@ogcio/o11y-sdk-node 0.4.0 → 0.4.1

package/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## [0.4.1](https://github.com/ogcio/o11y/compare/@ogcio/o11y-sdk-node@v0.4.0...@ogcio/o11y-sdk-node@v0.4.1) (2025-09-03)
+
+
+### Bug Fixes
+
+* nested attributes redaction node sdk AB[#30826](https://github.com/ogcio/o11y/issues/30826) ([#198](https://github.com/ogcio/o11y/issues/198)) ([b926ba5](https://github.com/ogcio/o11y/commit/b926ba54097fd6028c8aa78cbe1c276ce2cc2166))
+
 ## [0.4.0](https://github.com/ogcio/o11y/compare/@ogcio/o11y-sdk-node@v0.3.1...@ogcio/o11y-sdk-node@v0.4.0) (2025-09-02)
 
 

package/dist/lib/exporter/pii-exporter-decorator.js

@@ -1,5 +1,5 @@
 import { OTLPExporterBase } from "@opentelemetry/otlp-exporter-base";
-import { _cleanLogBodyPII, _cleanObjectPII, _cleanStringPII, } from "../internals/redaction/pii-detection.js";
+import { _cleanStringPII, _recursiveObjectClean, } from "../internals/redaction/pii-detection.js";
 import { redactors, } from "../internals/redaction/redactors/index.js";
 export class PIIExporterDecorator extends OTLPExporterBase {
     _exporter;
@@ -67,22 +67,22 @@ export class PIIExporterDecorator extends OTLPExporterBase {
         Object.assign(span, {
             name: _cleanStringPII(span.name, "trace", this._redactors),
             attributes: span.attributes &&
-                _cleanObjectPII(span.attributes, "trace", this._redactors),
+                _recursiveObjectClean(span.attributes, "trace", this._redactors),
             resource: {
                 attributes: span?.resource?.attributes &&
-                    _cleanObjectPII(span.resource.attributes, "trace", this._redactors),
+                    _recursiveObjectClean(span.resource.attributes, "trace", this._redactors),
             },
             links: span?.links?.map((link) => {
                 Object.assign(link, {
                     attributes: link?.attributes &&
-                        _cleanObjectPII(link.attributes, "trace", this._redactors),
+                        _recursiveObjectClean(link.attributes, "trace", this._redactors),
                 });
             }),
             events: span?.events?.map((event) => {
                 Object.assign(event, {
                     name: _cleanStringPII(event.name, "trace", this._redactors),
                     attributes: event?.attributes &&
-                        _cleanObjectPII(event.attributes, "trace", this._redactors),
+                        _recursiveObjectClean(event.attributes, "trace", this._redactors),
                 });
                 return event;
             }),
@@ -91,12 +91,12 @@ export class PIIExporterDecorator extends OTLPExporterBase {
     _redactLogRecord(log) {
         return {
             ...log,
-            body: _cleanLogBodyPII(log.body, this._redactors),
+            body: _recursiveObjectClean(log.body, "log", this._redactors),
             attributes: log.attributes &&
-                _cleanObjectPII(log.attributes, "log", this._redactors),
+                _recursiveObjectClean(log.attributes, "log", this._redactors),
             resource: log.resource && {
                 ...log.resource,
-                attributes: _cleanObjectPII(log.resource.attributes, "log", this._redactors),
+                attributes: _recursiveObjectClean(log.resource.attributes, "log", this._redactors),
             },
         };
     }
@@ -104,7 +104,7 @@ export class PIIExporterDecorator extends OTLPExporterBase {
         Object.assign(metric, {
             resource: {
                 attributes: metric?.resource?.attributes &&
-                    _cleanObjectPII(metric.resource.attributes, "metric", this._redactors),
+                    _recursiveObjectClean(metric.resource.attributes, "metric", this._redactors),
             },
         });
     }

package/dist/lib/internals/redaction/pii-detection.d.ts

@@ -1,23 +1,25 @@
 import type { AnyValue } from "@opentelemetry/api-logs";
 import { Redactor } from "./redactors/index.js";
-import { AttributeValue } from "@opentelemetry/api";
 export type PIISource = "trace" | "log" | "metric";
+/**
+ * Checks whether a string contains URI-encoded components.
+ *
+ * @param {string} value - The string to inspect.
+ * @returns {boolean} `true` if the string is encoded, `false` otherwise.
+ */
+export declare function _containsEncodedComponents(value: string): boolean;
 /**
  * Cleans a string by redacting configured PIIs and emitting metrics for redacted values.
  *
  * If the string is URL-encoded, it will be decoded before redaction.
- * Metrics are emitted for:
- * - each domain found in redacted email addresses.
- * - IPv4|IPv6 addresses redacted.
  *
  * @template T
  *
- * @param {T} value - The input value to sanitize.
+ * @param {string} value - The input value to sanitize.
  * @param {"trace" | "log"} source - The source context of the input, used in metrics.
  * @param {Redactor[]} redactors - The string processors containing the redaction logic.
  *
- * @returns {T} The cleaned string with any configured PII replaced by `[REDACTED PII_TYPE]`.
+ * @returns {string} The cleaned string with any configured PII replaced by `[REDACTED PII_TYPE]`.
  */
-export declare function _cleanStringPII<T extends AnyValue>(value: T, source: PIISource, redactors: Redactor[]): T;
-export declare function _cleanObjectPII(entry: object, source: PIISource, redactors: Redactor[]): Record<string, AttributeValue>;
-export declare function _cleanLogBodyPII<T extends AnyValue>(value: T, redactors: Redactor[]): T;
+export declare function _cleanStringPII(value: string, source: PIISource, redactors: Redactor[]): string;
+export declare function _recursiveObjectClean<T extends AnyValue>(value: T, source: PIISource, redactors: Redactor[]): T;

package/dist/lib/internals/redaction/pii-detection.js

@@ -6,34 +6,36 @@ const encoder = new TextEncoder();
  * @param {string} value - The string to inspect.
  * @returns {boolean} `true` if the string is encoded, `false` otherwise.
  */
-function _containsEncodedComponents(value) {
+export function _containsEncodedComponents(value) {
     try {
-        return decodeURI(value) !== decodeURIComponent(value);
+        const decodedURIComponent = decodeURIComponent(value);
+        if (decodeURI(value) !== decodedURIComponent) {
+            return true;
+        }
+        if (value !== decodedURIComponent) {
+            return (encodeURIComponent(decodedURIComponent) === value ||
+                encodeURI(decodedURIComponent) === value);
+        }
     }
     catch {
         return false;
     }
+    return false;
 }
 /**
  * Cleans a string by redacting configured PIIs and emitting metrics for redacted values.
  *
  * If the string is URL-encoded, it will be decoded before redaction.
- * Metrics are emitted for:
- * - each domain found in redacted email addresses.
- * - IPv4|IPv6 addresses redacted.
  *
  * @template T
  *
- * @param {T} value - The input value to sanitize.
+ * @param {string} value - The input value to sanitize.
  * @param {"trace" | "log"} source - The source context of the input, used in metrics.
  * @param {Redactor[]} redactors - The string processors containing the redaction logic.
  *
- * @returns {T} The cleaned string with any configured PII replaced by `[REDACTED PII_TYPE]`.
+ * @returns {string} The cleaned string with any configured PII replaced by `[REDACTED PII_TYPE]`.
  */
 export function _cleanStringPII(value, source, redactors) {
-    if (Array.isArray(value)) {
-        return value.map((v) => _cleanStringPII(v, source, redactors));
-    }
     if (typeof value !== "string") {
         return value;
     }
@@ -45,18 +47,9 @@ export function _cleanStringPII(value, source, redactors) {
     }
     return redactors.reduce((redactedValue, currentRedactor) => currentRedactor(redactedValue, source, kind), decodedValue);
 }
-export function _cleanObjectPII(entry, source, redactors) {
-    if (!entry) {
-        return entry;
-    }
-    return Object.fromEntries(Object.entries(entry).map(([k, v]) => [
-        k,
-        _cleanStringPII(v, source, redactors),
-    ]));
-}
-export function _cleanLogBodyPII(value, redactors) {
+export function _recursiveObjectClean(value, source, redactors) {
     if (typeof value === "string") {
-        return _cleanStringPII(value, "log", redactors);
+        return _cleanStringPII(value, source, redactors);
     }
     if (typeof value === "number" ||
         typeof value === "boolean" ||
@@ -66,7 +59,7 @@ export function _cleanLogBodyPII(value, redactors) {
     if (value instanceof Uint8Array) {
         try {
             const decoded = decoder.decode(value);
-            const sanitized = _cleanStringPII(decoded, "log", redactors);
+            const sanitized = _cleanStringPII(decoded, source, redactors);
             return encoder.encode(sanitized);
         }
         catch {
@@ -74,12 +67,12 @@ export function _cleanLogBodyPII(value, redactors) {
         }
     }
     if (Array.isArray(value)) {
-        return value.map((value) => _cleanLogBodyPII(value, redactors));
+        return value.map((value) => _recursiveObjectClean(value, source, redactors));
     }
     if (typeof value === "object") {
         const sanitized = {};
         for (const [key, val] of Object.entries(value)) {
-            sanitized[key] = _cleanLogBodyPII(val, redactors);
+            sanitized[key] = _recursiveObjectClean(val, source, redactors);
         }
         return sanitized;
     }

package/dist/lib/internals/redaction/redactors/ip.js

@@ -1,7 +1,7 @@
 import { _getPIICounterRedactionMetric } from "../../shared-metrics.js";
 // Generous IP address matchers (might match some invalid addresses like 192.168.01.1)
-const IPV4_REGEX = /(?<!\d)(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}(?!\d)/gi;
-const IPV6_REGEX = /(?<![0-9a-f:])((?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:[0-9A-Fa-f]{1,4}:){1,7}:|:(?::[0-9A-Fa-f]{1,4}){1,7}|(?:[0-9A-Fa-f]{1,4}:){1,6}:[0-9A-Fa-f]{1,4}|(?:[0-9A-Fa-f]{1,4}:){1,5}(?::[0-9A-Fa-f]{1,4}){1,2}|(?:[0-9A-Fa-f]{1,4}:){1,4}(?::[0-9A-Fa-f]{1,4}){1,3}|(?:[0-9A-Fa-f]{1,4}:){1,3}(?::[0-9A-Fa-f]{1,4}){1,4}|(?:[0-9A-Fa-f]{1,4}:){1,2}(?::[0-9A-Fa-f]{1,4}){1,5}|[0-9A-Fa-f]{1,4}:(?::[0-9A-Fa-f]{1,4}){1,6}|:(?::[0-9A-Fa-f]{1,4}){1,7}:?|(?:[0-9A-Fa-f]{1,4}:){1,4}:(?:25[0-5]|2[0-4]\d|1\d\d|\d{1,2})(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|\d{1,2})){3})(?![0-9a-f:])/gi;
+const IPV4_REGEX = /(?<!\d)(?:%[0-9A-Fa-f]{2})?(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}(?:%[0-9A-Fa-f]{2})?(?!\d)/gi;
+const IPV6_REGEX = /(?<![0-9a-f:])(?:%[0-9A-Fa-f]{2})?((?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:[0-9A-Fa-f]{1,4}:){1,7}:|:(?::[0-9A-Fa-f]{1,4}){1,7}|(?:[0-9A-Fa-f]{1,4}:){1,6}:[0-9A-Fa-f]{1,4}|(?:[0-9A-Fa-f]{1,4}:){1,5}(?::[0-9A-Fa-f]{1,4}){1,2}|(?:[0-9A-Fa-f]{1,4}:){1,4}(?::[0-9A-Fa-f]{1,4}){1,3}|(?:[0-9A-Fa-f]{1,4}:){1,3}(?::[0-9A-Fa-f]{1,4}){1,4}|(?:[0-9A-Fa-f]{1,4}:){1,2}(?::[0-9A-Fa-f]{1,4}){1,5}|[0-9A-Fa-f]{1,4}:(?::[0-9A-Fa-f]{1,4}){1,6}|:(?::[0-9A-Fa-f]{1,4}){1,7}:?|(?:[0-9A-Fa-f]{1,4}:){1,4}:(?:25[0-5]|2[0-4]\d|1\d\d|\d{1,2})(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|\d{1,2})){3})(?:%[0-9A-Fa-f]{2})?(?![0-9a-f:])/gi;
 /**
  * Redacts all ip addresses in the input string and collects metadata.
  *

package/dist/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@ogcio/o11y-sdk-node",
-    "version": "0.4.0",
+    "version": "0.4.1",
     "description": "Opentelemetry standard instrumentation SDK for NodeJS based project",
     "main": "dist/index.js",
     "type": "module",

package/lib/exporter/pii-exporter-decorator.ts

@@ -8,9 +8,8 @@ import {
 import { ReadableSpan, SpanExporter } from "@opentelemetry/sdk-trace-base";
 import { NodeSDKConfig } from "../index.js";
 import {
-  _cleanLogBodyPII,
-  _cleanObjectPII,
   _cleanStringPII,
+  _recursiveObjectClean,
 } from "../internals/redaction/pii-detection.js";
 import {
   Redactor,
@@ -114,17 +113,21 @@ export class PIIExporterDecorator
       name: _cleanStringPII(span.name, "trace", this._redactors),
       attributes:
         span.attributes &&
-        _cleanObjectPII(span.attributes, "trace", this._redactors),
+        _recursiveObjectClean(span.attributes, "trace", this._redactors),
       resource: {
         attributes:
           span?.resource?.attributes &&
-          _cleanObjectPII(span.resource.attributes, "trace", this._redactors),
+          _recursiveObjectClean(
+            span.resource.attributes,
+            "trace",
+            this._redactors,
+          ),
       },
       links: span?.links?.map((link) => {
         Object.assign(link, {
           attributes:
             link?.attributes &&
-            _cleanObjectPII(link.attributes, "trace", this._redactors),
+            _recursiveObjectClean(link.attributes, "trace", this._redactors),
         });
       }),
       events: span?.events?.map((event) => {
@@ -132,7 +135,7 @@ export class PIIExporterDecorator
           name: _cleanStringPII(event.name, "trace", this._redactors),
           attributes:
             event?.attributes &&
-            _cleanObjectPII(event.attributes, "trace", this._redactors),
+            _recursiveObjectClean(event.attributes, "trace", this._redactors),
         });
         return event;
       }),
@@ -142,13 +145,13 @@ export class PIIExporterDecorator
   private _redactLogRecord(log: ReadableLogRecord): ReadableLogRecord {
     return {
       ...log,
-      body: _cleanLogBodyPII(log.body, this._redactors),
+      body: _recursiveObjectClean(log.body, "log", this._redactors),
       attributes:
         log.attributes &&
-        _cleanObjectPII(log.attributes, "log", this._redactors),
+        _recursiveObjectClean(log.attributes, "log", this._redactors),
       resource: log.resource && {
         ...log.resource,
-        attributes: _cleanObjectPII(
+        attributes: _recursiveObjectClean(
           log.resource.attributes,
           "log",
           this._redactors,
@@ -162,7 +165,7 @@ export class PIIExporterDecorator
       resource: {
         attributes:
           metric?.resource?.attributes &&
-          _cleanObjectPII(
+          _recursiveObjectClean(
             metric.resource.attributes,
             "metric",
             this._redactors,

package/lib/internals/redaction/pii-detection.ts

@@ -1,6 +1,5 @@
 import type { AnyValue, AnyValueMap } from "@opentelemetry/api-logs";
 import { Redactor } from "./redactors/index.js";
-import { AttributeValue } from "@opentelemetry/api";
 
 const decoder = new TextDecoder();
 const encoder = new TextEncoder();
@@ -13,41 +12,44 @@ export type PIISource = "trace" | "log" | "metric";
  * @param {string} value - The string to inspect.
  * @returns {boolean} `true` if the string is encoded, `false` otherwise.
  */
-function _containsEncodedComponents(value: string): boolean {
+export function _containsEncodedComponents(value: string): boolean {
   try {
-    return decodeURI(value) !== decodeURIComponent(value);
+    const decodedURIComponent = decodeURIComponent(value);
+    if (decodeURI(value) !== decodedURIComponent) {
+      return true;
+    }
+
+    if (value !== decodedURIComponent) {
+      return (
+        encodeURIComponent(decodedURIComponent) === value ||
+        encodeURI(decodedURIComponent) === value
+      );
+    }
   } catch {
     return false;
   }
+
+  return false;
 }
 
 /**
  * Cleans a string by redacting configured PIIs and emitting metrics for redacted values.
  *
  * If the string is URL-encoded, it will be decoded before redaction.
- * Metrics are emitted for:
- * - each domain found in redacted email addresses.
- * - IPv4|IPv6 addresses redacted.
  *
  * @template T
  *
- * @param {T} value - The input value to sanitize.
+ * @param {string} value - The input value to sanitize.
  * @param {"trace" | "log"} source - The source context of the input, used in metrics.
  * @param {Redactor[]} redactors - The string processors containing the redaction logic.
  *
- * @returns {T} The cleaned string with any configured PII replaced by `[REDACTED PII_TYPE]`.
+ * @returns {string} The cleaned string with any configured PII replaced by `[REDACTED PII_TYPE]`.
  */
-export function _cleanStringPII<T extends AnyValue>(
-  value: T,
+export function _cleanStringPII(
+  value: string,
   source: PIISource,
   redactors: Redactor[],
-): T {
-  if (Array.isArray(value)) {
-    return value.map((v) =>
-      _cleanStringPII<typeof v>(v, source, redactors),
-    ) as T;
-  }
-
+): string {
   if (typeof value !== "string") {
     return value;
   }
@@ -59,37 +61,20 @@ export function _cleanStringPII<T extends AnyValue>(
     decodedValue = decodeURIComponent(value);
     kind = "url";
   }
-
   return redactors.reduce(
     (redactedValue: string, currentRedactor): string =>
       currentRedactor(redactedValue, source, kind),
     decodedValue,
-  ) as T;
-}
-
-export function _cleanObjectPII(
-  entry: object,
-  source: PIISource,
-  redactors: Redactor[],
-): Record<string, AttributeValue> {
-  if (!entry) {
-    return entry;
-  }
-
-  return Object.fromEntries(
-    Object.entries(entry).map(([k, v]) => [
-      k,
-      _cleanStringPII(v, source, redactors),
-    ]),
   );
 }
 
-export function _cleanLogBodyPII<T extends AnyValue>(
+export function _recursiveObjectClean<T extends AnyValue>(
   value: T,
+  source: PIISource,
   redactors: Redactor[],
 ): T {
   if (typeof value === "string") {
-    return _cleanStringPII(value, "log", redactors);
+    return _cleanStringPII(value, source, redactors) as T;
   }
 
   if (
@@ -103,7 +88,7 @@ export function _cleanLogBodyPII<T extends AnyValue>(
   if (value instanceof Uint8Array) {
     try {
       const decoded = decoder.decode(value);
-      const sanitized = _cleanStringPII(decoded, "log", redactors);
+      const sanitized = _cleanStringPII(decoded, source, redactors);
       return encoder.encode(sanitized) as T;
     } catch {
       return value;
@@ -111,13 +96,15 @@ export function _cleanLogBodyPII<T extends AnyValue>(
   }
 
   if (Array.isArray(value)) {
-    return value.map((value) => _cleanLogBodyPII(value, redactors)) as T;
+    return value.map((value) =>
+      _recursiveObjectClean(value, source, redactors),
+    ) as T;
   }
 
   if (typeof value === "object") {
     const sanitized: AnyValueMap = {};
     for (const [key, val] of Object.entries(value)) {
-      sanitized[key] = _cleanLogBodyPII(val, redactors);
+      sanitized[key] = _recursiveObjectClean(val, source, redactors);
     }
     return sanitized as T;
   }

package/lib/internals/redaction/redactors/ip.ts

@@ -2,9 +2,9 @@ import { _getPIICounterRedactionMetric } from "../../shared-metrics.js";
 
 // Generous IP address matchers (might match some invalid addresses like 192.168.01.1)
 const IPV4_REGEX =
-  /(?<!\d)(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}(?!\d)/gi;
+  /(?<!\d)(?:%[0-9A-Fa-f]{2})?(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}(?:%[0-9A-Fa-f]{2})?(?!\d)/gi;
 const IPV6_REGEX =
-  /(?<![0-9a-f:])((?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:[0-9A-Fa-f]{1,4}:){1,7}:|:(?::[0-9A-Fa-f]{1,4}){1,7}|(?:[0-9A-Fa-f]{1,4}:){1,6}:[0-9A-Fa-f]{1,4}|(?:[0-9A-Fa-f]{1,4}:){1,5}(?::[0-9A-Fa-f]{1,4}){1,2}|(?:[0-9A-Fa-f]{1,4}:){1,4}(?::[0-9A-Fa-f]{1,4}){1,3}|(?:[0-9A-Fa-f]{1,4}:){1,3}(?::[0-9A-Fa-f]{1,4}){1,4}|(?:[0-9A-Fa-f]{1,4}:){1,2}(?::[0-9A-Fa-f]{1,4}){1,5}|[0-9A-Fa-f]{1,4}:(?::[0-9A-Fa-f]{1,4}){1,6}|:(?::[0-9A-Fa-f]{1,4}){1,7}:?|(?:[0-9A-Fa-f]{1,4}:){1,4}:(?:25[0-5]|2[0-4]\d|1\d\d|\d{1,2})(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|\d{1,2})){3})(?![0-9a-f:])/gi;
+  /(?<![0-9a-f:])(?:%[0-9A-Fa-f]{2})?((?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:[0-9A-Fa-f]{1,4}:){1,7}:|:(?::[0-9A-Fa-f]{1,4}){1,7}|(?:[0-9A-Fa-f]{1,4}:){1,6}:[0-9A-Fa-f]{1,4}|(?:[0-9A-Fa-f]{1,4}:){1,5}(?::[0-9A-Fa-f]{1,4}){1,2}|(?:[0-9A-Fa-f]{1,4}:){1,4}(?::[0-9A-Fa-f]{1,4}){1,3}|(?:[0-9A-Fa-f]{1,4}:){1,3}(?::[0-9A-Fa-f]{1,4}){1,4}|(?:[0-9A-Fa-f]{1,4}:){1,2}(?::[0-9A-Fa-f]{1,4}){1,5}|[0-9A-Fa-f]{1,4}:(?::[0-9A-Fa-f]{1,4}){1,6}|:(?::[0-9A-Fa-f]{1,4}){1,7}:?|(?:[0-9A-Fa-f]{1,4}:){1,4}:(?:25[0-5]|2[0-4]\d|1\d\d|\d{1,2})(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|\d{1,2})){3})(?:%[0-9A-Fa-f]{2})?(?![0-9a-f:])/gi;
 
 /**
  * Redacts all ip addresses in the input string and collects metadata.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ogcio/o11y-sdk-node",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "description": "Opentelemetry standard instrumentation SDK for NodeJS based project",
   "main": "dist/index.js",
   "type": "module",

package/test/internals/pii-detection.test.ts

@@ -1,10 +1,12 @@
 import { describe, expect, it, vi, beforeEach } from "vitest";
 import {
   _cleanStringPII,
-  _cleanLogBodyPII,
+  _containsEncodedComponents,
+  _recursiveObjectClean,
 } from "../../lib/internals/redaction/pii-detection.js";
 import * as sharedMetrics from "../../lib/internals/shared-metrics.js";
 import { emailRedactor } from "../../lib/internals/redaction/redactors/email";
+import { ipRedactor } from "../../lib/internals/redaction/redactors/ip";
 
 describe("PII Detection Utils", () => {
   const mockMetricAdd = vi.fn();
@@ -32,7 +34,7 @@ describe("PII Detection Utils", () => {
       );
     });
 
-    it("redacts PII in URL-encoded string", () => {
+    it("redacts email in URL-encoded string", () => {
       const input = "user%40gmail.com";
       const output = _cleanStringPII(input, "log", [emailRedactor]);
 
@@ -46,6 +48,21 @@ describe("PII Detection Utils", () => {
       );
     });
 
+    it("redacts ip in URL-encoded string", () => {
+      const input = "%20127.0.0.1";
+      const output = _cleanStringPII(input, "log", [ipRedactor]);
+
+      expect(output).toBe(" [REDACTED IPV4]");
+      expect(mockMetricAdd).toHaveBeenCalledWith(
+        1,
+        expect.objectContaining({
+          pii_format: "url",
+          pii_type: "IPv4",
+          redaction_source: "log",
+        }),
+      );
+    });
+
     it("handles strings without PII unchanged", () => {
       const input = "hello world";
       const output = _cleanStringPII(input, "log", [emailRedactor]);
@@ -54,16 +71,10 @@ describe("PII Detection Utils", () => {
       expect(mockMetricAdd).not.toHaveBeenCalled();
     });
 
-    it("handles array of strings", () => {
-      const input = ["one@gmail.com", "two@example.com"];
-      const output = _cleanStringPII(input, "log", [emailRedactor]);
-
-      expect(output).toEqual(["[REDACTED EMAIL]", "[REDACTED EMAIL]"]);
-      expect(mockMetricAdd).toHaveBeenCalledTimes(2);
-    });
-
     it("ignores non-string input", () => {
+      // @ts-expect-error
       expect(_cleanStringPII(1234, "trace", [emailRedactor])).toBe(1234);
+      // @ts-expect-error
       expect(_cleanStringPII(true, "trace", [emailRedactor])).toBe(true);
       expect(
         _cleanStringPII(undefined, "trace", [emailRedactor]),
@@ -72,12 +83,22 @@ describe("PII Detection Utils", () => {
     });
   });
 
-  describe("_cleanLogBodyPII", () => {
+  describe("_recursiveObjectClean", () => {
     it("cleans string PII", () => {
-      const result = _cleanLogBodyPII("demo@abc.com", [emailRedactor]);
+      const result = _recursiveObjectClean("demo@abc.com", "log", [
+        emailRedactor,
+      ]);
       expect(result).toBe("[REDACTED EMAIL]");
     });
 
+    it("cleans array of strings", () => {
+      const input = ["one@gmail.com", "two@example.com"];
+      const output = _recursiveObjectClean(input, "log", [emailRedactor]);
+
+      expect(output).toEqual(["[REDACTED EMAIL]", "[REDACTED EMAIL]"]);
+      expect(mockMetricAdd).toHaveBeenCalledTimes(2);
+    });
+
     it("cleans deeply nested object", () => {
       const input = {
         user: {
@@ -89,7 +110,7 @@ describe("PII Detection Utils", () => {
         status: "active",
       };
 
-      const result = _cleanLogBodyPII(input, [emailRedactor]);
+      const result = _recursiveObjectClean(input, "log", [emailRedactor]);
 
       expect(result).toEqual({
         user: {
@@ -105,7 +126,7 @@ describe("PII Detection Utils", () => {
     it("cleans Uint8Array input", () => {
       const str = "admin@gmail.com";
       const buffer = new TextEncoder().encode(str);
-      const result = _cleanLogBodyPII(buffer, [emailRedactor]);
+      const result = _recursiveObjectClean(buffer, "log", [emailRedactor]);
       const decoded = new TextDecoder().decode(result as Uint8Array);
 
       expect(decoded).toBe("[REDACTED EMAIL]");
@@ -113,7 +134,7 @@ describe("PII Detection Utils", () => {
 
     it("skips malformed Uint8Array decode", () => {
       const corrupted = new Uint8Array([0xff, 0xfe, 0xfd]);
-      const result = _cleanLogBodyPII(corrupted, [emailRedactor]);
+      const result = _recursiveObjectClean(corrupted, "log", [emailRedactor]);
 
       // Should return a Uint8Array, but unmodified/redaction should not happen
       expect(result).toBeInstanceOf(Uint8Array);
@@ -121,8 +142,9 @@ describe("PII Detection Utils", () => {
     });
 
     it("cleans arrays of values", () => {
-      const result = _cleanLogBodyPII(
+      const result = _recursiveObjectClean(
         ["bob@abc.com", 123, { nested: "jane@example.com" }],
+        "log",
         [emailRedactor],
       );
 
@@ -134,10 +156,110 @@ describe("PII Detection Utils", () => {
     });
 
     it("passes null and boolean through", () => {
-      expect(_cleanLogBodyPII(null, [emailRedactor])).toBeNull();
-      expect(_cleanLogBodyPII(undefined, [emailRedactor])).toBeUndefined();
-      expect(_cleanLogBodyPII(true, [emailRedactor])).toBe(true);
-      expect(_cleanLogBodyPII(false, [emailRedactor])).toBe(false);
+      expect(_recursiveObjectClean(null, "log", [emailRedactor])).toBeNull();
+      expect(
+        _recursiveObjectClean(undefined, "log", [emailRedactor]),
+      ).toBeUndefined();
+      expect(_recursiveObjectClean(true, "log", [emailRedactor])).toBe(true);
+      expect(_recursiveObjectClean(false, "log", [emailRedactor])).toBe(false);
+    });
+  });
+
+  describe("_containsEncodedComponents", () => {
+    describe("should return true for properly URL encoded strings", () => {
+      it.each([
+        ["hello%20world", "Space encoded as %20"],
+        ["test%2Bvalue", "Plus sign encoded as %2B"],
+        ["path%2Fto%2Ffile", "Forward slashes encoded"],
+        ["user%40domain.com", "@ symbol encoded"],
+        ["100%25%20off", "Percent and space encoded"],
+        ["a%3Db%26c%3Dd", "Query parameters (a=b&c=d)"],
+        ["caf%C3%A9", "UTF-8 encoded (café)"],
+        ["price%3A%20%2410", "Colon, space, dollar ($10)"],
+        ["%22quoted%22", "Double quotes encoded"],
+        ["https%3A%2F%2Fexample.com", "Full URL encoded"],
+        ["file%20name.txt", "filename encoded"],
+        ["search%3Fq%3Dhello%20world", "Query string encoded"],
+        ["%3C%3E%26%22%27", "HTML special chars encoded (<>&\"')"],
+        ["%E2%9C%93", "UTF-8 checkmark (✓) encoded"],
+        ["test%2b", "Lowercase hex"],
+        ["%E4%B8%AD%E6%96%87", "Chinese characters encoded"],
+      ])('should detect "%s" as URL encoded (%s)', (input, description) => {
+        expect(_containsEncodedComponents(input)).toBe(true);
+      });
+    });
+
+    describe("should return false for non-URL encoded strings", () => {
+      it.each([
+        ["test", "Simple ASCII string"],
+        ["hello world", "Unencoded space"],
+        ["user@domain.com", "Unencoded email"],
+        ["simple123", "Alphanumeric only"],
+        ["", "Empty string"],
+        ["25%%", "Literal percent signs"],
+        ["100% off", "Percent without hex digits"],
+        ["test%2", "Incomplete percent encoding"],
+        ["hello%ZZ", "Invalid hex digits"],
+        ["test%2G", "Invalid hex digit G"],
+        ["bad%encoding%here", "Percent without hex pairs"],
+        ["hello%20world and more", "Partially encoded string"],
+        ["hello%20world%21%20how%20are%20you", "Overly encoded string"],
+        ["café", "Unicode characters (unencoded)"],
+        ["hello+world", "Plus sign (form encoding style)"],
+        ["test%", "Trailing percent"],
+        ["hello%20world%", "Encoded content with trailing percent"],
+        ["%", "Single percent"],
+        ["%%", "Double percent"],
+        ["normal text with % symbols", "Text with percent but no encoding"],
+        ["price: $100%", "Currency with percent"],
+        ["file.txt", "Simple filename"],
+        ["path/to/file", "Unencoded path"],
+        ["query?param=value", "Unencoded query string"],
+        ["hello%world", "Percent without following hex"],
+        ["test%1", "Single hex digit after percent"],
+        ["hello%zz", "Non-hex characters after percent"],
+      ])('should not detect "%s" as URL encoded (%s)', (input, description) => {
+        expect(_containsEncodedComponents(input)).toBe(false);
+      });
+    });
+
+    describe("Error handling", () => {
+      it.each([
+        ["%C0%80", "Overlong UTF-8 encoding (security concern)"],
+        ["%ED%A0%80", "UTF-8 surrogate (invalid)"],
+        ["%FF%FE", "Invalid UTF-8 sequence"],
+        ["test%20%ZZ", "Mix of valid and invalid encoding"],
+      ])('should handle "%s" (%s)', (input, description) => {
+        // These should not throw errors
+        expect(() => _containsEncodedComponents(input)).not.toThrow();
+
+        // Most of these should return false due to invalid sequences
+        // or security-related encoding issues
+        const result = _containsEncodedComponents(input);
+        expect(typeof result).toBe("boolean");
+      });
+    });
+
+    describe("real-world url examples", () => {
+      it.each([
+        [
+          "https%3A%2F%2Fgoogle.com%2Fsearch%3Fq%3Djavascript",
+          "Encoded Google search URL",
+        ],
+        ["The%20quick%20brown%20fox", "Sentence with spaces encoded"],
+        [
+          "/api/user?body=here%20are%20all%20my%20secrets",
+          "contextually encoded API path",
+        ],
+        ["redirect_uri=https%3A%2F%2Fapp.com%2Fcallback", "OAuth redirect URI"],
+        ["data%3Atext%2Fplain%3Bbase64%2CSGVsbG8%3D", "Data URL encoded"],
+      ])('real-world case: "%s" (%s)', (input, description) => {
+        const result = _containsEncodedComponents(input);
+
+        // Verify the function doesn't crash
+        expect(typeof result).toBe("boolean");
+        expect(result).toBe(true);
+      });
     });
   });
 });

package/test/internals/redactors/ip.test.ts

@@ -67,9 +67,13 @@ describe("IP Redaction utils", () => {
       ${"256.1.1.1"}                                  | ${"256.1.1.1"}
       ${"0.0.0.0!"}                                   | ${"[REDACTED IPV4]!"}
       ${"text0.0.0.0"}                                | ${"text[REDACTED IPV4]"}
+      ${"%A00.0.0.0"}                                 | ${"[REDACTED IPV4]"}
+      ${"0.0.0.0%20"}                                 | ${"[REDACTED IPV4]"}
       ${"0.0.text0.0"}                                | ${"0.0.text0.0"}
       ${"2001:0db8::1"}                               | ${"[REDACTED IPV6]"}
       ${"::1"}                                        | ${"[REDACTED IPV6]"}
+      ${"%20::1"}                                     | ${"[REDACTED IPV6]"}
+      ${"::1%A0"}                                     | ${"[REDACTED IPV6]"}
       ${"text::1"}                                    | ${"text[REDACTED IPV6]"}
       ${"::1text"}                                    | ${"[REDACTED IPV6]text"}
       ${"sentence ending with f::1"}                  | ${"sentence ending with [REDACTED IPV6]"}