@runtime-digital-twin/sdk 1.0.0 → 1.0.2

package/LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2025-2026 Wraith On-Call Engineer Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

package/README.md

@@ -209,6 +209,21 @@ import {
 
 See the [Quickstart Guide](../../QUICKSTART.md) for complete examples.
 
+## Changelog
+
+### v1.1.0
+- Enhanced trace upload with automatic retry
+- Improved CORS support for browser-based services
+- Better error handling and logging
+- Support for demo mode autofix integration
+
+### v1.0.0
+- Initial release
+- Fastify tracing plugin
+- Database query capture
+- HTTP client wrapping
+- Trace bundle writing
+
 ## License
 
 MIT

package/dist/http-wrapper.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"http-wrapper.d.ts","sourceRoot":"","sources":["../src/http-wrapper.ts"],"names":[],"mappings":"AAwBA;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,MAAM,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAAC,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;CAAE,GAAG,IAAI,EACvI,MAAM,EAAE,MAAM,GAAG,IAAI,QAQtB;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI;IACjC,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAAC,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;KAAE,GAAG,IAAI,CAAC;IACxI,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAMA;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,aAAa,EAAE,OAAO,KAAK,GAAG,OAAO,KAAK,CA2dnE"}
+{"version":3,"file":"http-wrapper.d.ts","sourceRoot":"","sources":["../src/http-wrapper.ts"],"names":[],"mappings":"AAwBA;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,MAAM,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAAC,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;CAAE,GAAG,IAAI,EACvI,MAAM,EAAE,MAAM,GAAG,IAAI,QAQtB;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI;IACjC,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAAC,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;KAAE,GAAG,IAAI,CAAC;IACxI,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAMA;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,aAAa,EAAE,OAAO,KAAK,GAAG,OAAO,KAAK,CA0gBnE"}

package/dist/http-wrapper.js

@@ -64,10 +64,53 @@ function wrapFetch(originalFetch) {
                     // - If peerService is null → route to mock server (stub)
                     if (peerService) {
                         if (subgraphServices.includes(peerService)) {
-                            // Call is to a service in subgraph - should route to actual service
-                            // TODO: Implement actual service routing (requires service discovery/URL mapping)
-                            // For now, route to mock server as fallback
-                            shouldRouteToMock = true;
+                            // Call is to a service in subgraph - route to actual service
+                            // Check for service URL mapping via environment variables
+                            const serviceUrlEnv = process.env[`${peerService.toUpperCase().replace(/-/g, '_')}_URL`];
+                            const serviceUrls = process.env.SERVICE_URLS || '';
+                            // Parse SERVICE_URLS: "service-a:http://localhost:3001,service-b:http://localhost:3002"
+                            // Note: Split on first ':' only to handle URLs with colons
+                            const urlMap = new Map();
+                            if (serviceUrls) {
+                                for (const mapping of serviceUrls.split(',')) {
+                                    const colonIndex = mapping.indexOf(':');
+                                    if (colonIndex > 0) {
+                                        const service = mapping.substring(0, colonIndex).trim();
+                                        const url = mapping.substring(colonIndex + 1).trim();
+                                        if (service && url) {
+                                            urlMap.set(service, url);
+                                        }
+                                    }
+                                }
+                            }
+                            const serviceUrl = serviceUrlEnv || urlMap.get(peerService);
+                            if (serviceUrl) {
+                                // Route to actual service
+                                try {
+                                    const path = urlObj.pathname + urlObj.search;
+                                    const fullUrl = new URL(path, serviceUrl).toString();
+                                    // Get trace context for propagation
+                                    const { bundle, spanId } = getTraceContext();
+                                    // Make request to actual service with trace headers
+                                    const enhancedInit = {
+                                        ...init,
+                                        headers: {
+                                            ...(init?.headers || {}),
+                                            ...(bundle?.traceId ? { 'x-trace-id': bundle.traceId } : {}),
+                                            ...(spanId ? { 'x-span-id': spanId } : {}),
+                                        },
+                                    };
+                                    return await originalFetch(fullUrl, enhancedInit);
+                                }
+                                catch (error) {
+                                    console.warn(`[SDK] Failed to route to ${peerService}: ${error}`);
+                                    shouldRouteToMock = true;
+                                }
+                            }
+                            else {
+                                // No service URL configured, route to mock
+                                shouldRouteToMock = true;
+                            }
                         }
                         else if (stubServices.includes(peerService)) {
                             // Call is to a stubbed service - route to mock server

package/dist/redaction.d.ts

@@ -55,6 +55,7 @@ export declare function createRedactedValue(originalValue: string, includeHash?:
 export declare function loadRedactionConfig(configPath?: string): RedactionConfig;
 /**
  * Set global redaction config
+ * SECURITY: Redaction cannot be disabled - any attempt to set enabled: false will throw an error
  */
 export declare function setRedactionConfig(config: Partial<RedactionConfig>): void;
 /**
@@ -63,38 +64,47 @@ export declare function setRedactionConfig(config: Partial<RedactionConfig>): vo
 export declare function getRedactionConfig(): RedactionConfig;
 /**
  * Reset redaction config to defaults
+ * SECURITY: Always ensures enabled = true
  */
 export declare function resetRedactionConfig(): void;
 /**
  * Check if a header name should be redacted
+ * SECURITY: Redaction is always enabled - enabled check removed for enforcement
  */
 export declare function shouldRedactHeader(headerName: string): boolean;
 /**
  * Check if a query param should be redacted
+ * SECURITY: Redaction is always enabled - enabled check removed for enforcement
  */
 export declare function shouldRedactQueryParam(paramName: string): boolean;
 /**
  * Redact headers in a headers object
+ * SECURITY: Redaction is always enforced - enabled check removed
  */
 export declare function redactHeaders(headers: Record<string, string | string[] | undefined>): Record<string, string | string[] | undefined>;
 /**
  * Redact query parameters
+ * SECURITY: Redaction is always enforced - enabled check removed
  */
 export declare function redactQueryParams(query: Record<string, any>): Record<string, any>;
 /**
  * Redact sensitive fields from a body object (recursive)
+ * SECURITY: Redaction is always enforced - enabled check removed
  */
 export declare function redactBodyObject(body: any): any;
 /**
  * Redact patterns from a body string
+ * SECURITY: Redaction is always enforced - enabled check removed
  */
 export declare function redactBodyPatterns(body: string): string;
 /**
  * Redact a body (handles both string and object)
+ * SECURITY: Redaction is always enforced - enabled check removed
  */
 export declare function redactBody(body: string | object | null | undefined): string | object | null | undefined;
 /**
  * Redact a URL (query params)
+ * SECURITY: Redaction is always enforced - enabled check removed
  */
 export declare function redactUrl(url: string): string;
 /**

package/dist/redaction.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"redaction.d.ts","sourceRoot":"","sources":["../src/redaction.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH;;GAEG;AACH,MAAM,MAAM,iBAAiB,GACzB,QAAQ,GACR,YAAY,GACZ,cAAc,GACd,aAAa,CAAC;AAElB;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,iBAAiB,CAAC;IACxB,oDAAoD;IACpD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,oDAAoD;IACpD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,qDAAqD;IACrD,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,+CAA+C;IAC/C,OAAO,EAAE,OAAO,CAAC;IACjB,sCAAsC;IACtC,KAAK,EAAE,aAAa,EAAE,CAAC;IACvB,sCAAsC;IACtC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,iEAAiE;IACjE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAkJD;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,MAAM,EACb,IAAI,GAAE,MAAoC,GACzC,MAAM,CAMR;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,aAAa,EAAE,MAAM,EACrB,WAAW,GAAE,OAAc,EAC3B,IAAI,CAAC,EAAE,MAAM,GACZ,MAAM,CAMR;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,eAAe,CAwCxE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG,IAAI,CAQzE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,eAAe,CAEpD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAiB9D;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAiBjE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,GACrD,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAwB/C;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GACzB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAsBrB;AAsBD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,GAAG,GAAG,GAAG,CAkC/C;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAwBvD;AAED;;GAEG;AACH,wBAAgB,UAAU,CACxB,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,GACvC,MAAM,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,CA6BpC;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CA6B7C;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAYhE;AAED;;GAEG;AACH,eAAO,MAAM,iBAAiB,UAA4B,CAAC;AAC3D,eAAO,MAAM,sBAAsB,UAAiC,CAAC;AACrE,eAAO,MAAM,qBAAqB,UAAgC,CAAC"}
+{"version":3,"file":"redaction.d.ts","sourceRoot":"","sources":["../src/redaction.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH;;GAEG;AACH,MAAM,MAAM,iBAAiB,GACzB,QAAQ,GACR,YAAY,GACZ,cAAc,GACd,aAAa,CAAC;AAElB;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,iBAAiB,CAAC;IACxB,oDAAoD;IACpD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,oDAAoD;IACpD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,qDAAqD;IACrD,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,+CAA+C;IAC/C,OAAO,EAAE,OAAO,CAAC;IACjB,sCAAsC;IACtC,KAAK,EAAE,aAAa,EAAE,CAAC;IACvB,sCAAsC;IACtC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,iEAAiE;IACjE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAoOD;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,MAAM,EACb,IAAI,GAAE,MAAoC,GACzC,MAAM,CAMR;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,aAAa,EAAE,MAAM,EACrB,WAAW,GAAE,OAAc,EAC3B,IAAI,CAAC,EAAE,MAAM,GACZ,MAAM,CAMR;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,eAAe,CAiDxE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG,IAAI,CAiBzE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,eAAe,CAEpD;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAM3C;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAkB9D;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAkBjE;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,GACrD,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAyB/C;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GACzB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAuBrB;AAsBD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,GAAG,GAAG,GAAG,CAmC/C;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAyBvD;AAED;;;GAGG;AACH,wBAAgB,UAAU,CACxB,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,GACvC,MAAM,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,CA8BpC;AAED;;;GAGG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CA8B7C;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAYhE;AAED;;GAEG;AACH,eAAO,MAAM,iBAAiB,UAA4B,CAAC;AAC3D,eAAO,MAAM,sBAAsB,UAAiC,CAAC;AACrE,eAAO,MAAM,qBAAqB,UAAgC,CAAC"}

package/dist/redaction.js

@@ -66,8 +66,10 @@ const DEFAULT_SENSITIVE_QUERY_PARAMS = [
 ];
 /**
  * Default sensitive body field names (case-insensitive)
+ * Includes PII (Personally Identifiable Information) fields for GDPR/compliance
  */
 const DEFAULT_SENSITIVE_BODY_FIELDS = [
+    // Authentication & Secrets
     "password",
     "passwd",
     "pwd",
@@ -84,20 +86,86 @@ const DEFAULT_SENSITIVE_BODY_FIELDS = [
     "secretKey",
     "client_secret",
     "clientSecret",
-    "ssn",
-    "social_security",
+    "pin",
+    // Financial Information
     "credit_card",
     "creditCard",
     "card_number",
     "cardNumber",
     "cvv",
     "cvc",
-    "pin",
+    "bank_account",
+    "bankAccount",
+    "routing_number",
+    "routingNumber",
+    // PII - Personal Identifiers
+    "ssn",
+    "social_security",
+    "social_security_number",
+    "tax_id",
+    "taxId",
+    "driver_license",
+    "driverLicense",
+    "passport",
+    "national_id",
+    "nationalId",
+    // PII - Contact Information
+    "email",
+    "email_address",
+    "emailAddress",
+    "phone",
+    "phone_number",
+    "phoneNumber",
+    "mobile",
+    "mobile_number",
+    "mobileNumber",
+    "telephone",
+    "address",
+    "street_address",
+    "streetAddress",
+    "home_address",
+    "homeAddress",
+    "billing_address",
+    "billingAddress",
+    "shipping_address",
+    "shippingAddress",
+    // PII - Personal Details
+    "first_name",
+    "firstName",
+    "last_name",
+    "lastName",
+    "full_name",
+    "fullName",
+    "name",
+    "date_of_birth",
+    "dateOfBirth",
+    "dob",
+    "birth_date",
+    "birthDate",
+    "age",
+    "gender",
+    "race",
+    "ethnicity",
+    // PII - Location
+    "city",
+    "state",
+    "province",
+    "zip",
+    "zip_code",
+    "zipCode",
+    "postal_code",
+    "postalCode",
+    "country",
+    "latitude",
+    "longitude",
+    "coordinates",
 ];
 /**
  * Default body patterns to redact (regex)
+ * Includes PII pattern detection for comprehensive data protection
  */
 const DEFAULT_SENSITIVE_BODY_PATTERNS = [
+    // Authentication tokens
     // Bearer tokens
     /Bearer\s+[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]*/g,
     // JWT tokens
@@ -106,8 +174,21 @@ const DEFAULT_SENSITIVE_BODY_PATTERNS = [
     /(?:api[_-]?key|apikey)[=:]["']?[A-Za-z0-9\-_]{20,}["']?/gi,
     // AWS access keys
     /AKIA[0-9A-Z]{16}/g,
+    // Financial Information
     // Credit card numbers (basic pattern)
     /\b(?:\d{4}[- ]?){3}\d{4}\b/g,
+    // PII - Email addresses (pattern-based detection)
+    /\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\b/g,
+    // PII - Phone numbers (US and international formats)
+    /\b\+?[\d\s\-()]{10,}\b/g,
+    // PII - Social Security Numbers (US format)
+    /\b\d{3}-\d{2}-\d{4}\b/g,
+    /\b\d{9}\b/g, // 9 consecutive digits (potential SSN)
+    // PII - Dates that might be DOB (MM/DD/YYYY, YYYY-MM-DD, etc.)
+    /\b(0[1-9]|1[0-2])[\/\-](0[1-9]|[12]\d|3[01])[\/\-]\d{4}\b/g,
+    /\b\d{4}[\/\-](0[1-9]|1[0-2])[\/\-](0[1-9]|[12]\d|3[01])\b/g,
+    // PII - IP addresses (may contain sensitive location data)
+    /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
 ];
 /**
  * Build default redaction rules
@@ -150,11 +231,12 @@ function buildDefaultRules() {
 }
 /**
  * Default redaction configuration
+ * SECURITY: Redaction is ALWAYS enabled and cannot be disabled for compliance
  */
 const DEFAULT_CONFIG = {
-    enabled: true,
+    enabled: true, // Always true - cannot be changed
     rules: buildDefaultRules(),
-    hashSalt: "rdt-redaction-salt-v1",
+    hashSalt: process.env.REDACTION_SALT || process.env.REDACTION_HASH_SALT || "rdt-redaction-salt-v1",
 };
 /**
  * Global redaction config (can be overridden)
@@ -201,14 +283,20 @@ function loadRedactionConfig(configPath) {
                 if (config.redaction) {
                     const userConfig = config.redaction;
                     // Merge with defaults
+                    // SECURITY: Always enforce enabled = true, ignore user attempts to disable
                     const mergedConfig = {
-                        enabled: userConfig.enabled ?? true,
+                        enabled: true, // Always true - cannot be disabled
                         rules: userConfig.overrideDefaults
                             ? userConfig.rules || []
                             : [...buildDefaultRules(), ...(userConfig.rules || [])],
                         overrideDefaults: userConfig.overrideDefaults,
                         hashSalt: userConfig.hashSalt || DEFAULT_CONFIG.hashSalt,
                     };
+                    // Warn if user tried to disable redaction
+                    if (userConfig.enabled === false) {
+                        console.warn('[Redaction] Attempted to disable redaction in config file. ' +
+                            'Redaction is always enabled for security compliance. Ignoring enabled: false.');
+                    }
                     return mergedConfig;
                 }
             }
@@ -221,11 +309,18 @@ function loadRedactionConfig(configPath) {
 }
 /**
  * Set global redaction config
+ * SECURITY: Redaction cannot be disabled - any attempt to set enabled: false will throw an error
  */
 function setRedactionConfig(config) {
+    // SECURITY: Prevent disabling redaction for compliance
+    if (config.enabled === false) {
+        throw new Error('Redaction cannot be disabled for security and compliance requirements. ' +
+            'All sensitive data must be redacted before storage.');
+    }
     globalConfig = {
         ...DEFAULT_CONFIG,
         ...config,
+        enabled: true, // Always enforce enabled = true
         rules: config.overrideDefaults
             ? config.rules || []
             : [...buildDefaultRules(), ...(config.rules || [])],
@@ -239,16 +334,22 @@ function getRedactionConfig() {
 }
 /**
  * Reset redaction config to defaults
+ * SECURITY: Always ensures enabled = true
  */
 function resetRedactionConfig() {
-    globalConfig = { ...DEFAULT_CONFIG, rules: buildDefaultRules() };
+    globalConfig = {
+        ...DEFAULT_CONFIG,
+        enabled: true, // Always enforce enabled
+        rules: buildDefaultRules()
+    };
 }
 /**
  * Check if a header name should be redacted
+ * SECURITY: Redaction is always enabled - enabled check removed for enforcement
  */
 function shouldRedactHeader(headerName) {
-    if (!globalConfig.enabled)
-        return false;
+    // SECURITY: Redaction is always enabled - removed bypass check
+    // if (!globalConfig.enabled) return false; // REMOVED - cannot bypass
     const lowerName = headerName.toLowerCase();
     for (const rule of globalConfig.rules) {
         if (rule.type !== "header")
@@ -267,10 +368,11 @@ function shouldRedactHeader(headerName) {
 }
 /**
  * Check if a query param should be redacted
+ * SECURITY: Redaction is always enabled - enabled check removed for enforcement
  */
 function shouldRedactQueryParam(paramName) {
-    if (!globalConfig.enabled)
-        return false;
+    // SECURITY: Redaction is always enabled - removed bypass check
+    // if (!globalConfig.enabled) return false; // REMOVED - cannot bypass
     const lowerName = paramName.toLowerCase();
     for (const rule of globalConfig.rules) {
         if (rule.type !== "query_param")
@@ -289,10 +391,11 @@ function shouldRedactQueryParam(paramName) {
 }
 /**
  * Redact headers in a headers object
+ * SECURITY: Redaction is always enforced - enabled check removed
  */
 function redactHeaders(headers) {
-    if (!globalConfig.enabled)
-        return headers;
+    // SECURITY: Redaction is always enabled - removed bypass check
+    // if (!globalConfig.enabled) return headers; // REMOVED - cannot bypass
     const redacted = {};
     for (const [key, value] of Object.entries(headers)) {
         if (value === undefined) {
@@ -311,10 +414,11 @@ function redactHeaders(headers) {
 }
 /**
  * Redact query parameters
+ * SECURITY: Redaction is always enforced - enabled check removed
  */
 function redactQueryParams(query) {
-    if (!globalConfig.enabled)
-        return query;
+    // SECURITY: Redaction is always enabled - removed bypass check
+    // if (!globalConfig.enabled) return query; // REMOVED - cannot bypass
     const redacted = {};
     for (const [key, value] of Object.entries(query)) {
         if (shouldRedactQueryParam(key)) {
@@ -352,10 +456,11 @@ function shouldRedactBodyField(fieldName) {
 }
 /**
  * Redact sensitive fields from a body object (recursive)
+ * SECURITY: Redaction is always enforced - enabled check removed
  */
 function redactBodyObject(body) {
-    if (!globalConfig.enabled)
-        return body;
+    // SECURITY: Redaction is always enabled - removed bypass check
+    // if (!globalConfig.enabled) return body; // REMOVED - cannot bypass
     if (body === null || body === undefined) {
         return body;
     }
@@ -382,10 +487,11 @@ function redactBodyObject(body) {
 }
 /**
  * Redact patterns from a body string
+ * SECURITY: Redaction is always enforced - enabled check removed
  */
 function redactBodyPatterns(body) {
-    if (!globalConfig.enabled)
-        return body;
+    // SECURITY: Redaction is always enabled - removed bypass check
+    // if (!globalConfig.enabled) return body; // REMOVED - cannot bypass
     let result = body;
     for (const rule of globalConfig.rules) {
         if (rule.type !== "body_pattern" || !rule.pattern)
@@ -405,10 +511,11 @@ function redactBodyPatterns(body) {
 }
 /**
  * Redact a body (handles both string and object)
+ * SECURITY: Redaction is always enforced - enabled check removed
  */
 function redactBody(body) {
-    if (!globalConfig.enabled)
-        return body;
+    // SECURITY: Redaction is always enabled - removed bypass check
+    // if (!globalConfig.enabled) return body; // REMOVED - cannot bypass
     if (body === null || body === undefined) {
         return body;
     }
@@ -436,10 +543,11 @@ function redactBody(body) {
 }
 /**
  * Redact a URL (query params)
+ * SECURITY: Redaction is always enforced - enabled check removed
  */
 function redactUrl(url) {
-    if (!globalConfig.enabled)
-        return url;
+    // SECURITY: Redaction is always enabled - removed bypass check
+    // if (!globalConfig.enabled) return url; // REMOVED - cannot bypass
     try {
         const urlObj = new URL(url, "http://placeholder");
         const redactedParams = new URLSearchParams();

package/dist/trace-bundle-writer.d.ts

@@ -32,19 +32,17 @@ export declare function createTrace(options: CreateTraceOptions): Promise<TraceB
  * Helper to process body content and store as blob
  * Applies redaction to sensitive fields before storing
  * NOTE: Always stores bodies as blobs so they can be retrieved during replay
+ * SECURITY: Redaction is ALWAYS enforced - skipRedaction option removed
  */
-export declare function processBody(body: string | Buffer | object | null | undefined, writeBlobFn: (content: string | object) => Promise<string>, options?: {
-    skipRedaction?: boolean;
-}): Promise<{
+export declare function processBody(body: string | Buffer | object | null | undefined, writeBlobFn: (content: string | object) => Promise<string>): Promise<{
     bodyHash: string | null;
     bodyBlob: string | null;
 }>;
 /**
  * Filter headers based on allowlist and apply redaction
+ * SECURITY: Redaction is ALWAYS enforced - skipRedaction option removed
  */
-export declare function filterHeaders(headers: Record<string, string | string[] | undefined>, allowlist?: string[], options?: {
-    skipRedaction?: boolean;
-}): Record<string, string>;
+export declare function filterHeaders(headers: Record<string, string | string[] | undefined>, allowlist?: string[]): Record<string, string>;
 /**
  * Generate span ID (exported for use in middleware)
  */

package/dist/trace-bundle-writer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"trace-bundle-writer.d.ts","sourceRoot":"","sources":["../src/trace-bundle-writer.ts"],"names":[],"mappings":"AAYA,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,QAAQ,GAAG,QAAQ,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACzD,QAAQ,EAAE,CAAC,cAAc,CAAC,EAAE;QAC1B,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChC,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrB;AAED,OAAO,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AAM3D,OAAO,EAAE,4BAA4B,EAAE,CAAC;AAWxC;;GAEG;AACH,iBAAS,cAAc,IAAI,MAAM,CAEhC;AAgBD;;GAEG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,WAAW,CAAC,CAkLtB;AAED;;;;GAIG;AACH,wBAAgB,WAAW,CACzB,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,EACjD,WAAW,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,EAC1D,OAAO,CAAC,EAAE;IAAE,aAAa,CAAC,EAAE,OAAO,CAAA;CAAE,GACpC,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CAiC7D;AAEH;;GAEG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,EACtD,SAAS,CAAC,EAAE,MAAM,EAAE,EACpB,OAAO,CAAC,EAAE;IAAE,aAAa,CAAC,EAAE,OAAO,CAAA;CAAE,GACpC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAyCxB;AAED;;GAEG;AACH,OAAO,EAAE,cAAc,EAAE,CAAC"}
+{"version":3,"file":"trace-bundle-writer.d.ts","sourceRoot":"","sources":["../src/trace-bundle-writer.ts"],"names":[],"mappings":"AAYA,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,QAAQ,GAAG,QAAQ,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACzD,QAAQ,EAAE,CAAC,cAAc,CAAC,EAAE;QAC1B,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChC,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrB;AAED,OAAO,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AAM3D,OAAO,EAAE,4BAA4B,EAAE,CAAC;AAWxC;;GAEG;AACH,iBAAS,cAAc,IAAI,MAAM,CAEhC;AAgBD;;GAEG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,WAAW,CAAC,CAkLtB;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CACzB,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,EACjD,WAAW,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,GAEzD,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CA+B7D;AAEH;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,EACtD,SAAS,CAAC,EAAE,MAAM,EAAE,GAEnB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAqCxB;AAED;;GAEG;AACH,OAAO,EAAE,cAAc,EAAE,CAAC"}

package/dist/trace-bundle-writer.js

@@ -190,8 +190,11 @@ async function createTrace(options) {
  * Helper to process body content and store as blob
  * Applies redaction to sensitive fields before storing
  * NOTE: Always stores bodies as blobs so they can be retrieved during replay
+ * SECURITY: Redaction is ALWAYS enforced - skipRedaction option removed
  */
-function processBody(body, writeBlobFn, options) {
+function processBody(body, writeBlobFn
+// SECURITY: Removed skipRedaction option - redaction is always enforced
+) {
     if (!body) {
         return Promise.resolve({ bodyHash: null, bodyBlob: null });
     }
@@ -205,15 +208,13 @@ function processBody(body, writeBlobFn, options) {
     else {
         bodyStr = String(body);
     }
-    // Apply redaction unless explicitly skipped
-    if (!options?.skipRedaction) {
-        const redacted = (0, redaction_1.redactBody)(bodyStr);
-        if (typeof redacted === "string") {
-            bodyStr = redacted;
-        }
-        else if (redacted !== null && redacted !== undefined) {
-            bodyStr = JSON.stringify(redacted);
-        }
+    // SECURITY: Redaction is ALWAYS applied - no bypass option
+    const redacted = (0, redaction_1.redactBody)(bodyStr);
+    if (typeof redacted === "string") {
+        bodyStr = redacted;
+    }
+    else if (redacted !== null && redacted !== undefined) {
+        bodyStr = JSON.stringify(redacted);
     }
     const hash = computeHash(bodyStr);
     const hashFormatted = formatHash(hash);
@@ -226,8 +227,11 @@ function processBody(body, writeBlobFn, options) {
 }
 /**
  * Filter headers based on allowlist and apply redaction
+ * SECURITY: Redaction is ALWAYS enforced - skipRedaction option removed
  */
-function filterHeaders(headers, allowlist, options) {
+function filterHeaders(headers, allowlist
+// SECURITY: Removed skipRedaction option - redaction is always enforced
+) {
     if (!allowlist || allowlist.length === 0) {
         // Default allowlist: common headers that are safe to capture
         const defaultAllowlist = [
@@ -241,7 +245,7 @@ function filterHeaders(headers, allowlist, options) {
             "x-request-id",
             "x-correlation-id",
         ];
-        return filterHeaders(headers, defaultAllowlist, options);
+        return filterHeaders(headers, defaultAllowlist);
     }
     const filtered = {};
     const lowerAllowlist = allowlist.map((h) => h.toLowerCase());
@@ -252,16 +256,13 @@ function filterHeaders(headers, allowlist, options) {
             filtered[key] = Array.isArray(value) ? value.join(", ") : String(value);
         }
     }
-    // Apply redaction unless explicitly skipped
-    if (!options?.skipRedaction) {
-        const redacted = (0, redaction_1.redactHeaders)(filtered);
-        const result = {};
-        for (const [key, value] of Object.entries(redacted)) {
-            if (value !== undefined) {
-                result[key] = Array.isArray(value) ? value.join(", ") : String(value);
-            }
+    // SECURITY: Redaction is ALWAYS applied - no bypass option
+    const redacted = (0, redaction_1.redactHeaders)(filtered);
+    const result = {};
+    for (const [key, value] of Object.entries(redacted)) {
+        if (value !== undefined) {
+            result[key] = Array.isArray(value) ? value.join(", ") : String(value);
         }
-        return result;
     }
-    return filtered;
+    return result;
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@runtime-digital-twin/sdk",
-  "version": "1.0.0",
-  "description": "SDK for capturing runtime behavior - automatic incident response and debugging",
+  "version": "1.0.2",
+  "description": "SDK for capturing runtime behavior - automatic incident response and debugging with enhanced autofix support",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "exports": {
@@ -38,7 +38,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/your-org/WraithOnCallEngineer.git",
+    "url": "git+https://github.com/alakhanpal23/Wraith-2.git",
     "directory": "packages/sdk"
   },
   "keywords": [