test-proxy-recorder 0.3.8 → 0.4.0

package/dist/proxy.js

@@ -1,5 +1,8 @@
-import path from 'path';
+import path3 from 'path';
 import { Command } from 'commander';
+import { existsSync, readFileSync, mkdirSync, writeFileSync } from 'fs';
+import { createJiti } from 'jiti';
+import { spawnSync } from 'child_process';
 import fs from 'fs/promises';
 import http2 from 'http';
 import httpProxy from 'http-proxy';
@@ -9,6 +12,39 @@ import filenamify2 from 'filenamify';
 import { WebSocket, WebSocketServer } from 'ws';
 
 // src/cli.ts
+var CONFIG_BASENAME = "test-proxy-recorder.config";
+var CONFIG_EXTENSIONS = ["ts", "mts", "js", "mjs", "cjs"];
+function findConfigFile(cwd) {
+  for (const ext of CONFIG_EXTENSIONS) {
+    const candidate = path3.join(cwd, `${CONFIG_BASENAME}.${ext}`);
+    if (existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  return null;
+}
+async function loadConfig(explicitPath, cwd = process.cwd()) {
+  let filePath;
+  if (explicitPath) {
+    filePath = path3.resolve(cwd, explicitPath);
+    if (!existsSync(filePath)) {
+      throw new Error(`Config file not found: ${filePath}`);
+    }
+  } else {
+    filePath = findConfigFile(cwd);
+  }
+  if (!filePath) {
+    return null;
+  }
+  const jiti = createJiti(import.meta.url);
+  const config = await jiti.import(filePath, { default: true });
+  if (typeof config !== "object" || config === null) {
+    throw new Error(
+      `Config file ${filePath} must export a config object (use \`export default defineConfig({ ... })\`)`
+    );
+  }
+  return config;
+}
 
 // src/constants.ts
 var DEFAULT_TIMEOUT_MS = 120 * 1e3;
@@ -22,45 +58,517 @@ var RECORDING_ID_HEADER = "x-test-rcrd-id";
 // src/cli.ts
 var DEFAULT_PORT = 8e3;
 var DEFAULT_RECORDINGS_DIR = "./recordings";
-function parseCliArgs() {
+function splitList(value) {
+  return (value ?? "").split(",").map((item) => item.trim()).filter(Boolean);
+}
+function resolveNumber(cliValue, configValue, defaultValue, isValid, errorMessage) {
+  const value = cliValue !== void 0 ? Number.parseInt(cliValue, 10) : configValue ?? defaultValue;
+  if (Number.isNaN(value) || !isValid(value)) {
+    console.error(errorMessage);
+    process.exit(1);
+  }
+  return value;
+}
+function resolveRedaction(options, configRedaction) {
+  return {
+    enabled: options.redact === false ? false : configRedaction?.enabled ?? true,
+    headers: options.redactHeaders !== void 0 ? splitList(options.redactHeaders) : configRedaction?.headers ?? [],
+    bodyPatterns: options.redactBody !== void 0 ? splitList(options.redactBody) : configRedaction?.bodyPatterns ?? [],
+    allowHeaders: options.allowHeaders !== void 0 ? splitList(options.allowHeaders) : configRedaction?.allowHeaders ?? [],
+    allowCookies: options.allowCookies !== void 0 ? splitList(options.allowCookies) : configRedaction?.allowCookies ?? [],
+    placeholder: configRedaction?.placeholder
+  };
+}
+async function parseCliArgs(argv) {
   const program = new Command();
-  program.name("dev-proxy").description(
+  program.name("test-proxy-recorder").description(
     "Development proxy server with recording and replay capabilities"
   ).argument(
-    "<target>",
-    "Target API service URL (e.g., http://localhost:3000)"
-  ).option(
-    "-p, --port <number>",
-    "Port number for the proxy server",
-    String(DEFAULT_PORT)
+    "[target]",
+    "Target API service URL (e.g., http://localhost:3000). Overrides `target` from the config file."
   ).option(
+    "-c, --config <path>",
+    "Path to a config file (default: auto-detect test-proxy-recorder.config.{ts,js,mjs} in the current directory)"
+  ).option("-p, --port <number>", "Port number for the proxy server").option(
     "-d, --dir <path>",
-    "Directory to store recordings (relative to CWD)",
-    DEFAULT_RECORDINGS_DIR
+    "Directory to store recordings (relative to CWD)"
+  ).option("-t, --timeout <ms>", "Session timeout in milliseconds").option(
+    "--no-redact",
+    "Disable secret redaction (commit raw Authorization/Cookie headers \u2014 not recommended)"
   ).option(
-    "-t, --timeout <ms>",
-    "Session timeout in milliseconds",
-    String(DEFAULT_TIMEOUT_MS)
-  ).action(() => {
-  });
-  program.parse();
-  const target2 = program.args[0];
+    "--redact-headers <names>",
+    "Comma-separated extra header names to redact (merged with the defaults)"
+  ).option(
+    "--redact-body <patterns>",
+    "Comma-separated regex patterns to redact from request/response bodies"
+  ).option(
+    "--allow-headers <names>",
+    "Comma-separated header names to exempt from redaction"
+  ).option(
+    "--allow-cookies <names>",
+    "Comma-separated cookie names to keep unredacted inside Cookie/Set-Cookie"
+  );
+  program.parse(argv);
   const options = program.opts();
-  const port2 = Number.parseInt(options.port, 10);
-  if (Number.isNaN(port2) || port2 < 1025 || port2 > 65535) {
-    console.error("Error: Invalid port number. Must be between 1 and 65535");
-    process.exit(1);
-  }
-  const timeout2 = Number.parseInt(options.timeout, 10);
-  if (Number.isNaN(timeout2) || timeout2 < 0) {
-    console.error("Error: Invalid timeout. Must be a non-negative number");
+  let config;
+  try {
+    config = await loadConfig(options.config);
+  } catch (error) {
+    console.error(
+      `Error: ${error instanceof Error ? error.message : String(error)}`
+    );
     process.exit(1);
   }
+  const target2 = program.args[0] ?? config?.target;
   if (!target2) {
+    console.error(
+      "Error: target is required. Pass it as an argument or set `target` in the config file."
+    );
     program.help();
   }
-  const recordingsDir2 = path.resolve(process.cwd(), options.dir);
-  return { target: target2, port: port2, recordingsDir: recordingsDir2, timeout: timeout2 };
+  const port2 = resolveNumber(
+    options.port,
+    config?.port,
+    DEFAULT_PORT,
+    (n) => n >= 1025 && n <= 65535,
+    "Error: Invalid port number. Must be between 1025 and 65535"
+  );
+  const timeout2 = resolveNumber(
+    options.timeout,
+    config?.timeout,
+    DEFAULT_TIMEOUT_MS,
+    (n) => n >= 0,
+    "Error: Invalid timeout. Must be a non-negative number"
+  );
+  const dir = options.dir ?? config?.recordingsDir ?? DEFAULT_RECORDINGS_DIR;
+  const recordingsDir2 = path3.resolve(process.cwd(), dir);
+  const redaction2 = resolveRedaction(options, config?.redaction);
+  return { target: target2, port: port2, recordingsDir: recordingsDir2, timeout: timeout2, redaction: redaction2 };
+}
+var CONFIG_FILENAME = "test-proxy-recorder.config.ts";
+var PLAYWRIGHT_CONFIG_NAMES = [
+  "playwright.config.ts",
+  "playwright.config.mts",
+  "playwright.config.cts",
+  "playwright.config.js",
+  "playwright.config.mjs",
+  "playwright.config.cjs"
+];
+var DEFAULT_TARGET = "http://localhost:3000";
+var DEFAULT_PORT2 = 8100;
+var DEFAULT_DIR = "./e2e/recordings";
+function renderConfig(options) {
+  return `import { defineConfig } from 'test-proxy-recorder';
+
+// Generated by \`test-proxy-recorder init\`.
+// Auto-discovered when you run \`test-proxy-recorder\` with no arguments.
+// CLI flags always override the values set here.
+export default defineConfig({
+  // Backend the proxy records against. Point your app's API base URL here too.
+  target: '${options.target}',
+
+  // Port the proxy listens on. Matches the Playwright client default
+  // (override both with the TEST_PROXY_RECORDER_PORT env var).
+  port: ${options.port},
+
+  // Where .mock.json recordings are written, relative to this file.
+  // Commit this directory \u2014 CI replays from it.
+  recordingsDir: '${options.dir}',
+
+  // Secrets are redacted automatically (Authorization / Cookie / Set-Cookie).
+  // Uncomment to redact extra headers or tokens embedded in bodies.
+  // redaction: {
+  //   headers: ['x-api-key'],
+  //   bodyPatterns: [/sk_live_\\w+/g],
+  //   allowCookies: ['theme'],
+  // },
+});
+`;
+}
+function renderPlaywrightConfig(options) {
+  return `import { defineConfig } from '@playwright/test';
+
+// Generated by \`test-proxy-recorder init\`.
+export default defineConfig({
+  testDir: './e2e',
+  // Resets the proxy to transparent mode after the run.
+  globalTeardown: './e2e/global-teardown.ts',
+  // Boots the recorder; it reads target/port/dir from
+  // test-proxy-recorder.config.ts. Health-check hits /__control, which is
+  // always available (the proxy root forwards to your backend).
+  webServer: {
+    command: 'test-proxy-recorder',
+    url: 'http://localhost:${options.port}/__control',
+    reuseExistingServer: true,
+    timeout: 15_000,
+  },
+});
+`;
+}
+function renderFixtures() {
+  return String.raw`import { test as base, type Page } from '@playwright/test';
+import { playwrightProxy } from 'test-proxy-recorder';
+
+// External domains the browser calls directly (auth, CDN, analytics, ...).
+// Server-side fetches through the proxy are recorded automatically — this is
+// only for browser-side requests that never touch the proxy.
+const CLIENT_SIDE_URL = /api\.example\.com/;
+
+// Change to 'record' to hit the real API and refresh recordings, then switch
+// back to 'replay' and commit. Record with a single worker (--workers 1).
+const MODE = 'replay' as const;
+
+export const test = base.extend<{ page: Page }>({
+  page: async ({ context }, use, testInfo) => {
+    const page = await context.newPage();
+    await playwrightProxy.before(page, testInfo, MODE, { url: CLIENT_SIDE_URL });
+    await use(page);
+  },
+});
+
+export { expect } from '@playwright/test';
+`;
+}
+function renderTeardown() {
+  return `import { playwrightProxy } from 'test-proxy-recorder';
+
+// Runs once after the whole suite \u2014 resets the proxy to transparent mode.
+// Do NOT call teardown() per-test (afterAll): it flips the global mode and
+// breaks parallel replay.
+export default async function globalTeardown() {
+  await playwrightProxy
+    .teardown()
+    .catch((err) => console.warn('test-proxy-recorder teardown', err));
+}
+`;
+}
+function scaffoldScripts() {
+  return {
+    proxy: "test-proxy-recorder",
+    "test:e2e": "playwright test",
+    "test:e2e:record": "playwright test --workers 1 --ui"
+  };
+}
+function injectProxyIntoConfig(source, options) {
+  if (source.includes("test-proxy-recorder")) {
+    return {
+      contents: source,
+      changed: false,
+      reason: "already references test-proxy-recorder"
+    };
+  }
+  if (/\bwebServer\s*:/.test(source)) {
+    return {
+      contents: source,
+      changed: false,
+      reason: "already defines webServer \u2014 add the proxy command manually"
+    };
+  }
+  const opener = source.match(/defineConfig\s*\(\s*\{/) ?? source.match(/export\s+default\s*\{/);
+  if (opener?.index === void 0) {
+    return {
+      contents: source,
+      changed: false,
+      reason: "could not locate the config object"
+    };
+  }
+  const hasTeardown = /\bglobalTeardown\s*:/.test(source);
+  const teardownLine = hasTeardown ? "" : `
+  globalTeardown: './e2e/global-teardown.ts',`;
+  const block = `
+  // Added by test-proxy-recorder init
+  webServer: {
+    command: 'test-proxy-recorder',
+    url: 'http://localhost:${options.port}/__control',
+    reuseExistingServer: true,
+    timeout: 15_000,
+  },${teardownLine}`;
+  const at = opener.index + opener[0].length;
+  const contents = source.slice(0, at) + block + source.slice(at);
+  return { contents, changed: true };
+}
+function findPlaywrightConfig(cwd) {
+  for (const name of PLAYWRIGHT_CONFIG_NAMES) {
+    const candidate = path3.join(cwd, name);
+    if (existsSync(candidate)) return candidate;
+  }
+  return null;
+}
+function writeFile(cwd, relPath, contents, force) {
+  const absPath = path3.join(cwd, relPath);
+  const overwritten = existsSync(absPath);
+  if (overwritten && !force) {
+    return { relPath, status: "skipped", detail: "already exists" };
+  }
+  mkdirSync(path3.dirname(absPath), { recursive: true });
+  writeFileSync(absPath, contents, "utf8");
+  return {
+    relPath,
+    status: "created",
+    detail: overwritten ? "overwritten" : void 0
+  };
+}
+function scaffoldPlaywright(cwd, options) {
+  const existing = findPlaywrightConfig(cwd);
+  if (!existing) {
+    return writeFile(
+      cwd,
+      "playwright.config.ts",
+      renderPlaywrightConfig(options),
+      options.force
+    );
+  }
+  const relPath = path3.relative(cwd, existing) || path3.basename(existing);
+  const source = readFileSync(existing, "utf8");
+  const { contents, changed, reason } = injectProxyIntoConfig(source, options);
+  if (!changed) {
+    return { relPath, status: "skipped", detail: reason };
+  }
+  writeFileSync(existing, contents, "utf8");
+  return {
+    relPath,
+    status: "updated",
+    detail: "added webServer + globalTeardown"
+  };
+}
+function detectIndent(source) {
+  const match = source.match(/\n([ \t]+)"/);
+  return match ? match[1] : "  ";
+}
+var DEV_APP_SCRIPT = "dev:app";
+function runScriptPrefix(pm) {
+  return pm === "pnpm" || pm === "yarn" ? pm : `${pm} run`;
+}
+function mergeScripts(existing, scripts, force) {
+  const added = [];
+  const skipped = [];
+  for (const [name, command] of Object.entries(scripts)) {
+    const conflicts = existing[name] !== void 0 && !force;
+    (conflicts ? skipped : added).push(name);
+    if (!conflicts) existing[name] = command;
+  }
+  return { added, skipped };
+}
+function wrapDevScript(scripts, pm) {
+  const dev = scripts.dev;
+  if (dev === void 0) return false;
+  if (dev.includes("test-proxy-recorder") || dev.includes("concurrently")) {
+    return false;
+  }
+  if (scripts[DEV_APP_SCRIPT] !== void 0) return false;
+  const run = runScriptPrefix(pm);
+  scripts[DEV_APP_SCRIPT] = dev;
+  scripts.dev = `concurrently --kill-others "${run} proxy" "${run} ${DEV_APP_SCRIPT}"`;
+  return true;
+}
+function ensureConcurrentlyDep(pkg) {
+  if (pkg.dependencies?.concurrently !== void 0 || pkg.devDependencies?.concurrently !== void 0) {
+    return false;
+  }
+  pkg.devDependencies ??= {};
+  pkg.devDependencies.concurrently = "^9.0.0";
+  return true;
+}
+function updatePackageScripts(cwd, scripts, force) {
+  const relPath = "package.json";
+  const absPath = path3.join(cwd, relPath);
+  if (!existsSync(absPath)) {
+    return { relPath, status: "skipped", detail: "no package.json found" };
+  }
+  const source = readFileSync(absPath, "utf8");
+  const pkg = JSON.parse(source);
+  pkg.scripts ??= {};
+  const { added, skipped } = mergeScripts(pkg.scripts, scripts, force);
+  const devWrapped = wrapDevScript(pkg.scripts, detectPackageManager(cwd));
+  if (devWrapped) ensureConcurrentlyDep(pkg);
+  if (added.length === 0 && !devWrapped) {
+    return {
+      relPath,
+      status: "skipped",
+      detail: `scripts already present (${skipped.join(", ")})`
+    };
+  }
+  const indent = detectIndent(source);
+  const trailingNewline = source.endsWith("\n") ? "\n" : "";
+  writeFileSync(absPath, JSON.stringify(pkg, null, indent) + trailingNewline);
+  return {
+    relPath,
+    status: "updated",
+    detail: describeEdit(added, skipped, devWrapped)
+  };
+}
+function describeEdit(added, skipped, devWrapped) {
+  const parts = [];
+  if (added.length > 0) parts.push(`added ${added.join(", ")}`);
+  if (skipped.length > 0) parts.push(`kept existing ${skipped.join(", ")}`);
+  if (devWrapped) parts.push(`wrapped dev (original \u2192 ${DEV_APP_SCRIPT})`);
+  return parts.join("; ");
+}
+function runInit(options, cwd = process.cwd()) {
+  const actions = [
+    writeFile(cwd, CONFIG_FILENAME, renderConfig(options), options.force),
+    scaffoldPlaywright(cwd, options),
+    writeFile(cwd, "e2e/fixtures.ts", renderFixtures(), options.force),
+    writeFile(cwd, "e2e/global-teardown.ts", renderTeardown(), options.force),
+    updatePackageScripts(cwd, scaffoldScripts(), options.force)
+  ];
+  return { actions };
+}
+function playwrightInstalled(cwd) {
+  if (existsSync(path3.join(cwd, "node_modules", "@playwright", "test"))) {
+    return true;
+  }
+  const pkgPath = path3.join(cwd, "package.json");
+  if (!existsSync(pkgPath)) return false;
+  try {
+    const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
+    return Boolean(
+      pkg.dependencies?.["@playwright/test"] ?? pkg.devDependencies?.["@playwright/test"]
+    );
+  } catch {
+    return false;
+  }
+}
+function detectPackageManager(cwd) {
+  const ua = process.env.npm_config_user_agent ?? "";
+  if (ua.startsWith("pnpm") || existsSync(path3.join(cwd, "pnpm-lock.yaml"))) {
+    return "pnpm";
+  }
+  if (ua.startsWith("yarn") || existsSync(path3.join(cwd, "yarn.lock"))) {
+    return "yarn";
+  }
+  if (ua.startsWith("bun") || existsSync(path3.join(cwd, "bun.lockb"))) {
+    return "bun";
+  }
+  return "npm";
+}
+function playwrightCreateCommand(pm) {
+  const flags = ["--quiet", "--browser=chromium"];
+  switch (pm) {
+    case "pnpm": {
+      return { cmd: "pnpm", args: ["create", "playwright", "--", ...flags] };
+    }
+    case "yarn": {
+      return { cmd: "yarn", args: ["create", "playwright", ...flags] };
+    }
+    case "bun": {
+      return { cmd: "bun", args: ["create", "playwright", ...flags] };
+    }
+    default: {
+      return {
+        cmd: "npm",
+        args: ["init", "playwright@latest", "--", ...flags]
+      };
+    }
+  }
+}
+function maybeInstallPlaywright(options, cwd) {
+  if (!options.install) return;
+  if (findPlaywrightConfig(cwd)) return;
+  if (playwrightInstalled(cwd)) return;
+  const { cmd, args } = playwrightCreateCommand(detectPackageManager(cwd));
+  console.log(
+    `No Playwright config found and Playwright is not installed.
+Running \`${cmd} ${args.join(" ")}\` (pass --no-install to skip)...`
+  );
+  let failed = true;
+  try {
+    const result = spawnSync(cmd, args, { cwd, stdio: "inherit" });
+    failed = result.status !== 0;
+  } catch {
+    failed = true;
+  }
+  if (failed) {
+    console.warn(
+      "Playwright CLI scaffold did not complete \u2014 writing a default playwright.config.ts instead. Install Playwright with `npm install -D @playwright/test`."
+    );
+  }
+}
+function parseInitArgs(argv) {
+  const program = new Command();
+  program.name("test-proxy-recorder init").description(
+    "Scaffold test-proxy-recorder config + Playwright setup in the current directory"
+  ).argument(
+    "[target]",
+    "Backend API URL the proxy records against",
+    DEFAULT_TARGET
+  ).option("-p, --port <number>", "Proxy port", String(DEFAULT_PORT2)).option("-d, --dir <path>", "Recordings directory", DEFAULT_DIR).option(
+    "-f, --force",
+    "Overwrite existing files and package.json scripts",
+    false
+  ).option(
+    "--no-install",
+    "Do not run the Playwright CLI when Playwright is missing"
+  ).allowExcessArguments(false);
+  program.parse(argv, { from: "user" });
+  const target2 = program.args[0] ?? DEFAULT_TARGET;
+  const opts = program.opts();
+  const port2 = Number.parseInt(opts.port, 10);
+  if (Number.isNaN(port2) || port2 < 1025 || port2 > 65535) {
+    console.error("Error: Invalid port number. Must be between 1025 and 65535");
+    process.exit(1);
+  }
+  return {
+    target: target2,
+    port: port2,
+    dir: opts.dir,
+    force: opts.force,
+    install: opts.install
+  };
+}
+var STATUS_LABEL = {
+  created: "Created",
+  updated: "Updated",
+  skipped: "Skipped"
+};
+function initCommand(argv, cwd = process.cwd()) {
+  const options = parseInitArgs(argv);
+  maybeInstallPlaywright(options, cwd);
+  const { actions } = runInit(options, cwd);
+  console.log("");
+  for (const action of actions) {
+    const label = STATUS_LABEL[action.status];
+    const suffix = action.detail ? ` \u2014 ${action.detail}` : "";
+    console.log(`${label.padEnd(7)} ${action.relPath}${suffix}`);
+  }
+  printNextSteps(actions, options);
+}
+function backendPointingLines(options, devWrapped) {
+  const proxyUrl = `http://localhost:${options.port}`;
+  const lines = [
+    "  1. Point your app's backend calls at the proxy \u2014 in dev/test only, never in production.",
+    `     Set whatever env var your app reads its API base URL from to:  ${proxyUrl}`,
+    `     (it talks to ${options.target} directly today; the proxy forwards there while`,
+    "      recording and serves recordings on replay.)"
+  ];
+  const example = devWrapped ? `       "dev:app": "API_BASE_URL=${proxyUrl} <your dev command>"` : `       API_BASE_URL=${proxyUrl} <your dev/start command>`;
+  lines.push(
+    "     e.g. (use cross-env to make this work on Windows):",
+    example
+  );
+  return lines;
+}
+function printNextSteps(actions, options) {
+  const pkgAction = actions.find((a) => a.relPath === "package.json");
+  const pwAction = actions.find(
+    (a) => a.relPath.startsWith("playwright.config")
+  );
+  const devWrapped = pkgAction?.detail?.includes("wrapped dev") ?? false;
+  const step2 = pwAction?.status === "skipped" ? `  2. Wire the proxy into your Playwright config (${pwAction.detail}):
+       webServer: { command: 'test-proxy-recorder', url: 'http://localhost:${options.port}/__control', reuseExistingServer: true }` : "  2. Record: set MODE = 'record' in e2e/fixtures.ts, then run your record script.";
+  const step3 = pkgAction?.detail === "no package.json found" ? '  3. Add scripts manually: "proxy": "test-proxy-recorder", "test:e2e": "playwright test".' : `  3. Switch MODE back to 'replay' and commit ${options.dir}.`;
+  console.log("");
+  console.log("Next steps:");
+  for (const line of backendPointingLines(options, devWrapped)) {
+    console.log(line);
+  }
+  console.log(step2);
+  console.log(step3);
+  if (devWrapped) {
+    console.log(
+      "  \u2022 `dev` now runs the proxy + your app together (install `concurrently` if needed)."
+    );
+  }
 }
 
 // src/utils/cors.ts
@@ -307,6 +815,139 @@ var Modes = {
   record: "record",
   replay: "replay"
 };
+
+// src/utils/redact.ts
+var DEFAULT_REDACTED_HEADERS = [
+  "authorization",
+  "cookie",
+  "set-cookie"
+];
+var REDACTED_PLACEHOLDER = "[REDACTED]";
+var COOKIE_HEADERS = /* @__PURE__ */ new Set(["cookie", "set-cookie"]);
+function resolveRedaction2(config) {
+  const extra = (config?.headers ?? []).map((name) => name.toLowerCase());
+  const headerSet = /* @__PURE__ */ new Set([...DEFAULT_REDACTED_HEADERS, ...extra]);
+  for (const name of config?.allowHeaders ?? []) {
+    headerSet.delete(name.toLowerCase());
+  }
+  return {
+    headerSet,
+    allowCookies: new Set(
+      (config?.allowCookies ?? []).map((name) => name.toLowerCase())
+    ),
+    regexes: toGlobalRegexes(config?.bodyPatterns),
+    placeholder: config?.placeholder ?? REDACTED_PLACEHOLDER
+  };
+}
+function toGlobalRegexes(patterns) {
+  if (!patterns || patterns.length === 0) {
+    return [];
+  }
+  return patterns.map((pattern) => {
+    if (typeof pattern === "string") {
+      return new RegExp(pattern, "g");
+    }
+    return pattern.flags.includes("g") ? pattern : new RegExp(pattern.source, `${pattern.flags}g`);
+  });
+}
+function redactCookieHeader(value, allowCookies, placeholder) {
+  return value.split(";").map((part) => part.trim()).filter(Boolean).map((pair) => {
+    const eq = pair.indexOf("=");
+    if (eq === -1) {
+      return pair;
+    }
+    const name = pair.slice(0, eq);
+    return allowCookies.has(name.toLowerCase()) ? pair : `${name}=${placeholder}`;
+  }).join("; ");
+}
+function redactSetCookieValue(value, allowCookies, placeholder) {
+  const semicolon = value.indexOf(";");
+  const firstPair = semicolon === -1 ? value : value.slice(0, semicolon);
+  const attributes = semicolon === -1 ? "" : value.slice(semicolon);
+  const eq = firstPair.indexOf("=");
+  if (eq === -1) {
+    return value;
+  }
+  const name = firstPair.slice(0, eq).trim();
+  if (allowCookies.has(name.toLowerCase())) {
+    return value;
+  }
+  return `${name}=${placeholder}${attributes}`;
+}
+function redactCookieAware(lower, value, resolved) {
+  const { allowCookies, placeholder } = resolved;
+  const redactOne = (cookie) => lower === "cookie" ? redactCookieHeader(cookie, allowCookies, placeholder) : redactSetCookieValue(cookie, allowCookies, placeholder);
+  return Array.isArray(value) ? value.map((v) => redactOne(v)) : redactOne(String(value));
+}
+function redactHeaderValue(name, value, resolved) {
+  const lower = name.toLowerCase();
+  if (resolved.allowCookies.size > 0 && COOKIE_HEADERS.has(lower)) {
+    return redactCookieAware(lower, value, resolved);
+  }
+  return Array.isArray(value) ? value.map(() => resolved.placeholder) : resolved.placeholder;
+}
+function redactHeaders(headers, resolved) {
+  const result = {};
+  for (const [name, value] of Object.entries(headers)) {
+    result[name] = resolved.headerSet.has(name.toLowerCase()) ? redactHeaderValue(name, value, resolved) : value;
+  }
+  return result;
+}
+function redactBody(body, regexes, placeholder) {
+  if (!body || regexes.length === 0) {
+    return body ?? null;
+  }
+  let result = body;
+  for (const regex of regexes) {
+    regex.lastIndex = 0;
+    result = result.replace(regex, placeholder);
+  }
+  return result;
+}
+function redactRecording(recording, resolved) {
+  const { regexes, placeholder } = resolved;
+  return {
+    ...recording,
+    request: {
+      ...recording.request,
+      headers: redactHeaders(recording.request.headers, resolved),
+      body: redactBody(recording.request.body, regexes, placeholder)
+    },
+    response: recording.response && {
+      ...recording.response,
+      headers: redactHeaders(recording.response.headers, resolved),
+      body: redactBody(recording.response.body, regexes, placeholder)
+    }
+  };
+}
+function redactWebSocketRecording(recording, resolved) {
+  const { regexes, placeholder } = resolved;
+  return {
+    ...recording,
+    headers: recording.headers ? redactHeaders(recording.headers, resolved) : recording.headers,
+    messages: recording.messages.map((message) => ({
+      ...message,
+      data: redactBody(message.data, regexes, placeholder) ?? message.data
+    }))
+  };
+}
+function redactSession(session, config) {
+  if (config?.enabled === false) {
+    return session;
+  }
+  const resolved = resolveRedaction2(config);
+  return {
+    ...session,
+    recordings: session.recordings.map(
+      (recording) => redactRecording(recording, resolved)
+    ),
+    websocketRecordings: (session.websocketRecordings ?? []).map(
+      (recording) => redactWebSocketRecording(recording, resolved)
+    )
+  };
+}
+
+// src/utils/fileUtils.ts
 var JSON_INDENT_SPACES = 2;
 var EXTENSION = ".mock.json";
 var MAX_FILENAME_LENGTH = 255 - EXTENSION.length;
@@ -326,7 +967,7 @@ function getRecordingPath(recordingsDir2, id) {
     maxLength: 255
     // Set explicit max to prevent filenamify's default truncation
   });
-  return path.join(recordingsDir2, `${sanitizedId}${EXTENSION}`);
+  return path3.join(recordingsDir2, `${sanitizedId}${EXTENSION}`);
 }
 async function loadRecordingSession(filePath) {
   const fileContent = await fs.readFile(filePath, "utf8");
@@ -351,14 +992,17 @@ function processRecordings(recordings) {
   processedRecordings.sort((a, b) => a.recordingId - b.recordingId);
   return processedRecordings;
 }
-async function saveRecordingSession(recordingsDir2, session) {
+async function saveRecordingSession(recordingsDir2, session, redaction2) {
   const filePath = getRecordingPath(recordingsDir2, session.id);
   await fs.mkdir(recordingsDir2, { recursive: true });
   const processedRecordings = processRecordings(session.recordings);
-  const processedSession = {
-    ...session,
-    recordings: processedRecordings
-  };
+  const processedSession = redactSession(
+    {
+      ...session,
+      recordings: processedRecordings
+    },
+    redaction2
+  );
   await fs.writeFile(
     filePath,
     JSON.stringify(processedSession, null, JSON_INDENT_SPACES)
@@ -587,19 +1231,22 @@ var ProxyServer = class {
   currentSession;
   recordingsDir;
   timeoutMs;
-  recordingIdCounter;
   // Unique ID for each recording entry
-  sequenceCounterByKey;
+  recordingIdCounter;
   // Sequence counter per key (endpoint)
+  sequenceCounterByKey;
   replaySessions;
   // Track multiple concurrent replay sessions by recording ID
   recordingPromises;
   // Stack of promises that resolve to completed recordings
   flushPromise;
   // Promise for in-progress flush operation
-  constructor(target2, recordingsDir2, timeoutMs) {
+  redaction;
+  // Secret-redaction config applied before saving
+  constructor(target2, recordingsDir2, timeoutMs, redaction2) {
     this.target = target2;
     this.timeoutMs = timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    this.redaction = redaction2;
     this.mode = Modes.transparent;
     this.recordingId = null;
     this.recordingIdCounter = 0;
@@ -849,7 +1496,11 @@ var ProxyServer = class {
     console.log(
       `Saving session with ${this.currentSession.recordings.length} HTTP and ${this.currentSession.websocketRecordings.length} WebSocket recordings`
     );
-    await saveRecordingSession(this.recordingsDir, this.currentSession);
+    await saveRecordingSession(
+      this.recordingsDir,
+      this.currentSession,
+      this.redaction
+    );
   }
   getRecordingIdOrError(req, res) {
     const recordingIdFromRequest = getRecordingIdFromRequest(req);
@@ -1097,8 +1748,12 @@ var ProxyServer = class {
 };
 
 // src/proxy-cli.ts
-var { target, port, recordingsDir, timeout } = parseCliArgs();
-var proxy = new ProxyServer(target, recordingsDir, timeout);
+if (process.argv[2] === "init") {
+  initCommand(process.argv.slice(3));
+  process.exit(0);
+}
+var { target, port, recordingsDir, timeout, redaction } = await parseCliArgs();
+var proxy = new ProxyServer(target, recordingsDir, timeout, redaction);
 await proxy.init();
 proxy.listen(port);
 console.log(`Recordings will be saved to: ${recordingsDir}`);