@zintrust/trace 0.4.76 → 0.4.79

package/README.md

@@ -9,7 +9,7 @@ Works with both `zin s` (Node.js) and `zin s --wg` (Cloudflare Workers).
 ## Installation
 
 ```bash
-yarn add @zintrust/trace
+npm install @zintrust/trace
 ```
 
 Run the provided migrations to create the three required tables (`zin_trace_entries`, `zin_trace_entries_tags`, `zin_trace_monitoring`):
@@ -63,7 +63,44 @@ Why this is the preferred path:
 - The core runtime can then lazy-load the trace only after databases and the kernel are ready.
 - The plugin activates trace runtime logic only; the dashboard route stays inactive until you register it yourself.
 
-With the stock ZinTrust bootstrap, `TRACE_ENABLED=true` plus the plugin import above activates the watchers and storage integration. Dashboard UI/routes are a separate route-level opt-in.
+With the stock ZinTrust bootstrap, `TRACE_ENABLED=true` plus the plugin import above activates the watchers and storage integration. Dashboard UI/routes are still a separate opt-in unless you also set `TRACE_AUTO_MOUNT=true`.
+
+### Optional: configure filters in `config/trace.ts`
+
+If you prefer project-owned trace configuration over env-only setup, put the filter rules directly in `config/trace.ts`.
+
+```ts
+// config/trace.ts
+import { Env } from '@config/env';
+import type { TraceConfigOverrides } from '@zintrust/trace';
+
+export default {
+  enabled: Env.getBool('TRACE_ENABLED', false),
+  connection: Env.get('TRACE_DB_CONNECTION', '') || undefined,
+  pruneAfterHours: Env.getInt('TRACE_PRUNE_HOURS', 24),
+  slowQueryThreshold: Env.getInt('TRACE_SLOW_QUERY_MS', 100),
+  logMinLevel: Env.get('TRACE_LOG_LEVEL', 'info') as TraceConfigOverrides['logMinLevel'],
+  watchers: {
+    request: {
+      get: { exclude: ['report'] },
+      post: { include: ['auth'] },
+      patch: { include: ['profile'] },
+      delete: { exclude: ['internal'] },
+    },
+    log: { exclude: ['healthcheck'] },
+    exception: { include: ['trace'] },
+    cache: { include: ['session:'] },
+  },
+  redaction: {
+    keys: ['password', 'token', 'secret'],
+    headers: ['authorization', 'cookie'],
+    body: ['password', 'token', 'secret'],
+    query: [],
+  },
+} satisfies TraceConfigOverrides;
+```
+
+All include/exclude matching is contains-based, so a term like `report` matches `/reports/daily`, `monthly-report`, or any other trace content containing that fragment.
 
 ### 3. Mount the dashboard
 
@@ -98,6 +135,19 @@ registerTraceRoutes(router, TraceStorage.resolveStorage(db), {
 
 If you need a manual late bootstrap instead of plugin-driven activation, you can still import `@zintrust/trace/register` yourself, but that is the advanced path rather than the default project setup.
 
+### 4. Optional stock-bootstrap auto-mount
+
+If you want core to expose the trace dashboard without editing your route file, opt in explicitly:
+
+```env
+TRACE_ENABLED=true
+TRACE_AUTO_MOUNT=true
+TRACE_BASE_PATH=/trace
+TRACE_MIDDLEWARE=auth,admin
+```
+
+When `TRACE_AUTO_MOUNT=true`, ZinTrust calls `registerTraceDashboard(...)` during bootstrap using `TRACE_BASE_PATH` and the optional comma-separated `TRACE_MIDDLEWARE` list. Keep this off if you want route ownership to stay fully in application code.
+
 ## CLI commands
 
 When the optional package is installed, ZinTrust auto-registers these commands:
@@ -111,6 +161,14 @@ zin trace:clear
 
 `zin trace:status` reports the active connection, retention window, current entry counts, and the expected dashboard URL derived from your current env and route choices.
 
+### Monitoring tags
+
+The Monitoring page lets you save a short list of tags that you filter by often.
+
+- Add tags like `auth`, `checkout`, `queue:emails`, or `nightly-sync` once, then click them later to jump straight to matching entries.
+- Monitoring tags are just saved dashboard shortcuts. Removing a monitoring tag does not delete trace entries or strip tags from stored data.
+- Use short, exact tag names. The dashboard filters entries by the exact tag value you click.
+
 ---
 
 ## Watchers
@@ -164,6 +222,16 @@ const config = TraceConfig.merge({
     // disable specific watchers
     redis: false,
     view: false,
+    request: {
+      get: { exclude: ['report'] },
+      post: { include: ['auth'] },
+    },
+    log: {
+      exclude: ['healthcheck'],
+    },
+    exception: {
+      include: ['trace'],
+    },
   },
   redaction: {
     body: ['password', 'secret', 'token'],
@@ -184,18 +252,36 @@ ExceptionWatcher.register({ storage, config, db });
 
 `TraceConfig.merge(overrides?)` accepts the following options:
 
-| Option               | Type                                                | Default                            | Description                                                          |
-| -------------------- | --------------------------------------------------- | ---------------------------------- | -------------------------------------------------------------------- |
-| `enabled`            | `boolean`                                           | `false`                            | Master switch — no watchers activate when `false`                    |
-| `connection`         | `string \| undefined`                               | `undefined`                        | Named DB connection for storing entries; uses `'default'` if omitted |
-| `pruneAfterHours`    | `number`                                            | `24`                               | Entries older than this are pruned                                   |
-| `slowQueryThreshold` | `number`                                            | `100`                              | Queries taking longer (ms) are flagged as slow                       |
-| `logMinLevel`        | `'debug' \| 'info' \| 'warn' \| 'error' \| 'fatal'` | `'info'`                           | Minimum log severity captured                                        |
-| `ignoreRoutes`       | `string[]`                                          | `['/trace', '/health', '/ping']`   | Routes excluded from HTTP watcher                                    |
-| `watchers`           | `Record<string, boolean>`                           | `{}`                               | Per-watcher enable/disable flags (`false` = disabled)                |
-| `redaction.headers`  | `string[]`                                          | `['authorization', 'cookie', ...]` | Request header names to redact                                       |
-| `redaction.body`     | `string[]`                                          | `['password', 'token', ...]`       | Request body keys to redact                                          |
-| `redaction.query`    | `string[]`                                          | `[]`                               | Query-string keys to redact                                          |
+| Option               | Type                                                | Default                            | Description                                                                  |
+| -------------------- | --------------------------------------------------- | ---------------------------------- | ---------------------------------------------------------------------------- |
+| `enabled`            | `boolean`                                           | `false`                            | Master switch — no watchers activate when `false`                            |
+| `connection`         | `string \| undefined`                               | `undefined`                        | Named DB connection for storing entries; uses `'default'` if omitted         |
+| `pruneAfterHours`    | `number`                                            | `24`                               | Entries older than this are pruned                                           |
+| `slowQueryThreshold` | `number`                                            | `100`                              | Queries taking longer (ms) are flagged as slow                               |
+| `logMinLevel`        | `'debug' \| 'info' \| 'warn' \| 'error' \| 'fatal'` | `'info'`                           | Minimum log severity captured                                                |
+| `ignoreRoutes`       | `string[]`                                          | `['/trace', '/health', '/ping']`   | Routes excluded from HTTP watcher                                            |
+| `watchers`           | `Record<string, boolean \| { include?, exclude? }>` | `{}`                               | Per-watcher enable/disable flags plus contains-based include/exclude filters |
+| `redaction.keys`     | `string[]`                                          | common auth/card/session keys      | Extra sensitive keys redacted recursively before trace persistence           |
+| `redaction.headers`  | `string[]`                                          | `['authorization', 'cookie', ...]` | Request header names to redact                                               |
+| `redaction.body`     | `string[]`                                          | `['password', 'token', ...]`       | Request body keys to redact                                                  |
+| `redaction.query`    | `string[]`                                          | `[]`                               | Query-string keys to redact                                                  |
+
+Request watcher filters can also be scoped per method. Matching is contains-based against the stored trace content, so values like `report`, `auth`, or `trace` match any request or entry whose content includes those fragments.
+
+```ts
+const config = TraceConfig.merge({
+  watchers: {
+    request: {
+      get: { exclude: ['report'] },
+      post: { include: ['auth'] },
+      patch: { include: ['profile'] },
+    },
+    log: { exclude: ['healthcheck'] },
+    exception: { include: ['trace'] },
+    cache: { include: ['session:'] },
+  },
+});
+```
 
 ---
 
@@ -275,7 +361,7 @@ import {
 ## Security considerations
 
 - **Always** protect the dashboard with middleware (e.g. `middleware: ['admin']`). `@zintrust/trace/ui` exports `registerTraceDashboard(...)` and `registerTraceRoutes(...)`, and neither applies any authentication by default.
-- Sensitive fields in request headers and body are redacted using the `redaction` config before being stored. Review and extend the default redaction lists to match your application's data model.
+- Sensitive fields are redacted using the `redaction` config before they are stored. Review and extend the default `redaction.keys`, `redaction.headers`, `redaction.body`, and `redaction.query` lists to match your application's data model.
 - Use a **dedicated database connection** (`TRACE_DB_CONNECTION`) in production so trace writes cannot impact your primary DB connection pool.
 - Keep `TRACE_ENABLED=false` (or unset) in production unless actively investigating an issue.
 

package/dist/build-manifest.json

@@ -1,14 +1,14 @@
 {
   "name": "@zintrust/trace",
-  "version": "0.4.75",
-  "buildDate": "2026-04-07T17:29:43.050Z",
+  "version": "0.4.77",
+  "buildDate": "2026-04-08T09:26:55.306Z",
   "buildEnvironment": {
-    "node": "v25.6.1",
+    "node": "v22.22.1",
     "platform": "darwin",
     "arch": "arm64"
   },
   "git": {
-    "commit": "29c16e36",
+    "commit": "f37a0c05",
     "branch": "release"
   },
   "package": {
@@ -22,8 +22,8 @@
   },
   "files": {
     "build-manifest.json": {
-      "size": 12606,
-      "sha256": "3014938fc1038e55af4fee3be217c1bc269119354e32a89d7e5c5bfcdbd327a4"
+      "size": 14438,
+      "sha256": "967934d372f36722143e02cd66b98dae1904122d34754fa8267bf3133725e1b2"
     },
     "cli-register.d.ts": {
       "size": 255,
@@ -34,12 +34,12 @@
       "sha256": "c6de87d0a73df7ac66e18ecdc6f758b2652ec3abe9698e43620cf41135b33e4b"
     },
     "config.d.ts": {
-      "size": 372,
-      "sha256": "e5ab491ec7f04a89fb13f9c89a410d9f0c49f1c1f081a9754747527c8c97dcd0"
+      "size": 470,
+      "sha256": "b034cbef0c71fb868071363624ef7a9f8d7acc20f8be8c895dd5db5a75e81f37"
     },
     "config.js": {
-      "size": 1227,
-      "sha256": "4cafd0b6eb1218131fbf2abc7d053a863c31eb0a32055f8e97b4d4818d546caf"
+      "size": 5862,
+      "sha256": "2692029ea79d7454f920fcdd6466cd6ee443a7029f36597a213585ed869f9af7"
     },
     "context.d.ts": {
       "size": 596,
@@ -70,24 +70,24 @@
       "sha256": "4862b41e0477f01afa0dbb446d4553b65c22ed774cd1e2db3489059ced392f94"
     },
     "dashboard/ui.js": {
-      "size": 60952,
-      "sha256": "e23e82d187f834bfe270f89926cc9411e0745ddac50a96b048084ca333ece862"
+      "size": 64493,
+      "sha256": "061c304bad22631db4ad795457c0eb5064f060f534d5050e2e14c6a1c01a2c1b"
     },
     "index.d.ts": {
-      "size": 2227,
-      "sha256": "c0c856fbfdea4b500129e82674634970bb687adbfc1e88833a17996ce49522df"
+      "size": 2370,
+      "sha256": "4cfee97f40d9dd12f5ea37996bee548a5964ee2cbe45c4e844bf5a119d9470d3"
     },
     "index.js": {
-      "size": 2978,
-      "sha256": "d8304fc1d431fce445a3c2aed2635effbcae124299790a5999079ab86a885aaa"
+      "size": 3237,
+      "sha256": "d610de7775e31196a8acca02425c407e64bfdb69977290443664d36eaa022426"
     },
     "migrations/20260331000001_create_zin_trace_entries_table.d.ts": {
       "size": 304,
       "sha256": "7d99b4d7c02855d6e68ad87e39dffff5fec83a406bdf2414665c23ba3ce8711d"
     },
     "migrations/20260331000001_create_zin_trace_entries_table.js": {
-      "size": 952,
-      "sha256": "fa4065ba8fafbbf4294ad8f0e2fa51c923e39ac9ee4e91e17f6c4e686687bb1b"
+      "size": 955,
+      "sha256": "6aa54f3a6a95a78714e9b14d7f6adb4e94e9420e4e17ac467b43fef12bbc2583"
     },
     "migrations/20260331000002_create_zin_trace_entries_tags_table.d.ts": {
       "size": 304,
@@ -105,13 +105,21 @@
       "size": 522,
       "sha256": "dd80ea1fdfe6ea7f57330b2dff530d97ee8054081436f41bbf234b814cb1df19"
     },
+    "migrations/20260407193000_widen_trace_created_at_for_sql.d.ts": {
+      "size": 335,
+      "sha256": "6e9c826a08a983927d9e801b2740f58d0cf6fbf7bff02ee5c1fd01227f73b741"
+    },
+    "migrations/20260407193000_widen_trace_created_at_for_sql.js": {
+      "size": 1185,
+      "sha256": "1de9d8e4a91ffeaed4a0bc5cf942e428cd76bdb6b65bc67fa76ef62f3c99e94d"
+    },
     "migrations/index.d.ts": {
       "size": 280,
       "sha256": "0ba7bc9421754ff489f6947463c13e7e9c80558eb6611a818f3baab3b518a502"
     },
     "migrations/index.js": {
-      "size": 386,
-      "sha256": "9c6729e47f61ec3e7678678ee44926ffd4dbb7d47017ea2b25f063346ffdd04f"
+      "size": 500,
+      "sha256": "6118c5f4e01ecd73208425253caa3a17e4304ff6f9f00ac7afc18785684e9e85"
     },
     "plugin.d.ts": {
       "size": 16,
@@ -126,8 +134,8 @@
       "sha256": "71d366165dd36f1675aa253a76262b226fb6c62e5ab632746b8aea61c0c625fc"
     },
     "register.js": {
-      "size": 6594,
-      "sha256": "52569e73b6b6a441e8aa816ec01b343c09976fab4e8daf0680db5a92f1a343e4"
+      "size": 10601,
+      "sha256": "4e25cf1a5206578c0c1ad77febc258215d97d0468facc51d01a9259c0634757d"
     },
     "storage/DebuggerStorage.d.ts": {
       "size": 517,
@@ -137,13 +145,37 @@
       "size": 7442,
       "sha256": "5ecce0fcfcf695df587a7b90a7a5c7efd2e64ad13c9f2d104b392f89f34f0dc4"
     },
+    "storage/TraceContentRedaction.d.ts": {
+      "size": 207,
+      "sha256": "2fd7b317c5ee87d8ecaa6467a75959499673ef374fec3ecfaa7911c4f3d5c83c"
+    },
+    "storage/TraceContentRedaction.js": {
+      "size": 1083,
+      "sha256": "127aa026f155c47361d3b44021138157cb2743f5e02e044ce6df66cc693cc3cb"
+    },
+    "storage/TraceEntryFiltering.d.ts": {
+      "size": 196,
+      "sha256": "a1158cedb4e4e749658127086e138e47886422366a697619d6ea9bd3338066e6"
+    },
+    "storage/TraceEntryFiltering.js": {
+      "size": 422,
+      "sha256": "f9174cf9d4d09785c7c71930ded64b12e12a6e5765c8d1462cd3ecb9669f6b58"
+    },
     "storage/TraceStorage.d.ts": {
       "size": 517,
       "sha256": "c9c215aaa414f7b0c1fec6c82b054fc52bdf97af58f96f35c7f96672fb859c31"
     },
     "storage/TraceStorage.js": {
-      "size": 7442,
-      "sha256": "5ecce0fcfcf695df587a7b90a7a5c7efd2e64ad13c9f2d104b392f89f34f0dc4"
+      "size": 9089,
+      "sha256": "e4e05dc45411f0b7f0deacd9567d2b83325566cb69b885ebec848bcfcc43b338"
+    },
+    "storage/TraceWriteDiagnostics.d.ts": {
+      "size": 581,
+      "sha256": "5f49df97a830ad895653fa4a18b3a1b31ca4a5066d6f8150ee02dca013e16397"
+    },
+    "storage/TraceWriteDiagnostics.js": {
+      "size": 4162,
+      "sha256": "06ba6979f5053956f7a5f9ec8dc301864f36276a2c74b0bf63cf733ad7c5eac2"
     },
     "storage/index.d.ts": {
       "size": 100,
@@ -154,8 +186,8 @@
       "sha256": "d916e8e3abb1b1087f6b184851b0e6265e53380d7857b008e745d566aad15d44"
     },
     "types.d.ts": {
-      "size": 6938,
-      "sha256": "562c69ecad5866c46f6889145e2fe93d4a0dbb2eb37397cb91a06d99a3fa93c0"
+      "size": 7687,
+      "sha256": "c1c5f5140d157d66355c65c774f055af2dccc470c9ee9fe403bbb96fbf4447d0"
     },
     "types.js": {
       "size": 696,
@@ -177,6 +209,14 @@
       "size": 534,
       "sha256": "0c506812967c17548162ce0f28d96089b023865883ee8cfd0824a94084580afb"
     },
+    "utils/entryFilter.d.ts": {
+      "size": 183,
+      "sha256": "a7809e98f76b4e326262c26b0e43e278b1c50ac0b35fee145e3e6006357dc700"
+    },
+    "utils/entryFilter.js": {
+      "size": 3279,
+      "sha256": "0ce8c5955411194447a16bd79c2f0a33ba60f63b2bd010ac33772718f02f0124"
+    },
     "utils/familyHash.d.ts": {
       "size": 60,
       "sha256": "c94f85390c52470df6946a39576c720ea92c89797ae62fff913191c45580248f"
@@ -186,12 +226,12 @@
       "sha256": "f60526423e69fa5c461b0f5d8dac90b1f0c18149609cd1109226f1c8d985f223"
     },
     "utils/redact.d.ts": {
-      "size": 366,
-      "sha256": "7fa4b2a84023d0851aa3e8769cb7689180a4f7bbbcdc85c27c9dd4e36510b1b5"
+      "size": 449,
+      "sha256": "b72d01ebac46a984d314905b14de5b05c3f9c27141e460c5305dd16e347f5a13"
     },
     "utils/redact.js": {
-      "size": 1623,
-      "sha256": "88feb439d34ce10ed8aa15e942fbd7627ff15eb1844ad7774779452987a30ad8"
+      "size": 2646,
+      "sha256": "4e82eaa3bb48f9d621b70f69519b0615d992068eb9f836beaf6df6c2382c2cff"
     },
     "utils/requestFilter.d.ts": {
       "size": 195,
@@ -238,8 +278,8 @@
       "sha256": "f1b3a3253e7265c7b56a74ba674cd23426ea5227a33abb1bde0d941e2a02e894"
     },
     "watchers/CommandWatcher.js": {
-      "size": 1400,
-      "sha256": "5c1b2a1f090493ecb09c0c32bc0cedb0422e256fae0dbfbb65c032802a193b18"
+      "size": 1442,
+      "sha256": "5e4ae33bf9088b60c3999580b9d4662162a319cc51fb80ee07da7571f6d98863"
     },
     "watchers/DumpWatcher.d.ts": {
       "size": 308,
@@ -278,16 +318,16 @@
       "sha256": "1b48661bff79b2f72464c978ad7e6dcf011197ca4a3014e64e99b70437b3e5a1"
     },
     "watchers/HttpClientWatcher.js": {
-      "size": 1585,
-      "sha256": "f1b71876adca3aff24bb0ccb3977672fab37c9babfb0088da1f44fa8eb1bca1e"
+      "size": 1627,
+      "sha256": "65e910145f4d24f06643a847a1d75bc60034a629a5da61097ba9324d1d1c7ddd"
     },
     "watchers/HttpWatcher.d.ts": {
       "size": 96,
       "sha256": "ce9a95a670f755193fd74ce721dbfa4b30f20c879a6566ebb35229b3b2435429"
     },
     "watchers/HttpWatcher.js": {
-      "size": 2631,
-      "sha256": "7f2e735930dca72dbf34675c6f484b6a2a65259f935c809c0084881f980ec001"
+      "size": 5557,
+      "sha256": "9f86966178485e2aab46ce03785c7c512feb641dbf5d0dda22d51f3f259d374e"
     },
     "watchers/JobWatcher.d.ts": {
       "size": 441,
@@ -302,8 +342,8 @@
       "sha256": "f3ddc5f8b58c6c86ac6b464dd48e5a55e79ab2bf2e735feacffc7480e4ccc0c4"
     },
     "watchers/LogWatcher.js": {
-      "size": 1670,
-      "sha256": "15b0ce1344465b6526e1db1d92434eb8813e274b1b0b4fb9197dc68b7af92ea0"
+      "size": 1768,
+      "sha256": "a7e769d504d5528068e9349f28d703606d21404d3976f7cdb131cee417420ff6"
     },
     "watchers/MailWatcher.d.ts": {
       "size": 214,

package/dist/config.d.ts

@@ -5,5 +5,6 @@ import type { ITraceConfig, TraceConfigOverrides } from './types';
 export declare const TraceConfig: Readonly<{
     defaults(): ITraceConfig;
     merge(overrides?: TraceConfigOverrides): ITraceConfig;
+    getRedactionFields: (config: ITraceConfig, key: keyof ITraceConfig["redaction"]) => string[];
     isWatcherEnabled: (config: ITraceConfig, key: keyof ITraceConfig["watchers"]) => boolean;
 }>;

package/dist/config.js

@@ -1,3 +1,78 @@
+const mergeStringLists = (base, override) => {
+    const merged = new Set();
+    for (const value of [...base, ...(override ?? [])]) {
+        if (typeof value !== 'string')
+            continue;
+        const normalized = value.trim();
+        if (normalized !== '')
+            merged.add(normalized);
+    }
+    return [...merged];
+};
+const isObjectValue = (value) => {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+};
+const mergeFilterRule = (base, override) => {
+    const include = mergeStringLists(base?.include ?? [], override?.include);
+    const exclude = mergeStringLists(base?.exclude ?? [], override?.exclude);
+    if (include.length === 0 && exclude.length === 0)
+        return undefined;
+    return Object.freeze({
+        ...(include.length > 0 ? { include } : {}),
+        ...(exclude.length > 0 ? { exclude } : {}),
+    });
+};
+const mergeWatcherToggle = (base, override) => {
+    if (override === undefined)
+        return base;
+    if (override === false || override === true)
+        return override;
+    const baseRule = isObjectValue(base) ? base : undefined;
+    return mergeFilterRule(baseRule, override);
+};
+const REQUEST_METHOD_KEYS = ['all', 'get', 'post', 'put', 'patch', 'delete'];
+const mergeRequestWatcherToggle = (base, override) => {
+    if (override === undefined)
+        return base;
+    if (override === false || override === true)
+        return override;
+    const baseConfig = isObjectValue(base) ? base : undefined;
+    const merged = mergeFilterRule(baseConfig, override) ?? {};
+    for (const key of REQUEST_METHOD_KEYS) {
+        const rule = mergeFilterRule(baseConfig?.[key], override[key]);
+        if (rule !== undefined)
+            merged[key] = rule;
+    }
+    return merged;
+};
+const mergeWatchers = (base, override) => {
+    if (override === undefined)
+        return { ...base };
+    return {
+        ...base,
+        ...override,
+        request: mergeRequestWatcherToggle(base.request, override.request),
+        query: mergeWatcherToggle(base.query, override.query),
+        exception: mergeWatcherToggle(base.exception, override.exception),
+        log: mergeWatcherToggle(base.log, override.log),
+        job: mergeWatcherToggle(base.job, override.job),
+        cache: mergeWatcherToggle(base.cache, override.cache),
+        schedule: mergeWatcherToggle(base.schedule, override.schedule),
+        mail: mergeWatcherToggle(base.mail, override.mail),
+        auth: mergeWatcherToggle(base.auth, override.auth),
+        event: mergeWatcherToggle(base.event, override.event),
+        model: mergeWatcherToggle(base.model, override.model),
+        notification: mergeWatcherToggle(base.notification, override.notification),
+        redis: mergeWatcherToggle(base.redis, override.redis),
+        gate: mergeWatcherToggle(base.gate, override.gate),
+        middleware: mergeWatcherToggle(base.middleware, override.middleware),
+        command: mergeWatcherToggle(base.command, override.command),
+        batch: mergeWatcherToggle(base.batch, override.batch),
+        dump: mergeWatcherToggle(base.dump, override.dump),
+        view: mergeWatcherToggle(base.view, override.view),
+        clientRequest: mergeWatcherToggle(base.clientRequest, override.clientRequest),
+    };
+};
 const DEFAULTS = Object.freeze({
     enabled: false,
     connection: undefined,
@@ -7,6 +82,37 @@ const DEFAULTS = Object.freeze({
     logMinLevel: 'info',
     watchers: {},
     redaction: {
+        keys: [
+            'password',
+            'pass',
+            'passwd',
+            'token',
+            'accessToken',
+            'access_token',
+            'refreshToken',
+            'refresh_token',
+            'secret',
+            'secretKey',
+            'secret_key',
+            'apiKey',
+            'api_key',
+            'auth',
+            'authToken',
+            'auth_token',
+            'authorization',
+            'cookie',
+            'session',
+            'sessionId',
+            'session_id',
+            'card',
+            'cardNumber',
+            'card_number',
+            'cardToken',
+            'card_token',
+            'cvv',
+            'cvc',
+            'pan',
+        ],
         headers: ['authorization', 'cookie', 'x-api-key', 'x-auth-token'],
         body: ['password', 'token', 'secret', 'apiKey', 'api_key', 'jwt', 'bearer'],
         query: [],
@@ -14,7 +120,17 @@ const DEFAULTS = Object.freeze({
 });
 const isWatcherEnabled = (config, key) => {
     const override = config.watchers[key];
-    return override !== false; // undefined = enabled by default; explicit false = disabled
+    if (override === false)
+        return false;
+    if (isObjectValue(override) && override.enabled === false)
+        return false;
+    return true; // undefined = enabled by default; explicit false = disabled
+};
+const getRedactionFields = (config, key) => {
+    if (key === 'keys') {
+        return mergeStringLists([], config.redaction.keys);
+    }
+    return mergeStringLists(config.redaction.keys, config.redaction[key]);
 };
 export const TraceConfig = Object.freeze({
     defaults() {
@@ -26,13 +142,16 @@ export const TraceConfig = Object.freeze({
         return Object.freeze({
             ...DEFAULTS,
             ...overrides,
-            watchers: { ...DEFAULTS.watchers, ...(overrides.watchers ?? {}) },
+            watchers: mergeWatchers(DEFAULTS.watchers, overrides.watchers),
             redaction: {
-                ...DEFAULTS.redaction,
-                ...(overrides.redaction ?? {}),
+                keys: mergeStringLists(DEFAULTS.redaction.keys, overrides.redaction?.keys),
+                headers: mergeStringLists(DEFAULTS.redaction.headers, overrides.redaction?.headers),
+                body: mergeStringLists(DEFAULTS.redaction.body, overrides.redaction?.body),
+                query: mergeStringLists(DEFAULTS.redaction.query, overrides.redaction?.query),
             },
             ignoreRoutes: overrides.ignoreRoutes ?? DEFAULTS.ignoreRoutes,
         });
     },
+    getRedactionFields,
     isWatcherEnabled,
 });