accessio 1.1.2 → 1.3.0

package/cjs/helpers/transformData.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/helpers/transformData.ts"],"sourcesContent":["import AccessioError from '../core/accessioError';\nimport type { TransformFunction, AccessioRequestConfig } from '../types';\n\nexport default async function transformData(\n  transforms: TransformFunction | TransformFunction[] | undefined,\n  data: unknown,\n  headers: Record<string, string | string[]>,\n  config?: AccessioRequestConfig,\n): Promise<unknown> {\n  if (!transforms || !Array.isArray(transforms)) {\n    return data;\n  }\n\n  let result = data;\n\n  for (const transform of transforms) {\n    if (typeof transform === 'function') {\n      try {\n        result = await transform(result, headers);\n      } catch (err) {\n        throw AccessioError.from(\n          err instanceof Error ? err : new Error(String(err)),\n          AccessioError.ERR_BAD_REQUEST,\n          config ?? null,\n          null,\n          null,\n        );\n      }\n    }\n  }\n\n  return result;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,2BAA0B;AAG1B,eAAO,cACL,YACA,MACA,SACA,QACkB;AAClB,MAAI,CAAC,cAAc,CAAC,MAAM,QAAQ,UAAU,GAAG;AAC7C,WAAO;AAAA,EACT;AAEA,MAAI,SAAS;AAEb,aAAW,aAAa,YAAY;AAClC,QAAI,OAAO,cAAc,YAAY;AACnC,UAAI;AACF,iBAAS,MAAM,UAAU,QAAQ,OAAO;AAAA,MAC1C,SAAS,KAAK;AACZ,cAAM,qBAAAA,QAAc;AAAA,UAClB,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO,GAAG,CAAC;AAAA,UAClD,qBAAAA,QAAc;AAAA,UACd,UAAU;AAAA,UACV;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;","names":["AccessioError"]}
+{"version":3,"sources":["../../src/helpers/transformData.ts"],"sourcesContent":["import AccessioError from '../core/accessioError';\nimport type { TransformFunction, AccessioRequestConfig } from '../types';\n\nexport default async function transformData(\n  transforms: TransformFunction | TransformFunction[] | undefined,\n  data: unknown,\n  headers: Record<string, string | string[]>,\n  config?: AccessioRequestConfig,\n  direction: 'request' | 'response' = 'request',\n): Promise<unknown> {\n  if (!transforms || !Array.isArray(transforms)) {\n    return data;\n  }\n\n  let result = data;\n\n  for (const transform of transforms) {\n    if (typeof transform === 'function') {\n      try {\n        result = await transform(result, headers);\n      } catch (err) {\n        throw AccessioError.from(\n          err instanceof Error ? err : new Error(String(err)),\n          direction === 'response' ? AccessioError.ERR_BAD_RESPONSE : AccessioError.ERR_BAD_REQUEST,\n          config ?? null,\n          null,\n          null,\n        );\n      }\n    }\n  }\n\n  return result;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,2BAA0B;AAG1B,eAAO,cACL,YACA,MACA,SACA,QACA,YAAoC,WAClB;AAClB,MAAI,CAAC,cAAc,CAAC,MAAM,QAAQ,UAAU,GAAG;AAC7C,WAAO;AAAA,EACT;AAEA,MAAI,SAAS;AAEb,aAAW,aAAa,YAAY;AAClC,QAAI,OAAO,cAAc,YAAY;AACnC,UAAI;AACF,iBAAS,MAAM,UAAU,QAAQ,OAAO;AAAA,MAC1C,SAAS,KAAK;AACZ,cAAM,qBAAAA,QAAc;AAAA,UAClB,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO,GAAG,CAAC;AAAA,UAClD,cAAc,aAAa,qBAAAA,QAAc,mBAAmB,qBAAAA,QAAc;AAAA,UAC1E,UAAU;AAAA,UACV;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;","names":["AccessioError"]}

package/cjs/index.cjs

@@ -62,7 +62,10 @@ const PUBLIC_METHODS = [
   "patch",
   "postForm",
   "putForm",
-  "patchForm"
+  "patchForm",
+  "stream",
+  "autoPaginate",
+  "gql"
 ];
 function createInstance(defaultConfig) {
   const context = new import_accessio.default(defaultConfig);

package/cjs/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import Accessio from './accessio';\nimport defaults from './defaults';\nimport AccessioError from './core/accessioError';\nimport mergeConfig from './core/mergeConfig';\nimport buildURL from './core/buildURL';\nimport InterceptorManager from './interceptors/interceptorManager';\nimport { createRateLimiter } from './helpers/rateLimiter';\nimport { logRequest, logResponse, logError } from './helpers/debug';\nimport { ERR_CANCELED } from './constants/errorCodes';\nimport type { AccessioRequestConfig, AccessioResponse } from './types';\n\nconst PUBLIC_METHODS = [\n  'request',\n  'getUri',\n  'get',\n  'delete',\n  'head',\n  'options',\n  'post',\n  'put',\n  'patch',\n  'postForm',\n  'putForm',\n  'patchForm',\n];\n\nfunction createInstance(defaultConfig: AccessioRequestConfig) {\n  const context = new Accessio(defaultConfig);\n\n  const instance: any = function accessio(\n    configOrUrl: string | AccessioRequestConfig,\n    config?: AccessioRequestConfig,\n  ) {\n    return context.request(configOrUrl, config);\n  };\n\n  for (const key of PUBLIC_METHODS) {\n    const method: any = (context as any)[key];\n    if (typeof method === 'function') {\n      instance[key] = method.bind(context);\n    }\n  }\n\n  instance.defaults = context.defaults;\n  instance.interceptors = context.interceptors;\n  instance.all = function all(promises: any[]): Promise<any[]> {\n    return Promise.all(promises);\n  };\n  instance.spread = function spread<T>(callback: (...args: any[]) => T): (arr: any[]) => T {\n    return function wrap(arr: any[]): T {\n      return callback(...arr);\n    };\n  };\n  instance.isCancel = function isCancel(value: any): boolean {\n    return !!(value && value.isAccessioError && value.code === ERR_CANCELED);\n  };\n  instance.isAccessioError = function isAccessioError(value: any): boolean {\n    return (\n      value instanceof AccessioError ||\n      !!(value && typeof value === 'object' && value.isAccessioError === true)\n    );\n  };\n  instance.AccessioError = AccessioError;\n  instance.Accessio = Accessio;\n  instance.mergeConfig = mergeConfig;\n  instance.buildURL = buildURL;\n  instance.InterceptorManager = InterceptorManager;\n  instance.createRateLimiter = createRateLimiter;\n\n  return instance;\n}\n\nconst accessio = createInstance(defaults);\n\nfunction create(instanceConfig?: AccessioRequestConfig) {\n  return createInstance(mergeConfig(defaults, instanceConfig));\n}\n\naccessio.create = create;\n\nexport default accessio;\n\nexport {\n  Accessio,\n  AccessioError,\n  mergeConfig,\n  buildURL,\n  InterceptorManager,\n  createInstance,\n  createRateLimiter,\n  logRequest,\n  logResponse,\n  logError,\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA,kCAAAA;AAAA,EAAA,0CAAAC;AAAA,EAAA,oDAAAC;AAAA,EAAA,gCAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wCAAAC;AAAA;AAAA;AAAA,sBAAqB;AACrB,sBAAqB;AACrB,2BAA0B;AAC1B,yBAAwB;AACxB,sBAAqB;AACrB,gCAA+B;AAC/B,yBAAkC;AAClC,mBAAkD;AAClD,wBAA6B;AAG7B,MAAM,iBAAiB;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,SAAS,eAAe,eAAsC;AAC5D,QAAM,UAAU,IAAI,gBAAAJ,QAAS,aAAa;AAE1C,QAAM,WAAgB,SAASK,UAC7B,aACA,QACA;AACA,WAAO,QAAQ,QAAQ,aAAa,MAAM;AAAA,EAC5C;AAEA,aAAW,OAAO,gBAAgB;AAChC,UAAM,SAAe,QAAgB,GAAG;AACxC,QAAI,OAAO,WAAW,YAAY;AAChC,eAAS,GAAG,IAAI,OAAO,KAAK,OAAO;AAAA,IACrC;AAAA,EACF;AAEA,WAAS,WAAW,QAAQ;AAC5B,WAAS,eAAe,QAAQ;AAChC,WAAS,MAAM,SAAS,IAAI,UAAiC;AAC3D,WAAO,QAAQ,IAAI,QAAQ;AAAA,EAC7B;AACA,WAAS,SAAS,SAAS,OAAU,UAAoD;AACvF,WAAO,SAAS,KAAK,KAAe;AAClC,aAAO,SAAS,GAAG,GAAG;AAAA,IACxB;AAAA,EACF;AACA,WAAS,WAAW,SAAS,SAAS,OAAqB;AACzD,WAAO,CAAC,EAAE,SAAS,MAAM,mBAAmB,MAAM,SAAS;AAAA,EAC7D;AACA,WAAS,kBAAkB,SAAS,gBAAgB,OAAqB;AACvE,WACE,iBAAiB,qBAAAJ,WACjB,CAAC,EAAE,SAAS,OAAO,UAAU,YAAY,MAAM,oBAAoB;AAAA,EAEvE;AACA,WAAS,gBAAgB,qBAAAA;AACzB,WAAS,WAAW,gBAAAD;AACpB,WAAS,cAAc,mBAAAI;AACvB,WAAS,WAAW,gBAAAD;AACpB,WAAS,qBAAqB,0BAAAD;AAC9B,WAAS,oBAAoB;AAE7B,SAAO;AACT;AAEA,MAAM,WAAW,eAAe,gBAAAI,OAAQ;AAExC,SAAS,OAAO,gBAAwC;AACtD,SAAO,mBAAe,mBAAAF,SAAY,gBAAAE,SAAU,cAAc,CAAC;AAC7D;AAEA,SAAS,SAAS;AAElB,IAAO,cAAQ;","names":["Accessio","AccessioError","InterceptorManager","buildURL","mergeConfig","accessio","defaults"]}
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import Accessio from './accessio';\nimport defaults from './defaults';\nimport AccessioError from './core/accessioError';\nimport mergeConfig from './core/mergeConfig';\nimport buildURL from './core/buildURL';\nimport InterceptorManager from './interceptors/interceptorManager';\nimport { createRateLimiter } from './helpers/rateLimiter';\nimport { logRequest, logResponse, logError } from './helpers/debug';\nimport { ERR_CANCELED } from './constants/errorCodes';\nimport type { AccessioRequestConfig } from './types';\n\nconst PUBLIC_METHODS = [\n  'request',\n  'getUri',\n  'get',\n  'delete',\n  'head',\n  'options',\n  'post',\n  'put',\n  'patch',\n  'postForm',\n  'putForm',\n  'patchForm',\n  'stream',\n  'autoPaginate',\n  'gql',\n];\n\nfunction createInstance(defaultConfig: AccessioRequestConfig) {\n  const context = new Accessio(defaultConfig);\n\n  const instance: any = function accessio(\n    configOrUrl: string | AccessioRequestConfig,\n    config?: AccessioRequestConfig,\n  ) {\n    return context.request(configOrUrl, config);\n  };\n\n  for (const key of PUBLIC_METHODS) {\n    const method: any = (context as any)[key];\n    if (typeof method === 'function') {\n      instance[key] = method.bind(context);\n    }\n  }\n\n  instance.defaults = context.defaults;\n  instance.interceptors = context.interceptors;\n  instance.all = function all(promises: any[]): Promise<any[]> {\n    return Promise.all(promises);\n  };\n  instance.spread = function spread<T>(callback: (...args: any[]) => T): (arr: any[]) => T {\n    return function wrap(arr: any[]): T {\n      return callback(...arr);\n    };\n  };\n  instance.isCancel = function isCancel(value: any): boolean {\n    return !!(value && value.isAccessioError && value.code === ERR_CANCELED);\n  };\n  instance.isAccessioError = function isAccessioError(value: any): boolean {\n    return (\n      value instanceof AccessioError ||\n      !!(value && typeof value === 'object' && value.isAccessioError === true)\n    );\n  };\n  instance.AccessioError = AccessioError;\n  instance.Accessio = Accessio;\n  instance.mergeConfig = mergeConfig;\n  instance.buildURL = buildURL;\n  instance.InterceptorManager = InterceptorManager;\n  instance.createRateLimiter = createRateLimiter;\n\n  return instance;\n}\n\nconst accessio = createInstance(defaults);\n\nfunction create(instanceConfig?: AccessioRequestConfig) {\n  return createInstance(mergeConfig(defaults, instanceConfig));\n}\n\naccessio.create = create;\n\nexport default accessio;\n\nexport {\n  Accessio,\n  AccessioError,\n  mergeConfig,\n  buildURL,\n  InterceptorManager,\n  createInstance,\n  createRateLimiter,\n  logRequest,\n  logResponse,\n  logError,\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA,kCAAAA;AAAA,EAAA,0CAAAC;AAAA,EAAA,oDAAAC;AAAA,EAAA,gCAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wCAAAC;AAAA;AAAA;AAAA,sBAAqB;AACrB,sBAAqB;AACrB,2BAA0B;AAC1B,yBAAwB;AACxB,sBAAqB;AACrB,gCAA+B;AAC/B,yBAAkC;AAClC,mBAAkD;AAClD,wBAA6B;AAG7B,MAAM,iBAAiB;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,SAAS,eAAe,eAAsC;AAC5D,QAAM,UAAU,IAAI,gBAAAJ,QAAS,aAAa;AAE1C,QAAM,WAAgB,SAASK,UAC7B,aACA,QACA;AACA,WAAO,QAAQ,QAAQ,aAAa,MAAM;AAAA,EAC5C;AAEA,aAAW,OAAO,gBAAgB;AAChC,UAAM,SAAe,QAAgB,GAAG;AACxC,QAAI,OAAO,WAAW,YAAY;AAChC,eAAS,GAAG,IAAI,OAAO,KAAK,OAAO;AAAA,IACrC;AAAA,EACF;AAEA,WAAS,WAAW,QAAQ;AAC5B,WAAS,eAAe,QAAQ;AAChC,WAAS,MAAM,SAAS,IAAI,UAAiC;AAC3D,WAAO,QAAQ,IAAI,QAAQ;AAAA,EAC7B;AACA,WAAS,SAAS,SAAS,OAAU,UAAoD;AACvF,WAAO,SAAS,KAAK,KAAe;AAClC,aAAO,SAAS,GAAG,GAAG;AAAA,IACxB;AAAA,EACF;AACA,WAAS,WAAW,SAAS,SAAS,OAAqB;AACzD,WAAO,CAAC,EAAE,SAAS,MAAM,mBAAmB,MAAM,SAAS;AAAA,EAC7D;AACA,WAAS,kBAAkB,SAAS,gBAAgB,OAAqB;AACvE,WACE,iBAAiB,qBAAAJ,WACjB,CAAC,EAAE,SAAS,OAAO,UAAU,YAAY,MAAM,oBAAoB;AAAA,EAEvE;AACA,WAAS,gBAAgB,qBAAAA;AACzB,WAAS,WAAW,gBAAAD;AACpB,WAAS,cAAc,mBAAAI;AACvB,WAAS,WAAW,gBAAAD;AACpB,WAAS,qBAAqB,0BAAAD;AAC9B,WAAS,oBAAoB;AAE7B,SAAO;AACT;AAEA,MAAM,WAAW,eAAe,gBAAAI,OAAQ;AAExC,SAAS,OAAO,gBAAwC;AACtD,SAAO,mBAAe,mBAAAF,SAAY,gBAAAE,SAAU,cAAc,CAAC;AAC7D;AAEA,SAAS,SAAS;AAElB,IAAO,cAAQ;","names":["Accessio","AccessioError","InterceptorManager","buildURL","mergeConfig","accessio","defaults"]}

package/index.d.ts

@@ -55,6 +55,13 @@ export interface AccessioRequestConfig {
   /** Include credentials in cross-site requests */
   withCredentials?: boolean;
 
+  /**
+   * URL protocols accepted by the client. Defaults to `["http:", "https:"]`.
+   * Pass an extended array to allow more (e.g. `["http:", "https:", "ws:"]`),
+   * or `null` to disable the check entirely.
+   */
+  allowedProtocols?: string[] | null;
+
   /** Expected response data type */
   responseType?: "json" | "text" | "blob" | "arraybuffer" | "stream";
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "accessio",
-  "version": "1.1.2",
+  "version": "1.3.0",
   "description": "Fast, flexible HTTP client — simple, modular, and dependency-free",
   "type": "module",
   "main": "./cjs/index.cjs",
@@ -29,7 +29,7 @@
     "./core/buildURL": {
       "types": "./index.d.ts",
       "import": "./src/core/buildURL.ts",
-      "require": "./cjs/helpers/buildURL.cjs"
+      "require": "./cjs/core/buildURL.cjs"
     },
     "./core/mergeConfig": {
       "types": "./index.d.ts",
@@ -103,6 +103,7 @@
     "prettier": "^3.8.3",
     "tsup": "^8.0.0",
     "typescript": "^5.0.0",
+    "typescript-eslint": "^8.59.3",
     "vitest": "^3.1.0"
   }
 }

package/src/accessio.ts

@@ -6,6 +6,7 @@ import buildURL from './core/buildURL';
 import retryRequest from './core/retry';
 import { logRequest, logResponse, logError } from './helpers/debug';
 import { rateLimitedRequest } from './helpers/rateLimiter';
+import { toFormData } from './helpers/toFormData';
 import type {
   AccessioRequestConfig,
   AccessioResponse,
@@ -201,11 +202,12 @@ export class Accessio {
     data?: any,
     config?: AccessioRequestConfig,
   ): Promise<AccessioResponse<T>> {
+    const formData = data && !(data instanceof FormData) ? toFormData(data) : data;
     return this.request<T>(
       mergeConfig(config || {}, {
         method: 'post',
         url,
-        data,
+        data: formData,
         headers: { 'Content-Type': 'multipart/form-data' },
       }),
     );
@@ -216,11 +218,12 @@ export class Accessio {
     data?: any,
     config?: AccessioRequestConfig,
   ): Promise<AccessioResponse<T>> {
+    const formData = data && !(data instanceof FormData) ? toFormData(data) : data;
     return this.request<T>(
       mergeConfig(config || {}, {
         method: 'put',
         url,
-        data,
+        data: formData,
         headers: { 'Content-Type': 'multipart/form-data' },
       }),
     );
@@ -231,15 +234,90 @@ export class Accessio {
     data?: any,
     config?: AccessioRequestConfig,
   ): Promise<AccessioResponse<T>> {
+    const formData = data && !(data instanceof FormData) ? toFormData(data) : data;
     return this.request<T>(
       mergeConfig(config || {}, {
         method: 'patch',
         url,
-        data,
+        data: formData,
         headers: { 'Content-Type': 'multipart/form-data' },
       }),
     );
   }
+
+  async *stream<T = any>(
+    url: string,
+    config?: AccessioRequestConfig,
+  ): AsyncGenerator<T, void, unknown> {
+    const response = await this.request<ReadableStream<Uint8Array>>(
+      mergeConfig(config || {}, { method: 'get', url, responseType: 'stream' }),
+    );
+    if (!response.data) return;
+
+    const reader = response.data.getReader();
+    const decoder = new TextDecoder();
+    let buffer = '';
+
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+
+      buffer += decoder.decode(value, { stream: true });
+      const lines = buffer.split('\n');
+      buffer = lines.pop() || '';
+
+      for (const line of lines) {
+        if (line.trim().startsWith('data:')) {
+          const dataStr = line.replace(/^data:\s*/, '');
+          if (dataStr === '[DONE]') return;
+          try {
+            yield JSON.parse(dataStr);
+          } catch (e) {
+            yield dataStr as any;
+          }
+        } else if (line.trim().startsWith('{') || line.trim().startsWith('[')) {
+          try {
+            yield JSON.parse(line);
+          } catch (e) {
+            // ignore partial json
+          }
+        }
+      }
+    }
+  }
+
+  async *autoPaginate<T = any>(
+    url: string,
+    config?: AccessioRequestConfig,
+  ): AsyncGenerator<T, void, unknown> {
+    let nextUrl: string | null = url;
+    let currentConfig = config || {};
+
+    while (nextUrl) {
+      const response: AccessioResponse<any> = await this.get(nextUrl, currentConfig);
+
+      const items = Array.isArray(response.data) ? response.data : response.data.data;
+      if (Array.isArray(items)) {
+        for (const item of items) {
+          yield item;
+        }
+      }
+
+      nextUrl = response.data.next || response.data.links?.next || null;
+      if (nextUrl) {
+        currentConfig = mergeConfig(currentConfig, { url: nextUrl, params: {} });
+      }
+    }
+  }
+
+  gql<T = any>(
+    url: string,
+    query: string,
+    variables?: Record<string, any>,
+    config?: AccessioRequestConfig,
+  ): Promise<AccessioResponse<T>> {
+    return this.post<T>(url, { query, variables }, config);
+  }
 }
 
 export default Accessio;

package/src/core/accessioError.ts

@@ -1,6 +1,30 @@
 import ErrorCodes from '../constants/errorCodes';
 import type { AccessioRequestConfig, AccessioResponse } from '../types';
 
+function redactHeaders(headers: unknown): unknown {
+  if (!headers || typeof headers !== 'object') return headers;
+  const out: Record<string, unknown> = {};
+  for (const key of Object.keys(headers as Record<string, unknown>)) {
+    const value = (headers as Record<string, unknown>)[key];
+    if (/^authorization$/i.test(key)) {
+      out[key] = '[REDACTED]';
+    } else if (value && typeof value === 'object' && !Array.isArray(value)) {
+      out[key] = redactHeaders(value);
+    } else {
+      out[key] = value;
+    }
+  }
+  return out;
+}
+
+export function redactConfig(config: AccessioRequestConfig | null): AccessioRequestConfig | null {
+  if (!config) return config;
+  const clone = { ...config } as AccessioRequestConfig & { auth?: unknown };
+  if ('auth' in clone) delete clone.auth;
+  if (clone.headers) clone.headers = redactHeaders(clone.headers) as typeof clone.headers;
+  return clone;
+}
+
 export class AccessioError extends Error {
   static ERR_BAD_OPTION_VALUE: string = ErrorCodes.ERR_BAD_OPTION_VALUE;
   static ERR_BAD_OPTION: string = ErrorCodes.ERR_BAD_OPTION;
@@ -20,6 +44,7 @@ export class AccessioError extends Error {
   readonly response: AccessioResponse | null;
   readonly isAccessioError: true;
   cause?: Error;
+  override name = 'AccessioError' as const;
 
   constructor(
     message: string,
@@ -31,7 +56,7 @@ export class AccessioError extends Error {
     super(message);
     this.name = 'AccessioError';
     this.code = code ?? null;
-    this.config = config ?? null;
+    this.config = redactConfig(config ?? null);
     this.request = request ?? null;
     this.response = response ?? null;
     this.isAccessioError = true;

package/src/core/buildURL.ts

@@ -75,7 +75,22 @@ export default function buildURL(
 ): string {
   let fullURL = baseURL && !isAbsoluteURL(url) ? combineURLs(baseURL, url) : url || '';
 
-  const serialized = serializeParams(params as Record<string, unknown>, paramsSerializer);
+  let finalParams = params;
+  if (params && typeof params === 'object') {
+    const unusedParams = { ...params };
+    fullURL = fullURL.replace(/(?::([a-zA-Z0-9_]+))|(?:{([a-zA-Z0-9_]+)})/g, (match, p1, p2) => {
+      const key = p1 || p2;
+      if (key && unusedParams[key] !== undefined) {
+        const val = unusedParams[key];
+        delete unusedParams[key];
+        return encodeURIComponent(String(val));
+      }
+      return match;
+    });
+    finalParams = unusedParams;
+  }
+
+  const serialized = serializeParams(finalParams as Record<string, unknown>, paramsSerializer);
   if (serialized) {
     const hashIndex = fullURL.indexOf('#');
     if (hashIndex !== -1) {

package/src/core/fetchAdapter.ts

@@ -2,7 +2,11 @@ import AccessioError from './accessioError';
 import parseHeaders from '../helpers/parseHeaders';
 import type { AccessioRequestConfig, AccessioResponse } from '../types';
 
-async function readResponseData(fetchResponse: Response, responseType: string): Promise<unknown> {
+async function readResponseData(
+  fetchResponse: Response,
+  config: AccessioRequestConfig,
+): Promise<unknown> {
+  const responseType = config.responseType || 'json';
   switch (responseType) {
     case 'arraybuffer':
       return await fetchResponse.arrayBuffer();
@@ -14,12 +18,20 @@ async function readResponseData(fetchResponse: Response, responseType: string):
     default: {
       const contentType = fetchResponse.headers.get('content-type') || '';
       if (contentType.includes('application/json')) {
-        if (typeof fetchResponse.clone === 'function') {
-          const text = await fetchResponse.clone().text();
-          return text ? await fetchResponse.json() : '';
-        } else {
-          const text = await fetchResponse.text();
-          return text ? JSON.parse(text) : '';
+        const text = await fetchResponse.text();
+        if (!text) return '';
+        try {
+          return JSON.parse(text);
+        } catch (err) {
+          throw new AccessioError(
+            `Failed to parse JSON response: ${(err as Error).message}. Raw body: ${
+              text.length > 500 ? text.slice(0, 500) + '…' : text
+            }`,
+            AccessioError.ERR_BAD_RESPONSE,
+            config,
+            fetchResponse,
+            null,
+          );
         }
       }
       return await fetchResponse.text();
@@ -94,10 +106,42 @@ export default async function fetchAdapter(
   }
 
   try {
-    const fetchResponse = await fetch(fullURL, fetchOptions);
+    const fetchImpl = config.fetch || fetch;
+    let fetchResponse = await fetchImpl(fullURL, fetchOptions);
+
+    if (config.onDownloadProgress && fetchResponse.body && config.responseType !== 'stream') {
+      const contentLength = fetchResponse.headers.get('content-length');
+      const total = contentLength ? parseInt(contentLength, 10) : 0;
+      let loaded = 0;
+
+      const reader = fetchResponse.body.getReader();
+      const stream = new ReadableStream({
+        async start(controller) {
+          try {
+            while (true) {
+              const { done, value } = await reader.read();
+              if (done) {
+                controller.close();
+                break;
+              }
+              loaded += value.byteLength;
+              config.onDownloadProgress!({ loaded, total });
+              controller.enqueue(value);
+            }
+          } catch (e) {
+            controller.error(e);
+          }
+        },
+      });
+
+      fetchResponse = new Response(stream, {
+        headers: fetchResponse.headers,
+        status: fetchResponse.status,
+        statusText: fetchResponse.statusText,
+      });
+    }
 
     let responseData: unknown;
-    const responseType = config.responseType || 'json';
 
     const contentLength = fetchResponse.headers.get('content-length');
     if (
@@ -115,8 +159,16 @@ export default async function fetchAdapter(
     }
 
     try {
-      responseData = await readResponseData(fetchResponse, responseType);
+      responseData = await readResponseData(fetchResponse, config);
+      if (config.schema) {
+        if (typeof config.schema.parseAsync === 'function') {
+          responseData = await config.schema.parseAsync(responseData);
+        } else {
+          responseData = config.schema.parse(responseData);
+        }
+      }
     } catch (readError) {
+      if (readError instanceof AccessioError) throw readError;
       throw AccessioError.from(
         readError as Error,
         AccessioError.ERR_BAD_RESPONSE,

package/src/core/request.ts

@@ -1,10 +1,12 @@
 import buildURL from './buildURL';
-import AccessioError from './accessioError';
+import AccessioError, { redactConfig } from './accessioError';
+import { ERR_BAD_OPTION } from '../constants/errorCodes';
 import transformData from '../helpers/transformData';
 import settle from '../helpers/settle';
 import { flattenHeaders, removeContentType, buildFetchHeaders } from '../helpers/flattenHeaders';
 import { setBasicAuth } from '../helpers/auth';
 import fetchAdapter from './fetchAdapter';
+import { defaultMemoryCache } from '../helpers/memoryCache';
 import type { AccessioRequestConfig, AccessioResponse, TransformFunction } from '../types';
 
 type HeadersConfig = Record<string, Record<string, string | string[]>>;
@@ -17,6 +19,31 @@ function buildTransformArray(
   return [transform];
 }
 
+const DEFAULT_ALLOWED_PROTOCOLS = ['http:', 'https:'];
+
+function assertAllowedProtocol(fullURL: string, config: AccessioRequestConfig): void {
+  if (config.allowedProtocols === null) return;
+  const allowed = config.allowedProtocols ?? DEFAULT_ALLOWED_PROTOCOLS;
+
+  let scheme: string | null = null;
+  const match = /^([a-z][a-z\d+\-.]*):/i.exec(fullURL);
+  if (match) scheme = match[1].toLowerCase() + ':';
+  if (!scheme) return;
+
+  if (!allowed.includes(scheme)) {
+    throw new AccessioError(
+      `URL protocol "${scheme}" is not allowed. Allowed: ${allowed.join(', ')}. ` +
+        'Set config.allowedProtocols to extend, or null to disable the check.',
+      ERR_BAD_OPTION,
+      config,
+      null,
+      null,
+    );
+  }
+}
+
+const activeRequests = new Map<string, Promise<AccessioResponse>>();
+
 export default async function dispatchRequest(
   config: AccessioRequestConfig,
 ): Promise<AccessioResponse> {
@@ -29,61 +56,124 @@ export default async function dispatchRequest(
       config.paramsSerializer,
     );
 
-  const flatHeaders = flattenHeaders(config.headers as HeadersConfig | undefined, config.method);
+  assertAllowedProtocol(fullURL, config);
 
-  const requestTransforms = buildTransformArray(config.transformRequest);
+  if (config.hooks?.onBeforeRequest) {
+    await config.hooks.onBeforeRequest(config);
+  }
 
-  const requestData = await transformData(requestTransforms, config.data, flatHeaders, config);
+  const isGet = (config.method || 'GET').toUpperCase() === 'GET';
+  const cacheKey = isGet ? `GET:${fullURL}` : '';
+
+  if (isGet && config.cache) {
+    const cacheProvider = typeof config.cache === 'object' ? config.cache : defaultMemoryCache;
+    const cached = await cacheProvider.get(cacheKey);
+    if (cached) {
+      if (config.hooks?.onRequestResponse) {
+        await config.hooks.onRequestResponse(cached);
+      }
+      return cached;
+    }
+  }
 
-  if (
-    requestData === null ||
-    requestData === undefined ||
-    (typeof FormData !== 'undefined' && requestData instanceof FormData)
-  ) {
-    removeContentType(flatHeaders);
+  if (isGet && config.dedupe) {
+    if (activeRequests.has(cacheKey)) {
+      return activeRequests.get(cacheKey)!;
+    }
   }
 
-  setBasicAuth(config, flatHeaders);
+  const performRequest = async () => {
+    const flatHeaders = flattenHeaders(config.headers as HeadersConfig | undefined, config.method);
+    const requestTransforms = buildTransformArray(config.transformRequest);
+    const requestData = await transformData(requestTransforms, config.data, flatHeaders, config);
+
+    if (
+      requestData === null ||
+      requestData === undefined ||
+      (typeof FormData !== 'undefined' && requestData instanceof FormData)
+    ) {
+      removeContentType(flatHeaders);
+    }
+
+    setBasicAuth(config, flatHeaders);
+
+    const fetchOptions: RequestInit = {
+      method: (config.method || 'GET').toUpperCase(),
+      headers: buildFetchHeaders(flatHeaders),
+    };
+
+    const methodsWithBody = ['POST', 'PUT', 'PATCH', 'DELETE'];
+    if (
+      methodsWithBody.includes(fetchOptions.method!) &&
+      requestData !== undefined &&
+      requestData !== null
+    ) {
+      fetchOptions.body = requestData as BodyInit;
+    }
+
+    if (config.withCredentials) {
+      fetchOptions.credentials = 'include';
+    }
+
+    if (config.dispatcher) {
+      (fetchOptions as any).dispatcher = config.dispatcher;
+    }
+    if (config.agent) {
+      (fetchOptions as any).agent = config.agent;
+    }
+
+    const requestStartTime = Date.now();
+
+    const response = await fetchAdapter(config, fullURL, fetchOptions, requestStartTime);
+    response.config = redactConfig(response.config) as typeof response.config;
+
+    const responseTransforms = buildTransformArray(config.transformResponse);
+
+    response.data = await transformData(
+      responseTransforms,
+      response.data,
+      response.headers,
+      config,
+      'response',
+    );
 
-  const fetchOptions: RequestInit = {
-    method: (config.method || 'GET').toUpperCase(),
-    headers: buildFetchHeaders(flatHeaders),
+    return new Promise<AccessioResponse>((resolve, reject) => {
+      settle(
+        resolve as (value: AccessioResponse) => void,
+        reject as (reason: AccessioError) => void,
+        response,
+        config,
+      );
+    });
   };
 
-  const methodsWithBody = ['POST', 'PUT', 'PATCH', 'DELETE'];
-  if (
-    methodsWithBody.includes(fetchOptions.method!) &&
-    requestData !== undefined &&
-    requestData !== null
-  ) {
-    fetchOptions.body = requestData as BodyInit;
-  }
-
-  if (config.withCredentials) {
-    fetchOptions.credentials = 'include';
-  }
+  const promise = performRequest();
 
-  if (config.dispatcher) {
-    (fetchOptions as any).dispatcher = config.dispatcher;
+  if (isGet && config.dedupe) {
+    activeRequests.set(cacheKey, promise);
+    const cleanup = () => {
+      activeRequests.delete(cacheKey);
+    };
+    promise.then(cleanup, cleanup);
   }
-  if (config.agent) {
-    (fetchOptions as any).agent = config.agent;
-  }
-
-  const requestStartTime = Date.now();
 
-  const response = await fetchAdapter(config, fullURL, fetchOptions, requestStartTime);
+  try {
+    const response = await promise;
 
-  const responseTransforms = buildTransformArray(config.transformResponse);
+    if (isGet && config.cache) {
+      const cacheProvider = typeof config.cache === 'object' ? config.cache : defaultMemoryCache;
+      await cacheProvider.set(cacheKey, response, config.cacheTTL);
+    }
 
-  response.data = await transformData(responseTransforms, response.data, response.headers, config);
+    if (config.hooks?.onRequestResponse) {
+      await config.hooks.onRequestResponse(response);
+    }
 
-  return new Promise<AccessioResponse>((resolve, reject) => {
-    settle(
-      resolve as (value: AccessioResponse) => void,
-      reject as (reason: AccessioError) => void,
-      response,
-      config,
-    );
-  });
+    return response;
+  } catch (error) {
+    if (config.hooks?.onRequestError && error instanceof AccessioError) {
+      await config.hooks.onRequestError(error);
+    }
+    throw error;
+  }
 }