@reproapp/node-sdk 0.0.4 → 0.0.6

package/test/circular-capture.test.js

@@ -94,7 +94,7 @@ async function main() {
             }
         });
     });
-    await new Promise((resolve) => setTimeout(resolve, 120));
+    await new Promise((resolve) => setTimeout(resolve, 500));
 
     const exitEvent = collectTraceEvents(posts).find((event) => event?.fn === 'circularFn' && event?.type === 'exit');
     assert(exitEvent, 'expected circularFn exit trace');

package/test/disable-subtree.test.js

@@ -121,7 +121,7 @@ async function runScenario(disableRules) {
     });
 
     // Allow flush timers to send payloads.
-    await new Promise(r => setTimeout(r, 120));
+    await new Promise(r => setTimeout(r, 500));
 
     return collectTraceFnsFromPosts(posts);
 }

package/test/kafka-runtime-privacy-policy.test.js

@@ -1,7 +1,10 @@
 const assert = require('assert');
+process.env.REPRO_SDK_BACKGROUND_MAX_DEFER_MS = '50';
+
+const { EventEmitter } = require('events');
 const { normalizeRuntimePrivacyPolicy } = require('../dist/privacy');
 const { flushIngestQueue } = require('../dist/ingest/client');
-const { initReproTracing, __reproTestHooks } = require('../dist');
+const { initReproTracing, reproMiddleware, __reproTestHooks } = require('../dist');
 
 const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
 
@@ -162,7 +165,13 @@ async function testKafkaConsumerTraceUsesConsumeTraceId() {
                 offset: '42',
                 timestamp: '1778965503962',
                 key: Buffer.from('case-1'),
-                value: Buffer.from('hello'),
+                value: Buffer.from(JSON.stringify({
+                    eventId: 'evt-kafka-consumed',
+                    payload: {
+                        marker: 'FULL_KAFKA_CONSUMED_VALUE_MARKER',
+                        repeated: 'x'.repeat(12 * 1024),
+                    },
+                })),
                 headers: {
                     'x-bug-session-id': Buffer.from('S_kafka_trace'),
                     'x-bug-action-id': Buffer.from('A_kafka_trace'),
@@ -183,6 +192,13 @@ async function testKafkaConsumerTraceUsesConsumeTraceId() {
         assert(consumeRequest, 'expected Kafka consume request event');
         assert.strictEqual(consumeRequest.payload.request.body.parentTraceId, 'parent-http-trace');
         assert.strictEqual(consumeRequest.payload.request.body.parentRequestRid, 'parent-request-rid');
+        assert.strictEqual(consumeRequest.payload.request.body.messageKey, 'case-1');
+        assert.strictEqual(consumeRequest.payload.request.body.value.eventId, 'evt-kafka-consumed');
+        assert.strictEqual(consumeRequest.payload.request.body.value.payload.marker, 'FULL_KAFKA_CONSUMED_VALUE_MARKER');
+        assert.strictEqual(consumeRequest.payload.request.body.value.payload.repeated, 'x'.repeat(12 * 1024));
+        assert(consumeRequest.payload.request.body.rawValue.includes('FULL_KAFKA_CONSUMED_VALUE_MARKER'));
+        assert.strictEqual(consumeRequest.payload.request.body.message.value.payload.repeated, 'x'.repeat(12 * 1024));
+        assertNoLargeJsonPreviewArtifacts(consumeRequest.payload.request.body);
 
         const traceFns = events
             .filter((event) => event.event_type === 'trace_batch')
@@ -195,17 +211,246 @@ async function testKafkaConsumerTraceUsesConsumeTraceId() {
     }
 }
 
-async function testOversizedKafkaTraceArgsKeepBoundedPreview() {
-    const secret = 'sk_live_privacy_large_preview_secret';
+function makeOpenTaggedReqRes(sessionId, actionId) {
+    const req = new EventEmitter();
+    req.method = 'GET';
+    req.url = '/long-running';
+    req.headers = {
+        'x-bug-session-id': sessionId,
+        'x-bug-action-id': actionId,
+        'x-bug-request-start': String(Date.now()),
+    };
+    req.body = {};
+    req.params = {};
+    req.query = {};
+
+    const res = new EventEmitter();
+    res.statusCode = 200;
+    res.getHeader = () => undefined;
+    res.setHeader = () => {};
+    res.json = function (body) { this.body = body; this.emit('finish'); return body; };
+    res.send = function (body) { this.body = body; this.emit('finish'); return body; };
+    res.write = () => true;
+    res.end = () => { res.emit('finish'); return true; };
+
+    return { req, res };
+}
+
+async function testKafkaTraceFlushIsNotBlockedForeverByActiveHttpRequest() {
+    const tracer = initReproTracing({ instrument: false, functionLogs: false });
+    const capturedBodies = [];
+    const originalFetch = global.fetch;
+    global.fetch = async (_url, init) => {
+        capturedBodies.push(JSON.parse(String(init?.body ?? '{}')));
+        return { ok: true };
+    };
+
+    const cfg = {
+        tenantId: 'TENANT_test',
+        appId: 'APP_test',
+        appSecret: 'secret',
+        captureHeaders: false,
+        privacy: { environment: 'dev' },
+        ingestBase: 'http://127.0.0.1:65535',
+    };
+    const { req, res } = makeOpenTaggedReqRes('S_stuck_http', 'A_stuck_http');
+
+    try {
+        await new Promise((resolve, reject) => {
+            void reproMiddleware(cfg)(req, res, (err) => {
+                if (err) reject(err);
+                else resolve();
+            });
+        });
+
+        const wrapped = __reproTestHooks.wrapKafkaEachMessageHandlerForTest(
+            async () => {
+                tracer.tracer.enter('backgroundConsumerWork', { file: '/app/consumer.ts', line: 30 }, { args: ['ok'] });
+                tracer.tracer.exit(
+                    { fn: 'backgroundConsumerWork', file: '/app/consumer.ts', line: 30 },
+                    { returnValue: 'done' },
+                );
+            },
+            cfg,
+            { __repro_group_id: 'group-a' },
+        );
+
+        await wrapped({
+            topic: 'privacy-lab.events',
+            partition: 0,
+            message: {
+                offset: '43',
+                timestamp: '1778965503963',
+                key: Buffer.from('case-2'),
+                value: Buffer.from('hello'),
+                headers: {
+                    'x-bug-session-id': Buffer.from('S_kafka_background_flush'),
+                    'x-bug-action-id': Buffer.from('A_kafka_background_flush'),
+                },
+            },
+        });
+
+        await waitFor(() => capturedBodies.some((body) => {
+            const events = Array.isArray(body.events) ? body.events : [];
+            return events.some((event) => {
+                if (event.event_type !== 'trace_batch') return false;
+                const trace = Array.isArray(event.payload?.trace) ? event.payload.trace : [];
+                return trace.some((traceEvent) => traceEvent.fn === 'backgroundConsumerWork');
+            });
+        }));
+    } finally {
+        res.emit('close');
+        await sleep(100);
+        await flushIngestQueue();
+        global.fetch = originalFetch;
+    }
+}
+
+async function testLargeHttpResponseBodyIsCapturedWithoutDroppingRequest() {
+    const marker = 'OVERSIZED_HTTP_RESPONSE_MARKER';
+    const capturedBodies = [];
+    const originalFetch = global.fetch;
+    global.fetch = async (_url, init) => {
+        capturedBodies.push(JSON.parse(String(init?.body ?? '{}')));
+        return { ok: true };
+    };
+
+    const cfg = {
+        tenantId: 'TENANT_test',
+        appId: 'APP_test',
+        appSecret: 'secret',
+        captureHeaders: false,
+        privacy: { environment: 'dev' },
+        ingestBase: 'http://127.0.0.1:65535',
+    };
+    const { req, res } = makeOpenTaggedReqRes('S_large_response', 'A_large_response');
+    req.url = '/large-response';
+
+    try {
+        await new Promise((resolve, reject) => {
+            void reproMiddleware(cfg)(req, res, (err) => {
+                if (err) reject(err);
+                else resolve();
+            });
+        });
+        res.json({
+            ok: true,
+            payload: `${marker}:${'x'.repeat(12 * 1024)}`,
+        });
+
+        await waitFor(() => capturedBodies.some((body) => {
+            const text = JSON.stringify(body);
+            return text.includes('"event_type":"backend_request"') &&
+                text.includes(marker);
+        }));
+        const text = JSON.stringify(capturedBodies);
+        assert(text.includes(marker), text);
+        assert(!text.includes('respBodyMaterialization'), text);
+        assert(!text.includes('inline_value_omitted_too_large'), text);
+        assertNoLargeJsonPreviewArtifacts(capturedBodies);
+    } finally {
+        await flushIngestQueue();
+        global.fetch = originalFetch;
+    }
+}
+
+async function testKafkaProducerCapturesFullPublishedMessageValue() {
+    const capturedBodies = [];
+    const originalFetch = global.fetch;
+    global.fetch = async (_url, init) => {
+        capturedBodies.push(JSON.parse(String(init?.body ?? '{}')));
+        return { ok: true };
+    };
+
+    try {
+        const cfg = {
+            tenantId: 'TENANT_test',
+            appId: 'APP_test',
+            appSecret: 'secret',
+            captureHeaders: false,
+            privacy: { environment: 'dev' },
+            ingestBase: 'http://127.0.0.1:65535',
+            resolveContext: () => ({ sid: 'S_kafka_publish', aid: 'A_kafka_publish' }),
+        };
+        const producer = {
+            async send(payload) {
+                return [{ topicName: payload.topic, partition: 0, baseOffset: '12', errorCode: 0 }];
+            },
+        };
+        __reproTestHooks.patchKafkaProducerInstanceForTest(producer, cfg);
+
+        await producer.send({
+            topic: 'privacy-lab.events',
+            messages: [
+                {
+                    key: Buffer.from('case-published'),
+                    value: Buffer.from(JSON.stringify({
+                        eventId: 'evt-kafka-published',
+                        payload: {
+                            marker: 'FULL_KAFKA_PUBLISHED_VALUE_MARKER',
+                            repeated: 'y'.repeat(12 * 1024),
+                        },
+                    })),
+                },
+            ],
+        });
+
+        await waitFor(() => capturedBodies.some((body) => {
+            const text = JSON.stringify(body);
+            return text.includes('"event_type":"backend_request"') &&
+                text.includes('FULL_KAFKA_PUBLISHED_VALUE_MARKER');
+        }));
+        await flushIngestQueue();
+
+        const events = capturedBodies.flatMap((body) => Array.isArray(body.events) ? body.events : []);
+        const publishRequest = events.find((event) => event.event_type === 'backend_request');
+        assert(publishRequest, 'expected Kafka publish request event');
+        const message = publishRequest.payload.request.body.messages[0];
+        assert.strictEqual(message.key, 'case-published');
+        assert.strictEqual(message.value.eventId, 'evt-kafka-published');
+        assert.strictEqual(message.value.payload.marker, 'FULL_KAFKA_PUBLISHED_VALUE_MARKER');
+        assert.strictEqual(message.value.payload.repeated, 'y'.repeat(12 * 1024));
+        assert(message.rawValue.includes('FULL_KAFKA_PUBLISHED_VALUE_MARKER'));
+        assertNoLargeJsonPreviewArtifacts(publishRequest.payload.request.body);
+    } finally {
+        await flushIngestQueue();
+        global.fetch = originalFetch;
+    }
+}
+
+function assertNoLargeJsonPreviewArtifacts(value) {
+    const text = JSON.stringify(value);
+    assert(!text.includes('__type":"json-string'), text);
+    assert(!text.includes('__truncatedKeys'), text);
+    assert(!text.includes('__truncatedItems'), text);
+    assert(!text.includes('__truncatedEntries'), text);
+    assert(!text.includes('"__truncated"'), text);
+    assert(!text.includes('more chars'), text);
+    assert(!text.includes('more items'), text);
+    assert(!text.includes('Materialization'), text);
+    assert(!text.includes('ValueCapture'), text);
+}
+
+function assertJsonBuiltinPayloadOmitted(event) {
+    assert.strictEqual(event.args, undefined, JSON.stringify(event));
+    assert.strictEqual(event.returnValue, undefined, JSON.stringify(event));
+    assert.strictEqual(event.argsMaterialization, undefined, JSON.stringify(event));
+    assert.strictEqual(event.returnValueMaterialization, undefined, JSON.stringify(event));
+    assert.strictEqual(event.argsValueCapture, undefined, JSON.stringify(event));
+    assert.strictEqual(event.returnValueCapture, undefined, JSON.stringify(event));
+}
+
+async function testJsonBuiltinTracePayloadsAreOmitted() {
     const largeJson = JSON.stringify({
         eventId: 'evt-large',
         eventType: 'privacy-lab.case.observed',
+        wideObject: Object.fromEntries(Array.from({ length: 30 }, (_, index) => [`k${index}`, `v${index}`])),
         providerResponse: {
             credentials: {
-                apiKey: secret,
-                webhookSecret: 'whsec_large_preview_secret',
+                apiKey: 'not-a-real-key-for-test',
+                webhookSecret: 'not-a-real-webhook-secret-for-test',
             },
-            rawNarrative: `large narrative ${'x'.repeat(9000)}`,
+            rawNarrative: `large narrative ${'x'.repeat(2500)}`,
         },
         structuredSnapshot: {
             subject: {
@@ -242,12 +487,29 @@ async function testOversizedKafkaTraceArgsKeepBoundedPreview() {
     );
 
     assert.strictEqual(parseSink.length, 1);
-    assert(parseSink[0].args, 'expected oversized JSON.parse args to keep a bounded preview');
-    assert.strictEqual(parseSink[0].args[0].__type, 'json-string');
-    assert(parseSink[0].args[0].parsed.providerResponse, JSON.stringify(parseSink[0].args[0]));
-    assert.strictEqual(parseSink[0].argsMaterialization.reason, 'inline_value_too_large');
-    assert.strictEqual(parseSink[0].argsMaterialization.preview, 'bounded');
-    assert(!JSON.stringify(parseSink[0]).includes(secret), JSON.stringify(parseSink[0]));
+    assert.strictEqual(parseSink[0].fn, 'JSON.parse');
+    assertJsonBuiltinPayloadOmitted(parseSink[0]);
+    assertNoLargeJsonPreviewArtifacts(parseSink[0]);
+
+    const stringifySink = [];
+    await __reproTestHooks.recordKafkaTraceEventAsyncForTest(
+        {
+            type: 'exit',
+            fn: 'JSON.stringify',
+            file: '/app/privacy-lab-drills.service.ts',
+            line: 79,
+            args: [envelope],
+            returnValue: largeJson,
+        },
+        stringifySink,
+        cfg,
+        maskReq,
+    );
+
+    assert.strictEqual(stringifySink.length, 1);
+    assert.strictEqual(stringifySink[0].fn, 'JSON.stringify');
+    assertJsonBuiltinPayloadOmitted(stringifySink[0]);
+    assertNoLargeJsonPreviewArtifacts(stringifySink[0]);
 
     const consumedSink = [];
     await __reproTestHooks.recordKafkaTraceEventAsyncForTest(
@@ -264,18 +526,189 @@ async function testOversizedKafkaTraceArgsKeepBoundedPreview() {
     );
 
     assert.strictEqual(consumedSink.length, 1);
-    assert(consumedSink[0].args, 'expected oversized recordConsumedEvent args to keep a bounded preview');
+    assert(consumedSink[0].args, 'expected recordConsumedEvent args to be captured normally');
+    assert.strictEqual(consumedSink[0].argsMaterialization, undefined);
     assert.strictEqual(consumedSink[0].args[1], 'privacy-lab-case');
+    assert.strictEqual(consumedSink[0].args[0].wideObject.k29, 'v29');
     assert(consumedSink[0].args[0].providerResponse, JSON.stringify(consumedSink[0].args[0]));
-    assert.strictEqual(consumedSink[0].args[2].__type, 'json-string');
-    assert.strictEqual(consumedSink[0].argsMaterialization.reason, 'inline_value_too_large');
-    assert(!JSON.stringify(consumedSink[0]).includes(secret), JSON.stringify(consumedSink[0]));
+    assert.strictEqual(typeof consumedSink[0].args[2], 'string');
+    const parsedConsumedRawMessage = JSON.parse(consumedSink[0].args[2]);
+    assert.strictEqual(parsedConsumedRawMessage.wideObject.k29, 'v29');
+    assert.strictEqual(parsedConsumedRawMessage.providerResponse.credentials.apiKey, '[dropped]');
+    assert.strictEqual(parsedConsumedRawMessage.providerResponse.credentials.webhookSecret, '[dropped]');
+    assert.strictEqual(parsedConsumedRawMessage.providerResponse.rawNarrative, envelope.providerResponse.rawNarrative);
+    assertNoLargeJsonPreviewArtifacts(consumedSink[0]);
+}
+
+async function testLargeStringTraceValuesAreCapturedInlineWithoutTruncation() {
+    const hugeMarker = 'HUGE_INLINE_VALUE_MARKER';
+    const hugeJson = JSON.stringify({
+        eventId: 'evt-huge',
+        eventType: 'privacy-lab.case.observed',
+        providerResponse: {
+            credentials: {
+                apiKey: 'not-a-real-key-for-huge-test',
+                webhookSecret: 'not-a-real-webhook-secret-for-huge-test',
+            },
+            rawNarrative: `${hugeMarker}:${'x'.repeat(140 * 1024)}`,
+        },
+    });
+    const cfg = {
+        tenantId: 'TENANT_test',
+        appId: 'APP_test',
+        appSecret: 'secret',
+        captureHeaders: false,
+        privacy: { environment: 'dev' },
+    };
+    const maskReq = {
+        method: 'KAFKA_CONSUME',
+        path: 'kafka://privacy-lab.events',
+        key: 'KAFKA_CONSUME privacy-lab.events',
+    };
+
+    const sink = [];
+    await __reproTestHooks.recordKafkaTraceEventAsyncForTest(
+        {
+            type: 'enter',
+            fn: 'parseGatewayPayload',
+            file: '/app/privacy-lab-drills.service.ts',
+            line: 77,
+            args: [hugeJson],
+        },
+        sink,
+        cfg,
+        maskReq,
+    );
+
+    assert.strictEqual(sink.length, 1);
+    assert.strictEqual(sink[0].fn, 'parseGatewayPayload');
+    assert.strictEqual(typeof sink[0].args[0], 'string');
+    assert(sink[0].args[0].includes(hugeMarker), JSON.stringify(sink[0]));
+    assert(sink[0].args[0].includes('x'.repeat(140 * 1024)), JSON.stringify(sink[0]));
+    assert.strictEqual(sink[0].argsMaterialization, undefined, JSON.stringify(sink[0]));
+    assert.strictEqual(sink[0].argsValueCapture, undefined, JSON.stringify(sink[0]));
+    assertNoLargeJsonPreviewArtifacts(sink[0]);
+}
+
+async function testLargeStructuredTraceValuesAreCapturedInlineWithoutTruncation() {
+    const hugeMarker = 'HUGE_STRUCTURED_TRACE_VALUE_MARKER';
+    const hugeEnvelope = {
+        eventId: 'evt-huge-structured',
+        eventType: 'privacy-lab.case.observed',
+        providerResponse: {
+            credentials: {
+                apiKey: 'not-a-real-key-for-structured-test',
+                webhookSecret: 'not-a-real-webhook-secret-for-structured-test',
+            },
+            rawNarrative: `${hugeMarker}:${'x'.repeat(40 * 1024)}`,
+        },
+        structuredSnapshot: {
+            subject: {
+                email: 'avery.debugson@example.com',
+            },
+        },
+    };
+    const cfg = {
+        tenantId: 'TENANT_test',
+        appId: 'APP_test',
+        appSecret: 'secret',
+        captureHeaders: false,
+        privacy: { environment: 'dev' },
+    };
+    const maskReq = {
+        method: 'KAFKA_CONSUME',
+        path: 'kafka://privacy-lab.events',
+        key: 'KAFKA_CONSUME privacy-lab.events',
+    };
+
+    const sink = [];
+    await __reproTestHooks.recordKafkaTraceEventAsyncForTest(
+        {
+            type: 'enter',
+            fn: 'recordConsumedEvent',
+            file: '/app/privacy-lab-drills.service.ts',
+            line: 78,
+            args: [hugeEnvelope, 'privacy-lab-case', JSON.stringify(hugeEnvelope)],
+        },
+        sink,
+        cfg,
+        maskReq,
+    );
+
+    assert.strictEqual(sink.length, 1);
+    assert.strictEqual(sink[0].fn, 'recordConsumedEvent');
+    assert(sink[0].args, 'expected args to be stored inline');
+    assert.strictEqual(sink[0].args[0].providerResponse.rawNarrative, `${hugeMarker}:${'x'.repeat(40 * 1024)}`);
+    assert.strictEqual(typeof sink[0].args[2], 'string');
+    const parsedRawArg = JSON.parse(sink[0].args[2]);
+    assert.strictEqual(parsedRawArg.providerResponse.rawNarrative, `${hugeMarker}:${'x'.repeat(40 * 1024)}`);
+    assert.strictEqual(parsedRawArg.providerResponse.credentials.apiKey, '[dropped]');
+    assert.strictEqual(parsedRawArg.providerResponse.credentials.webhookSecret, '[dropped]');
+    assert.strictEqual(sink[0].argsMaterialization, undefined, JSON.stringify(sink[0]));
+    assert.strictEqual(sink[0].argsValueCapture, undefined, JSON.stringify(sink[0]));
+    assertNoLargeJsonPreviewArtifacts(sink[0]);
+}
+
+async function testLargeTraceReturnValueIsCapturedInlineWithoutTruncation() {
+    const hugeMarker = 'HUGE_STRUCTURED_TRACE_RETURN_MARKER';
+    const hugeResponse = {
+        id: 'drill-1',
+        structuredSnapshot: {
+            credentials: {
+                apiKey: 'not-a-real-key-for-return-test',
+                bearerToken: 'Bearer not-a-real-token-for-return-test',
+                webhookSecret: 'not-a-real-webhook-secret-for-return-test',
+                connectionString: 'postgres://user:password@example.test:5432/app',
+            },
+            payload: `${hugeMarker}:${'x'.repeat(40 * 1024)}`,
+        },
+    };
+    const cfg = {
+        tenantId: 'TENANT_test',
+        appId: 'APP_test',
+        appSecret: 'secret',
+        captureHeaders: false,
+        privacy: { environment: 'dev' },
+    };
+    const maskReq = {
+        method: 'POST',
+        path: '/api/privacy-lab-drills/run',
+        key: 'POST /api/privacy-lab-drills/run',
+    };
+
+    const sink = [];
+    await __reproTestHooks.recordKafkaTraceEventAsyncForTest(
+        {
+            type: 'exit',
+            fn: 'toDrillResponse',
+            file: '/app/privacy-lab-drills.service.ts',
+            line: 210,
+            returnValue: hugeResponse,
+        },
+        sink,
+        cfg,
+        maskReq,
+    );
+
+    assert.strictEqual(sink.length, 1);
+    assert.strictEqual(sink[0].fn, 'toDrillResponse');
+    assert(sink[0].returnValue, 'expected return value to be stored inline');
+    assert.strictEqual(sink[0].returnValue.structuredSnapshot.payload, `${hugeMarker}:${'x'.repeat(40 * 1024)}`);
+    assert.strictEqual(sink[0].returnValueMaterialization, undefined, JSON.stringify(sink[0]));
+    assert.strictEqual(sink[0].returnValueCapture, undefined, JSON.stringify(sink[0]));
+    assertNoLargeJsonPreviewArtifacts(sink[0]);
 }
 
 async function main() {
     await testKafkaIntegrationConfigUsesStartupLoadedPrivacyPolicy();
     await testKafkaConsumerTraceUsesConsumeTraceId();
-    await testOversizedKafkaTraceArgsKeepBoundedPreview();
+    await testKafkaProducerCapturesFullPublishedMessageValue();
+    await testKafkaTraceFlushIsNotBlockedForeverByActiveHttpRequest();
+    await testLargeHttpResponseBodyIsCapturedWithoutDroppingRequest();
+    await testJsonBuiltinTracePayloadsAreOmitted();
+    await testLargeStringTraceValuesAreCapturedInlineWithoutTruncation();
+    await testLargeStructuredTraceValuesAreCapturedInlineWithoutTruncation();
+    await testLargeTraceReturnValueIsCapturedInlineWithoutTruncation();
     console.log('kafka runtime privacy policy wiring OK');
 }
 

package/test/runtime-privacy-materialization.test.js

@@ -0,0 +1,76 @@
+const assert = require('node:assert');
+const { __reproTestHooks } = require('../dist/index.js');
+
+async function withTimeout(promise, ms) {
+    let timeout;
+    try {
+        return await Promise.race([
+            promise,
+            new Promise((_, reject) => {
+                timeout = setTimeout(() => reject(new Error(`timed out after ${ms}ms`)), ms);
+            }),
+        ]);
+    } finally {
+        if (timeout) clearTimeout(timeout);
+    }
+}
+
+async function main() {
+    const mongooseLikeDoc = {
+        $__: {},
+        toObject() {
+            return {
+                _id: '6a0e53c8aba8240c69b27d7b',
+                caseId: 'privacy-lab-debug-root',
+                payload: {
+                    rawMessage: '{"eventType":"privacy-lab.case.observed"}',
+                    nested: {
+                        reviewerEmail: 'privacy.operator@example.com',
+                    },
+                },
+            };
+        },
+    };
+    mongooseLikeDoc.$__.owner = mongooseLikeDoc;
+    mongooseLikeDoc.$__.cache = {
+        veryLargeInternalValue: 'x'.repeat(10000),
+    };
+
+    const materialized = await withTimeout(
+        __reproTestHooks.materializeInlinePrivacyValueAsyncForTest(
+            'db.query',
+            {
+                op: 'insertOne',
+                doc: mongooseLikeDoc,
+            },
+            {
+                appId: 'APP_test',
+                appSecret: 'secret',
+                tenantId: 'TENANT_test',
+            },
+            {
+                method: 'POST',
+                path: '/api/privacy-lab-drills/run',
+                key: 'POST /api/privacy-lab-drills/run',
+            },
+            null,
+            null,
+            null,
+        ),
+        1000,
+    );
+
+    assert.strictEqual(materialized.skipped, undefined);
+    assert.strictEqual(materialized.value.doc.$__, undefined);
+    assert.strictEqual(materialized.value.doc.caseId, 'privacy-lab-debug-root');
+    assert.strictEqual(materialized.value.doc.payload.rawMessage, '{"eventType":"privacy-lab.case.observed"}');
+    assert.match(materialized.value.doc.payload.nested.reviewerEmail, /^email_tok_[a-f0-9]+$/);
+    assert.deepStrictEqual(Object.keys(materialized.value.doc).sort(), ['_id', 'caseId', 'payload']);
+
+    console.log('runtime privacy materialization OK');
+}
+
+main().catch((error) => {
+    console.error(error);
+    process.exit(1);
+});