test-proxy-recorder 0.3.8 → 0.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "test-proxy-recorder",
-  "version": "0.3.8",
+  "version": "0.4.0",
   "description": "HTTP proxy server for recording and replaying network requests in testing. Works seamlessly with Playwright testing framework.",
   "type": "module",
   "main": "dist/index.mjs",
@@ -89,7 +89,8 @@
   "dependencies": {
     "commander": "^12.0.0",
     "filenamify": "^7.0.1",
-    "http-proxy": "^1.18.1"
+    "http-proxy": "^1.18.1",
+    "jiti": "^2.7.0"
   },
   "peerDependencies": {
     "@playwright/test": ">=1.0.0"

package/skills/proxy-setup/SKILL.md

@@ -7,9 +7,13 @@ description: >
   webServer block pointing to /__control, per-test fixtures using
   playwrightProxy.before(page, testInfo, mode, { url }), HAR browser-side
   recording via url pattern, .mock.json server-side recording, record/replay/
-  transparent modes, the record-once→commit→CI-replay lifecycle, and parallel
-  test execution with fullyParallel. Load this skill when installing
-  test-proxy-recorder, writing Playwright fixtures, or configuring record/replay.
+  transparent modes, the record-once→commit→CI-replay lifecycle, automatic
+  secret redaction of Authorization/Cookie/Set-Cookie headers (--no-redact,
+  --redact-headers, --redact-body), an optional config file
+  (test-proxy-recorder.config.ts via defineConfig, --config) with CLI-overrides-
+  config precedence, and parallel test execution with fullyParallel. Load this
+  skill when installing test-proxy-recorder, writing Playwright fixtures, or
+  configuring record/replay.
 type: core
 library: test-proxy-recorder
 library_version: "0.3.5"
@@ -17,6 +21,9 @@ sources:
   - "asmyshlyaev177/test-proxy-recorder:README.md"
   - "asmyshlyaev177/test-proxy-recorder:packages/test-proxy-recorder/src/playwright/index.ts"
   - "asmyshlyaev177/test-proxy-recorder:packages/test-proxy-recorder/src/types.ts"
+  - "asmyshlyaev177/test-proxy-recorder:packages/test-proxy-recorder/src/cli.ts"
+  - "asmyshlyaev177/test-proxy-recorder:packages/test-proxy-recorder/src/config.ts"
+  - "asmyshlyaev177/test-proxy-recorder:packages/test-proxy-recorder/src/utils/redact.ts"
   - "asmyshlyaev177/test-proxy-recorder:apps/example-nextjs16/package.json"
   - "asmyshlyaev177/test-proxy-recorder:apps/example-extension/e2e/fixtures.ts"
   - "asmyshlyaev177/test-proxy-recorder:apps/example-extension/playwright.config.ts"
@@ -151,6 +158,76 @@ Recording files must be committed — do not add `e2e/recordings/` to
 /e2e/recordings/** binary
 ```
 
+### Config file
+
+Anything passed on the CLI can instead live in a config file, auto-discovered as
+`test-proxy-recorder.config.{ts,js,mjs,cjs}` in the proxy process's working
+directory (or `--config <path>`). Prefer it over a long `proxy` script once you
+need body-redaction regexes — they go in as real `RegExp` literals instead of
+shell-escaped strings.
+
+```typescript
+// test-proxy-recorder.config.ts
+import { defineConfig } from 'test-proxy-recorder';
+
+export default defineConfig({
+  target: 'http://localhost:3002',
+  port: 8100,
+  recordingsDir: './e2e/recordings',
+  redaction: {
+    headers: ['x-api-key'],         // merged with the Authorization/Cookie defaults
+    bodyPatterns: [/sk_live_\w+/g],
+    allowCookies: ['theme'],
+  },
+});
+```
+
+```json
+// package.json — with a config file, the proxy script needs no flags
+{ "scripts": { "proxy": "test-proxy-recorder" } }
+```
+
+Precedence is **CLI flag → config file → built-in default**: a flag always
+overrides the file, and `target` may come from either (the CLI argument wins).
+List flags (`--redact-headers`, `--redact-body`, `--allow-headers`,
+`--allow-cookies`) **replace** the corresponding config list rather than merging,
+so pass them only when you intend to override the file. `--no-redact` overrides
+`redaction.enabled` from the config.
+
+### Secret redaction
+
+Recordings are committed to git, so secrets are stripped **automatically**
+before anything is written to disk. By default the proxy replaces the values of
+the `Authorization`, `Cookie`, and `Set-Cookie` headers with `[REDACTED]` in
+both `.mock.json` and WebSocket recordings. This is safe — replay matching
+ignores these headers, so redaction never breaks playback. No setup required.
+
+Tweak it via CLI flags on the `test-proxy-recorder` command:
+
+```bash
+# Redact an extra API-key header and any "sk_live_..." token in bodies,
+# but keep the harmless theme cookie unredacted
+test-proxy-recorder http://localhost:3002 --port 8100 --dir ./e2e/recordings \
+  --redact-headers x-api-key,x-auth \
+  --redact-body "sk_live_[a-zA-Z0-9]+" \
+  --allow-cookies theme,locale
+
+# Disable redaction (commit raw secrets — not recommended)
+test-proxy-recorder http://localhost:3002 --no-redact
+```
+
+- `--redact-headers <names>` — comma-separated extra header names, merged with the defaults.
+- `--redact-body <patterns>` — comma-separated regex patterns replaced in request/response bodies.
+- `--allow-headers <names>` — comma-separated header names to exempt from redaction (e.g. `set-cookie`).
+- `--allow-cookies <names>` — comma-separated cookie names kept unredacted inside `Cookie`/`Set-Cookie`; every other cookie in those headers is still redacted. Use when only some cookies are sensitive (session vs. theme/A-B-test).
+- `--no-redact` — turn redaction off.
+
+Caveat: `.har` files are written by Playwright's `routeFromHAR`, not the proxy,
+so this does **not** redact them. Keep tokens out of HAR by recording with
+short-lived test credentials and using the Auth setup pattern below (login runs
+in `transparent` mode against the real provider, with `storageState` saved to a
+gitignored file).
+
 ### Auth setup
 
 Auth always runs against the real auth provider — never recorded or replayed.