@casoon/trackr 0.1.0 → 0.2.0

package/README.md

@@ -2,18 +2,35 @@
 
 Privacy-first, GDPR-native analytics for static sites. No cookies, no persistent IDs, self-hosted.
 
+## Live Demo
+
+- [Homepage (Pageview)](https://trackr-demo.casoon.dev/)
+- [Shop (E-Commerce Events)](https://trackr-demo.casoon.dev/shop)
+- [Landing (Lead Forms)](https://trackr-demo.casoon.dev/landing)
+- [Stats (Raw Data)](https://trackr-demo.casoon.dev/stats)
+
+**UTM-Parameter Test:**
+- [With UTM params](https://trackr-demo.casoon.dev/?utm_source=github&utm_medium=readme&utm_campaign=trackr)
+
 ## Features
 
 - **Privacy by Default** - No cookies, no localStorage, no fingerprinting
 - **Lightweight** - Client script < 1KB gzipped
 - **Self-Hosted** - Your data stays on your infrastructure
+- **UTM Tracking** - Automatic extraction of campaign parameters
+- **SPA Support** - Auto-tracks `pushState`/`replaceState`/`hashchange` navigation
+- **OS Detection** - Server-side detection (Android, iOS, Windows, macOS, Linux, ChromeOS)
+- **Bot Filtering** - Common crawlers and headless browsers excluded
+- **Flexible Storage** - Postgres, external API, GA4 Measurement Protocol, or fan-out multi-adapter
+- **Webhook** - Forward events to any HTTP endpoint with HMAC-SHA256 signing and retry
+- **Batching** - Buffer events and flush in batches (size- or time-based) to reduce network calls
+- **Pixel Tracking** - Transparent GIF endpoint for email/no-JS contexts
 - **Astro-First** - Designed for Astro, works with any static site
-- **Flexible Storage** - Postgres or external API (Plausible, Umami)
 
 ## Installation
 
 ```bash
-pnpm add @casoon/trackr
+npm install @casoon/trackr
 ```
 
 ## Quick Start
@@ -30,40 +47,29 @@ pnpm add @casoon/trackr
 </script>
 ```
 
-Include in your layout:
+Or via CDN (no build step):
 
-```astro
----
-import Analytics from "../components/Analytics.astro";
----
-<html>
-  <body>
-    <slot />
-    <Analytics />
-  </body>
-</html>
+```html
+<script src="https://unpkg.com/@casoon/trackr"></script>
+<script>
+  trackr.init({ siteId: "your-site-id", endpoint: "https://your-api.com/collect" });
+</script>
 ```
 
 ### 2. Create the API endpoint
 
 ```typescript
 // src/pages/api/track.ts
-import type { APIRoute } from "astro";
 import { createHandler } from "@casoon/trackr/server";
 import { postgres } from "@casoon/trackr/storage/postgres";
 
 const handler = createHandler({
   storage: postgres(import.meta.env.DATABASE_URL),
-  privacy: {
-    anonymizeIp: true,
-    stripPii: true
-  },
+  privacy: { anonymizeIp: true, stripPii: true },
   botFilter: true
 });
 
-export const POST: APIRoute = async ({ request }) => {
-  return handler(request);
-};
+export const POST = async ({ request }) => handler(request);
 ```
 
 ### 3. Set up the database
@@ -76,15 +82,8 @@ CREATE TABLE trackr_events (
   name TEXT,
   url TEXT NOT NULL,
   referrer_domain TEXT,
-  country TEXT,
-  device TEXT,
-  browser TEXT,
-  session_id TEXT,
   props JSONB DEFAULT '{}'
 );
-
-CREATE INDEX idx_trackr_ts ON trackr_events (ts);
-CREATE INDEX idx_trackr_url ON trackr_events (url);
 ```
 
 ## Custom Events
@@ -92,51 +91,120 @@ CREATE INDEX idx_trackr_url ON trackr_events (url);
 ```typescript
 import { track } from "@casoon/trackr/client";
 
-// Track button click
-document.querySelector("#signup").addEventListener("click", () => {
-  track("signup_click", { plan: "pro" });
-});
+track("signup_click", { plan: "pro" });
 ```
 
 ## Storage Adapters
 
-### Postgres
+### Postgres (recommended for GDPR compliance)
 
 ```typescript
 import { postgres } from "@casoon/trackr/storage/postgres";
-
 const storage = postgres(process.env.DATABASE_URL);
 ```
 
 ### External API
 
-Forward events to Plausible, Umami, or any other service:
-
 ```typescript
 import { api } from "@casoon/trackr/storage/api";
-
 const storage = api({
   url: "https://plausible.io/api/event",
-  headers: { "Authorization": "Bearer ..." },
-  transform: (event) => ({
-    name: event.type === "pageview" ? "pageview" : event.name,
-    url: event.url,
-    domain: "your-domain.com"
-  })
+  transform: (event) => ({ ... })
+});
+```
+
+### GA4 Measurement Protocol (optional, privacy proxy)
+
+Forwards events server-side — the GA script never loads in the user's browser.
+
+```typescript
+import { ga4 } from "@casoon/trackr/storage/ga4";
+const storage = ga4({
+  measurementId: "G-XXXXXXXXXX",
+  apiSecret: process.env.GA4_API_SECRET,
+  nonPersonalizedAds: true,   // default true
+  stripQueryParams: true,      // strip query strings from URLs
+  debug: false
+});
+```
+
+> **GDPR note:** GA4 forwarding sends anonymized session IDs. Enable only if you have a legal basis or user consent for GA4 data transfer to Google's US servers.
+
+### Webhook
+
+Forward events to any HTTP endpoint. Supports HMAC-SHA256 payload signing and retry with exponential backoff.
+
+```typescript
+import { webhook } from "@casoon/trackr/storage/webhook";
+
+const storage = webhook({
+  url: "https://api.example.com/events",
+  secret: process.env.WEBHOOK_SECRET,        // signs payload → X-Trackr-Signature header
+  headers: { Authorization: "Bearer ..." },
+  retry: { attempts: 3, baseDelay: 500 },    // retries on 5xx with exponential backoff
 });
 ```
 
+### Multi (fan-out to multiple adapters)
+
+```typescript
+import { multi } from "@casoon/trackr/storage/multi";
+import { postgres } from "@casoon/trackr/storage/postgres";
+import { ga4 } from "@casoon/trackr/storage/ga4";
+
+const storage = multi(
+  postgres(process.env.DATABASE_URL),
+  ga4({ measurementId: "G-XXXXXXXXXX", apiSecret: process.env.GA4_API_SECRET })
+);
+```
+
+### Batch (buffer & flush)
+
+Wraps any adapter. Buffers events in memory and flushes on size threshold or time interval. Uses `saveBatch()` when the wrapped adapter supports it (e.g. webhook), otherwise calls `save()` for each event.
+
+```typescript
+import { batch } from "@casoon/trackr/storage/batch";
+import { webhook } from "@casoon/trackr/storage/webhook";
+
+const storage = batch(
+  webhook({ url: "https://api.example.com/events", secret: "s3cret" }),
+  { maxSize: 20, maxWait: 10_000 }          // flush every 20 events or 10s
+);
+
+// Graceful shutdown
+process.on("SIGTERM", () => storage.flush());
+```
+
+## Pixel Tracking
+
+For email open tracking or no-JS environments:
+
+```typescript
+import { createPixelHandler } from "@casoon/trackr/server/pixel";
+import { postgres } from "@casoon/trackr/storage/postgres";
+
+const pixelHandler = createPixelHandler({
+  storage: postgres(process.env.DATABASE_URL),
+  privacy: { anonymizeIp: true }
+});
+
+// Returns a transparent 1x1 GIF + records a pageview
+export const GET = async ({ request }) => pixelHandler(request);
+```
+
+```html
+<img src="https://your-api.com/pixel.gif?url=https://your-site.com/page" width="1" height="1" />
+```
+
 ## Privacy Features
 
 - **IP Anonymization** - Last octet removed before any processing
 - **PII Filtering** - Email, phone, tokens stripped from URLs
-- **No Cookies** - Session ID derived from anonymized IP + UA + date
-- **Bot Filtering** - Common bots and crawlers excluded
+- **No Cookies** - Session derived from anonymized IP + UA + date (daily rotating)
+- **Bot Filtering** - Common crawlers excluded
+- **UTM Extraction** - Campaign params captured client-side (prefix stripped: `utm_source` → `source`)
+- **OS Detection** - Server-side from User-Agent, not stored raw
 
 ## License
 
 LGPL-3.0-or-later
-
-## Author
-
-Joern Seidel <joern@casoon.de>

package/dist/chunk-7UN7MXBM.js

@@ -0,0 +1,141 @@
+// src/server/bot.ts
+var BOT_PATTERNS = [
+  /bot/i,
+  /crawler/i,
+  /spider/i,
+  /crawling/i,
+  /headless/i,
+  /phantom/i,
+  /selenium/i,
+  /google/i,
+  /bing/i,
+  /yahoo/i,
+  /baidu/i,
+  /facebook/i,
+  /twitter/i,
+  /linkedin/i,
+  /slack/i,
+  /discord/i,
+  /telegram/i,
+  /preview/i,
+  /curl/i,
+  /wget/i,
+  /monitoring/i,
+  /uptime/i,
+  /pingdom/i
+];
+function isBot(request) {
+  const ua = request.headers.get("user-agent") || "";
+  if (BOT_PATTERNS.some((p) => p.test(ua))) return true;
+  if (!request.headers.get("accept-language")) return true;
+  if (ua.length < 20) return true;
+  return false;
+}
+
+// src/server/privacy.ts
+var DEFAULT_PRIVACY_CONFIG = {
+  anonymizeIp: true,
+  stripPii: true
+};
+function resolvePrivacyConfig(config) {
+  return { ...DEFAULT_PRIVACY_CONFIG, ...config };
+}
+var PII_KEY_PATTERNS = [
+  /^e?mail$/i,
+  /^phone$/i,
+  /^(first|last|full|user|display)[_-]?name$/i,
+  /^name$/i,
+  /^(token|key|password|passwd|pass|secret|api[_-]?key)$/i,
+  /^(address|street|city|zip|postal[_-]?code)$/i,
+  /^(user[_-]?id|uid|login|username|user)$/i,
+  /^(ssn|social|tax[_-]?id|national[_-]?id)$/i,
+  /^(credit[_-]?card|card[_-]?number|cvv|ccn?)$/i,
+  /^(ip[_-]?address)$/i,
+  /^(dob|date[_-]?of[_-]?birth|birthday)$/i
+];
+function isPiiKey(key) {
+  return PII_KEY_PATTERNS.some((p) => p.test(key));
+}
+var EMAIL_PATTERN = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g;
+function anonymizeIp(ip) {
+  if (ip.includes(".")) {
+    return `${ip.split(".").slice(0, 3).join(".")}.0`;
+  }
+  return `${ip.split(":").slice(0, 4).join(":")}::`;
+}
+function stripPii(url) {
+  try {
+    const u = new URL(url, "http://localhost");
+    const keysToDelete = [...u.searchParams.keys()].filter(isPiiKey);
+    for (const k of keysToDelete) {
+      u.searchParams.delete(k);
+    }
+    const pathname = u.pathname.replace(EMAIL_PATTERN, "[redacted]");
+    return pathname + (u.search || "");
+  } catch {
+    return url;
+  }
+}
+async function createSessionId(ip, ua, date) {
+  const input = `${anonymizeIp(ip)}|${ua}|${date}`;
+  const data = new TextEncoder().encode(input);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = new Uint8Array(hashBuffer);
+  return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("").slice(0, 16);
+}
+function sanitizeProps(props) {
+  const result = {};
+  for (const [key, value] of Object.entries(props)) {
+    if (isPiiKey(key)) {
+      result[key] = "[redacted]";
+      continue;
+    }
+    if (typeof value === "string") {
+      result[key] = value.replace(EMAIL_PATTERN, "[redacted]");
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function applyPrivacy(event, config) {
+  const result = { ...event };
+  if (config.stripPii && result.url) {
+    result.url = stripPii(result.url);
+  }
+  if (config.stripPii && result.props) {
+    result.props = sanitizeProps(result.props);
+  }
+  if (config.stripQueryParams && result.url) {
+    try {
+      const u = new URL(result.url, "http://localhost");
+      for (const p of config.stripQueryParams) {
+        if (p.endsWith("*")) {
+          const prefix = p.slice(0, -1);
+          const keysToDelete = [...u.searchParams.keys()].filter(
+            (k) => k.startsWith(prefix)
+          );
+          for (const k of keysToDelete) {
+            u.searchParams.delete(k);
+          }
+        } else {
+          u.searchParams.delete(p);
+        }
+      }
+      result.url = u.pathname + (u.search || "");
+    } catch {
+    }
+  }
+  return result;
+}
+
+export {
+  isBot,
+  resolvePrivacyConfig,
+  anonymizeIp,
+  stripPii,
+  createSessionId,
+  sanitizeProps,
+  applyPrivacy
+};
+//# sourceMappingURL=chunk-7UN7MXBM.js.map

package/dist/chunk-7UN7MXBM.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/server/bot.ts","../src/server/privacy.ts"],"sourcesContent":["const BOT_PATTERNS = [\n  /bot/i,\n  /crawler/i,\n  /spider/i,\n  /crawling/i,\n  /headless/i,\n  /phantom/i,\n  /selenium/i,\n  /google/i,\n  /bing/i,\n  /yahoo/i,\n  /baidu/i,\n  /facebook/i,\n  /twitter/i,\n  /linkedin/i,\n  /slack/i,\n  /discord/i,\n  /telegram/i,\n  /preview/i,\n  /curl/i,\n  /wget/i,\n  /monitoring/i,\n  /uptime/i,\n  /pingdom/i,\n];\n\nexport function isBot(request: Request): boolean {\n  const ua = request.headers.get(\"user-agent\") || \"\";\n\n  if (BOT_PATTERNS.some((p) => p.test(ua))) return true;\n  if (!request.headers.get(\"accept-language\")) return true;\n  if (ua.length < 20) return true;\n\n  return false;\n}\n","import type { PrivacyConfig, TrackrEvent } from \"../types.js\";\n\n/** Default privacy config — all protections ON. */\nexport const DEFAULT_PRIVACY_CONFIG: PrivacyConfig = {\n  anonymizeIp: true,\n  stripPii: true,\n};\n\n/** Merge caller config with safe defaults. */\nexport function resolvePrivacyConfig(config?: PrivacyConfig): PrivacyConfig {\n  return { ...DEFAULT_PRIVACY_CONFIG, ...config };\n}\n\n/** Regex patterns that identify PII-bearing parameter/key names. */\nconst PII_KEY_PATTERNS: RegExp[] = [\n  /^e?mail$/i,\n  /^phone$/i,\n  /^(first|last|full|user|display)[_-]?name$/i,\n  /^name$/i,\n  /^(token|key|password|passwd|pass|secret|api[_-]?key)$/i,\n  /^(address|street|city|zip|postal[_-]?code)$/i,\n  /^(user[_-]?id|uid|login|username|user)$/i,\n  /^(ssn|social|tax[_-]?id|national[_-]?id)$/i,\n  /^(credit[_-]?card|card[_-]?number|cvv|ccn?)$/i,\n  /^(ip[_-]?address)$/i,\n  /^(dob|date[_-]?of[_-]?birth|birthday)$/i,\n];\n\nfunction isPiiKey(key: string): boolean {\n  return PII_KEY_PATTERNS.some((p) => p.test(key));\n}\n\nconst EMAIL_PATTERN = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}/g;\n\nexport function anonymizeIp(ip: string): string {\n  if (ip.includes(\".\")) {\n    return `${ip.split(\".\").slice(0, 3).join(\".\")}.0`;\n  }\n  return `${ip.split(\":\").slice(0, 4).join(\":\")}::`;\n}\n\nexport function stripPii(url: string): string {\n  try {\n    const u = new URL(url, \"http://localhost\");\n\n    // Remove query params whose key matches a PII pattern\n    const keysToDelete = [...u.searchParams.keys()].filter(isPiiKey);\n    for (const k of keysToDelete) {\n      u.searchParams.delete(k);\n    }\n\n    // Redact email patterns embedded in URL path segments\n    const pathname = u.pathname.replace(EMAIL_PATTERN, \"[redacted]\");\n\n    return pathname + (u.search || \"\");\n  } catch {\n    return url;\n  }\n}\n\nexport async function createSessionId(\n  ip: string,\n  ua: string,\n  date: string,\n): Promise<string> {\n  const input = `${anonymizeIp(ip)}|${ua}|${date}`;\n  const data = new TextEncoder().encode(input);\n  const hashBuffer = await crypto.subtle.digest(\"SHA-256\", data);\n  const hashArray = new Uint8Array(hashBuffer);\n  return Array.from(hashArray)\n    .map((b) => b.toString(16).padStart(2, \"0\"))\n    .join(\"\")\n    .slice(0, 16);\n}\n\nexport function sanitizeProps(\n  props: Record<string, string | number | boolean>,\n): Record<string, string | number | boolean> {\n  const result: Record<string, string | number | boolean> = {};\n  for (const [key, value] of Object.entries(props)) {\n    if (isPiiKey(key)) {\n      result[key] = \"[redacted]\";\n      continue;\n    }\n    if (typeof value === \"string\") {\n      result[key] = value.replace(EMAIL_PATTERN, \"[redacted]\");\n    } else {\n      result[key] = value;\n    }\n  }\n  return result;\n}\n\nexport function applyPrivacy(\n  event: TrackrEvent,\n  config: PrivacyConfig,\n): TrackrEvent {\n  const result = { ...event };\n\n  if (config.stripPii && result.url) {\n    result.url = stripPii(result.url);\n  }\n\n  if (config.stripPii && result.props) {\n    result.props = sanitizeProps(result.props);\n  }\n\n  if (config.stripQueryParams && result.url) {\n    try {\n      const u = new URL(result.url, \"http://localhost\");\n      for (const p of config.stripQueryParams) {\n        if (p.endsWith(\"*\")) {\n          const prefix = p.slice(0, -1);\n          const keysToDelete = [...u.searchParams.keys()].filter((k) =>\n            k.startsWith(prefix),\n          );\n          for (const k of keysToDelete) {\n            u.searchParams.delete(k);\n          }\n        } else {\n          u.searchParams.delete(p);\n        }\n      }\n      result.url = u.pathname + (u.search || \"\");\n    } catch {}\n  }\n\n  return result;\n}\n"],"mappings":";AAAA,IAAM,eAAe;AAAA,EACnB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEO,SAAS,MAAM,SAA2B;AAC/C,QAAM,KAAK,QAAQ,QAAQ,IAAI,YAAY,KAAK;AAEhD,MAAI,aAAa,KAAK,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,EAAG,QAAO;AACjD,MAAI,CAAC,QAAQ,QAAQ,IAAI,iBAAiB,EAAG,QAAO;AACpD,MAAI,GAAG,SAAS,GAAI,QAAO;AAE3B,SAAO;AACT;;;AC/BO,IAAM,yBAAwC;AAAA,EACnD,aAAa;AAAA,EACb,UAAU;AACZ;AAGO,SAAS,qBAAqB,QAAuC;AAC1E,SAAO,EAAE,GAAG,wBAAwB,GAAG,OAAO;AAChD;AAGA,IAAM,mBAA6B;AAAA,EACjC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,SAAS,SAAS,KAAsB;AACtC,SAAO,iBAAiB,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,CAAC;AACjD;AAEA,IAAM,gBAAgB;AAEf,SAAS,YAAY,IAAoB;AAC9C,MAAI,GAAG,SAAS,GAAG,GAAG;AACpB,WAAO,GAAG,GAAG,MAAM,GAAG,EAAE,MAAM,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC;AAAA,EAC/C;AACA,SAAO,GAAG,GAAG,MAAM,GAAG,EAAE,MAAM,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC;AAC/C;AAEO,SAAS,SAAS,KAAqB;AAC5C,MAAI;AACF,UAAM,IAAI,IAAI,IAAI,KAAK,kBAAkB;AAGzC,UAAM,eAAe,CAAC,GAAG,EAAE,aAAa,KAAK,CAAC,EAAE,OAAO,QAAQ;AAC/D,eAAW,KAAK,cAAc;AAC5B,QAAE,aAAa,OAAO,CAAC;AAAA,IACzB;AAGA,UAAM,WAAW,EAAE,SAAS,QAAQ,eAAe,YAAY;AAE/D,WAAO,YAAY,EAAE,UAAU;AAAA,EACjC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,gBACpB,IACA,IACA,MACiB;AACjB,QAAM,QAAQ,GAAG,YAAY,EAAE,CAAC,IAAI,EAAE,IAAI,IAAI;AAC9C,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,KAAK;AAC3C,QAAM,aAAa,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI;AAC7D,QAAM,YAAY,IAAI,WAAW,UAAU;AAC3C,SAAO,MAAM,KAAK,SAAS,EACxB,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAC1C,KAAK,EAAE,EACP,MAAM,GAAG,EAAE;AAChB;AAEO,SAAS,cACd,OAC2C;AAC3C,QAAM,SAAoD,CAAC;AAC3D,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,KAAK,GAAG;AAChD,QAAI,SAAS,GAAG,GAAG;AACjB,aAAO,GAAG,IAAI;AACd;AAAA,IACF;AACA,QAAI,OAAO,UAAU,UAAU;AAC7B,aAAO,GAAG,IAAI,MAAM,QAAQ,eAAe,YAAY;AAAA,IACzD,OAAO;AACL,aAAO,GAAG,IAAI;AAAA,IAChB;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,aACd,OACA,QACa;AACb,QAAM,SAAS,EAAE,GAAG,MAAM;AAE1B,MAAI,OAAO,YAAY,OAAO,KAAK;AACjC,WAAO,MAAM,SAAS,OAAO,GAAG;AAAA,EAClC;AAEA,MAAI,OAAO,YAAY,OAAO,OAAO;AACnC,WAAO,QAAQ,cAAc,OAAO,KAAK;AAAA,EAC3C;AAEA,MAAI,OAAO,oBAAoB,OAAO,KAAK;AACzC,QAAI;AACF,YAAM,IAAI,IAAI,IAAI,OAAO,KAAK,kBAAkB;AAChD,iBAAW,KAAK,OAAO,kBAAkB;AACvC,YAAI,EAAE,SAAS,GAAG,GAAG;AACnB,gBAAM,SAAS,EAAE,MAAM,GAAG,EAAE;AAC5B,gBAAM,eAAe,CAAC,GAAG,EAAE,aAAa,KAAK,CAAC,EAAE;AAAA,YAAO,CAAC,MACtD,EAAE,WAAW,MAAM;AAAA,UACrB;AACA,qBAAW,KAAK,cAAc;AAC5B,cAAE,aAAa,OAAO,CAAC;AAAA,UACzB;AAAA,QACF,OAAO;AACL,YAAE,aAAa,OAAO,CAAC;AAAA,QACzB;AAAA,MACF;AACA,aAAO,MAAM,EAAE,YAAY,EAAE,UAAU;AAAA,IACzC,QAAQ;AAAA,IAAC;AAAA,EACX;AAEA,SAAO;AACT;","names":[]}

package/dist/{chunk-ABUPERUQ.js → chunk-AOB662OQ.js}

@@ -5,8 +5,18 @@ function init(options) {
   trackPageview();
   if (typeof window !== "undefined") {
     window.addEventListener("popstate", trackPageview);
+    window.addEventListener("hashchange", trackPageview);
+    patchHistoryMethod("pushState");
+    patchHistoryMethod("replaceState");
   }
 }
+function patchHistoryMethod(method) {
+  const original = history[method].bind(history);
+  history[method] = function(...args) {
+    original(...args);
+    trackPageview();
+  };
+}
 function track(name, props) {
   if (!config) {
     console.warn("[trackr] Not initialized. Call init() first.");
@@ -22,21 +32,42 @@ function track(name, props) {
 }
 function trackPageview() {
   if (!config) return;
+  const utm = getUtmParams();
   sendEvent({
     type: "pageview",
     url: getPath(),
     referrer: document.referrer ? new URL(document.referrer).hostname : void 0,
+    ...Object.keys(utm).length > 0 && { utm },
     ts: Date.now()
   });
 }
 function getPath() {
-  return window.location.pathname;
+  return window.location.pathname + window.location.search;
+}
+function getUtmParams() {
+  const params = new URLSearchParams(window.location.search);
+  const utm = {};
+  const keys = [
+    "utm_source",
+    "utm_medium",
+    "utm_campaign",
+    "utm_term",
+    "utm_content"
+  ];
+  for (const key of keys) {
+    const value = params.get(key);
+    if (value) utm[key.replace("utm_", "")] = value;
+  }
+  return utm;
 }
 function sendEvent(event) {
   if (!config) return;
   const body = JSON.stringify(event);
   if (navigator.sendBeacon) {
-    navigator.sendBeacon(config.endpoint, body);
+    navigator.sendBeacon(
+      config.endpoint,
+      new Blob([body], { type: "application/json" })
+    );
   } else {
     fetch(config.endpoint, {
       method: "POST",
@@ -55,4 +86,4 @@ export {
   init,
   track
 };
-//# sourceMappingURL=chunk-ABUPERUQ.js.map
+//# sourceMappingURL=chunk-AOB662OQ.js.map

package/dist/chunk-AOB662OQ.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/client/index.ts"],"sourcesContent":["import type { TrackrConfig } from \"../types.js\";\n\nlet config: TrackrConfig | null = null;\n\nexport function init(options: TrackrConfig): void {\n  config = options;\n  trackPageview();\n\n  if (typeof window !== \"undefined\") {\n    // popstate: back/forward navigation\n    window.addEventListener(\"popstate\", trackPageview);\n\n    // hashchange: hash-based SPAs (e.g. Vue Router hash mode)\n    window.addEventListener(\"hashchange\", trackPageview);\n\n    // pushState / replaceState: history-based SPAs (React Router, Next.js, etc.)\n    patchHistoryMethod(\"pushState\");\n    patchHistoryMethod(\"replaceState\");\n  }\n}\n\nfunction patchHistoryMethod(method: \"pushState\" | \"replaceState\"): void {\n  const original = history[method].bind(history);\n  // biome-ignore lint/suspicious/noExplicitAny: patching native history API\n  (history[method] as any) = function (\n    ...args: Parameters<typeof history.pushState>\n  ) {\n    original(...args);\n    trackPageview();\n  };\n}\n\nexport function track(\n  name: string,\n  props?: Record<string, string | number | boolean>,\n): void {\n  if (!config) {\n    console.warn(\"[trackr] Not initialized. Call init() first.\");\n    return;\n  }\n\n  sendEvent({\n    type: \"event\",\n    name,\n    url: getPath(),\n    props,\n    ts: Date.now(),\n  });\n}\n\nfunction trackPageview(): void {\n  if (!config) return;\n\n  const utm = getUtmParams();\n\n  sendEvent({\n    type: \"pageview\",\n    url: getPath(),\n    referrer: document.referrer\n      ? new URL(document.referrer).hostname\n      : undefined,\n    ...(Object.keys(utm).length > 0 && { utm }),\n    ts: Date.now(),\n  });\n}\n\nfunction getPath(): string {\n  return window.location.pathname + window.location.search;\n}\n\nfunction getUtmParams(): Record<string, string> {\n  const params = new URLSearchParams(window.location.search);\n  const utm: Record<string, string> = {};\n  const keys = [\n    \"utm_source\",\n    \"utm_medium\",\n    \"utm_campaign\",\n    \"utm_term\",\n    \"utm_content\",\n  ];\n\n  for (const key of keys) {\n    const value = params.get(key);\n    // Strip utm_ prefix so stats queries work: props->'utm'->>'source'\n    if (value) utm[key.replace(\"utm_\", \"\")] = value;\n  }\n\n  return utm;\n}\n\nfunction sendEvent(event: Record<string, unknown>): void {\n  if (!config) return;\n\n  const body = JSON.stringify(event);\n\n  if (navigator.sendBeacon) {\n    // Use Blob to set Content-Type: application/json — plain string would send as text/plain\n    navigator.sendBeacon(\n      config.endpoint,\n      new Blob([body], { type: \"application/json\" }),\n    );\n  } else {\n    fetch(config.endpoint, {\n      method: \"POST\",\n      body,\n      keepalive: true,\n      headers: { \"Content-Type\": \"application/json\" },\n    }).catch(() => {});\n  }\n\n  if (config.debug) {\n    console.log(\"[trackr]\", event);\n  }\n}\n"],"mappings":";AAEA,IAAI,SAA8B;AAE3B,SAAS,KAAK,SAA6B;AAChD,WAAS;AACT,gBAAc;AAEd,MAAI,OAAO,WAAW,aAAa;AAEjC,WAAO,iBAAiB,YAAY,aAAa;AAGjD,WAAO,iBAAiB,cAAc,aAAa;AAGnD,uBAAmB,WAAW;AAC9B,uBAAmB,cAAc;AAAA,EACnC;AACF;AAEA,SAAS,mBAAmB,QAA4C;AACtE,QAAM,WAAW,QAAQ,MAAM,EAAE,KAAK,OAAO;AAE7C,EAAC,QAAQ,MAAM,IAAY,YACtB,MACH;AACA,aAAS,GAAG,IAAI;AAChB,kBAAc;AAAA,EAChB;AACF;AAEO,SAAS,MACd,MACA,OACM;AACN,MAAI,CAAC,QAAQ;AACX,YAAQ,KAAK,8CAA8C;AAC3D;AAAA,EACF;AAEA,YAAU;AAAA,IACR,MAAM;AAAA,IACN;AAAA,IACA,KAAK,QAAQ;AAAA,IACb;AAAA,IACA,IAAI,KAAK,IAAI;AAAA,EACf,CAAC;AACH;AAEA,SAAS,gBAAsB;AAC7B,MAAI,CAAC,OAAQ;AAEb,QAAM,MAAM,aAAa;AAEzB,YAAU;AAAA,IACR,MAAM;AAAA,IACN,KAAK,QAAQ;AAAA,IACb,UAAU,SAAS,WACf,IAAI,IAAI,SAAS,QAAQ,EAAE,WAC3B;AAAA,IACJ,GAAI,OAAO,KAAK,GAAG,EAAE,SAAS,KAAK,EAAE,IAAI;AAAA,IACzC,IAAI,KAAK,IAAI;AAAA,EACf,CAAC;AACH;AAEA,SAAS,UAAkB;AACzB,SAAO,OAAO,SAAS,WAAW,OAAO,SAAS;AACpD;AAEA,SAAS,eAAuC;AAC9C,QAAM,SAAS,IAAI,gBAAgB,OAAO,SAAS,MAAM;AACzD,QAAM,MAA8B,CAAC;AACrC,QAAM,OAAO;AAAA,IACX;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,aAAW,OAAO,MAAM;AACtB,UAAM,QAAQ,OAAO,IAAI,GAAG;AAE5B,QAAI,MAAO,KAAI,IAAI,QAAQ,QAAQ,EAAE,CAAC,IAAI;AAAA,EAC5C;AAEA,SAAO;AACT;AAEA,SAAS,UAAU,OAAsC;AACvD,MAAI,CAAC,OAAQ;AAEb,QAAM,OAAO,KAAK,UAAU,KAAK;AAEjC,MAAI,UAAU,YAAY;AAExB,cAAU;AAAA,MACR,OAAO;AAAA,MACP,IAAI,KAAK,CAAC,IAAI,GAAG,EAAE,MAAM,mBAAmB,CAAC;AAAA,IAC/C;AAAA,EACF,OAAO;AACL,UAAM,OAAO,UAAU;AAAA,MACrB,QAAQ;AAAA,MACR;AAAA,MACA,WAAW;AAAA,MACX,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAChD,CAAC,EAAE,MAAM,MAAM;AAAA,IAAC,CAAC;AAAA,EACnB;AAEA,MAAI,OAAO,OAAO;AAChB,YAAQ,IAAI,YAAY,KAAK;AAAA,EAC/B;AACF;","names":[]}

package/dist/chunk-PEAZRYH7.js

@@ -0,0 +1,78 @@
+import {
+  applyPrivacy,
+  createSessionId,
+  isBot,
+  resolvePrivacyConfig
+} from "./chunk-7UN7MXBM.js";
+
+// src/server/index.ts
+function createHandler(config) {
+  return async (request) => {
+    if (request.method !== "POST") {
+      return new Response("Method not allowed", { status: 405 });
+    }
+    if (config.botFilter && isBot(request)) {
+      return new Response("OK");
+    }
+    try {
+      const body = await request.json();
+      if (!isValidEvent(body)) {
+        return new Response("Invalid event", { status: 400 });
+      }
+      let event = {
+        type: body.type,
+        name: body.name,
+        url: body.url,
+        referrer: body.referrer,
+        props: body.props,
+        ts: body.ts
+      };
+      const privacy = resolvePrivacyConfig(config.privacy);
+      event = applyPrivacy(event, privacy);
+      const ip = request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || request.headers.get("x-real-ip") || "0.0.0.0";
+      const ua = request.headers.get("user-agent") || "";
+      const today = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+      if (privacy.anonymizeIp) {
+        event.sessionId = await createSessionId(ip, ua, today);
+      }
+      event.device = detectDevice(ua);
+      event.browser = detectBrowser(ua);
+      event.os = detectOs(ua);
+      await config.storage.save(event);
+      return new Response("OK");
+    } catch {
+      return new Response("Error", { status: 500 });
+    }
+  };
+}
+function isValidEvent(e) {
+  if (typeof e !== "object" || e === null) return false;
+  const obj = e;
+  return typeof obj.type === "string" && typeof obj.url === "string" && typeof obj.ts === "number";
+}
+function detectDevice(ua) {
+  if (/tablet|ipad/i.test(ua)) return "tablet";
+  if (/mobile|android|iphone/i.test(ua)) return "mobile";
+  return "desktop";
+}
+function detectBrowser(ua) {
+  if (/firefox/i.test(ua)) return "Firefox";
+  if (/edg/i.test(ua)) return "Edge";
+  if (/chrome/i.test(ua)) return "Chrome";
+  if (/safari/i.test(ua)) return "Safari";
+  return "Other";
+}
+function detectOs(ua) {
+  if (/android/i.test(ua)) return "Android";
+  if (/iphone|ipad|ipod/i.test(ua)) return "iOS";
+  if (/windows/i.test(ua)) return "Windows";
+  if (/cros/i.test(ua)) return "ChromeOS";
+  if (/mac os x/i.test(ua)) return "macOS";
+  if (/linux/i.test(ua)) return "Linux";
+  return "Other";
+}
+
+export {
+  createHandler
+};
+//# sourceMappingURL=chunk-PEAZRYH7.js.map

package/dist/chunk-PEAZRYH7.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/server/index.ts"],"sourcesContent":["import type { HandlerConfig, TrackrEvent } from \"../types.js\";\nimport { isBot } from \"./bot.js\";\nimport { applyPrivacy, createSessionId, resolvePrivacyConfig } from \"./privacy.js\";\n\ninterface RawEvent {\n  type: string;\n  url: string;\n  ts: number;\n  name?: string;\n  referrer?: string;\n  props?: Record<string, string | number | boolean>;\n}\n\nexport function createHandler(\n  config: HandlerConfig,\n): (request: Request) => Promise<Response> {\n  return async (request: Request): Promise<Response> => {\n    if (request.method !== \"POST\") {\n      return new Response(\"Method not allowed\", { status: 405 });\n    }\n\n    if (config.botFilter && isBot(request)) {\n      return new Response(\"OK\");\n    }\n\n    try {\n      const body = (await request.json()) as unknown;\n\n      if (!isValidEvent(body)) {\n        return new Response(\"Invalid event\", { status: 400 });\n      }\n\n      let event: TrackrEvent = {\n        type: body.type as \"pageview\" | \"event\",\n        name: body.name,\n        url: body.url,\n        referrer: body.referrer,\n        props: body.props,\n        ts: body.ts,\n      };\n\n      const privacy = resolvePrivacyConfig(config.privacy);\n      event = applyPrivacy(event, privacy);\n\n      const ip =\n        request.headers.get(\"x-forwarded-for\")?.split(\",\")[0]?.trim() ||\n        request.headers.get(\"x-real-ip\") ||\n        \"0.0.0.0\";\n      const ua = request.headers.get(\"user-agent\") || \"\";\n      const today = new Date().toISOString().split(\"T\")[0];\n\n      if (privacy.anonymizeIp) {\n        event.sessionId = await createSessionId(ip, ua, today);\n      }\n\n      event.device = detectDevice(ua);\n      event.browser = detectBrowser(ua);\n      event.os = detectOs(ua);\n\n      await config.storage.save(event);\n\n      return new Response(\"OK\");\n    } catch {\n      return new Response(\"Error\", { status: 500 });\n    }\n  };\n}\n\nfunction isValidEvent(e: unknown): e is RawEvent {\n  if (typeof e !== \"object\" || e === null) return false;\n  const obj = e as Record<string, unknown>;\n  return (\n    typeof obj.type === \"string\" &&\n    typeof obj.url === \"string\" &&\n    typeof obj.ts === \"number\"\n  );\n}\n\nfunction detectDevice(ua: string): \"desktop\" | \"mobile\" | \"tablet\" {\n  if (/tablet|ipad/i.test(ua)) return \"tablet\";\n  if (/mobile|android|iphone/i.test(ua)) return \"mobile\";\n  return \"desktop\";\n}\n\nfunction detectBrowser(ua: string): string {\n  if (/firefox/i.test(ua)) return \"Firefox\";\n  if (/edg/i.test(ua)) return \"Edge\";\n  if (/chrome/i.test(ua)) return \"Chrome\";\n  if (/safari/i.test(ua)) return \"Safari\";\n  return \"Other\";\n}\n\nfunction detectOs(ua: string): string {\n  if (/android/i.test(ua)) return \"Android\";\n  if (/iphone|ipad|ipod/i.test(ua)) return \"iOS\";\n  if (/windows/i.test(ua)) return \"Windows\";\n  if (/cros/i.test(ua)) return \"ChromeOS\";\n  if (/mac os x/i.test(ua)) return \"macOS\";\n  if (/linux/i.test(ua)) return \"Linux\";\n  return \"Other\";\n}\n\nexport { isBot } from \"./bot.js\";\nexport {\n  anonymizeIp,\n  applyPrivacy,\n  resolvePrivacyConfig,\n  sanitizeProps,\n  stripPii,\n} from \"./privacy.js\";\n"],"mappings":";;;;;;;;AAaO,SAAS,cACd,QACyC;AACzC,SAAO,OAAO,YAAwC;AACpD,QAAI,QAAQ,WAAW,QAAQ;AAC7B,aAAO,IAAI,SAAS,sBAAsB,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC3D;AAEA,QAAI,OAAO,aAAa,MAAM,OAAO,GAAG;AACtC,aAAO,IAAI,SAAS,IAAI;AAAA,IAC1B;AAEA,QAAI;AACF,YAAM,OAAQ,MAAM,QAAQ,KAAK;AAEjC,UAAI,CAAC,aAAa,IAAI,GAAG;AACvB,eAAO,IAAI,SAAS,iBAAiB,EAAE,QAAQ,IAAI,CAAC;AAAA,MACtD;AAEA,UAAI,QAAqB;AAAA,QACvB,MAAM,KAAK;AAAA,QACX,MAAM,KAAK;AAAA,QACX,KAAK,KAAK;AAAA,QACV,UAAU,KAAK;AAAA,QACf,OAAO,KAAK;AAAA,QACZ,IAAI,KAAK;AAAA,MACX;AAEA,YAAM,UAAU,qBAAqB,OAAO,OAAO;AACnD,cAAQ,aAAa,OAAO,OAAO;AAEnC,YAAM,KACJ,QAAQ,QAAQ,IAAI,iBAAiB,GAAG,MAAM,GAAG,EAAE,CAAC,GAAG,KAAK,KAC5D,QAAQ,QAAQ,IAAI,WAAW,KAC/B;AACF,YAAM,KAAK,QAAQ,QAAQ,IAAI,YAAY,KAAK;AAChD,YAAM,SAAQ,oBAAI,KAAK,GAAE,YAAY,EAAE,MAAM,GAAG,EAAE,CAAC;AAEnD,UAAI,QAAQ,aAAa;AACvB,cAAM,YAAY,MAAM,gBAAgB,IAAI,IAAI,KAAK;AAAA,MACvD;AAEA,YAAM,SAAS,aAAa,EAAE;AAC9B,YAAM,UAAU,cAAc,EAAE;AAChC,YAAM,KAAK,SAAS,EAAE;AAEtB,YAAM,OAAO,QAAQ,KAAK,KAAK;AAE/B,aAAO,IAAI,SAAS,IAAI;AAAA,IAC1B,QAAQ;AACN,aAAO,IAAI,SAAS,SAAS,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC9C;AAAA,EACF;AACF;AAEA,SAAS,aAAa,GAA2B;AAC/C,MAAI,OAAO,MAAM,YAAY,MAAM,KAAM,QAAO;AAChD,QAAM,MAAM;AACZ,SACE,OAAO,IAAI,SAAS,YACpB,OAAO,IAAI,QAAQ,YACnB,OAAO,IAAI,OAAO;AAEtB;AAEA,SAAS,aAAa,IAA6C;AACjE,MAAI,eAAe,KAAK,EAAE,EAAG,QAAO;AACpC,MAAI,yBAAyB,KAAK,EAAE,EAAG,QAAO;AAC9C,SAAO;AACT;AAEA,SAAS,cAAc,IAAoB;AACzC,MAAI,WAAW,KAAK,EAAE,EAAG,QAAO;AAChC,MAAI,OAAO,KAAK,EAAE,EAAG,QAAO;AAC5B,MAAI,UAAU,KAAK,EAAE,EAAG,QAAO;AAC/B,MAAI,UAAU,KAAK,EAAE,EAAG,QAAO;AAC/B,SAAO;AACT;AAEA,SAAS,SAAS,IAAoB;AACpC,MAAI,WAAW,KAAK,EAAE,EAAG,QAAO;AAChC,MAAI,oBAAoB,KAAK,EAAE,EAAG,QAAO;AACzC,MAAI,WAAW,KAAK,EAAE,EAAG,QAAO;AAChC,MAAI,QAAQ,KAAK,EAAE,EAAG,QAAO;AAC7B,MAAI,YAAY,KAAK,EAAE,EAAG,QAAO;AACjC,MAAI,SAAS,KAAK,EAAE,EAAG,QAAO;AAC9B,SAAO;AACT;","names":[]}

package/dist/client/index.d.ts

@@ -1,4 +1,4 @@
-import { a as TrackrConfig } from '../types-EaeYBDKE.js';
+import { T as TrackrConfig } from '../types-CceMQIhZ.js';
 
 declare function init(options: TrackrConfig): void;
 declare function track(name: string, props?: Record<string, string | number | boolean>): void;

package/dist/client/index.js

@@ -1,7 +1,7 @@
 import {
   init,
   track
-} from "../chunk-ABUPERUQ.js";
+} from "../chunk-AOB662OQ.js";
 import "../chunk-7D4SUZUM.js";
 export {
   init,

package/dist/index.d.ts

@@ -1,3 +1,3 @@
-export { H as HandlerConfig, P as PrivacyConfig, Q as QueryOptions, S as StorageAdapter, a as TrackrConfig, T as TrackrEvent } from './types-EaeYBDKE.js';
 export { init, track } from './client/index.js';
 export { createHandler } from './server/index.js';
+export { H as HandlerConfig, P as PrivacyConfig, Q as QueryOptions, S as StorageAdapter, T as TrackrConfig, a as TrackrEvent } from './types-CceMQIhZ.js';

package/dist/index.js

@@ -1,10 +1,11 @@
 import {
   init,
   track
-} from "./chunk-ABUPERUQ.js";
+} from "./chunk-AOB662OQ.js";
 import {
   createHandler
-} from "./chunk-L3N32JO4.js";
+} from "./chunk-PEAZRYH7.js";
+import "./chunk-7UN7MXBM.js";
 import "./chunk-7D4SUZUM.js";
 export {
   createHandler,

package/dist/server/index.d.ts

@@ -1,11 +1,14 @@
-import { T as TrackrEvent, P as PrivacyConfig, H as HandlerConfig } from '../types-EaeYBDKE.js';
+import { a as TrackrEvent, P as PrivacyConfig, H as HandlerConfig } from '../types-CceMQIhZ.js';
 
 declare function isBot(request: Request): boolean;
 
+/** Merge caller config with safe defaults. */
+declare function resolvePrivacyConfig(config?: PrivacyConfig): PrivacyConfig;
 declare function anonymizeIp(ip: string): string;
 declare function stripPii(url: string): string;
+declare function sanitizeProps(props: Record<string, string | number | boolean>): Record<string, string | number | boolean>;
 declare function applyPrivacy(event: TrackrEvent, config: PrivacyConfig): TrackrEvent;
 
 declare function createHandler(config: HandlerConfig): (request: Request) => Promise<Response>;
 
-export { anonymizeIp, applyPrivacy, createHandler, isBot, stripPii };
+export { anonymizeIp, applyPrivacy, createHandler, isBot, resolvePrivacyConfig, sanitizeProps, stripPii };

package/dist/server/index.js

@@ -1,16 +1,22 @@
+import {
+  createHandler
+} from "../chunk-PEAZRYH7.js";
 import {
   anonymizeIp,
   applyPrivacy,
-  createHandler,
   isBot,
+  resolvePrivacyConfig,
+  sanitizeProps,
   stripPii
-} from "../chunk-L3N32JO4.js";
+} from "../chunk-7UN7MXBM.js";
 import "../chunk-7D4SUZUM.js";
 export {
   anonymizeIp,
   applyPrivacy,
   createHandler,
   isBot,
+  resolvePrivacyConfig,
+  sanitizeProps,
   stripPii
 };
 //# sourceMappingURL=index.js.map

package/dist/server/pixel.d.ts

@@ -0,0 +1,5 @@
+import { H as HandlerConfig } from '../types-CceMQIhZ.js';
+
+declare function createPixelHandler(config: HandlerConfig): (request: Request) => Promise<Response>;
+
+export { createPixelHandler };