@http-forge/core 0.2.7 → 0.2.9

package/README.md

@@ -13,14 +13,15 @@
 - 🚀 **Postman Collections** - Load and execute `.postman_collection.json` and `.forge.json` files
 - 📝 **JavaScript Scripting** - Pre-request and post-response scripts with full `pm.*` API (variables, assertions, execution flow, visualizer)
 - 🔄 **Dynamic Variables** - Built-in generators: `{{$randomInt}}`, `{{$timestamp}}`, `{{$uuid}}`, `{{$guid}}`, etc.
-- 🌍 **Environments** - Full variable scoping (globals, collection, environment, session, iterationData)
+- 🌍 **Environments** - Full variable scoping (globals, collection, environment, iterationData) with Postman-compatible cascade
 - 👁️ **File Watching** - Automatic reload on collection/environment file changes with notification callbacks
 - 🍪 **Cookie Persistence** - Automatic cookie storage and reuse, `pm.cookies.jar()` and `.toObject()`
 - 📊 **Test Assertions** - BDD-style testing with `pm.test()` (sync/async) and full Chai `expect()` chains
 - 🔐 **CryptoJS** - Full crypto library: hash, HMAC, AES/DES/TripleDES, PBKDF2, encoding helpers
 - 🎯 **Execution Flow** - `pm.setNextRequest()`, `pm.execution.skipRequest()` for suite runner flow control
 - 📈 **Visualizer** - `pm.visualizer.set(template, data)` for custom Handlebars-based HTML output
-- 🔌 **Extensible** - Custom interceptors, HTTP clients, and module loaders
+- �️ **Sensitive Data Redaction** - Auto-redacts tokens, passwords, secrets from persisted history/result files
+- �🔌 **Extensible** - Custom interceptors, HTTP clients, and module loaders
 
 **Ideal for:**
 - CI/CD pipeline integration (GitHub Actions, GitLab CI, Jenkins)
@@ -379,6 +380,47 @@ const entries = history.getAll();         // All requests
 const byId = history.getByRequestId(id);  // Specific request history
 ```
 
+### 🛡️ Sensitive Data Redaction
+
+History and result files automatically redact sensitive data before writing to disk. This prevents tokens, passwords, and credentials from being persisted in plaintext.
+
+```typescript
+import {
+    redactHeaders, redactUrl, redactBody,
+    redactHistoryEntry, redactFullResponse, redactFullResultDetails
+} from '@http-forge/core';
+
+// Redact sensitive headers
+redactHeaders({ 'Authorization': 'Bearer eyJ...', 'Content-Type': 'application/json' });
+// → { 'Authorization': '***', 'Content-Type': 'application/json' }
+
+// Any header containing 'token', 'cookie', 'secret' is redacted
+redactHeaders({ 'avs-token': 'abc123', 'telus-access-token-cookie': 'xyz' });
+// → { 'avs-token': '***', 'telus-access-token-cookie': '***' }
+
+// Redact sensitive URL query params
+redactUrl('https://api.example.com/auth?client_secret=abc&scope=read');
+// → 'https://api.example.com/auth?client_secret=***&scope=read'
+
+// Redact sensitive JSON body fields (recursive)
+redactBody({ user: 'admin', password: 'hunter2', data: { api_token: 'xyz' } });
+// → { user: 'admin', password: '***', data: { api_token: '***' } }
+
+// Redact URL-encoded form bodies
+redactBody('username=admin&password=secret&grant_type=password');
+// → 'username=admin&password=***&grant_type=***'
+```
+
+**Auto-detected patterns:**
+- **Headers**: `authorization`, `proxy-authorization`, `www-authenticate`, and any header containing `token`, `cookie`, `secret`, `credential`, `api-key`, `bearer`, `session-id`
+- **Fields/Params**: Any name containing `password`, `passwd`, `pwd`, `token`, `cookie`, `secret`, `credential`, `api_key`, `access_token`, `refresh_token`, `client_secret`, `private_key`, `auth_code`, `bearer`, `session_id`, `jwt`
+
+**Integration points:**
+- `RequestHistoryService.addEntry()` — redacts `sentRequest` (headers, body, URL) before saving
+- `RequestHistoryService.saveFullResponse()` — redacts response headers and cookies
+- `ResultStorageService.saveResult()` — redacts request/response headers and body in suite results
+- `originalConfig` (unresolved `{{variable}}` templates) is never redacted — only resolved values
+
 ## 📖 API Reference
 
 ### ForgeContainer
@@ -753,6 +795,23 @@ MIT © Henry Huang
 
 ## 📝 Changelog
 
+### 0.2.7 (Session Scope Removal & Postman Parity)
+
+- ✅ **Session scope removed** — The separate "session" variable scope has been removed. `pm.environment.set()` now persists to workspace state (matching Postman's behavior). Variable resolution uses a Postman-compatible 5-scope cascade: `variables > iterationData > environmentVariables > collectionVariables > globals`.
+- ✅ **Request preparer extraVariables fix** — All request resolutions (params, query, headers, bearer auth, basic auth, API key) now use `extraVariables`. Previously only body and URL used them.
+- ✅ **Exported `ResolvedEnvironment` type** — Now part of the public API for downstream consumers.
+
+### 0.2.6 (Sensitive Data Redaction & Variable Propagation Fix)
+
+- ✅ **Sensitive data redaction** — History files, shared history, suite test results, and full response files automatically redact sensitive data before persisting to disk:
+  - Headers matching `authorization`, `proxy-authorization`, or containing `token`, `cookie`, `secret`, `credential`, `api-key`, `bearer`, `session-id`
+  - URL query params and JSON/form body fields matching `password`, `token`, `secret`, `api_key`, `client_secret`, `private_key`, `auth_code`, `jwt`, etc.
+  - Response `Set-Cookie` headers and cookies with sensitive names
+  - Unresolved `{{variable}}` templates in `originalConfig` are preserved — only resolved values redacted
+  - Exported functions: `redactHeaders()`, `redactUrl()`, `redactBody()`, `redactHistoryEntry()`, `redactFullResponse()`, `redactFullResultDetails()`
+- ✅ **Fixed `pm.environment.set()` propagation** — Post-response script `pm.environment.set()` now correctly propagates to `{{variable}}` resolution in subsequent collection runner requests. The session now uses live scope references instead of a disconnected snapshot.
+- ✅ **Cookie jar flush in collection runner** — `flush()` is now called in the `finally` block ensuring script-set cookies persist to the shared session store after a run completes.
+
 ### 0.2.5 (OpenAPI Constraint Round-Trip & Collision Merging)
 
 - ✅ **Full parameter constraint round-trip** — OpenAPI import/export now preserves all schema constraint fields: `pattern`, `minimum`, `maximum`, `exclusiveMinimum`, `exclusiveMaximum`, `minLength`, `maxLength`, and `oneOf` on both `KeyValueEntry` and `PathParamEntry`
@@ -791,7 +850,7 @@ MIT © Henry Huang
 - ✅ **Core request execution** with Postman collection support
 - ✅ **Dynamic variables** - 7 generators for on-the-fly value generation
 - ✅ **Postman-compatible scripting** - `pm.*` API with full feature parity
-- ✅ **Variable scoping** - globals, collection, environment, session, flow-level
+- ✅ **Variable scoping** - globals, collection, environment, workspace-state persistence for `pm.environment.set()`
 - ✅ **Cookie persistence** - automatic storage and reuse across request chains
 - ✅ **Pre-request & post-response scripts** with shared VM context
 - ✅ **Test assertions** with BDD-style `pm.test()` and expect chains

package/dist/index.d.ts

@@ -18,7 +18,7 @@
  */
 export { ForgeContainer } from './container';
 export type { ForgeContainerOptions, StorageFormat } from './container';
-export { ServiceContainer, ServiceIdentifiers, getServiceContainer, registerCoreServices } from './di';
+export { getServiceContainer, registerCoreServices, ServiceContainer, ServiceIdentifiers } from './di';
 export type { PlatformAdapters, ServiceIdentifier } from './di';
 export * from './types/console-service';
 export * from './types/platform';
@@ -32,7 +32,7 @@ export { PersistentCookieJar } from './infrastructure/cookie/persistent-cookie-j
 export { FetchHttpClient } from './infrastructure/http/fetch-http-client';
 export { HttpRequestService } from './infrastructure/http/http-request-service';
 export { InterceptorChain, LoggingRequestInterceptor, RetryErrorInterceptor, TimingResponseInterceptor } from './infrastructure/http/interceptor-chain';
-export type { IErrorInterceptor, IInterceptorChain, IRequestInterceptor, IResponseInterceptor, InterceptorContext } from './infrastructure/http/interceptor-chain';
+export type { IErrorInterceptor, IInterceptorChain, InterceptorContext, IRequestInterceptor, IResponseInterceptor } from './infrastructure/http/interceptor-chain';
 export type { IHttpRequestService } from './infrastructure/http/interfaces';
 export { mergeRequestSettings } from './infrastructure/http/merge-request-settings';
 export { DEFAULT_REQUEST_SETTINGS, NodeHttpClient } from './infrastructure/http/native-http-client';
@@ -41,7 +41,7 @@ export type { IRequestPreprocessor } from './infrastructure/http/request-preproc
 export { UrlBuilder } from './infrastructure/http/url-builder';
 export type { IUrlBuilder } from './infrastructure/http/url-builder';
 export * from './infrastructure/script/interfaces';
-export { ModuleLoader, createLodashShim, createModuleLoader, createMomentShim } from './infrastructure/script/module-loader';
+export { createLodashShim, createModuleLoader, createMomentShim, ModuleLoader } from './infrastructure/script/module-loader';
 export type { ModuleLoaderOptions } from './infrastructure/script/module-loader';
 export { RequestScriptSession } from './infrastructure/script/request-script-session';
 export type { SessionDependencies } from './infrastructure/script/request-script-session';
@@ -50,6 +50,8 @@ export { createExpectChain, createResponseObject } from './infrastructure/script
 export type { ExpectChain, ResponseAssertions, ScriptResponse } from './infrastructure/script/script-factories';
 export { concatenateScripts, createScriptConsole, createTestFunction, formatConsoleOutput, hasChanged, normalizeHeaders } from './infrastructure/script/script-utils';
 export type { ConsoleMessage } from './infrastructure/script/script-utils';
+export { applyExtractionPlan, buildExtractionPlan, detectSensitiveData, redactBody, redactFullResponse, redactFullResultDetails, redactHeaders, redactHistoryEntry, redactUrl } from './infrastructure/security/sensitive-data-redactor';
+export type { SensitiveDataWarning, SensitiveExtraction } from './infrastructure/security/sensitive-data-redactor';
 export { CollectionLoader } from './infrastructure/collection/collection-loader';
 export type { LoadOptions } from './infrastructure/collection/collection-loader';
 export { CollectionLoaderFactory } from './infrastructure/collection/collection-loader-factory';
@@ -59,8 +61,8 @@ export { FolderCollectionStore } from './infrastructure/collection/folder-collec
 export * from './infrastructure/collection/folder-io';
 export { generateSlug } from './infrastructure/collection/folder-io';
 export { ParserRegistry } from './infrastructure/collection/parser-registry';
-export type { Collection, ICollectionService } from './types/collection';
 export { JsonCollectionLoader } from './infrastructure/collection/json-collection-loader';
+export type { Collection, ICollectionService } from './types/collection';
 export { EnvironmentConfigService } from './infrastructure/environment/environment-config-service';
 export { isSystemEnvironmentFile, loadEnvironmentsFromFolder } from './infrastructure/environment/environment-file-loader';
 export type { EnvironmentEntry, EnvironmentFolderData } from './infrastructure/environment/environment-file-loader';
@@ -68,9 +70,9 @@ export { EnvironmentResolver } from './infrastructure/environment/environment-re
 export type { Environment, EnvironmentStoreConfig } from './infrastructure/environment/environment-resolver';
 export { ForgeEnv } from './infrastructure/environment/forge-env';
 export type { IForgeEnv } from './infrastructure/environment/forge-env';
-export type { IEnvironmentConfigService } from './types/environment-config';
-export { VariableInterpolator, VariableResolver, createVariableResolver } from './infrastructure/environment/variable-interpolator';
+export { createVariableResolver, VariableInterpolator, VariableResolver } from './infrastructure/environment/variable-interpolator';
 export type { VariableResolverConfig } from './infrastructure/environment/variable-interpolator';
+export type { IEnvironmentConfigService, ResolvedEnvironment } from './types/environment-config';
 export { CollectionRequestExecutor } from './infrastructure/execution/collection-request-executor';
 export * from './infrastructure/execution/collection-request-executor-interfaces';
 export { RequestExecutor } from './infrastructure/execution/request-executor';
@@ -94,8 +96,8 @@ export { CONFIG_FILES, ConfigService, DEFAULT_CONFIG, ROOT_DIRECTORIES } from '.
 export type { EnvironmentsConfig, HttpForgeConfig, IConfigService, ProxyConfig, RequestConfig, RestClientExportConfig, RunnerConfig, ScriptsConfig, StorageConfig } from './infrastructure/config';
 export { DEFAULT_SUITE_CONFIG } from './infrastructure/test-suite/interfaces';
 export type { ErrorSummary, IStatisticsService, ITestSuiteService, RequestStatistics, RunStatistics, RunSummary, SuiteConfig, SuiteRequest, TestSuite } from './infrastructure/test-suite/interfaces';
-export { HTTP_METHOD_MAP, HTTP_METHOD_REVERSE, buildResultFileName, expandSummary } from './infrastructure/test-suite/result-storage';
-export type { FullResultDetails, IResultStorageService, IndexPage, RecentError, RequestStats, ResultSummary, RunConfig, RunManifest, RunStats } from './infrastructure/test-suite/result-storage';
+export { buildResultFileName, expandSummary, HTTP_METHOD_MAP, HTTP_METHOD_REVERSE } from './infrastructure/test-suite/result-storage';
+export type { FullResultDetails, IndexPage, IResultStorageService, RecentError, RequestStats, ResultSummary, RunConfig, RunManifest, RunStats } from './infrastructure/test-suite/result-storage';
 export { ResultStorageService } from './infrastructure/test-suite/result-storage-service';
 export { StatisticsService } from './infrastructure/test-suite/statistics-service';
 export { TestSuiteService } from './infrastructure/test-suite/test-suite-service';
@@ -109,7 +111,7 @@ export { exportCollectionToRestClient, getRestClientExportFolder, writeEnvFile,
 export { DataFileParser } from './infrastructure/platform/data-file-parser';
 export type { IDataFileParser } from './infrastructure/platform/data-file-parser';
 export { NodeFileSystem } from './infrastructure/platform/node-file-system';
-export { DYNAMIC_VARIABLES, augmentWithDynamicVars, resolveDynamicVariable, resolveDynamicVariablesInString } from './utils/dynamic-variables';
+export { augmentWithDynamicVars, DYNAMIC_VARIABLES, resolveDynamicVariable, resolveDynamicVariablesInString } from './utils/dynamic-variables';
 export { evaluateExpression, isExpression } from './utils/expression-evaluator';
 export { applyFilterChain, parseFilterChain } from './utils/filter-engine';
 export { deepClone, formatBytes, formatDuration, generateId, generateUUID, isPlainObject, mergeHeadersCaseInsensitive, safeJsonParse, sanitizeName } from './utils/helpers';