@barrysolomon/mobile-react-native 0.1.1-alpha → 0.2.1-alpha

package/lib/instrumentation/unhandledRejection.js

@@ -6,7 +6,10 @@
  * ErrorInstrumentation dedupe semantics.
  */
 import { Dash0Mobile } from '../index';
+import { sanitizeMessage, sanitizeStacktrace } from '../redact';
 const DEDUPE_WINDOW_MS = 5 * 60 * 1000;
+/** Cap on the dedupe map so a high-cardinality rejection storm can't leak memory. */
+const DEDUPE_MAX_ENTRIES = 256;
 const SEVERITY_ERROR = 17;
 function dedupeKey(reason) {
     if (reason instanceof Error) {
@@ -28,19 +31,26 @@ export function installUnhandledRejectionInstrumentation() {
         const lastAt = recentlySeen.get(key);
         if (lastAt !== undefined && now - lastAt < DEDUPE_WINDOW_MS)
             return;
+        // LRU-style insert + cap so a rejection storm can't grow the map forever.
+        recentlySeen.delete(key);
         recentlySeen.set(key, now);
+        if (recentlySeen.size > DEDUPE_MAX_ENTRIES) {
+            const oldest = recentlySeen.keys().next().value;
+            if (oldest !== undefined)
+                recentlySeen.delete(oldest);
+        }
         if (reason instanceof Error) {
             Dash0Mobile.log('app.error', {
                 'exception.type': reason.name ?? 'Error',
-                'exception.message': reason.message ?? String(reason),
-                'exception.stacktrace': reason.stack ?? '',
+                'exception.message': sanitizeMessage(reason.message ?? String(reason)),
+                'exception.stacktrace': sanitizeStacktrace(reason.stack ?? ''),
                 'exception.escaped': true,
             }, SEVERITY_ERROR);
         }
         else {
             Dash0Mobile.log('app.error', {
                 'exception.type': 'UnhandledRejection',
-                'exception.message': String(reason),
+                'exception.message': sanitizeMessage(String(reason)),
                 'exception.escaped': true,
             }, SEVERITY_ERROR);
         }

package/lib/instrumentation/xhr.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"xhr.d.ts","sourceRoot":"","sources":["../../src/instrumentation/xhr.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,WAAW,wBAAwB;IACvC,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAClC;AAWD,wBAAgB,yBAAyB,CACvC,MAAM,GAAE,wBAA6B,GACpC,MAAM,IAAI,CAgGZ"}
+{"version":3,"file":"xhr.d.ts","sourceRoot":"","sources":["../../src/instrumentation/xhr.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,MAAM,WAAW,wBAAwB;IACvC,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAClC;AAWD,wBAAgB,yBAAyB,CACvC,MAAM,GAAE,wBAA6B,GACpC,MAAM,IAAI,CAwHZ"}

package/lib/instrumentation/xhr.js

@@ -8,6 +8,7 @@
  * Dash0 queries see a single consistent HTTP span schema.
  */
 import { Dash0Mobile } from '../index';
+import { sanitizeUrl } from '../redact';
 const HOST_PATTERN = /^[a-z][a-z0-9+.-]*:\/\/([^/:?#]+)/i;
 function hostFromUrl(url) {
     const match = url.match(HOST_PATTERN);
@@ -23,58 +24,82 @@ export function installXhrInstrumentation(config = {}) {
             const instance = Reflect.construct(target, args, newTarget);
             const originalOpen = instance.open.bind(instance);
             instance.open = function open(method, url, ...rest) {
-                instance.__dash0_method = method.toUpperCase();
-                instance.__dash0_url = typeof url === 'string' ? url : url.toString();
+                try {
+                    instance.__dash0_method = method.toUpperCase();
+                    instance.__dash0_url = typeof url === 'string' ? url : url.toString();
+                }
+                catch {
+                    // Capturing request metadata must never block the real open().
+                }
                 // @ts-expect-error — forwarding variadic
                 return originalOpen(method, url, ...rest);
             };
             const originalSend = instance.send.bind(instance);
             instance.send = function send(body) {
-                const url = instance.__dash0_url ?? '';
-                const host = hostFromUrl(url);
-                if (!host || !ignored.has(host)) {
-                    const method = instance.__dash0_method ?? 'GET';
-                    instance.__dash0_span = Dash0Mobile.startSpan(`${method} ${host ?? 'unknown'}`, {
-                        'http.request.method': method,
-                        'url.full': url,
-                        ...(host ? { 'server.address': host } : {}),
-                    }, 'CLIENT');
-                    const onError = () => {
-                        instance.__dash0_failed = true;
-                    };
-                    const onLoadEnd = () => {
-                        const span = instance.__dash0_span;
-                        if (!span)
-                            return;
-                        if (instance.__dash0_failed) {
-                            span.setStatus('ERROR', 'network error');
-                        }
-                        else {
-                            const status = instance.status;
-                            if (typeof status === 'number' && status > 0) {
-                                span.setAttribute('http.response.status_code', status);
-                                if (status >= 400) {
-                                    span.setStatus('ERROR', `HTTP ${status}`);
+                // ALL telemetry setup is best-effort: a throw here must never stop
+                // the host's real request from going out.
+                try {
+                    const url = instance.__dash0_url ?? '';
+                    const host = hostFromUrl(url);
+                    if (!host || !ignored.has(host)) {
+                        const method = instance.__dash0_method ?? 'GET';
+                        instance.__dash0_span = Dash0Mobile.startSpan(`${method} ${host ?? 'unknown'}`, {
+                            'http.request.method': method,
+                            'url.full': sanitizeUrl(url),
+                            ...(host ? { 'server.address': host } : {}),
+                        }, 'CLIENT');
+                        const onError = () => {
+                            instance.__dash0_failed = true;
+                        };
+                        const onLoadEnd = () => {
+                            try {
+                                const span = instance.__dash0_span;
+                                if (!span)
+                                    return;
+                                if (instance.__dash0_failed) {
+                                    span.setStatus('ERROR', 'network error');
                                 }
                                 else {
-                                    span.setStatus('OK');
+                                    const status = instance.status;
+                                    if (typeof status === 'number' && status > 0) {
+                                        span.setAttribute('http.response.status_code', status);
+                                        if (status >= 400) {
+                                            span.setStatus('ERROR', `HTTP ${status}`);
+                                        }
+                                        else {
+                                            span.setStatus('OK');
+                                        }
+                                    }
+                                    else {
+                                        span.setStatus('OK');
+                                    }
                                 }
+                                span.end();
+                                instance.__dash0_span = undefined;
                             }
-                            else {
-                                span.setStatus('OK');
+                            catch {
+                                // Telemetry finalization failure must not surface to the host.
                             }
-                        }
-                        span.end();
-                        instance.__dash0_span = undefined;
-                    };
-                    instance.addEventListener('error', onError);
-                    instance.addEventListener('loadend', onLoadEnd);
+                        };
+                        instance.addEventListener('error', onError);
+                        instance.addEventListener('loadend', onLoadEnd);
+                    }
+                }
+                catch (telemetryErr) {
+                    // eslint-disable-next-line no-console
+                    console.warn?.('[@dash0/mobile] xhr instrumentation setup failed', telemetryErr);
                 }
                 return originalSend(body);
             };
             return instance;
         },
     });
+    // Double-install guard: Fast Refresh / repeated start() would otherwise
+    // stack Proxy wrappers and leak the original constructor.
+    if (OriginalXHR.__dash0_installed) {
+        return () => { };
+    }
+    OriginalXHR.__dash0_installed = true;
     globalThis.XMLHttpRequest =
         wrapped;
     return function uninstall() {
@@ -84,5 +109,7 @@ export function installXhrInstrumentation(config = {}) {
             globalThis.XMLHttpRequest =
                 OriginalXHR;
         }
+        // Clear the guard so a later install() can re-instrument.
+        delete OriginalXHR.__dash0_installed;
     };
 }

package/lib/redact.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Shared redaction + truncation helpers.
+ *
+ * Telemetry attributes can carry secrets (query-string tokens, bearer
+ * headers echoed into error messages) and unbounded payloads (multi-MB
+ * stack traces). These helpers strip the obvious leaks and cap sizes so a
+ * single pathological event can't exfiltrate credentials or blow the
+ * bridge/export budget.
+ */
+/** Max length for an exception message. */
+export declare const MAX_MESSAGE_LEN = 1024;
+/** Max length for an exception stacktrace. */
+export declare const MAX_STACKTRACE_LEN = 8192;
+/**
+ * Strip query string + fragment from a URL (they routinely carry
+ * `?token=`, `?sig=`, session ids), keeping origin + path, and cap length.
+ * Best-effort: if the input isn't a parseable URL we fall back to a manual
+ * `?`/`#` split so we never leak a query string just because parsing failed.
+ */
+export declare function sanitizeUrl(url: string): string;
+/**
+ * Run a light secret scrubber over free-text telemetry (error messages,
+ * stack traces) and cap its length.
+ */
+export declare function scrubText(value: string, max: number): string;
+/** Scrub + cap an exception message (≤1KB). */
+export declare function sanitizeMessage(message: string): string;
+/** Scrub + cap an exception stacktrace (≤8KB). */
+export declare function sanitizeStacktrace(stack: string): string;
+//# sourceMappingURL=redact.d.ts.map

package/lib/redact.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.d.ts","sourceRoot":"","sources":["../src/redact.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,2CAA2C;AAC3C,eAAO,MAAM,eAAe,OAAO,CAAC;AACpC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,OAAO,CAAC;AAOvC;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAQ/C;AAaD;;;GAGG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAO5D;AAED,+CAA+C;AAC/C,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAEvD;AAED,kDAAkD;AAClD,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAExD"}

package/lib/redact.js

@@ -0,0 +1,67 @@
+/**
+ * Shared redaction + truncation helpers.
+ *
+ * Telemetry attributes can carry secrets (query-string tokens, bearer
+ * headers echoed into error messages) and unbounded payloads (multi-MB
+ * stack traces). These helpers strip the obvious leaks and cap sizes so a
+ * single pathological event can't exfiltrate credentials or blow the
+ * bridge/export budget.
+ */
+/** Max length for a sanitized URL (origin + path). */
+const MAX_URL_LEN = 2048;
+/** Max length for an exception message. */
+export const MAX_MESSAGE_LEN = 1024; // 1KB
+/** Max length for an exception stacktrace. */
+export const MAX_STACKTRACE_LEN = 8192; // 8KB
+function truncate(value, max) {
+    if (value.length <= max)
+        return value;
+    return `${value.slice(0, max)}…[truncated]`;
+}
+/**
+ * Strip query string + fragment from a URL (they routinely carry
+ * `?token=`, `?sig=`, session ids), keeping origin + path, and cap length.
+ * Best-effort: if the input isn't a parseable URL we fall back to a manual
+ * `?`/`#` split so we never leak a query string just because parsing failed.
+ */
+export function sanitizeUrl(url) {
+    if (typeof url !== 'string' || url.length === 0)
+        return '';
+    let cleaned = url;
+    const queryIdx = cleaned.search(/[?#]/);
+    if (queryIdx >= 0) {
+        cleaned = cleaned.slice(0, queryIdx);
+    }
+    return truncate(cleaned, MAX_URL_LEN);
+}
+// Obvious secret patterns. Intentionally conservative — false positives are
+// cheaper than leaked credentials, but we don't try to be a full DLP engine.
+const SECRET_PATTERNS = [
+    // token=... / access_token=... in query-string or body form
+    [/([?&#]|\b)((?:access_|refresh_|id_)?token|api[_-]?key|secret|password|pwd|sig|signature)=[^&\s"']+/gi, '$1$2=[REDACTED]'],
+    // Authorization: Bearer <jwt-ish>
+    [/\bbearer\s+[A-Za-z0-9._\-+/]+=*/gi, 'bearer [REDACTED]'],
+    // long base64-ish runs (≥32 chars) that look like raw credentials
+    [/\b[A-Za-z0-9_\-+/]{32,}={0,2}\b/g, '[REDACTED]'],
+];
+/**
+ * Run a light secret scrubber over free-text telemetry (error messages,
+ * stack traces) and cap its length.
+ */
+export function scrubText(value, max) {
+    if (typeof value !== 'string' || value.length === 0)
+        return value ?? '';
+    let scrubbed = value;
+    for (const [pattern, replacement] of SECRET_PATTERNS) {
+        scrubbed = scrubbed.replace(pattern, replacement);
+    }
+    return truncate(scrubbed, max);
+}
+/** Scrub + cap an exception message (≤1KB). */
+export function sanitizeMessage(message) {
+    return scrubText(message, MAX_MESSAGE_LEN);
+}
+/** Scrub + cap an exception stacktrace (≤8KB). */
+export function sanitizeStacktrace(stack) {
+    return scrubText(stack, MAX_STACKTRACE_LEN);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@barrysolomon/mobile-react-native",
-  "version": "0.1.1-alpha",
+  "version": "0.2.1-alpha",
   "description": "Dash0 Mobile Observability SDK for React Native (JS/TS bridge). For native iOS use the Swift Package at https://github.com/barrysolomon/mobile-otel. For native Android use io.opentelemetry.android:mobile on GitHub Packages.",
   "main": "lib/index.js",
   "module": "lib/index.js",

package/src/bridge/types.ts

@@ -61,6 +61,36 @@ export interface WireframeAutoCapture {
   dedupeByContentHash?: boolean;
 }
 
+/**
+ * Trace sampling strategy passed through the RN bridge into the native SDK's
+ * `SamplingConfig`. Field names and semantics mirror Android's
+ * `io.opentelemetry.android.mobile.sampling.SamplingConfig` and iOS's
+ * `SamplingConfig` factory constructors one-to-one.
+ *
+ *   - `always_on`  → `SamplingConfig.alwaysOn()`  — sample 100% of spans.
+ *   - `always_off` → `SamplingConfig.alwaysOff()` — drop all spans.
+ *   - `dynamic`    → `SamplingConfig.dynamic(normalRate, highPriorityRate)`
+ *     — `normalRate` baseline with `highPriorityRate` for high-priority
+ *     spans (page.* / app.startup).
+ *
+ * RN DEFAULT: when `sampling` is omitted the bridge defaults to `always_on`
+ * (NOT the native SDK's `dynamic(0.1)` default). RN manual spans
+ * (`Dash0Mobile.startSpan()`) are ROOT spans with arbitrary names; a 10%
+ * baseline silently drops ~90% of a user's very first span, which is a
+ * terrible first-run experience and historically read as "spans vanish."
+ * Sampling/rate-limiting for RN architectures belongs in the collector, not
+ * the on-device SDK. Pass an explicit `sampling` to opt back into on-device
+ * sampling. The native-only Android/iOS SDKs keep their `dynamic(0.1)`
+ * default — only the RN-bridged default changes.
+ */
+export interface SamplingConfig {
+  strategy: 'always_on' | 'always_off' | 'dynamic';
+  /** Baseline rate for `dynamic` (0.0–1.0). Ignored for always_on/always_off. */
+  normalRate?: number;
+  /** Rate for high-priority spans under `dynamic` (0.0–1.0). Defaults to 1.0 natively. */
+  highPriorityRate?: number;
+}
+
 export interface StartConfig {
   serviceName: string;
   serviceVersion?: string;
@@ -72,6 +102,12 @@ export interface StartConfig {
     diskBytes?: number;
   };
   enablePolicyPolling?: boolean;
+  /**
+   * Trace sampling strategy. Defaults to `always_on` on RN (see
+   * {@link SamplingConfig}) — unlike the native SDKs' `dynamic(0.1)` default.
+   * Omit to keep all spans on-device and rate-limit in the collector.
+   */
+  sampling?: SamplingConfig;
   /**
    * Toggles for JS-side auto-instrumentation (fetch/XHR spans, JS error +
    * unhandled rejection logs). Defaults to all-on. RN bridge uses the same

package/src/index.ts

@@ -16,13 +16,14 @@ import type {
   Attributes,
   BridgePayload,
   NativeDash0MobileModule,
+  SamplingConfig,
   SeverityNumber,
   SpanKind,
   SpanStartPayload,
   StartConfig,
 } from './bridge/types';
 
-export type { Attributes, SeverityNumber, StartConfig } from './bridge/types';
+export type { Attributes, SamplingConfig, SeverityNumber, StartConfig } from './bridge/types';
 export { installReactNavigationInstrumentation } from './instrumentation/navigation';
 export { withTapTelemetry } from './instrumentation/touch';
 export { otel } from './otel-compat';
@@ -141,7 +142,7 @@ function resolveNative(): NativeDash0MobileModule | null {
 // callers and correlate issues to a specific bridge release. Keep this in
 // sync with package.json on each release.
 const DISTRO_NAME = 'dash0-react-native';
-const DISTRO_VERSION = '0.1.0-alpha';
+const DISTRO_VERSION = '0.2.1-alpha';
 
 function resolveReactNativeVersion(): string | undefined {
   try {
@@ -174,8 +175,16 @@ export const Dash0Mobile = {
     // iOS URLProtocol / NSException / signal-handler swizzles by default,
     // which collide with RN's new-arch JS event loop.
     const nativeAutoCapture = buildNativeAutoCaptureTokens(config.autoCapture);
+    // RN sampling default: always_on. RN manual spans are root spans with
+    // arbitrary names, so the native SDKs' dynamic(0.1) default would
+    // silently drop ~90% of a user's first span (Loper finding #4). Sampling
+    // for RN architectures belongs in the collector — callers can still opt
+    // into on-device sampling by passing an explicit `sampling`. See the
+    // SamplingConfig doc comment in bridge/types.ts.
+    const sampling: SamplingConfig = config.sampling ?? { strategy: 'always_on' };
     const mergedConfig: StartConfig & { nativeAutoCapture: string[] } = {
       ...config,
+      sampling,
       extraResourceAttributes: {
         'telemetry.distro.name': DISTRO_NAME,
         'telemetry.distro.version': DISTRO_VERSION,
@@ -202,7 +211,22 @@ export const Dash0Mobile = {
       if (!isReactNative()) {
         autoInstrUninstallers.push(installFetchInstrumentation({ ignoredHosts }));
       }
-      autoInstrUninstallers.push(installXhrInstrumentation({ ignoredHosts }));
+      // Android network capture is owned by the native OkHttp interceptor
+      // (OTelNetworkInterceptor), installed pre-JS in Dash0MobilePackage. The
+      // native layer is the only one that sees traffic under Expo SDK 52+ —
+      // expo/fetch routes through OkHttp directly and never touches the JS
+      // `fetch`/`XMLHttpRequest` globals these shims wrap, so the JS XHR shim
+      // sees zero traffic there. The native interceptor also injects a
+      // W3C `traceparent` built from the real native span context, which the
+      // JS shim cannot do. Installing the JS XHR shim on Android on top of the
+      // native interceptor would (for non-Expo apps) double-count every
+      // request. So: gate the JS XHR shim OFF on Android. iOS keeps the JS XHR
+      // shim — its native URLProtocol is opt-in (off by default for RN), and
+      // RN iOS fetch is XHR-backed, so XHR remains the authoritative JS layer
+      // there.
+      if (!isAndroid()) {
+        autoInstrUninstallers.push(installXhrInstrumentation({ ignoredHosts }));
+      }
     }
     if (auto.errors !== false) {
       autoInstrUninstallers.push(installErrorInstrumentation());
@@ -402,6 +426,23 @@ function isReactNative(): boolean {
   return nav?.product === 'ReactNative';
 }
 
+// True only on React Native running on Android. Reads `Platform.OS` from the
+// react-native module rather than a global so it's accurate on both old and
+// new arch. Used to gate OFF the JS `XMLHttpRequest` shim on Android, where
+// the native OkHttp interceptor (OTelNetworkInterceptor) owns network capture
+// and traceparent injection. Any failure to resolve `Platform` (Jest, SSR,
+// non-RN) returns false so those environments keep the JS shim — exactly the
+// behavior the dedup test pins.
+function isAndroid(): boolean {
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    const rn = require('react-native') as { Platform?: { OS?: string } };
+    return rn?.Platform?.OS === 'android';
+  } catch {
+    return false;
+  }
+}
+
 // Map JS autoCapture flags onto native-capability tokens the bridge
 // translates to AutoCaptureOptions. Defaults are all-OFF: callers must
 // explicitly set `true` to enable a native suite.

package/src/instrumentation/errors.ts

@@ -11,8 +11,11 @@
  */
 
 import { Dash0Mobile } from '../index';
+import { sanitizeMessage, sanitizeStacktrace } from '../redact';
 
 export const DEDUPE_WINDOW_MS = 5 * 60 * 1000;
+/** Cap on the dedupe map so a high-cardinality error storm can't leak memory. */
+const DEDUPE_MAX_ENTRIES = 256;
 const SEVERITY_ERROR = 17 as const;
 const SEVERITY_FATAL = 21 as const;
 
@@ -50,13 +53,20 @@ export function installErrorInstrumentation(): () => void {
     const now = Date.now();
     const lastAt = recentlySeen.get(key);
     if (lastAt === undefined || now - lastAt >= DEDUPE_WINDOW_MS) {
+      // LRU-style insert: re-key so the freshest entries stay, then evict the
+      // oldest if we've blown the cap. Bounds memory under an error storm.
+      recentlySeen.delete(key);
       recentlySeen.set(key, now);
+      if (recentlySeen.size > DEDUPE_MAX_ENTRIES) {
+        const oldest = recentlySeen.keys().next().value;
+        if (oldest !== undefined) recentlySeen.delete(oldest);
+      }
       Dash0Mobile.log(
         'app.error',
         {
           'exception.type': error?.name ?? 'Error',
-          'exception.message': error?.message ?? String(error),
-          'exception.stacktrace': error?.stack ?? '',
+          'exception.message': sanitizeMessage(error?.message ?? String(error)),
+          'exception.stacktrace': sanitizeStacktrace(error?.stack ?? ''),
         },
         isFatal ? SEVERITY_FATAL : SEVERITY_ERROR,
       );

package/src/instrumentation/fetch.ts

@@ -11,6 +11,7 @@
  */
 
 import { Dash0Mobile } from '../index';
+import { sanitizeUrl } from '../redact';
 
 export interface FetchInstrumentationConfig {
   ignoredHosts?: readonly string[];
@@ -43,51 +44,83 @@ export function installFetchInstrumentation(
   );
 
   const wrapped: FetchFn = async (input, init) => {
-    const url = resolveUrl(input);
-    const host = hostFromUrl(url);
-    if (host && ignored.has(host)) {
+    // Telemetry setup must never break the host's request. Build the span
+    // defensively; on ANY failure fall through to the raw call.
+    let handle: ReturnType<typeof Dash0Mobile.startSpan> | undefined;
+    try {
+      const url = resolveUrl(input);
+      const host = hostFromUrl(url);
+      if (host && ignored.has(host)) {
+        return original(input, init);
+      }
+      const method = resolveMethod(input, init);
+      handle = Dash0Mobile.startSpan(
+        method,
+        {
+          'http.request.method': method,
+          'url.full': sanitizeUrl(url),
+          ...(host ? { 'server.address': host } : {}),
+        },
+        'CLIENT',
+      );
+    } catch (telemetryErr) {
+      // Span setup failed — host request must still proceed unobserved.
+      // eslint-disable-next-line no-console
+      console.warn?.('[@dash0/mobile] fetch instrumentation setup failed', telemetryErr);
       return original(input, init);
     }
 
-    const method = resolveMethod(input, init);
-    const handle = Dash0Mobile.startSpan(
-      method,
-      {
-        'http.request.method': method,
-        'url.full': url,
-        ...(host ? { 'server.address': host } : {}),
-      },
-      'CLIENT',
-    );
-
     try {
       const response = await original(input, init);
-      const status = (response as Response | undefined)?.status;
-      if (typeof status === 'number') {
-        handle.setAttribute('http.response.status_code', status);
-        if (status >= 400) {
-          handle.setStatus('ERROR', `HTTP ${status}`);
+      try {
+        const status = (response as Response | undefined)?.status;
+        if (typeof status === 'number') {
+          handle.setAttribute('http.response.status_code', status);
+          if (status >= 400) {
+            handle.setStatus('ERROR', `HTTP ${status}`);
+          } else {
+            handle.setStatus('OK');
+          }
         } else {
           handle.setStatus('OK');
         }
-      } else {
-        handle.setStatus('OK');
+      } catch {
+        // Telemetry bookkeeping failure must not mask a successful response.
       }
       return response;
     } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      handle.setStatus('ERROR', message);
+      try {
+        const message = err instanceof Error ? err.message : String(err);
+        handle.setStatus('ERROR', message);
+      } catch {
+        // ignore telemetry failure on the error path
+      }
       throw err;
     } finally {
-      handle.end();
+      try {
+        handle.end();
+      } catch {
+        // ignore
+      }
     }
   };
 
-  globalThis.fetch = wrapped;
+  const g = globalThis as unknown as {
+    fetch: FetchFn & { __dash0_installed?: boolean };
+  };
+  // Double-install guard: Fast Refresh / repeated start() would otherwise
+  // stack wrappers and leak the captured `original`.
+  if (g.fetch && (g.fetch as { __dash0_installed?: boolean }).__dash0_installed) {
+    return () => {};
+  }
+  (wrapped as { __dash0_installed?: boolean }).__dash0_installed = true;
+  g.fetch = wrapped;
 
   return function uninstall() {
-    if (globalThis.fetch === wrapped) {
-      globalThis.fetch = original;
+    if (g.fetch === wrapped) {
+      g.fetch = original;
     }
+    // Clear the guard so a later install() can re-instrument.
+    delete (wrapped as { __dash0_installed?: boolean }).__dash0_installed;
   };
 }

package/src/instrumentation/navigation.ts

@@ -25,15 +25,19 @@ export function installReactNavigationInstrumentation(
   let currentName: string | null = null;
   let currentSpan: SpanHandle | null = null;
 
+  const endCurrentSpan = () => {
+    if (currentSpan) {
+      currentSpan.end();
+      currentSpan = null;
+    }
+  };
+
   const onState = () => {
     const route = navRef.getCurrentRoute();
     if (!route) return;
     if (route.name === currentName) return;
 
-    if (currentSpan) {
-      currentSpan.end();
-      currentSpan = null;
-    }
+    endCurrentSpan();
 
     currentName = route.name;
     Dash0Mobile.log('ui.screen_view', { 'screen.name': route.name }, 9);
@@ -42,11 +46,39 @@ export function installReactNavigationInstrumentation(
 
   const unsub = navRef.addListener('state', onState);
 
+  // End the active route span when the app leaves the foreground. Without
+  // this, a span started on the visible screen stays open until the next
+  // route change or uninstall — which on background may be minutes/never,
+  // producing absurd durations. Re-entering 'active' lets the next route
+  // change open a fresh span. AppState is required lazily so non-RN
+  // (Jest/SSR) environments don't need the native module.
+  let appStateSub: { remove?: () => void } | undefined;
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    const { AppState } = require('react-native') as {
+      AppState?: {
+        addEventListener: (
+          type: string,
+          listener: (state: string) => void,
+        ) => { remove?: () => void };
+      };
+    };
+    if (AppState && typeof AppState.addEventListener === 'function') {
+      appStateSub = AppState.addEventListener('change', (state: string) => {
+        if (state === 'background' || state === 'inactive') {
+          endCurrentSpan();
+          // Force the next foregrounded route to re-open a span.
+          currentName = null;
+        }
+      });
+    }
+  } catch {
+    // No AppState available (test/SSR) — background-end is best-effort.
+  }
+
   return function uninstall() {
     unsub();
-    if (currentSpan) {
-      currentSpan.end();
-      currentSpan = null;
-    }
+    appStateSub?.remove?.();
+    endCurrentSpan();
   };
 }