@xera-ai/core 0.4.4 → 0.5.0

package/src/bin-internal/exec.ts

@@ -2,6 +2,7 @@ import { existsSync, mkdirSync } from 'node:fs';
 import { join } from 'node:path';
 import { chromium } from '@playwright/test';
 import { runAuthSetup, runPlaywright, stagePlaywrightState } from '@xera-ai/web';
+import { readMeta } from '../artifact/meta';
 import { generateRunId, resolveArtifactPaths } from '../artifact/paths';
 import { needsRefresh } from '../auth/refresh';
 import { readAuthState } from '../auth/state';
@@ -42,16 +43,48 @@ export async function execCmd(argv: string[]): Promise<number> {
 
   const t0 = Date.now();
   try {
+    const meta = readMeta(paths.metaPath);
+    const adapter = meta?.adapter ?? 'web';
+
+    if (adapter === 'http') {
+      if (!config.http) {
+        throw new Error('http adapter requires http config block');
+      }
+      const env = process.env['XERA_ENV'] ?? config.http.defaultEnv;
+      const { HttpAdapter } = await import('@xera-ai/http');
+      const result = await HttpAdapter.execute({
+        ticketDir: paths.ticketDir,
+        config,
+        runId,
+        env,
+      });
+      log.log({
+        step: 'exec.complete',
+        runId,
+        outcome: result.outcome,
+        elapsedMs: Date.now() - t0,
+      });
+      console.log(`[xera:exec] runId=${runId} outcome=${result.outcome}`);
+      // Exit 3 means "test failed" (expected vs infra error); lock released in finally
+      return result.outcome === 'PASS' ? 0 : 3;
+    }
+
+    // adapter === 'web' — existing path below unchanged
+    if (!config.web) {
+      throw new Error('web adapter requires web config block');
+    }
+    const webConfig = config.web;
+
     // Auth refresh per role declared in xera.config.ts
-    if (config.web.auth.strategy === 'storageState' && config.web.auth.setupScript) {
+    if (webConfig.auth.strategy === 'storageState' && webConfig.auth.setupScript) {
       const browser = await chromium.launch();
       try {
-        for (const [roleName, roleCreds] of Object.entries(config.web.auth.roles)) {
+        for (const [roleName, roleCreds] of Object.entries(webConfig.auth.roles)) {
           const entry = readAuthState(paths.authDir, roleName);
           if (
             needsRefresh(entry, {
-              ttl: config.web.auth.ttl,
-              refreshBuffer: config.web.auth.refreshBuffer,
+              ttl: webConfig.auth.ttl,
+              refreshBuffer: webConfig.auth.refreshBuffer,
             })
           ) {
             const email = process.env[roleCreds.envEmail];
@@ -65,7 +98,7 @@ export async function execCmd(argv: string[]): Promise<number> {
             await runAuthSetup({
               role: roleName,
               creds: { email, password },
-              setupScriptPath: join(cwd, config.web.auth.setupScript),
+              setupScriptPath: join(cwd, webConfig.auth.setupScript),
               authDir: paths.authDir,
               browser,
             });
@@ -80,8 +113,8 @@ export async function execCmd(argv: string[]): Promise<number> {
     // Stage Playwright storageState files at predictable paths
     // (.xera/.auth/.cache/<role>.json) — generated spec.ts references these
     // via test.use({ storageState }) when an authenticated session is needed.
-    if (config.web.auth.strategy === 'storageState') {
-      for (const roleName of Object.keys(config.web.auth.roles)) {
+    if (webConfig.auth.strategy === 'storageState') {
+      for (const roleName of Object.keys(webConfig.auth.roles)) {
         if (readAuthState(paths.authDir, roleName)) {
           stagePlaywrightState(paths.authDir, roleName);
         }
@@ -101,8 +134,8 @@ export async function execCmd(argv: string[]): Promise<number> {
     const runDir = paths.runPath(runId).runDir;
     mkdirSync(runDir, { recursive: true });
 
-    const envName = process.env.XERA_ENV ?? config.web.defaultEnv;
-    const baseURL = config.web.baseUrl[envName] ?? config.web.baseUrl[config.web.defaultEnv]!;
+    const envName = process.env.XERA_ENV ?? webConfig.defaultEnv;
+    const baseURL = webConfig.baseUrl[envName] ?? webConfig.baseUrl[webConfig.defaultEnv]!;
 
     const reportJsonPath = join(runDir, 'report.json');
 

package/src/bin-internal/graph-record.ts

@@ -261,6 +261,9 @@ export async function graphRecordCmd(argv: string[]): Promise<number> {
         'FLAKY',
         'PASS',
         'TEST_OUTDATED',
+        'CONTRACT_DRIFT',
+        'RATE_LIMITED',
+        'AUTH_EXPIRED',
       ];
       if (!validClass.includes(from) || !validClass.includes(to)) {
         console.error(

package/src/bin-internal/index.ts

@@ -1,3 +1,4 @@
+import { authSetupCmd } from './auth-setup';
 import { disputesCmd } from './disputes';
 import { doctorCmd } from './doctor';
 import { evalDeterministicCmd } from './eval-deterministic';
@@ -25,6 +26,7 @@ import { validateFeatureCmd } from './validate-feature';
 import { verifyPromptsCmd } from './verify-prompts';
 
 const COMMANDS: Record<string, (argv: string[]) => Promise<number>> = {
+  'auth-setup': authSetupCmd,
   disputes: disputesCmd,
   doctor: doctorCmd,
   'eval-deterministic': evalDeterministicCmd,

package/src/bin-internal/normalize.ts

@@ -1,6 +1,6 @@
 import { existsSync, readdirSync } from 'node:fs';
 import { join } from 'node:path';
-import { normalizeRun } from '@xera-ai/web';
+import { readMeta } from '../artifact/meta';
 import { resolveArtifactPaths } from '../artifact/paths';
 
 export async function normalizeCmd(argv: string[]): Promise<number> {
@@ -26,6 +26,18 @@ export async function normalizeCmd(argv: string[]): Promise<number> {
     console.error(`[xera:normalize] runs/${runId} missing`);
     return 1;
   }
+
+  const meta = readMeta(paths.metaPath);
+  const adapter = meta?.adapter ?? 'web';
+
+  if (adapter === 'http') {
+    const { normalizeHttpRun } = await import('@xera-ai/http');
+    await normalizeHttpRun({ runId, runDir });
+    console.log(`[xera:normalize] wrote normalized.json (http)`);
+    return 0;
+  }
+
+  const { normalizeRun } = await import('@xera-ai/web');
   const r = await normalizeRun({ runId, runDir });
   console.log(
     `[xera:normalize] wrote normalized.json (scrubbed_fields_count=${r.scrubbed_fields_count})`,

package/src/bin-internal/report.ts

@@ -1,8 +1,14 @@
 import { existsSync, readFileSync, writeFileSync } from 'node:fs';
 import { join } from 'node:path';
+import { readMeta } from '../artifact/meta';
 import { resolveArtifactPaths } from '../artifact/paths';
+import { readAuthState } from '../auth/state';
 import { aggregateScenarios } from '../classifier/aggregate';
+import { type AuthFileSummary, classifyAuthExpired } from '../classifier/auth-expired';
+import { classifyContractDrift } from '../classifier/contract-drift';
+import { classifyRateLimited } from '../classifier/rate-limited';
 import type { ScenarioClassification } from '../classifier/types';
+import { loadConfig } from '../config/load';
 import type { OutdatedDecision } from '../graph/classify';
 import { enhanceClassification } from '../graph/classify';
 import { deriveSnapshot, loadAllEvents } from '../graph/store';
@@ -22,10 +28,96 @@ export async function reportCmd(argv: string[]): Promise<number> {
     console.error('[xera:report] usage: report <TICKET> --input=<classifier-output.json>');
     return 1;
   }
-  const paths = resolveArtifactPaths(process.cwd(), ticket);
+  const cwd = process.cwd();
+  const paths = resolveArtifactPaths(cwd, ticket);
   const input = JSON.parse(readFileSync(inputArg.slice('--input='.length), 'utf8')) as ReportInput;
 
-  const aggregated = aggregateScenarios(input.scenarios);
+  // v0.7: apply deterministic HTTP classifier rules before aggregation.
+  // When adapter === 'http', scan normalized.json http.calls for rate-limit,
+  // auth-expired, and contract-drift signals and override failing scenario classes.
+  interface HttpRuleOverride {
+    class: ScenarioClassification['class'];
+    rationale: string;
+  }
+  let httpRuleOverride: HttpRuleOverride | null = null;
+
+  const meta = readMeta(paths.metaPath);
+  if (meta?.adapter === 'http') {
+    const config = await loadConfig(cwd);
+    if (config.http) {
+      const normalizedPath = join(paths.ticketDir, 'runs', input.runId, 'normalized.json');
+      if (existsSync(normalizedPath)) {
+        const norm = JSON.parse(readFileSync(normalizedPath, 'utf8')) as {
+          http?: {
+            calls?: Array<{ method: string; url: string; status: number; respBody?: unknown }>;
+          };
+        };
+        const calls = norm.http?.calls ?? [];
+
+        // RATE_LIMITED
+        const rate = classifyRateLimited({ calls });
+        if (rate) httpRuleOverride = rate;
+
+        // AUTH_EXPIRED — needs auth files
+        if (!httpRuleOverride) {
+          const authFiles: Record<string, AuthFileSummary> = {};
+          const httpAuthDir = join(cwd, '.xera', '.auth', 'http');
+          for (const role of Object.keys(config.http.auth.roles)) {
+            const entry = readAuthState(httpAuthDir, role);
+            if (entry) {
+              const p = entry.payload as {
+                token: string;
+                type: 'bearer' | 'apiKey' | 'basic' | 'cookie';
+              };
+              if (typeof p.token === 'string' && typeof p.type === 'string') {
+                authFiles[role] = {
+                  token: p.token,
+                  type: p.type as AuthFileSummary['type'],
+                  expires_at: entry.expires_at,
+                };
+              }
+            }
+          }
+          const authExp = classifyAuthExpired({ calls, authFiles });
+          if (authExp) httpRuleOverride = authExp;
+        }
+
+        // CONTRACT_DRIFT — needs openapi
+        if (!httpRuleOverride && config.http.spec) {
+          const { loadOpenApi } = await import('@xera-ai/http');
+          const openapi = await loadOpenApi(config.http.spec);
+          if (openapi) {
+            const drift = classifyContractDrift({
+              calls: calls.map((c) => ({
+                method: c.method,
+                url: c.url,
+                status: c.status,
+                respBody: c.respBody,
+              })),
+              openapi,
+            });
+            if (drift) httpRuleOverride = drift;
+          }
+        }
+      }
+    }
+  }
+
+  // Apply override: if a deterministic rule fired, stamp every FAIL scenario with it.
+  const scenariosForAggregation: ScenarioClassification[] = httpRuleOverride
+    ? input.scenarios.map((s) =>
+        s.outcome === 'FAIL'
+          ? {
+              ...s,
+              class: httpRuleOverride.class,
+              rationale: httpRuleOverride.rationale,
+              confidence: 'high' as const,
+            }
+          : s,
+      )
+    : input.scenarios;
+
+  const aggregated = aggregateScenarios(scenariosForAggregation);
 
   // v0.6.1: TEST_OUTDATED enhancement.
   // The /xera-report skill writes outdated-decisions.json BEFORE invoking this subcommand,

package/src/bin-internal/verify-prompts.ts

@@ -8,7 +8,8 @@ export interface CheckResult {
 
 const IN_SCOPE_PROMPTS = [
   'feature-from-story.md',
-  'script-from-feature.md',
+  'script-from-feature-web.md',
+  'script-from-feature-http.md',
   'heal-locator.md',
   'extract-areas.md',
   'similarity-match.md',

package/src/classifier/aggregate.ts

@@ -2,6 +2,9 @@ import type { ClassifyOutput, Confidence, ScenarioClassification } from './types
 
 const CLASS_PRIORITY: Array<ClassifyOutput['overall']> = [
   'REAL_BUG',
+  'CONTRACT_DRIFT',
+  'AUTH_EXPIRED',
+  'RATE_LIMITED',
   'TEST_OUTDATED',
   'TEST_BUG',
   'SELECTOR_DRIFT',

package/src/classifier/auth-expired.ts

@@ -0,0 +1,44 @@
+import type { ClassifyResult, HttpCallSummary } from './rate-limited';
+
+export interface AuthFileSummary {
+  token: string;
+  type: 'bearer' | 'apiKey' | 'basic' | 'cookie';
+  expires_at: string;
+}
+
+export interface ClassifyAuthExpiredInput {
+  calls: readonly HttpCallSummary[];
+  authFiles: Record<string, AuthFileSummary>;
+}
+
+function jwtExpPast(jwt: string, now: number): boolean {
+  const parts = jwt.split('.');
+  if (parts.length !== 3) return false;
+  try {
+    const payloadB64 = parts[1];
+    if (!payloadB64) return false;
+    const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8')) as {
+      exp?: number;
+    };
+    return typeof payload.exp === 'number' && payload.exp * 1000 < now;
+  } catch {
+    return false;
+  }
+}
+
+export function classifyAuthExpired(input: ClassifyAuthExpiredInput): ClassifyResult | null {
+  const has401 = input.calls.some((c) => c.status === 401);
+  if (!has401) return null;
+  const now = Date.now();
+  for (const [role, entry] of Object.entries(input.authFiles)) {
+    const fileExpired = new Date(entry.expires_at).getTime() < now;
+    const jwtExpired = entry.type === 'bearer' && jwtExpPast(entry.token, now);
+    if (fileExpired || jwtExpired) {
+      return {
+        class: 'AUTH_EXPIRED',
+        rationale: `HTTP 401 captured; auth file for role '${role}' is past expiry. Run: bun run xera:auth-setup --role ${role}`,
+      };
+    }
+  }
+  return null;
+}

package/src/classifier/contract-drift.ts

@@ -0,0 +1,111 @@
+import type { ClassifyResult } from './rate-limited';
+
+export interface OpenAPISchema {
+  type?: 'object' | 'array' | 'string' | 'integer' | 'number' | 'boolean' | 'null';
+  properties?: Record<string, OpenAPISchema>;
+  required?: readonly string[];
+  items?: OpenAPISchema;
+}
+
+interface OpenAPIOperation {
+  responses?: Record<string, { content?: Record<string, { schema?: OpenAPISchema }> }>;
+  requestBody?: { content?: Record<string, { schema?: OpenAPISchema }> };
+}
+
+export interface OpenAPIDocument {
+  paths: Record<
+    string,
+    Partial<Record<'get' | 'post' | 'put' | 'patch' | 'delete', OpenAPIOperation>>
+  >;
+}
+
+export interface ContractDriftCall {
+  method: string;
+  url: string;
+  status: number;
+  respBody: unknown;
+}
+
+export interface ClassifyContractDriftInput {
+  calls: readonly ContractDriftCall[];
+  openapi: OpenAPIDocument | null;
+}
+
+function matchPath(specPaths: readonly string[], actualUrl: string): string | null {
+  const path = actualUrl.split('?')[0] ?? actualUrl;
+  for (const tmpl of specPaths) {
+    const re = new RegExp(`^${tmpl.replace(/\{[^}]+\}/g, '[^/]+')}$`);
+    if (re.test(path)) return tmpl;
+  }
+  return null;
+}
+
+function matchesSchema(body: unknown, schema: OpenAPISchema | undefined): boolean {
+  if (!schema) return true;
+  if (schema.type === 'object') {
+    if (typeof body !== 'object' || body === null || Array.isArray(body)) return false;
+    const obj = body as Record<string, unknown>;
+    for (const req of schema.required ?? []) {
+      if (!(req in obj)) return false;
+    }
+    return true;
+  }
+  if (schema.type === 'array') return Array.isArray(body);
+  if (schema.type === 'string') return typeof body === 'string';
+  if (schema.type === 'integer' || schema.type === 'number') return typeof body === 'number';
+  if (schema.type === 'boolean') return typeof body === 'boolean';
+  if (schema.type === 'null') return body === null;
+  return true;
+}
+
+const VERBS = ['get', 'post', 'put', 'patch', 'delete'] as const;
+type Verb = (typeof VERBS)[number];
+
+function isVerb(s: string): s is Verb {
+  return (VERBS as readonly string[]).includes(s);
+}
+
+export function classifyContractDrift(input: ClassifyContractDriftInput): ClassifyResult | null {
+  if (input.openapi === null) return null;
+  const specPaths = Object.keys(input.openapi.paths);
+
+  for (const call of input.calls) {
+    const tmpl = matchPath(specPaths, call.url);
+    if (!tmpl) {
+      return {
+        class: 'CONTRACT_DRIFT',
+        rationale: `Endpoint ${call.method} ${call.url} not found in OpenAPI`,
+      };
+    }
+    const methodLower = call.method.toLowerCase();
+    if (!isVerb(methodLower)) {
+      return {
+        class: 'CONTRACT_DRIFT',
+        rationale: `Method ${call.method} not supported by classifier for ${tmpl}`,
+      };
+    }
+    const pathItem = input.openapi.paths[tmpl];
+    const op = pathItem?.[methodLower];
+    if (!op) {
+      return {
+        class: 'CONTRACT_DRIFT',
+        rationale: `${call.method} not defined for ${tmpl} in OpenAPI`,
+      };
+    }
+    const respDef = op.responses?.[String(call.status)];
+    if (!respDef) {
+      return {
+        class: 'CONTRACT_DRIFT',
+        rationale: `Status ${call.status} not enumerated for ${call.method} ${tmpl} in OpenAPI`,
+      };
+    }
+    const schema = respDef.content?.['application/json']?.schema;
+    if (!matchesSchema(call.respBody, schema)) {
+      return {
+        class: 'CONTRACT_DRIFT',
+        rationale: `Response body for ${call.method} ${tmpl} (${call.status}) does not match OpenAPI schema`,
+      };
+    }
+  }
+  return null;
+}

package/src/classifier/rate-limited.ts

@@ -0,0 +1,25 @@
+import type { Classification } from '../artifact/status';
+
+export interface HttpCallSummary {
+  method: string;
+  url: string;
+  status: number;
+}
+
+export interface ClassifyResult {
+  class: Classification;
+  rationale: string;
+}
+
+export interface ClassifyRateLimitedInput {
+  calls: readonly HttpCallSummary[];
+}
+
+export function classifyRateLimited(input: ClassifyRateLimitedInput): ClassifyResult | null {
+  const hit = input.calls.find((c) => c.status === 429);
+  if (!hit) return null;
+  return {
+    class: 'RATE_LIMITED',
+    rationale: `Captured HTTP 429 on ${hit.method} ${hit.url}`,
+  };
+}

package/src/config/schema.ts

@@ -31,6 +31,37 @@ const WebSchema = z
     path: ['defaultEnv'],
   });
 
+const HttpAuthRoleSchema = z.object({
+  tokenEnv: z.string().optional(),
+  userEnv: z.string().optional(),
+  passEnv: z.string().optional(),
+  tokenUrl: z.string().url().optional(),
+  clientIdEnv: z.string().optional(),
+  clientSecretEnv: z.string().optional(),
+  scope: z.string().optional(),
+});
+
+const HttpAuthSchema = z.object({
+  strategy: z.enum(['bearer', 'apiKey', 'basic', 'oauth-cc', 'custom', 'none']).default('none'),
+  ttl: z.string().default('8h'),
+  refreshBuffer: z.string().default('30m'),
+  roles: z.record(z.string(), HttpAuthRoleSchema).default({}),
+});
+
+const HttpSchema = z
+  .object({
+    baseUrl: z.record(z.string(), z.string().url()).refine((m) => Object.keys(m).length > 0, {
+      message: 'baseUrl must have at least one environment',
+    }),
+    defaultEnv: z.string(),
+    spec: z.string().optional(),
+    auth: HttpAuthSchema.prefault({}),
+  })
+  .refine((h) => h.baseUrl[h.defaultEnv] !== undefined, {
+    message: 'defaultEnv must exist in baseUrl map',
+    path: ['defaultEnv'],
+  });
+
 const JiraSchema = z.object({
   baseUrl: z.string().url(),
   projectKeys: z.array(z.string().min(1)).min(1),
@@ -80,13 +111,25 @@ const RunSchema = z
   })
   .prefault({});
 
-export const XeraConfigSchema = z.object({
-  jira: JiraSchema,
-  web: WebSchema,
-  ai: AISchema,
-  reporting: ReportingSchema,
-  run: RunSchema.prefault({}),
-  adapters: z.array(z.string().min(1)).min(1).default(['web']),
-});
+export const XeraConfigSchema = z
+  .object({
+    jira: JiraSchema,
+    web: WebSchema.optional(),
+    http: HttpSchema.optional(),
+    ai: AISchema,
+    reporting: ReportingSchema,
+    run: RunSchema.prefault({}),
+    adapters: z
+      .array(z.enum(['web', 'http']))
+      .min(1)
+      .default(['web']),
+  })
+  .refine((c) => c.web !== undefined || c.http !== undefined, {
+    message: 'At least one of `web` or `http` must be configured',
+  })
+  .refine((c) => c.adapters.every((a) => (a === 'web' ? c.web : c.http) !== undefined), {
+    message: 'Every adapter in `adapters` must have a corresponding config block',
+    path: ['adapters'],
+  });
 
 export type XeraConfig = z.infer<typeof XeraConfigSchema>;

package/src/graph/schema.ts

@@ -78,6 +78,9 @@ const classification = z.enum([
   'FLAKY',
   'PASS',
   'TEST_OUTDATED',
+  'CONTRACT_DRIFT',
+  'RATE_LIMITED',
+  'AUTH_EXPIRED',
 ]);
 
 const runClassified = z

package/src/graph/types.ts

@@ -12,7 +12,10 @@ export type Classification =
   | 'SELECTOR_DRIFT'
   | 'FLAKY'
   | 'PASS'
-  | 'TEST_OUTDATED';
+  | 'TEST_OUTDATED'
+  | 'CONTRACT_DRIFT'
+  | 'RATE_LIMITED'
+  | 'AUTH_EXPIRED';
 
 export interface TicketFetchedPayload {
   ticketId: string;

package/src/index.ts

@@ -8,6 +8,7 @@ export * from './auth/encrypt';
 export * from './auth/key';
 export * from './auth/refresh';
 export * from './auth/state';
+export type { OpenAPIDocument, OpenAPISchema } from './classifier/contract-drift';
 export * from './config/define';
 export * from './config/load';
 export * from './config/schema';
@@ -17,3 +18,4 @@ export * from './jira/retry';
 export * from './jira/types';
 export * from './lock/file-lock';
 export * from './logging/ndjson-logger';
+export * from './scrub';

package/src/scrub/index.ts

@@ -0,0 +1 @@
+export * from './rules';

package/src/scrub/rules.ts

@@ -0,0 +1,69 @@
+export const SENSITIVE_HEADERS: readonly string[] = [
+  'authorization',
+  'cookie',
+  'set-cookie',
+  'x-api-key',
+  'x-auth-token',
+  'x-csrf-token',
+  'proxy-authorization',
+];
+
+export const SENSITIVE_BODY_KEYS: readonly RegExp[] = [
+  /password/i,
+  /passwd/i,
+  /token/i,
+  /secret/i,
+  /api[-_]?key/i,
+  /access[-_]?key/i,
+  /private[-_]?key/i,
+  /authorization/i,
+  /credit[-_]?card/i,
+  /card[-_]?number/i,
+  /cvv/i,
+];
+
+export const JWT_RE = /\beyJ[A-Za-z0-9_-]{7,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{5,}\b/;
+export const CREDIT_CARD_RE = /\b(?:\d{4}[-\s]?){3}\d{4}\b/;
+export const EMAIL_RE = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/;
+// E.164-ish phone with optional + and separators. Conservative: require at least 7 digits.
+export const PHONE_RE = /(?:\+?\d[\d\s().-]{6,}\d)/;
+
+const JWT_RE_G = new RegExp(JWT_RE.source, 'g');
+const CREDIT_CARD_RE_G = new RegExp(CREDIT_CARD_RE.source, 'g');
+export const EMAIL_RE_G = new RegExp(EMAIL_RE.source, 'g');
+export const PHONE_RE_G = new RegExp(PHONE_RE.source, 'g');
+
+const REDACTED = '[REDACTED]';
+
+export function scrubHeaders(headers: Record<string, string>): Record<string, string> {
+  const out: Record<string, string> = {};
+  for (const [k, v] of Object.entries(headers)) {
+    out[k] = SENSITIVE_HEADERS.includes(k.toLowerCase()) ? REDACTED : v;
+  }
+  return out;
+}
+
+export function scrubBodyJson(body: unknown): unknown {
+  if (Array.isArray(body)) return body.map(scrubBodyJson);
+  if (body && typeof body === 'object') {
+    const out: Record<string, unknown> = {};
+    for (const [k, v] of Object.entries(body)) {
+      if (SENSITIVE_BODY_KEYS.some((re) => re.test(k))) {
+        out[k] = REDACTED;
+      } else {
+        out[k] = scrubBodyJson(v);
+      }
+    }
+    return out;
+  }
+  if (typeof body === 'string') return scrubFreeText(body);
+  return body;
+}
+
+export function scrubFreeText(s: string): string {
+  return s
+    .replace(JWT_RE_G, REDACTED)
+    .replace(CREDIT_CARD_RE_G, REDACTED)
+    .replace(EMAIL_RE_G, REDACTED)
+    .replace(PHONE_RE_G, REDACTED);
+}