@http-forge/core 0.2.9 → 0.2.10

package/README.md

@@ -13,15 +13,14 @@
 - 🚀 **Postman Collections** - Load and execute `.postman_collection.json` and `.forge.json` files
 - 📝 **JavaScript Scripting** - Pre-request and post-response scripts with full `pm.*` API (variables, assertions, execution flow, visualizer)
 - 🔄 **Dynamic Variables** - Built-in generators: `{{$randomInt}}`, `{{$timestamp}}`, `{{$uuid}}`, `{{$guid}}`, etc.
-- 🌍 **Environments** - Full variable scoping (globals, collection, environment, iterationData) with Postman-compatible cascade
+- 🌍 **Environments** - Full variable scoping (globals, collection, environment, session, iterationData)
 - 👁️ **File Watching** - Automatic reload on collection/environment file changes with notification callbacks
 - 🍪 **Cookie Persistence** - Automatic cookie storage and reuse, `pm.cookies.jar()` and `.toObject()`
 - 📊 **Test Assertions** - BDD-style testing with `pm.test()` (sync/async) and full Chai `expect()` chains
 - 🔐 **CryptoJS** - Full crypto library: hash, HMAC, AES/DES/TripleDES, PBKDF2, encoding helpers
 - 🎯 **Execution Flow** - `pm.setNextRequest()`, `pm.execution.skipRequest()` for suite runner flow control
 - 📈 **Visualizer** - `pm.visualizer.set(template, data)` for custom Handlebars-based HTML output
-- �️ **Sensitive Data Redaction** - Auto-redacts tokens, passwords, secrets from persisted history/result files
-- �🔌 **Extensible** - Custom interceptors, HTTP clients, and module loaders
+- 🔌 **Extensible** - Custom interceptors, HTTP clients, and module loaders
 
 **Ideal for:**
 - CI/CD pipeline integration (GitHub Actions, GitLab CI, Jenkins)
@@ -79,25 +78,6 @@ forge.setEnvironment({
 const result = await forge.execute(request, collection);
 ```
 
-### URL Path Parameters
-
-If your request URL uses Express-style route parameters, provide values using the request `params` field.
-
-```typescript
-const request = {
-    name: 'Redirect Test',
-    method: 'GET',
-    url: '{{baseUrl}}/redirect/:redirectNumber',
-    params: {
-        redirectNumber: '3'
-    }
-};
-
-const result = await forge.execute(request, collection);
-```
-
-The engine will substitute `:redirectNumber` before execution, while still resolving environment variables and dynamic template expressions.
-
 ### With Custom Configuration
 
 ```typescript
@@ -380,47 +360,6 @@ const entries = history.getAll();         // All requests
 const byId = history.getByRequestId(id);  // Specific request history
 ```
 
-### 🛡️ Sensitive Data Redaction
-
-History and result files automatically redact sensitive data before writing to disk. This prevents tokens, passwords, and credentials from being persisted in plaintext.
-
-```typescript
-import {
-    redactHeaders, redactUrl, redactBody,
-    redactHistoryEntry, redactFullResponse, redactFullResultDetails
-} from '@http-forge/core';
-
-// Redact sensitive headers
-redactHeaders({ 'Authorization': 'Bearer eyJ...', 'Content-Type': 'application/json' });
-// → { 'Authorization': '***', 'Content-Type': 'application/json' }
-
-// Any header containing 'token', 'cookie', 'secret' is redacted
-redactHeaders({ 'avs-token': 'abc123', 'telus-access-token-cookie': 'xyz' });
-// → { 'avs-token': '***', 'telus-access-token-cookie': '***' }
-
-// Redact sensitive URL query params
-redactUrl('https://api.example.com/auth?client_secret=abc&scope=read');
-// → 'https://api.example.com/auth?client_secret=***&scope=read'
-
-// Redact sensitive JSON body fields (recursive)
-redactBody({ user: 'admin', password: 'hunter2', data: { api_token: 'xyz' } });
-// → { user: 'admin', password: '***', data: { api_token: '***' } }
-
-// Redact URL-encoded form bodies
-redactBody('username=admin&password=secret&grant_type=password');
-// → 'username=admin&password=***&grant_type=***'
-```
-
-**Auto-detected patterns:**
-- **Headers**: `authorization`, `proxy-authorization`, `www-authenticate`, and any header containing `token`, `cookie`, `secret`, `credential`, `api-key`, `bearer`, `session-id`
-- **Fields/Params**: Any name containing `password`, `passwd`, `pwd`, `token`, `cookie`, `secret`, `credential`, `api_key`, `access_token`, `refresh_token`, `client_secret`, `private_key`, `auth_code`, `bearer`, `session_id`, `jwt`
-
-**Integration points:**
-- `RequestHistoryService.addEntry()` — redacts `sentRequest` (headers, body, URL) before saving
-- `RequestHistoryService.saveFullResponse()` — redacts response headers and cookies
-- `ResultStorageService.saveResult()` — redacts request/response headers and body in suite results
-- `originalConfig` (unresolved `{{variable}}` templates) is never redacted — only resolved values
-
 ## 📖 API Reference
 
 ### ForgeContainer
@@ -528,23 +467,14 @@ interface KeyValueEntry {
     format?: string;               // Semantic hint (e.g. "uuid", "date-time")
     enum?: string[];               // Allowed values
     deprecated?: boolean;
-    // Extended constraint fields for full OpenAPI 3.0 round-trip
-    // String constraints
+    // Extended constraint fields for full OpenAPI round-trip
     pattern?: string;              // Regex validation pattern
-    minLength?: number;
-    maxLength?: number;
-    // Numeric constraints (integer / number)
     minimum?: number;
     maximum?: number;
-    exclusiveMinimum?: boolean;    // OpenAPI 3.0: boolean modifier on minimum (strict >)
-    exclusiveMaximum?: boolean;    // OpenAPI 3.0: boolean modifier on maximum (strict <)
-    multipleOf?: number;
-    // Array constraints
-    minItems?: number;
-    maxItems?: number;
-    uniqueItems?: boolean;
-    // Common
-    nullable?: boolean;
+    exclusiveMinimum?: number;
+    exclusiveMaximum?: number;
+    minLength?: number;
+    maxLength?: number;
     oneOf?: Array<Record<string, any>>; // Merged constraint variants
 }
 ```
@@ -561,22 +491,13 @@ interface PathParamEntry {
     format?: string;
     enum?: string[];
     deprecated?: boolean;
-    // String constraints
     pattern?: string;
-    minLength?: number;
-    maxLength?: number;
-    // Numeric constraints
     minimum?: number;
     maximum?: number;
-    exclusiveMinimum?: boolean;    // OpenAPI 3.0: boolean modifier (strict >)
-    exclusiveMaximum?: boolean;    // OpenAPI 3.0: boolean modifier (strict <)
-    multipleOf?: number;
-    // Array constraints
-    minItems?: number;
-    maxItems?: number;
-    uniqueItems?: boolean;
-    // Common
-    nullable?: boolean;
+    exclusiveMinimum?: number;
+    exclusiveMaximum?: number;
+    minLength?: number;
+    maxLength?: number;
     oneOf?: Array<Record<string, any>>;
 }
 ```
@@ -587,20 +508,15 @@ The core library includes full OpenAPI 3.0.3 import and export with constraint p
 
 **Import** (`OpenApiImporter`):
 - Parses OpenAPI 3.0 YAML/JSON specs into `UnifiedCollection`
-- Extracts all parameter schema constraints: `type`, `format`, `pattern`, `enum`, `minimum`, `maximum`, `exclusiveMinimum`, `exclusiveMaximum` (booleans), `multipleOf`, `minLength`, `maxLength`, `minItems`, `maxItems`, `uniqueItems`, `nullable`
+- Extracts all parameter schema constraints (`pattern`, `minimum`, `maximum`, `exclusiveMinimum`, `exclusiveMaximum`, `minLength`, `maxLength`, `enum`, `format`)
 - Preserves `oneOf` schemas from merged parameters, deriving combined enum hints for UI display
-- Sets `hasMetadata` flag when any constraint or description field is present
 
 **Export** (`OpenApiExporter`):
 - Generates OpenAPI 3.0.3 specs from collections
-- `exclusiveMinimum`/`exclusiveMaximum` exported as booleans (OpenAPI 3.0 semantics)
-- **Collision-aware merging** via `mergeParameterSchema()`: When multiple requests normalize to the same path + HTTP method, they are merged into a single operation:
+- **Collision-aware merging**: When multiple requests normalize to the same path + HTTP method, they are merged into a single operation:
   - Descriptions are appended, tags are unioned
-  - **Existing has `oneOf`** → incoming constraints appended as a new variant
-  - **Incoming has `oneOf`** → existing schema wrapped as single variant, incoming variants flattened in
-  - **Both simple, same constraint kind** (both enum, both pattern, etc.) → merged in-place (union enum values, widen numeric ranges, alternation-join patterns)
-  - **Both simple, different constraint kinds** → wrapped in `oneOf` — each variant keeps its self-consistent schema
-  - `stripConstraints()` called after **all** merge branches to prevent stale fields (e.g. `enum`) leaking alongside `oneOf`
+  - Parameters with the **same constraint kind** (both enum, both pattern, etc.) are merged in-place (union enum values, widen numeric ranges, alternation-join patterns)
+  - Parameters with **different constraint kinds** are wrapped in `oneOf` — each variant keeps its self-consistent schema
 - All constraint fields round-trip without data loss
 
 ## 🛠️ Use Cases
@@ -795,23 +711,6 @@ MIT © Henry Huang
 
 ## 📝 Changelog
 
-### 0.2.7 (Session Scope Removal & Postman Parity)
-
-- ✅ **Session scope removed** — The separate "session" variable scope has been removed. `pm.environment.set()` now persists to workspace state (matching Postman's behavior). Variable resolution uses a Postman-compatible 5-scope cascade: `variables > iterationData > environmentVariables > collectionVariables > globals`.
-- ✅ **Request preparer extraVariables fix** — All request resolutions (params, query, headers, bearer auth, basic auth, API key) now use `extraVariables`. Previously only body and URL used them.
-- ✅ **Exported `ResolvedEnvironment` type** — Now part of the public API for downstream consumers.
-
-### 0.2.6 (Sensitive Data Redaction & Variable Propagation Fix)
-
-- ✅ **Sensitive data redaction** — History files, shared history, suite test results, and full response files automatically redact sensitive data before persisting to disk:
-  - Headers matching `authorization`, `proxy-authorization`, or containing `token`, `cookie`, `secret`, `credential`, `api-key`, `bearer`, `session-id`
-  - URL query params and JSON/form body fields matching `password`, `token`, `secret`, `api_key`, `client_secret`, `private_key`, `auth_code`, `jwt`, etc.
-  - Response `Set-Cookie` headers and cookies with sensitive names
-  - Unresolved `{{variable}}` templates in `originalConfig` are preserved — only resolved values redacted
-  - Exported functions: `redactHeaders()`, `redactUrl()`, `redactBody()`, `redactHistoryEntry()`, `redactFullResponse()`, `redactFullResultDetails()`
-- ✅ **Fixed `pm.environment.set()` propagation** — Post-response script `pm.environment.set()` now correctly propagates to `{{variable}}` resolution in subsequent collection runner requests. The session now uses live scope references instead of a disconnected snapshot.
-- ✅ **Cookie jar flush in collection runner** — `flush()` is now called in the `finally` block ensuring script-set cookies persist to the shared session store after a run completes.
-
 ### 0.2.5 (OpenAPI Constraint Round-Trip & Collision Merging)
 
 - ✅ **Full parameter constraint round-trip** — OpenAPI import/export now preserves all schema constraint fields: `pattern`, `minimum`, `maximum`, `exclusiveMinimum`, `exclusiveMaximum`, `minLength`, `maxLength`, and `oneOf` on both `KeyValueEntry` and `PathParamEntry`
@@ -850,7 +749,7 @@ MIT © Henry Huang
 - ✅ **Core request execution** with Postman collection support
 - ✅ **Dynamic variables** - 7 generators for on-the-fly value generation
 - ✅ **Postman-compatible scripting** - `pm.*` API with full feature parity
-- ✅ **Variable scoping** - globals, collection, environment, workspace-state persistence for `pm.environment.set()`
+- ✅ **Variable scoping** - globals, collection, environment, session, flow-level
 - ✅ **Cookie persistence** - automatic storage and reuse across request chains
 - ✅ **Pre-request & post-response scripts** with shared VM context
 - ✅ **Test assertions** with BDD-style `pm.test()` and expect chains