined' && body instanceof Blob) {
-        return { body: `[Blob ${body.size}B]`, truncated: false };
-    }
-    if (body instanceof ArrayBuffer) {
-        return { body: `[ArrayBuffer ${body.byteLength}B]`, truncated: false };
-    }
-    if (ArrayBuffer.isView(body)) {
-        return {
-            body: `[${body.constructor.name} ${body.byteLength}B]`,
-            truncated: false,
-        };
-    }
-    if (typeof Document !== 'undefined' && body instanceof Document) {
-        return { body: '[Document]', truncated: false };
-    }
-    return { body: '[unknown body]', truncated: false };
-}
-function capText(text, cap) {
-    if (text.length > cap)
-        return { body: text.slice(0, cap), truncated: true };
-    return { body: text, truncated: false };
-}
-function safeGetResponseHeader(xhr, name) {
-    try {
-        return xhr.getResponseHeader(name);
-    }
-    catch {
-        return null;
-    }
-}
-function parseAllResponseHeaders(xhr) {
-    let raw;
-    try {
-        raw = xhr.getAllResponseHeaders();
-    }
-    catch {
-        return undefined;
-    }
-    if (!raw)
-        return undefined;
-    const out = {};
-    for (const line of raw.split('\r\n')) {
-        const idx = line.indexOf(':');
-        if (idx < 0)
-            continue;
-        const k = line.slice(0, idx).trim();
-        const v = line.slice(idx + 1).trim();
-        if (k)
-            out[k] = v;
-    }
-    return Object.keys(out).length ? redactHeaders(out) : undefined;
-}
-function safeReadResponseText(xhr) {
-    try {
-        // responseType must be '' or 'text' to access responseText.
-        if (xhr.responseType !== '' && xhr.responseType !== 'text')
-            return undefined;
-        return xhr.responseText;
-    }
-    catch {
-        return undefined;
-    }
-}
-function safeParseJson(text) {
-    try {
-        return JSON.parse(text);
-    }
-    catch {
-        return text;
-    }
-}
-function isTextLike(ct) {
-    return /json|text|xml|javascript|x-www-form-urlencoded/i.test(ct);
-}
-function safeEmit(fn, entry) {
-    try {
-        fn(entry);
-    }
-    catch {
-        /* swallow */
-    }
-}