accessio 1.3.0 → 1.4.0

package/cjs/interceptors/interceptorManager.cjs

@@ -23,41 +23,48 @@ __export(interceptorManager_exports, {
 });
 module.exports = __toCommonJS(interceptorManager_exports);
 class InterceptorManager {
-  handlers;
-  _activeCount;
+  _handlers;
+  _nextId;
   constructor() {
-    this.handlers = [];
-    this._activeCount = 0;
+    this._handlers = /* @__PURE__ */ new Map();
+    this._nextId = 0;
   }
   use(fulfilled, rejected, options = {}) {
-    this.handlers.push({
+    const id = this._nextId++;
+    this._handlers.set(id, {
       fulfilled: fulfilled || null,
       rejected: rejected || null,
       synchronous: options.synchronous || false,
       runWhen: options.runWhen || null
     });
-    this._activeCount++;
-    return this.handlers.length - 1;
+    return id;
   }
   eject(id) {
-    if (this.handlers[id]) {
-      this.handlers[id] = null;
-      this._activeCount--;
-    }
+    this._handlers.delete(id);
   }
   clear() {
-    this.handlers = [];
-    this._activeCount = 0;
+    this._handlers.clear();
   }
   forEach(fn) {
-    for (const handler of this.handlers) {
-      if (handler !== null) {
-        fn(handler);
-      }
+    for (const handler of this._handlers.values()) {
+      fn(handler);
     }
   }
   get size() {
-    return this._activeCount;
+    return this._handlers.size;
+  }
+  /**
+   * Snapshot view for backward-compat introspection. Slot index = interceptor ID;
+   * ejected IDs appear as `null`. Reading this builds a fresh array each time —
+   * prefer `forEach`/`size` in hot paths.
+   */
+  get handlers() {
+    const max = this._nextId;
+    const out = new Array(max);
+    for (let i = 0; i < max; i++) {
+      out[i] = this._handlers.get(i) ?? null;
+    }
+    return out;
   }
 }
 var interceptorManager_default = InterceptorManager;

package/cjs/interceptors/interceptorManager.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/interceptors/interceptorManager.ts"],"sourcesContent":["import type { TransformFunction, InterceptorHandler, InterceptorOptions } from '../types';\n\nexport class InterceptorManager {\n  handlers: Array<InterceptorHandler | null>;\n  private _activeCount: number;\n\n  constructor() {\n    this.handlers = [];\n    this._activeCount = 0;\n  }\n\n  use(\n    fulfilled: TransformFunction | null,\n    rejected?: ((error: unknown) => unknown) | null,\n    options: InterceptorOptions = {},\n  ): number {\n    this.handlers.push({\n      fulfilled: fulfilled || null,\n      rejected: rejected || null,\n      synchronous: options.synchronous || false,\n      runWhen: options.runWhen || null,\n    });\n\n    this._activeCount++;\n    return this.handlers.length - 1;\n  }\n\n  eject(id: number): void {\n    if (this.handlers[id]) {\n      this.handlers[id] = null;\n      this._activeCount--;\n    }\n  }\n\n  clear(): void {\n    this.handlers = [];\n    this._activeCount = 0;\n  }\n\n  forEach(fn: (handler: InterceptorHandler) => void): void {\n    for (const handler of this.handlers) {\n      if (handler !== null) {\n        fn(handler);\n      }\n    }\n  }\n\n  get size(): number {\n    return this._activeCount;\n  }\n}\n\nexport default InterceptorManager;\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEO,MAAM,mBAAmB;AAAA,EAC9B;AAAA,EACQ;AAAA,EAER,cAAc;AACZ,SAAK,WAAW,CAAC;AACjB,SAAK,eAAe;AAAA,EACtB;AAAA,EAEA,IACE,WACA,UACA,UAA8B,CAAC,GACvB;AACR,SAAK,SAAS,KAAK;AAAA,MACjB,WAAW,aAAa;AAAA,MACxB,UAAU,YAAY;AAAA,MACtB,aAAa,QAAQ,eAAe;AAAA,MACpC,SAAS,QAAQ,WAAW;AAAA,IAC9B,CAAC;AAED,SAAK;AACL,WAAO,KAAK,SAAS,SAAS;AAAA,EAChC;AAAA,EAEA,MAAM,IAAkB;AACtB,QAAI,KAAK,SAAS,EAAE,GAAG;AACrB,WAAK,SAAS,EAAE,IAAI;AACpB,WAAK;AAAA,IACP;AAAA,EACF;AAAA,EAEA,QAAc;AACZ,SAAK,WAAW,CAAC;AACjB,SAAK,eAAe;AAAA,EACtB;AAAA,EAEA,QAAQ,IAAiD;AACvD,eAAW,WAAW,KAAK,UAAU;AACnC,UAAI,YAAY,MAAM;AACpB,WAAG,OAAO;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AAAA,EAEA,IAAI,OAAe;AACjB,WAAO,KAAK;AAAA,EACd;AACF;AAEA,IAAO,6BAAQ;","names":[]}
+{"version":3,"sources":["../../src/interceptors/interceptorManager.ts"],"sourcesContent":["import type { TransformFunction, InterceptorHandler, InterceptorOptions } from '../types';\n\nexport class InterceptorManager {\n  private _handlers: Map<number, InterceptorHandler>;\n  private _nextId: number;\n\n  constructor() {\n    this._handlers = new Map();\n    this._nextId = 0;\n  }\n\n  use(\n    fulfilled: TransformFunction | null,\n    rejected?: ((error: unknown) => unknown) | null,\n    options: InterceptorOptions = {},\n  ): number {\n    const id = this._nextId++;\n    this._handlers.set(id, {\n      fulfilled: fulfilled || null,\n      rejected: rejected || null,\n      synchronous: options.synchronous || false,\n      runWhen: options.runWhen || null,\n    });\n    return id;\n  }\n\n  eject(id: number): void {\n    this._handlers.delete(id);\n  }\n\n  clear(): void {\n    this._handlers.clear();\n  }\n\n  forEach(fn: (handler: InterceptorHandler) => void): void {\n    for (const handler of this._handlers.values()) {\n      fn(handler);\n    }\n  }\n\n  get size(): number {\n    return this._handlers.size;\n  }\n\n  /**\n   * Snapshot view for backward-compat introspection. Slot index = interceptor ID;\n   * ejected IDs appear as `null`. Reading this builds a fresh array each time —\n   * prefer `forEach`/`size` in hot paths.\n   */\n  get handlers(): Array<InterceptorHandler | null> {\n    const max = this._nextId;\n    const out: Array<InterceptorHandler | null> = new Array(max);\n    for (let i = 0; i < max; i++) {\n      out[i] = this._handlers.get(i) ?? null;\n    }\n    return out;\n  }\n}\n\nexport default InterceptorManager;\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEO,MAAM,mBAAmB;AAAA,EACtB;AAAA,EACA;AAAA,EAER,cAAc;AACZ,SAAK,YAAY,oBAAI,IAAI;AACzB,SAAK,UAAU;AAAA,EACjB;AAAA,EAEA,IACE,WACA,UACA,UAA8B,CAAC,GACvB;AACR,UAAM,KAAK,KAAK;AAChB,SAAK,UAAU,IAAI,IAAI;AAAA,MACrB,WAAW,aAAa;AAAA,MACxB,UAAU,YAAY;AAAA,MACtB,aAAa,QAAQ,eAAe;AAAA,MACpC,SAAS,QAAQ,WAAW;AAAA,IAC9B,CAAC;AACD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,IAAkB;AACtB,SAAK,UAAU,OAAO,EAAE;AAAA,EAC1B;AAAA,EAEA,QAAc;AACZ,SAAK,UAAU,MAAM;AAAA,EACvB;AAAA,EAEA,QAAQ,IAAiD;AACvD,eAAW,WAAW,KAAK,UAAU,OAAO,GAAG;AAC7C,SAAG,OAAO;AAAA,IACZ;AAAA,EACF;AAAA,EAEA,IAAI,OAAe;AACjB,WAAO,KAAK,UAAU;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,IAAI,WAA6C;AAC/C,UAAM,MAAM,KAAK;AACjB,UAAM,MAAwC,IAAI,MAAM,GAAG;AAC3D,aAAS,IAAI,GAAG,IAAI,KAAK,KAAK;AAC5B,UAAI,CAAC,IAAI,KAAK,UAAU,IAAI,CAAC,KAAK;AAAA,IACpC;AACA,WAAO;AAAA,EACT;AACF;AAEA,IAAO,6BAAQ;","names":[]}

package/index.d.ts

@@ -6,19 +6,44 @@
  * Avoids ambiguous intersection of Record<string, string> & { common?, get?, ... }
  * which TypeScript accepts but can confuse type consumers.
  */
+export type HeaderValue = string | string[];
+
 export type AccessioHeaders = {
-  common?: Record<string, string>;
-  get?: Record<string, string>;
-  post?: Record<string, string>;
-  put?: Record<string, string>;
-  patch?: Record<string, string>;
-  delete?: Record<string, string>;
-  head?: Record<string, string>;
-  options?: Record<string, string>;
-  /** Any additional custom headers */
-  [key: string]: string | number | boolean | Record<string, string> | undefined;
+  common?: Record<string, HeaderValue>;
+  get?: Record<string, HeaderValue>;
+  post?: Record<string, HeaderValue>;
+  put?: Record<string, HeaderValue>;
+  patch?: Record<string, HeaderValue>;
+  delete?: Record<string, HeaderValue>;
+  head?: Record<string, HeaderValue>;
+  options?: Record<string, HeaderValue>;
+  /** Any additional custom headers (flat or per-method-nested) */
+  [key: string]: HeaderValue | Record<string, HeaderValue> | undefined;
 };
 
+export interface AccessioHooks {
+  onBeforeRequest?: (config: AccessioRequestConfig) => void | Promise<void>;
+  onRequestResponse?: (response: AccessioResponse) => void | Promise<void>;
+  onRequestError?: (error: AccessioError) => void | Promise<void>;
+}
+
+export interface CacheProvider {
+  get(key: string): Promise<any> | any;
+  set(key: string, value: any, ttl?: number): Promise<void> | void;
+  delete(key: string): Promise<void> | void;
+  clear(): Promise<void> | void;
+}
+
+export interface SchemaValidator<T = any> {
+  parse(data: unknown): T;
+  parseAsync?(data: unknown): Promise<T>;
+}
+
+export type TransformFunction = (
+  data: any,
+  headers: Record<string, HeaderValue>,
+) => any | Promise<any>;
+
 export interface AccessioRequestConfig {
   /** Request URL (path or full URL) */
   url?: string;
@@ -66,17 +91,13 @@ export interface AccessioRequestConfig {
   responseType?: "json" | "text" | "blob" | "arraybuffer" | "stream";
 
   /** Transform functions applied to request data */
-  transformRequest?: Array<
-    (data: any, headers?: Record<string, string>) => any
-  >;
+  transformRequest?: TransformFunction | TransformFunction[];
 
   /** Transform functions applied to response data */
-  transformResponse?: Array<
-    (data: any, headers?: Record<string, string>) => any
-  >;
+  transformResponse?: TransformFunction | TransformFunction[];
 
-  /** Function to determine if a status code should resolve or reject */
-  validateStatus?: (status: number) => boolean;
+  /** Function to determine if a status code should resolve or reject. Pass `null` to disable. */
+  validateStatus?: ((status: number) => boolean) | null;
 
   /** AbortSignal for request cancellation */
   signal?: AbortSignal;
@@ -105,6 +126,9 @@ export interface AccessioRequestConfig {
     config: AccessioRequestConfig,
   ) => void;
 
+  /** Retry on HTTP 429 (Too Many Requests), honoring Retry-After when present */
+  retryOn429?: boolean;
+
   // ── Debug ──────────────────────────────────────────
 
   /** Enable debug logging for this request */
@@ -115,6 +139,43 @@ export interface AccessioRequestConfig {
   /** Rate limiter instance to control concurrent requests */
   rateLimiter?: RateLimiter;
 
+  // ── Caching / dedupe ───────────────────────────────
+
+  /** Dedupe in-flight identical GETs (cache/dedupe key is per fullURL+auth+accept+responseType+withCredentials) */
+  dedupe?: boolean;
+
+  /** Enable response caching for GETs. `true` uses the default in-memory cache; pass a provider to customize. */
+  cache?: boolean | CacheProvider;
+
+  /** TTL in ms for cached responses (when supported by the provider) */
+  cacheTTL?: number;
+
+  // ── Response handling ──────────────────────────────
+
+  /** Maximum allowed response Content-Length in bytes */
+  maxContentLength?: number;
+
+  /** Schema validator applied to response data (Zod-compatible: `parse` / `parseAsync`) */
+  schema?: SchemaValidator;
+
+  /** Progress callback for downloads. Wraps the response body in a passthrough ReadableStream. */
+  onDownloadProgress?: (progressEvent: { loaded: number; total: number }) => void;
+
+  // ── Lifecycle hooks ────────────────────────────────
+
+  hooks?: AccessioHooks;
+
+  // ── Adapter / runtime ──────────────────────────────
+
+  /** Custom fetch implementation (defaults to global `fetch`) */
+  fetch?: typeof fetch;
+
+  /** Undici dispatcher (Node.js) */
+  dispatcher?: unknown;
+
+  /** Node.js http(s).Agent */
+  agent?: unknown;
+
   /** Allow any additional custom properties */
   [key: string]: any;
 }
@@ -129,8 +190,8 @@ export interface AccessioResponse<T = any> {
   /** HTTP status text */
   statusText: string;
 
-  /** Response headers (lowercased keys) */
-  headers: Record<string, string>;
+  /** Response headers (lowercased keys; repeated headers become string arrays) */
+  headers: Record<string, HeaderValue>;
 
   /** The config used for this request */
   config: AccessioRequestConfig;
@@ -458,4 +519,4 @@ export const createRateLimiter: (maxConcurrent?: number) => RateLimiter;
 
 export function logRequest(config: AccessioRequestConfig, fullUrl: string): void;
 export function logResponse(response: AccessioResponse): void;
-export function logError(error: Error, config?: AccessioRequestConfig): void;
+export function logError(error: AccessioError, config?: AccessioRequestConfig): void;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "accessio",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Fast, flexible HTTP client — simple, modular, and dependency-free",
   "type": "module",
   "main": "./cjs/index.cjs",
@@ -106,4 +106,4 @@
     "typescript-eslint": "^8.59.3",
     "vitest": "^3.1.0"
   }
-}
+}

package/src/accessio.ts

@@ -15,6 +15,66 @@ import type {
 } from './types';
 import defaultsConfig from './defaults/index';
 
+function runRequestInterceptorsSync(
+  startConfig: AccessioRequestConfig,
+  interceptors: InterceptorHandler[],
+): Promise<AccessioRequestConfig> {
+  let cfg = startConfig;
+  let rejectReason: any = null;
+  let isRejected = false;
+
+  for (const interceptor of interceptors) {
+    if (!isRejected) {
+      try {
+        if (interceptor.fulfilled) {
+          cfg = (interceptor.fulfilled as any)(cfg) as AccessioRequestConfig;
+        }
+      } catch (err) {
+        rejectReason = err;
+        isRejected = true;
+      }
+    } else if (interceptor.rejected) {
+      try {
+        cfg = interceptor.rejected(rejectReason) as AccessioRequestConfig;
+        isRejected = false;
+      } catch (err) {
+        rejectReason = err;
+        isRejected = true;
+      }
+    }
+  }
+
+  return isRejected ? Promise.reject(rejectReason) : Promise.resolve(cfg);
+}
+
+function runRequestInterceptorsAsync(
+  startConfig: AccessioRequestConfig,
+  interceptors: InterceptorHandler[],
+): Promise<AccessioRequestConfig> {
+  let promise: Promise<any> = Promise.resolve(startConfig);
+  for (const interceptor of interceptors) {
+    promise = promise.then(
+      (value: any) => (interceptor.fulfilled ? (interceptor.fulfilled as any)(value) : value),
+      interceptor.rejected ?? undefined,
+    );
+  }
+  return promise as Promise<AccessioRequestConfig>;
+}
+
+function dispatchAndRetry(cfg: AccessioRequestConfig): Promise<AccessioResponse> {
+  const fullUrl = buildURL(cfg.url ?? '', cfg.baseURL, cfg.params, cfg.paramsSerializer);
+  logRequest(cfg, fullUrl);
+
+  const enrichedCfg = fullUrl !== (cfg.url || '') ? { ...cfg, _builtUrl: fullUrl } : cfg;
+
+  const dispatchFn = cfg.rateLimiter
+    ? (config: AccessioRequestConfig) =>
+        rateLimitedRequest(dispatchRequest, config.rateLimiter!, config)
+    : dispatchRequest;
+
+  return retryRequest(dispatchFn, enrichedCfg);
+}
+
 export class Accessio {
   defaults: AccessioRequestConfig;
   interceptors: Interceptors;
@@ -51,86 +111,17 @@ export class Accessio {
       );
     }
 
-    const requestInterceptors: any[] = [];
-    const responseInterceptors: any[] = [];
-    let synchronousRequestInterceptors = true;
+    const { requestInterceptors, responseInterceptors, synchronous } =
+      this.collectInterceptors(mergedConfig);
 
-    this.interceptors.request.forEach((interceptor: InterceptorHandler) => {
-      if (interceptor.runWhen && !interceptor.runWhen(mergedConfig)) {
-        return;
-      }
-      synchronousRequestInterceptors = synchronousRequestInterceptors && interceptor.synchronous;
-      requestInterceptors.unshift(interceptor);
-    });
-
-    this.interceptors.response.forEach((interceptor: InterceptorHandler) => {
-      responseInterceptors.push(interceptor);
-    });
-
-    let promise: Promise<any>;
-
-    if (synchronousRequestInterceptors) {
-      let newConfig = mergedConfig;
-      let rejectReason: any = null;
-      let isRejected = false;
-
-      for (const interceptor of requestInterceptors) {
-        if (!isRejected) {
-          try {
-            if (interceptor.fulfilled) {
-              newConfig = interceptor.fulfilled(newConfig);
-            }
-          } catch (err) {
-            rejectReason = err;
-            isRejected = true;
-          }
-        } else {
-          if (interceptor.rejected) {
-            try {
-              newConfig = interceptor.rejected(rejectReason);
-              isRejected = false;
-            } catch (err) {
-              rejectReason = err;
-              isRejected = true;
-            }
-          }
-        }
-      }
-
-      if (isRejected) {
-        promise = Promise.reject(rejectReason);
-      } else {
-        promise = Promise.resolve(newConfig);
-      }
-    } else {
-      promise = Promise.resolve(mergedConfig);
-      for (const interceptor of requestInterceptors) {
-        promise = promise.then((value: any) => {
-          if (interceptor.fulfilled) {
-            return interceptor.fulfilled(value);
-          }
-          return value;
-        }, interceptor.rejected);
-      }
-    }
+    let promise: Promise<any> = synchronous
+      ? runRequestInterceptorsSync(mergedConfig, requestInterceptors)
+      : runRequestInterceptorsAsync(mergedConfig, requestInterceptors);
 
-    promise = promise.then((cfg: any) => {
-      const fullUrl = buildURL(cfg.url ?? '', cfg.baseURL, cfg.params, cfg.paramsSerializer);
-
-      logRequest(cfg, fullUrl);
-
-      const enrichedCfg = fullUrl !== (cfg.url || '') ? { ...cfg, _builtUrl: fullUrl } : cfg;
-
-      const dispatchFn = cfg.rateLimiter
-        ? (config: AccessioRequestConfig) =>
-            rateLimitedRequest(dispatchRequest, config.rateLimiter!, config)
-        : dispatchRequest;
-
-      return retryRequest(dispatchFn, enrichedCfg);
-    });
+    promise = promise.then((cfg: AccessioRequestConfig) => dispatchAndRetry(cfg));
 
     promise = promise.then(
-      (value: any) => {
+      (value: AccessioResponse) => {
         logResponse(value);
         return value;
       },
@@ -143,15 +134,37 @@ export class Accessio {
     for (const interceptor of responseInterceptors) {
       promise = promise.then((value: any) => {
         if (interceptor.fulfilled) {
-          return interceptor.fulfilled(value);
+          return (interceptor.fulfilled as any)(value);
         }
         return value;
-      }, interceptor.rejected);
+      }, interceptor.rejected ?? undefined);
     }
 
     return promise;
   }
 
+  private collectInterceptors(mergedConfig: AccessioRequestConfig): {
+    requestInterceptors: InterceptorHandler[];
+    responseInterceptors: InterceptorHandler[];
+    synchronous: boolean;
+  } {
+    const requestInterceptors: InterceptorHandler[] = [];
+    const responseInterceptors: InterceptorHandler[] = [];
+    let synchronous = true;
+
+    this.interceptors.request.forEach((interceptor: InterceptorHandler) => {
+      if (interceptor.runWhen && !interceptor.runWhen(mergedConfig)) return;
+      synchronous = synchronous && interceptor.synchronous;
+      requestInterceptors.unshift(interceptor);
+    });
+
+    this.interceptors.response.forEach((interceptor: InterceptorHandler) => {
+      responseInterceptors.push(interceptor);
+    });
+
+    return { requestInterceptors, responseInterceptors, synchronous };
+  }
+
   getUri(config?: AccessioRequestConfig): string {
     const merged = mergeConfig(this.defaults, config);
     return buildURL(merged.url ?? '', merged.baseURL, merged.params, merged.paramsSerializer);
@@ -197,7 +210,8 @@ export class Accessio {
     return this.request<T>(mergeConfig(config || {}, { method: 'patch', url, data }));
   }
 
-  postForm<T = any>(
+  private formRequest<T = any>(
+    method: 'post' | 'put' | 'patch',
     url: string,
     data?: any,
     config?: AccessioRequestConfig,
@@ -205,7 +219,7 @@ export class Accessio {
     const formData = data && !(data instanceof FormData) ? toFormData(data) : data;
     return this.request<T>(
       mergeConfig(config || {}, {
-        method: 'post',
+        method,
         url,
         data: formData,
         headers: { 'Content-Type': 'multipart/form-data' },
@@ -213,20 +227,20 @@ export class Accessio {
     );
   }
 
+  postForm<T = any>(
+    url: string,
+    data?: any,
+    config?: AccessioRequestConfig,
+  ): Promise<AccessioResponse<T>> {
+    return this.formRequest<T>('post', url, data, config);
+  }
+
   putForm<T = any>(
     url: string,
     data?: any,
     config?: AccessioRequestConfig,
   ): Promise<AccessioResponse<T>> {
-    const formData = data && !(data instanceof FormData) ? toFormData(data) : data;
-    return this.request<T>(
-      mergeConfig(config || {}, {
-        method: 'put',
-        url,
-        data: formData,
-        headers: { 'Content-Type': 'multipart/form-data' },
-      }),
-    );
+    return this.formRequest<T>('put', url, data, config);
   }
 
   patchForm<T = any>(
@@ -234,15 +248,7 @@ export class Accessio {
     data?: any,
     config?: AccessioRequestConfig,
   ): Promise<AccessioResponse<T>> {
-    const formData = data && !(data instanceof FormData) ? toFormData(data) : data;
-    return this.request<T>(
-      mergeConfig(config || {}, {
-        method: 'patch',
-        url,
-        data: formData,
-        headers: { 'Content-Type': 'multipart/form-data' },
-      }),
-    );
+    return this.formRequest<T>('patch', url, data, config);
   }
 
   async *stream<T = any>(

package/src/core/accessioError.ts

@@ -6,7 +6,7 @@ function redactHeaders(headers: unknown): unknown {
   const out: Record<string, unknown> = {};
   for (const key of Object.keys(headers as Record<string, unknown>)) {
     const value = (headers as Record<string, unknown>)[key];
-    if (/^authorization$/i.test(key)) {
+    if (/^authorization$/i.test(key) || /^cookie$/i.test(key) || /^set-cookie$/i.test(key)) {
       out[key] = '[REDACTED]';
     } else if (value && typeof value === 'object' && !Array.isArray(value)) {
       out[key] = redactHeaders(value);
@@ -17,6 +17,31 @@ function redactHeaders(headers: unknown): unknown {
   return out;
 }
 
+const SENSITIVE_BODY_KEY =
+  /^(password|passwd|pwd|token|access_token|refresh_token|id_token|authorization|api[_-]?key|secret|client[_-]?secret|cookie|set[_-]?cookie|private[_-]?key|session)$/i;
+
+export function redactBody(value: unknown, seen?: WeakSet<object>): unknown {
+  if (value === null || typeof value !== 'object') return value;
+  const visited = seen ?? new WeakSet<object>();
+  if (visited.has(value as object)) return '[Circular]';
+  visited.add(value as object);
+
+  if (Array.isArray(value)) {
+    return value.map((item) => redactBody(item, visited));
+  }
+
+  const out: Record<string, unknown> = {};
+  for (const key of Object.keys(value as Record<string, unknown>)) {
+    const v = (value as Record<string, unknown>)[key];
+    if (SENSITIVE_BODY_KEY.test(key)) {
+      out[key] = '[REDACTED]';
+    } else {
+      out[key] = redactBody(v, visited);
+    }
+  }
+  return out;
+}
+
 export function redactConfig(config: AccessioRequestConfig | null): AccessioRequestConfig | null {
   if (!config) return config;
   const clone = { ...config } as AccessioRequestConfig & { auth?: unknown };

package/src/core/buildURL.ts

@@ -76,11 +76,19 @@ export default function buildURL(
   let fullURL = baseURL && !isAbsoluteURL(url) ? combineURLs(baseURL, url) : url || '';
 
   let finalParams = params;
-  if (params && typeof params === 'object') {
-    const unusedParams = { ...params };
+  if (params && typeof params === 'object' && !(params instanceof URLSearchParams)) {
+    const unusedParams: Record<string, unknown> = {};
+    for (const key of Object.keys(params)) {
+      if (key === '__proto__' || key === 'prototype' || key === 'constructor') continue;
+      unusedParams[key] = (params as Record<string, unknown>)[key];
+    }
     fullURL = fullURL.replace(/(?::([a-zA-Z0-9_]+))|(?:{([a-zA-Z0-9_]+)})/g, (match, p1, p2) => {
       const key = p1 || p2;
-      if (key && unusedParams[key] !== undefined) {
+      if (
+        key &&
+        Object.prototype.hasOwnProperty.call(unusedParams, key) &&
+        unusedParams[key] !== undefined
+      ) {
         const val = unusedParams[key];
         delete unusedParams[key];
         return encodeURIComponent(String(val));
@@ -93,10 +101,12 @@ export default function buildURL(
   const serialized = serializeParams(finalParams as Record<string, unknown>, paramsSerializer);
   if (serialized) {
     const hashIndex = fullURL.indexOf('#');
+    let fragment = '';
     if (hashIndex !== -1) {
+      fragment = fullURL.slice(hashIndex);
       fullURL = fullURL.slice(0, hashIndex);
     }
-    fullURL += (fullURL.indexOf('?') === -1 ? '?' : '&') + serialized;
+    fullURL += (fullURL.indexOf('?') === -1 ? '?' : '&') + serialized + fragment;
   }
 
   return fullURL;