securenow 7.7.14 → 7.7.16

package/cli/auth.js

@@ -75,7 +75,6 @@ async function loginWithBrowser() {
         const returnedState = url.searchParams.get('state');
         const appKey = url.searchParams.get('app_key');
         const appName = url.searchParams.get('app_name');
-        const appInstance = url.searchParams.get('app_instance');
         const apiKey = url.searchParams.get('api_key');
 
         res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
@@ -96,11 +95,10 @@ async function loginWithBrowser() {
 
         if (token) {
           pendingToken = token;
-          if (appKey || appName || appInstance) {
+          if (appKey || appName) {
             pendingApp = {
               key: appKey || null,
               name: appName || null,
-              instance: appInstance || null,
             };
           }
           if (apiKey && apiKey.startsWith('snk_live_')) {

package/cli/config.js

@@ -153,11 +153,10 @@ function getToken() {
 function setAuth(token, email, expiresAt, { local = false, app = null, enableFirewall = false } = {}) {
   const targetFile = credentialsFileForLocal(local);
   const payload = { ...loadJSON(targetFile), token, email, expiresAt };
-  if (app && (app.key || app.name || app.instance)) {
+  if (app && (app.key || app.name)) {
     payload.app = {
       key: app.key || null,
       name: app.name || null,
-      instance: app.instance || null,
     };
   }
   saveJSON(
@@ -201,23 +200,52 @@ function setApp(app, { local } = {}) {
     app: {
       key: app.key || null,
       name: app.name || null,
-      instance: app.instance || null,
     },
   }) || {});
 }
 
 function ensureLocalGitignore() {
   const gitignorePath = path.join(process.cwd(), '.gitignore');
-  const entry = '.securenow/';
+  const legacyEntry = '.securenow/';
+  const entries = [
+    '.securenow/credentials.json',
+    '.securenow/credentials.*.json',
+    '!.securenow/credentials.example.json',
+    '!.securenow/credentials.*.example.json',
+  ];
   try {
+    let content = '';
     if (fs.existsSync(gitignorePath)) {
-      const content = fs.readFileSync(gitignorePath, 'utf8');
-      if (!content.split('\n').some(line => line.trim() === entry)) {
-        fs.appendFileSync(gitignorePath, `\n# SecureNow local credentials\n${entry}\n`);
+      content = fs.readFileSync(gitignorePath, 'utf8');
+    }
+
+    const lines = content ? content.split(/\r?\n/) : [];
+    let replacedLegacyEntry = false;
+    const nextLines = [];
+
+    for (const line of lines) {
+      if (line.trim() === legacyEntry) {
+        if (!replacedLegacyEntry) {
+          nextLines.push(...entries);
+          replacedLegacyEntry = true;
+        }
+        continue;
       }
-    } else {
-      fs.writeFileSync(gitignorePath, `# SecureNow local credentials\n${entry}\n`);
+      nextLines.push(line);
+    }
+
+    const hasLine = (entry) => nextLines.some(line => line.trim() === entry);
+    const missing = entries.filter(entry => !hasLine(entry));
+    if (!replacedLegacyEntry && missing.length === 0) return;
+
+    let nextContent = nextLines.join('\n').replace(/\s*$/, '');
+
+    if (missing.length > 0) {
+      const block = ['# SecureNow local credential files', '# Keep .securenow/ itself trackable for repo-owned docs/templates.', ...missing].join('\n');
+      nextContent = nextContent ? `${nextContent}\n\n${block}` : block;
     }
+
+    fs.writeFileSync(gitignorePath, `${nextContent}\n`);
   } catch {}
 }
 

package/cli/credentials.js

@@ -25,7 +25,6 @@ function buildRuntimeCredentials(options = {}) {
     app: {
       key: creds.app?.key || null,
       name: creds.app?.name || null,
-      instance: creds.app?.instance || appConfig.FREE_TRIAL_INSTANCE,
     },
     config: {
       ...(creds.config || {}),
@@ -41,6 +40,7 @@ function buildRuntimeCredentials(options = {}) {
     _securenow: {
       ...(creds._securenow || {}),
       note: 'Runtime SecureNow credentials and SDK defaults. Mount or copy this JSON as .securenow/credentials.json or .securenow/credentials.<environment>.json in production. Do not commit it.',
+      routing: 'Telemetry is sent to the default SecureNow ingestion gateway. The gateway routes by app.key, so runtime credentials do not expose per-instance collector URLs.',
       runtimeOnly: 'This file intentionally omits CLI OAuth fields: token, email, and expiresAt.',
       production: 'Production can use this same file shape instead of environment variables.',
     },

package/cli/diagnostics.js

@@ -36,10 +36,12 @@ function resolvedConfig(options = {}) {
     apiKey,
     firewallLocalEnabled,
     apiUrl: config.getApiUrl(),
-    loggingEnabled: appConfig.boolEnv('SECURENOW_LOGGING_ENABLED', true),
-    captureBody: appConfig.boolEnv('SECURENOW_CAPTURE_BODY', true),
-    captureMultipart: appConfig.boolEnv('SECURENOW_CAPTURE_MULTIPART', true),
-    otelLogLevel: (process.env.OTEL_LOG_LEVEL != null ? process.env.OTEL_LOG_LEVEL : appConfig.env('OTEL_LOG_LEVEL')) || 'error',
+    firewallApiUrl: firewall.apiUrl,
+    firewallSyncEndpoint: `${firewall.apiUrl.replace(/\/$/, '')}/api/v1/firewall/sync`,
+    loggingEnabled: appConfig.boolConfig('logging.enabled', true),
+    captureBody: appConfig.boolConfig('capture.body', true),
+    captureMultipart: appConfig.boolConfig('capture.multipart', true),
+    otelLogLevel: appConfig.configValue('otel.logLevel', 'error') || 'error',
     firewallEnabled,
     firewallLayers: {
       http: firewallEnabled,
@@ -330,11 +332,12 @@ async function logSend(args, flags) {
   }
 }
 
-function okHttpStatus(status) {
+function okHttpStatus(status, okStatuses) {
+  if (Array.isArray(okStatuses) && okStatuses.length) return okStatuses.includes(status);
   return status >= 200 && status < 300;
 }
 
-async function probe({ endpoint, method = 'POST', headers = {}, body = null, timeoutMs = 3000 }) {
+async function probe({ endpoint, method = 'POST', headers = {}, body = null, timeoutMs = 3000, okStatuses = null }) {
   try {
     const res = await httpRequest({
       method,
@@ -344,9 +347,9 @@ async function probe({ endpoint, method = 'POST', headers = {}, body = null, tim
       timeoutMs,
     });
     return {
-      ok: okHttpStatus(res.status),
+      ok: okHttpStatus(res.status, okStatuses),
       status: res.status,
-      ...(okHttpStatus(res.status) ? {} : { error: `HTTP ${res.status}`, body: res.body ? res.body.slice(0, 500) : '' }),
+      ...(okHttpStatus(res.status, okStatuses) ? {} : { error: `HTTP ${res.status}`, body: res.body ? res.body.slice(0, 500) : '' }),
     };
   } catch (err) {
     return { ok: false, error: err.message };
@@ -372,6 +375,8 @@ function env(_args, flags) {
     otlpHeaders: Object.keys(cfg.headers || {}).length ? '***' : null,
     firewallApiKey: cfg.apiKey ? `${cfg.apiKey.slice(0, 12)}...` : null,
     apiUrl: cfg.apiUrl,
+    firewallApiUrl: cfg.firewallApiUrl,
+    firewallSyncEndpoint: cfg.firewallSyncEndpoint,
     loggingEnabled: cfg.loggingEnabled,
     otelLogLevel: cfg.otelLogLevel,
     captureBody: cfg.captureBody,
@@ -397,6 +402,7 @@ function env(_args, flags) {
     ['Body capture', cfg.captureBody ? ui.c.green('enabled') : ui.c.dim('disabled')],
     ['Multipart capture', cfg.captureMultipart ? ui.c.green('enabled') : ui.c.dim('disabled')],
     ['Firewall', firewallStatusLabel(cfg)],
+    ['Firewall sync', cfg.firewallEnabled ? cfg.firewallSyncEndpoint : ui.c.dim('(not active)')],
   ]);
 
   ui.heading('Resolved credentials');
@@ -454,6 +460,26 @@ async function doctor(_args, flags) {
     checks.push({ name: 'api', ...api });
   }
 
+  if (cfg.apiKey && cfg.firewallLocalEnabled) {
+    const query = new URLSearchParams();
+    if (cfg.appKey) query.set('app', cfg.appKey);
+    if (cfg.deploymentEnvironment) query.set('env', cfg.deploymentEnvironment);
+    const endpoint = `${cfg.firewallSyncEndpoint}${query.toString() ? `?${query.toString()}` : ''}`;
+    const spin4 = ui.spinner(`Probing firewall sync ${endpoint}`);
+    const sync = await probe({
+      method: 'GET',
+      endpoint,
+      headers: {
+        Authorization: `Bearer ${cfg.apiKey}`,
+        'X-SecureNow-Environment': cfg.deploymentEnvironment,
+      },
+      okStatuses: [200, 304],
+    });
+    if (sync.ok) spin4.stop(`Firewall sync reachable (HTTP ${sync.status})`);
+    else spin4.fail(`Firewall sync unreachable: ${sync.error}`);
+    checks.push({ name: 'firewall-sync', ...sync });
+  }
+
   const warnings = [];
   const singletonOkMessage = otelApiCheck.ok && otelApiCheck.packages.length
     ? `OpenTelemetry API singleton OK (${otelApiCheck.versions[0] || 'unknown'})`
@@ -467,8 +493,12 @@ async function doctor(_args, flags) {
   if (!cfg.appKey) {
     warnings.push('No app key resolved. Run `npx securenow login` or set app.key in .securenow/credentials.json.');
   }
-  if (cfg.instance === 'https://freetrial.securenow.ai:4318') {
-    warnings.push('Using the free-trial collector. For production, set app.instance in .securenow/credentials.json.');
+  if (cfg.instance === 'https://ingest.securenow.ai') {
+    warnings.push('Using the SecureNow ingest gateway. Dedicated instances are routed server-side after policy checks.');
+  } else if (cfg.instance === 'https://api.securenow.ai/api/otlp') {
+    warnings.push('Using the legacy SecureNow telemetry gateway path. Regenerate credentials so telemetry uses https://ingest.securenow.ai.');
+  } else if (cfg.instance === 'https://freetrial.securenow.ai:4318') {
+    warnings.push('Using the legacy free-trial collector directly. Regenerate credentials so telemetry flows through https://ingest.securenow.ai.');
   }
   if (!cfg.apiKey && token) {
     warnings.push('CLI/MCP is authenticated with your SecureNow session token. Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` to refresh .securenow/credentials.json.');

package/cli/init.js

@@ -234,6 +234,7 @@ function printAgentPrompt(kind, filename, major, project) {
   console.log([
     'Set up SecureNow in this existing Next.js project without using .env files.',
     'Use .securenow/credentials.json for local and production configuration; do not add .env files.',
+    'Ignore only .securenow/credentials.json and .securenow/credentials.*.json in git; keep the .securenow/ directory itself trackable for repo-owned files.',
     commands
       ? `Use the project scripts for verification when appropriate: ${commands}. Ask before starting long-running dev/start servers, and ask which command to use if these scripts are not the right customer workflow.`
       : 'Ask the customer which command starts, builds, and tests this app because package.json does not expose an obvious script.',

package/firewall-only.js

@@ -26,6 +26,7 @@ if (firewallOptions.apiKey && firewallOptions.enabled) {
     appKey: firewallOptions.appKey,
     environment: firewallOptions.environment,
     apiUrl: firewallOptions.apiUrl,
+    apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
     versionCheckInterval: firewallOptions.versionCheckInterval,
     syncInterval: firewallOptions.syncInterval,
     failMode: firewallOptions.failMode,

package/firewall.js

@@ -21,6 +21,7 @@ let _stats = { syncs: 0, blocked: 0, rateLimited: 0, allowed: 0, versionChecks:
 let _localhostFallbackTried = false;
 let _eventQueue = [];
 let _eventTimer = null;
+let _remainingApiUrlFallbacks = [];
 
 // Remote toggle - set by /firewall/sync when an appKey is in scope. Default
 // true so a missing/unreachable backend fails open (matches pre-7.3 behavior).
@@ -60,7 +61,7 @@ const _httpsAgent = new https.Agent({ keepAlive: false });
 const EVENT_FLUSH_INTERVAL_MS = 2_000;
 const EVENT_BATCH_SIZE = 25;
 const EVENT_QUEUE_MAX = 1_000;
-const TRANSIENT_NETWORK_CODES = new Set(['ECONNRESET', 'EPIPE', 'ETIMEDOUT', 'EAI_AGAIN']);
+const TRANSIENT_NETWORK_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'EPIPE', 'ETIMEDOUT', 'EAI_AGAIN', 'ENOTFOUND']);
 
 // Unified sync uses /firewall/sync (v2). Falls back to legacy on 404.
 let _useUnifiedSync = true;
@@ -156,7 +157,13 @@ function agentFor(url) {
 function isTransientNetworkError(err) {
   if (!err) return false;
   if (err.code && TRANSIENT_NETWORK_CODES.has(err.code)) return true;
-  return /socket hang up|connection reset|ECONNRESET/i.test(String(err.message || ''));
+  return /socket hang up|connection reset|ECONNRESET|ECONNREFUSED|ENOTFOUND|EAI_AGAIN|timed out/i.test(String(err.message || ''));
+}
+
+function isApiReachabilityError(err) {
+  if (isTransientNetworkError(err)) return true;
+  const text = `${err && err.code || ''} ${err && err.message || ''}`;
+  return /TLS|SSL|certificate|CERT_|UNABLE_TO_VERIFY|self signed/i.test(text);
 }
 
 function formatRequestError(err) {
@@ -167,6 +174,33 @@ function formatRequestError(err) {
   return parts.join(' ');
 }
 
+function resetApiUrlFallbacks() {
+  const seen = new Set([_options && _options.apiUrl].filter(Boolean));
+  _remainingApiUrlFallbacks = [];
+  for (const candidate of Array.isArray(_options && _options.apiUrlFallbacks) ? _options.apiUrlFallbacks : []) {
+    const url = String(candidate || '').trim().replace(/\/$/, '');
+    if (!url || seen.has(url)) continue;
+    seen.add(url);
+    _remainingApiUrlFallbacks.push(url);
+  }
+}
+
+function switchToNextApiUrl(reason) {
+  if (!_options || _remainingApiUrlFallbacks.length === 0) return false;
+  const previous = _options.apiUrl;
+  _options.apiUrl = _remainingApiUrlFallbacks.shift();
+  _lastUnifiedEtag = null;
+  _lastSyncEtag = null;
+  _lastAllowlistSyncEtag = null;
+  if (_options.log) {
+    fwWarn('[securenow] Firewall: %s unreachable (%s), retrying sync via %s',
+      previous,
+      reason || 'network error',
+      _options.apiUrl);
+  }
+  return true;
+}
+
 function requestOnce(method, url, body, extraHeaders, timeout, callback) {
   const mod = url.startsWith('https') ? https : http;
   const parsed = new URL(url);
@@ -562,9 +596,15 @@ function pollOnce(callback) {
 
   const done = (err, result) => {
     _pollInflight = false;
-    if (err) {
-      _consecutiveErrors++;
-      _stats.errors++;
+    if (err) {
+      if (isApiReachabilityError(err) && switchToNextApiUrl(formatRequestError(err))) {
+        _pollInflight = false;
+        const retryTimer = setTimeout(() => pollOnce(callback), 1000);
+        if (retryTimer.unref) retryTimer.unref();
+        return;
+      }
+      _consecutiveErrors++;
+      _stats.errors++;
       maybeOpenCircuit();
       if (_options.log) fwWarn('[securenow] Firewall: poll failed:', formatRequestError(err));
       return callback(err);
@@ -623,9 +663,14 @@ function startSyncLoop() {
     const syncFn = _useUnifiedSync ? doUnifiedSync : (cb) => doLegacyPoll(cb);
 
     syncFn((err, result) => {
-      if (err) {
-        const isConnErr = /ECONNREFUSED|ENOTFOUND|timed out/i.test(err.message);
-        if (isConnErr && !_localhostFallbackTried && _options.apiUrl !== 'http://localhost:4000') {
+      if (err) {
+        const isConnErr = /ECONNREFUSED|ENOTFOUND|timed out/i.test(err.message);
+        if (isApiReachabilityError(err) && switchToNextApiUrl(formatRequestError(err))) {
+          const retryTimer = setTimeout(initialSync, 1000);
+          if (retryTimer.unref) retryTimer.unref();
+          return;
+        }
+        if (isConnErr && !_localhostFallbackTried && _options.apiUrl !== 'http://localhost:4000') {
           _localhostFallbackTried = true;
           const origUrl = _options.apiUrl;
           _options.apiUrl = 'http://localhost:4000';
@@ -981,10 +1026,15 @@ function patchHttpLayer() {
 
 // Init
 
-function init(options) {
-  _options = options;
+function init(options) {
+  _options = options || {};
+  _options.apiUrl = String(_options.apiUrl || '').trim().replace(/\/$/, '');
+  _localhostFallbackTried = false;
+  _useUnifiedSync = true;
+  resetApiUrlFallbacks();
 
   if (_options.log) fwLog('[securenow] Firewall: ENABLED');
+  if (_options.log && _options.apiUrl) fwLog('[securenow] Firewall: sync endpoint=%s/api/v1/firewall/sync', _options.apiUrl);
   if (_options.log && _options.environment) fwLog('[securenow] Firewall: environment=%s', _options.environment);
 
   patchHttpLayer();
@@ -1043,8 +1093,10 @@ function shutdown() {
   _consecutiveErrors = 0;
   _pollInflight = false;
   _retryAfterUntil = 0;
+  _localhostFallbackTried = false;
   _rateLimitRules = [];
   _rateLimitBuckets = new Map();
+  _remainingApiUrlFallbacks = [];
 
   _httpAgent.destroy();
   _httpsAgent.destroy();

package/free-trial-banner.js

@@ -7,10 +7,10 @@
  * Opt-out: set config.runtime.hideBanner=true in .securenow/credentials.json
  */
 
-const FREETRIAL_HOST = 'freetrial.securenow.ai';
+const FREE_TRIAL_HOSTS = ['ingest.securenow.ai', 'freetrial.securenow.ai'];
 
 function isFreeTrial(endpointBase) {
-  return !!endpointBase && endpointBase.includes(FREETRIAL_HOST);
+  return !!endpointBase && FREE_TRIAL_HOSTS.some((host) => endpointBase.includes(host));
 }
 
 /* istanbul ignore next — runs in browser, not Node */

package/mcp/catalog.js

@@ -17,7 +17,7 @@ Primary goals:
 
 Safety rules:
 - Do not print full API keys, JWTs, tokens, or .securenow/credentials.json. Mask secrets.
-- Do not commit secrets. Ensure .securenow/ is in .gitignore.
+- Do not commit secrets. Ignore only local SecureNow credential files (.securenow/credentials.json and .securenow/credentials.*.json); keep the .securenow/ directory itself trackable for repo-owned docs/templates.
 - Do not manually browse to a SecureNow auth URL. Always start auth with npx securenow login so the CLI generates the required callback and state.
 - If the browser says "Missing callback parameter", you opened the wrong URL: rerun npx securenow login from the project root.
 - Do not skip login, app selection, firewall connection, or verification unless I explicitly say to.
@@ -42,7 +42,7 @@ Runbook:
    - Confirm .securenow/credentials.json exists.
    - Confirm it has SecureNow's default config/explanations block.
    - Confirm it has an app key/name/instance and a firewall API key after login/app selection.
-   - Confirm .securenow/ is ignored by git.
+   - Confirm .securenow/credentials.json and any .securenow/credentials.*.json runtime files are ignored by git, without ignoring the entire .securenow/ directory.
 6. Run npx securenow init. If it fails with ui.header is not a function or another CLI bug, upgrade to securenow@latest, verify >=7.5.1, and retry. Do not silently ignore init failures.
 7. Configure the least invasive framework-specific integration:
    - Next.js: preserve instrumentation.js/ts. Register securenow/nextjs only when NEXT_RUNTIME is nodejs. In ESM files, use createRequire before require("securenow/nextjs"). Include require("securenow/nextjs-auto-capture") for body capture. For Next 15+, add securenow to serverExternalPackages. For older Next.js, use experimental.serverComponentsExternalPackages. Preserve proxy.js/middleware.js.

package/nextjs.d.ts

@@ -1,8 +1,8 @@
-/**
- * SecureNow Next.js Integration TypeScript Declarations
- */
-
-export interface RegisterOptions {
+/**
+ * SecureNow Next.js Integration TypeScript Declarations
+ */
+
+export interface RegisterOptions {
   /**
    * Service name for OpenTelemetry traces
    * @default .securenow/credentials.json app.key/app.name
@@ -11,7 +11,11 @@ export interface RegisterOptions {
 
   /**
    * OTLP endpoint for traces
-   * @default .securenow/credentials.json app.instance, or https://freetrial.securenow.ai:4318
+   * @default https://ingest.securenow.ai
+   *
+   * Advanced OTLP endpoint override. Normal SecureNow apps should leave this
+   * unset so the ingest gateway can route by app.key to the dashboard-selected
+   * instance.
    */
   endpoint?: string;
 
@@ -20,26 +24,26 @@ export interface RegisterOptions {
    * @default .securenow/credentials.json config.runtime.deploymentEnvironment
    */
   environment?: string;
-
-  /**
-   * Don't append UUID to service name
-   * @default false
-   */
-  noUuid?: boolean;
-
+
+  /**
+   * Don't append UUID to service name
+   * @default false
+   */
+  noUuid?: boolean;
+
    /**
    * Enable request body capture
    * @default true from .securenow/credentials.json secure defaults
    */
   captureBody?: boolean;
 }
-
-/**
- * Register SecureNow OpenTelemetry instrumentation for Next.js
- * 
- * @param options - Optional configuration options
- * 
- * @example
+
+/**
+ * Register SecureNow OpenTelemetry instrumentation for Next.js
+ * 
+ * @param options - Optional configuration options
+ * 
+ * @example
  * ```typescript
  * // instrumentation.ts
  * import { createRequire } from 'node:module';
@@ -53,46 +57,46 @@ export interface RegisterOptions {
  *   require('securenow/nextjs-auto-capture');
  * }
  * ```
- * 
- * @example
- * ```typescript
- * // With custom options
- * import { registerSecureNow } from 'securenow/nextjs';
- * 
- * export function register() {
- *   registerSecureNow({
- *     serviceName: 'my-nextjs-app',
- *     endpoint: 'http://your-otlp-backend.example.com:4318',
- *     noUuid: true,
- *   });
- * }
- * ```
- */
-export function registerSecureNow(options?: RegisterOptions): void;
-
-/**
- * Default sensitive fields that are automatically redacted from traces
- */
-export const DEFAULT_SENSITIVE_FIELDS: readonly string[];
-
-/**
- * Redact sensitive fields from an object
- * @param obj - Object to redact
- * @param sensitiveFields - Array of field names to redact (case-insensitive substring match)
- * @returns Redacted copy of the object
- */
-export function redactSensitiveData<T = any>(
-  obj: T,
-  sensitiveFields?: string[]
-): T;
-
-/**
- * Redact sensitive data from GraphQL query strings
- * @param query - GraphQL query string
- * @param sensitiveFields - Array of field names to redact
- * @returns Redacted query string
- */
-export function redactGraphQLQuery(
-  query: string,
-  sensitiveFields?: string[]
-): string;
+ * 
+ * @example
+ * ```typescript
+ * // With custom options
+ * import { registerSecureNow } from 'securenow/nextjs';
+ * 
+ * export function register() {
+ *   registerSecureNow({
+ *     serviceName: 'my-nextjs-app',
+ *     endpoint: 'http://your-otlp-backend.example.com:4318',
+ *     noUuid: true,
+ *   });
+ * }
+ * ```
+ */
+export function registerSecureNow(options?: RegisterOptions): void;
+
+/**
+ * Default sensitive fields that are automatically redacted from traces
+ */
+export const DEFAULT_SENSITIVE_FIELDS: readonly string[];
+
+/**
+ * Redact sensitive fields from an object
+ * @param obj - Object to redact
+ * @param sensitiveFields - Array of field names to redact (case-insensitive substring match)
+ * @returns Redacted copy of the object
+ */
+export function redactSensitiveData<T = any>(
+  obj: T,
+  sensitiveFields?: string[]
+): T;
+
+/**
+ * Redact sensitive data from GraphQL query strings
+ * @param query - GraphQL query string
+ * @param sensitiveFields - Array of field names to redact
+ * @returns Redacted query string
+ */
+export function redactGraphQLQuery(
+  query: string,
+  sensitiveFields?: string[]
+): string;