@getpara/core-sdk 3.0.0-alpha.1 → 3.1.0

package/dist/esm/services/WalletService.js

@@ -28,6 +28,7 @@ import { ParaEvent } from "../types/events.js";
 import { LOCAL_STORAGE_CURRENT_WALLET_IDS, LOCAL_STORAGE_WALLETS, SHORT_POLLING_INTERVAL_MS } from "../constants.js";
 import { distributeNewShare } from "../shares/shareDistribution.js";
 import { sendRecoveryForShare } from "../shares/recovery.js";
+import { wrapWithSpan } from "../telemetry/tracer.js";
 class WalletService {
   constructor(paraCore) {
     __privateAdd(this, _authService);
@@ -108,15 +109,20 @@ class WalletService {
         }
       });
     });
+    // wallets.populate names the GET /users/:userId/wallets call that runs to
+    // refresh address state after creation/refresh; without it the GET shows up
+    // as a bare span at the trace top level.
     this.populateWalletAddresses = () => __async(this, null, function* () {
-      const res = yield (__privateGet(this, _paraCoreInterface).isPortal() ? __privateGet(this, _paraCoreInterface).ctx.client.getAllWallets : __privateGet(this, _paraCoreInterface).ctx.client.getWallets)(__privateGet(this, _authService).userId, true);
-      const wallets = res.data.wallets;
-      wallets.forEach((entity) => {
-        if (this.wallets[entity.id]) {
-          this.wallets[entity.id] = __spreadValues(__spreadValues({}, entityToWallet(entity)), this.wallets[entity.id]);
-        }
-      });
-      yield this.setWallets(this.wallets);
+      return wrapWithSpan("wallets.populate", () => __async(this, null, function* () {
+        const res = yield (__privateGet(this, _paraCoreInterface).isPortal() ? __privateGet(this, _paraCoreInterface).ctx.client.getAllWallets : __privateGet(this, _paraCoreInterface).ctx.client.getWallets)(__privateGet(this, _authService).userId, true);
+        const wallets = res.data.wallets;
+        wallets.forEach((entity) => {
+          if (this.wallets[entity.id]) {
+            this.wallets[entity.id] = __spreadValues(__spreadValues({}, entityToWallet(entity)), this.wallets[entity.id]);
+          }
+        });
+        yield this.setWallets(this.wallets);
+      }));
     });
     this.addToCurrentWalletIds = (walletIds, options) => __async(this, null, function* () {
       const updatedWalletIds = __spreadValues({}, this.currentWalletIds);
@@ -156,31 +162,35 @@ class WalletService {
       );
       let signer;
       let wallet;
-      let keygenRes;
-      switch (walletType) {
-        case "STELLAR":
-        case "SOLANA": {
-          keygenRes = yield __privateGet(this, _paraCoreInterface).platformUtils.ed25519Keygen(
-            __privateGet(this, _paraCoreInterface).ctx,
-            __privateGet(this, _authService).userId,
-            __privateGet(this, _paraCoreInterface).retrieveSessionCookie(),
-            __privateGet(this, _paraCoreInterface).getBackupKitEmailProps(),
-            walletType
-          );
-          break;
-        }
-        default: {
-          keygenRes = yield __privateGet(this, _paraCoreInterface).platformUtils.keygen(
-            __privateGet(this, _paraCoreInterface).ctx,
-            __privateGet(this, _authService).userId,
-            walletType,
-            null,
-            __privateGet(this, _paraCoreInterface).retrieveSessionCookie(),
-            __privateGet(this, _paraCoreInterface).getBackupKitEmailProps()
-          );
-          break;
+      const keygenRes = yield wrapWithSpan(
+        "mpc.keygen",
+        () => __async(this, null, function* () {
+          switch (walletType) {
+            case "STELLAR":
+            case "SOLANA":
+              return __privateGet(this, _paraCoreInterface).platformUtils.ed25519Keygen(
+                __privateGet(this, _paraCoreInterface).ctx,
+                __privateGet(this, _authService).userId,
+                __privateGet(this, _paraCoreInterface).retrieveSessionCookie(),
+                __privateGet(this, _paraCoreInterface).getBackupKitEmailProps(),
+                walletType
+              );
+            default:
+              return __privateGet(this, _paraCoreInterface).platformUtils.keygen(
+                __privateGet(this, _paraCoreInterface).ctx,
+                __privateGet(this, _authService).userId,
+                walletType,
+                null,
+                __privateGet(this, _paraCoreInterface).retrieveSessionCookie(),
+                __privateGet(this, _paraCoreInterface).getBackupKitEmailProps()
+              );
+          }
+        }),
+        {
+          "wallet.type": walletType,
+          "wallet.scheme": walletType === "SOLANA" || walletType === "STELLAR" ? "ED25519" : "DKLS"
         }
-      }
+      );
       const walletId = keygenRes.walletId;
       const walletScheme = walletType === "SOLANA" || walletType === "STELLAR" ? "ED25519" : "DKLS";
       signer = keygenRes.signer;
@@ -388,11 +398,16 @@ class WalletService {
       }
       return type;
     });
+    // wallets.fetch names the post-keygen wallet list reads (the polling-style
+    // GETs that follow each MPC keygen). The auto-instrumented HTTP child carries
+    // the URL and status so this stays cheap.
     this.fetchWallets = () => __async(this, null, function* () {
-      const res = yield __privateGet(this, _paraCoreInterface).isPortal() || __privateGet(this, _paraCoreInterface).isParaConnect() ? __privateGet(this, _paraCoreInterface).ctx.client.getAllWallets(__privateGet(this, _authService).userId) : __privateGet(this, _paraCoreInterface).ctx.client.getWallets(__privateGet(this, _authService).userId, true);
-      return res.data.wallets.filter(
-        (wallet) => !!wallet.address && wallet.sharesPersisted && (__privateGet(this, _paraCoreInterface).isParaConnect() || !__privateGet(this, _paraCoreInterface).isParaConnect() && this.isWalletSupported(entityToWallet(wallet)))
-      );
+      return wrapWithSpan("wallets.fetch", () => __async(this, null, function* () {
+        const res = yield __privateGet(this, _paraCoreInterface).isPortal() || __privateGet(this, _paraCoreInterface).isParaConnect() ? __privateGet(this, _paraCoreInterface).ctx.client.getAllWallets(__privateGet(this, _authService).userId) : __privateGet(this, _paraCoreInterface).ctx.client.getWallets(__privateGet(this, _authService).userId, true);
+        return res.data.wallets.filter(
+          (wallet) => !!wallet.address && wallet.sharesPersisted && (__privateGet(this, _paraCoreInterface).isParaConnect() || !__privateGet(this, _paraCoreInterface).isParaConnect() && this.isWalletSupported(entityToWallet(wallet)))
+        );
+      }));
     });
     this.getWalletBalance = (_0) => __async(this, [_0], function* ({ walletId, rpcUrl }) {
       return (yield __privateGet(this, _paraCoreInterface).ctx.client.getWalletBalance({ walletId, rpcUrl })).balance;

package/dist/esm/shares/enclave.js

@@ -1,6 +1,7 @@
 import {
   __async
 } from "../chunk-7B52C2XE.js";
+import { wrapWithSpan } from "../telemetry/tracer.js";
 class EnclaveClient {
   constructor({
     userManagementClient,
@@ -172,40 +173,59 @@ ${exportedAsBase64}
    * Persist key shares to the enclave
    * @param shares Array of share data to persist
    */
+  // enclave.persist_shares wraps the encrypt + POST /enclave/key-shares pair so
+  // both the (CPU-bound) ECIES encryption and the network call show up under a
+  // named parent in the trace. Encryption can dominate the wall time so it's
+  // worth spelling out separately from the POST itself.
   persistShares(shares) {
     return __async(this, null, function* () {
-      const payload = {
-        shares,
-        jwt: this.retrieveJwt()
-      };
-      const encryptedPayload = yield this.encryptForEnclave(JSON.stringify(payload));
-      const encryptedPayloadStr = JSON.stringify(encryptedPayload);
-      return yield this.userManagementClient.persistEnclaveShares({ encryptedPayload: encryptedPayloadStr });
+      return wrapWithSpan(
+        "enclave.persist_shares",
+        () => __async(this, null, function* () {
+          const payload = {
+            shares,
+            jwt: this.retrieveJwt()
+          };
+          const encryptedPayload = yield this.encryptForEnclave(JSON.stringify(payload));
+          const encryptedPayloadStr = JSON.stringify(encryptedPayload);
+          return yield this.userManagementClient.persistEnclaveShares({ encryptedPayload: encryptedPayloadStr });
+        }),
+        { "enclave.share_count": shares.length }
+      );
     });
   }
   /**
    * Retrieve key shares from the enclave
    * @param query Query parameters for finding shares (single query or array of queries)
    */
+  // enclave.retrieve_shares wraps the JWT issue + ECDH keypair gen + GET
+  // /enclave/key-shares + decrypt pipeline. The decrypt step can be slow on
+  // many-share accounts so a named span makes that latency easy to spot.
   retrieveShares(query) {
     return __async(this, null, function* () {
-      yield this.issueEnclaveJwt();
-      const frontendKeyPair = yield this.generateFrontendKeyPair();
-      const responsePublicKeyPEM = yield this.exportPublicKeyToPEM(frontendKeyPair.publicKey);
-      const fullQuery = query.map((q) => ({
-        userId: q.userId
-      }));
-      const payload = {
-        query: fullQuery,
-        responsePublicKey: responsePublicKeyPEM,
-        jwt: this.retrieveJwt()
-      };
-      const encryptedPayload = yield this.encryptForEnclave(JSON.stringify(payload));
-      const encryptedPayloadStr = JSON.stringify(encryptedPayload);
-      const response = yield this.userManagementClient.retrieveEnclaveShares(encryptedPayloadStr);
-      const encryptedResponse = JSON.parse(response.payload);
-      const decryptedData = yield this.decryptForFrontend(encryptedResponse);
-      return Array.isArray(decryptedData == null ? void 0 : decryptedData.shares) ? decryptedData.shares : [];
+      return wrapWithSpan(
+        "enclave.retrieve_shares",
+        () => __async(this, null, function* () {
+          yield this.issueEnclaveJwt();
+          const frontendKeyPair = yield this.generateFrontendKeyPair();
+          const responsePublicKeyPEM = yield this.exportPublicKeyToPEM(frontendKeyPair.publicKey);
+          const fullQuery = query.map((q) => ({
+            userId: q.userId
+          }));
+          const payload = {
+            query: fullQuery,
+            responsePublicKey: responsePublicKeyPEM,
+            jwt: this.retrieveJwt()
+          };
+          const encryptedPayload = yield this.encryptForEnclave(JSON.stringify(payload));
+          const encryptedPayloadStr = JSON.stringify(encryptedPayload);
+          const response = yield this.userManagementClient.retrieveEnclaveShares(encryptedPayloadStr);
+          const encryptedResponse = JSON.parse(response.payload);
+          const decryptedData = yield this.decryptForFrontend(encryptedResponse);
+          return Array.isArray(decryptedData == null ? void 0 : decryptedData.shares) ? decryptedData.shares : [];
+        }),
+        { "enclave.query_count": query.length }
+      );
     });
   }
   deleteShares() {

package/dist/esm/state/CoreStateManager.js

@@ -80,7 +80,7 @@ const _CoreStateManager = class _CoreStateManager {
    * Extracts all data needed by UI consumers from authStateResult.
    */
   computeAuthStateInfo(authContext, walletContext) {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m, _n, _o, _p, _q, _r, _s, _t, _u, _v, _w, _x, _y, _z, _A, _B, _C, _D, _E, _F, _G, _H, _I;
+    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m, _n, _o, _p, _q, _r, _s, _t, _u, _v, _w, _x, _y, _z, _A, _B, _C, _D, _E, _F, _G, _H, _I, _J, _K, _L;
     const defaultAuthStateInfo = {
       userId: null,
       isPasskeySupported: false,
@@ -98,6 +98,9 @@ const _CoreStateManager = class _CoreStateManager {
       passkeyId: null,
       verificationUrl: null,
       verificationFullUrl: null,
+      deliveryChannel: null,
+      fallbackUsed: false,
+      fallbackChannel: null,
       externalWalletVerification: null,
       recoverySecret: null,
       isNewUser: false
@@ -137,6 +140,9 @@ const _CoreStateManager = class _CoreStateManager {
     let verificationFullUrl = null;
     let passkeyHints = null;
     let passkeyId = null;
+    let deliveryChannel = null;
+    let fallbackUsed = false;
+    let fallbackChannel = null;
     if (stage === "login") {
       const loginState = authStateResult;
       const authMethods = (_j = loginState.loginAuthMethods) != null ? _j : [];
@@ -170,6 +176,9 @@ const _CoreStateManager = class _CoreStateManager {
       const verifyState = authStateResult;
       verificationUrl = (_C = verifyState.loginUrl) != null ? _C : null;
       verificationFullUrl = (_D = verifyState.loginFullUrl) != null ? _D : null;
+      deliveryChannel = (_E = verifyState.deliveryChannel) != null ? _E : null;
+      fallbackUsed = (_F = verifyState.fallbackUsed) != null ? _F : false;
+      fallbackChannel = (_G = verifyState.fallbackChannel) != null ? _G : null;
     }
     return {
       userId,
@@ -188,10 +197,13 @@ const _CoreStateManager = class _CoreStateManager {
       passkeyId,
       verificationUrl,
       verificationFullUrl,
+      deliveryChannel,
+      fallbackUsed,
+      fallbackChannel,
       externalWalletVerification: externalWalletVerification ? {
-        signatureVerificationMessage: (_E = externalWalletVerification.signatureVerificationMessage) != null ? _E : "",
-        walletAddress: (_G = (_F = externalWalletVerification.externalWallet) == null ? void 0 : _F.address) != null ? _G : "",
-        walletType: (_I = (_H = externalWalletVerification.externalWallet) == null ? void 0 : _H.type) != null ? _I : ""
+        signatureVerificationMessage: (_H = externalWalletVerification.signatureVerificationMessage) != null ? _H : "",
+        walletAddress: (_J = (_I = externalWalletVerification.externalWallet) == null ? void 0 : _I.address) != null ? _J : "",
+        walletType: (_L = (_K = externalWalletVerification.externalWallet) == null ? void 0 : _K.type) != null ? _L : ""
       } : null,
       recoverySecret,
       isNewUser
@@ -253,7 +265,7 @@ const _CoreStateManager = class _CoreStateManager {
   }
   authStateInfoEqual(a, b) {
     var _a, _b, _c, _d, _e, _f, _g, _h, _i;
-    return a.userId === b.userId && a.isPasskeySupported === b.isPasskeySupported && a.hasPasskey === b.hasPasskey && a.hasPassword === b.hasPassword && a.hasPin === b.hasPin && a.passkeyUrl === b.passkeyUrl && a.passkeyFullUrl === b.passkeyFullUrl && a.passkeyKnownDeviceUrl === b.passkeyKnownDeviceUrl && a.passwordUrl === b.passwordUrl && a.passwordFullUrl === b.passwordFullUrl && a.pinUrl === b.pinUrl && a.pinFullUrl === b.pinFullUrl && a.passkeyId === b.passkeyId && a.verificationUrl === b.verificationUrl && a.verificationFullUrl === b.verificationFullUrl && a.recoverySecret === b.recoverySecret && a.isNewUser === b.isNewUser && ((_a = a.externalWalletVerification) == null ? void 0 : _a.signatureVerificationMessage) === ((_b = b.externalWalletVerification) == null ? void 0 : _b.signatureVerificationMessage) && ((_c = a.externalWalletVerification) == null ? void 0 : _c.walletAddress) === ((_d = b.externalWalletVerification) == null ? void 0 : _d.walletAddress) && ((_e = a.externalWalletVerification) == null ? void 0 : _e.walletType) === ((_f = b.externalWalletVerification) == null ? void 0 : _f.walletType) && ((_g = a.passkeyHints) == null ? void 0 : _g.length) === ((_h = b.passkeyHints) == null ? void 0 : _h.length) && ((_i = a.passkeyHints) != null ? _i : []).every(
+    return a.userId === b.userId && a.isPasskeySupported === b.isPasskeySupported && a.hasPasskey === b.hasPasskey && a.hasPassword === b.hasPassword && a.hasPin === b.hasPin && a.passkeyUrl === b.passkeyUrl && a.passkeyFullUrl === b.passkeyFullUrl && a.passkeyKnownDeviceUrl === b.passkeyKnownDeviceUrl && a.passwordUrl === b.passwordUrl && a.passwordFullUrl === b.passwordFullUrl && a.pinUrl === b.pinUrl && a.pinFullUrl === b.pinFullUrl && a.passkeyId === b.passkeyId && a.verificationUrl === b.verificationUrl && a.verificationFullUrl === b.verificationFullUrl && a.deliveryChannel === b.deliveryChannel && a.fallbackUsed === b.fallbackUsed && a.fallbackChannel === b.fallbackChannel && a.recoverySecret === b.recoverySecret && a.isNewUser === b.isNewUser && ((_a = a.externalWalletVerification) == null ? void 0 : _a.signatureVerificationMessage) === ((_b = b.externalWalletVerification) == null ? void 0 : _b.signatureVerificationMessage) && ((_c = a.externalWalletVerification) == null ? void 0 : _c.walletAddress) === ((_d = b.externalWalletVerification) == null ? void 0 : _d.walletAddress) && ((_e = a.externalWalletVerification) == null ? void 0 : _e.walletType) === ((_f = b.externalWalletVerification) == null ? void 0 : _f.walletType) && ((_g = a.passkeyHints) == null ? void 0 : _g.length) === ((_h = b.passkeyHints) == null ? void 0 : _h.length) && ((_i = a.passkeyHints) != null ? _i : []).every(
       (hint, i) => hint.useragent === b.passkeyHints[i].useragent && hint.aaguid === b.passkeyHints[i].aaguid
     );
   }

package/dist/esm/state/actors/setupPara.js

@@ -3,7 +3,10 @@ import {
 } from "../../chunk-7B52C2XE.js";
 import { fromPromise } from "xstate";
 const createSetupParaActor = (paraCoreInterface) => fromPromise(() => __async(void 0, null, function* () {
-  yield paraCoreInterface.setup();
+  const eagerPartnerLoad = paraCoreInterface.isPortal() ? Promise.resolve() : paraCoreInterface.sessionManagementService.touchSession().catch((e) => {
+    paraCoreInterface.devLog("setupPara: eager partner load via touchSession failed; will retry lazily", e);
+  });
+  yield Promise.all([paraCoreInterface.setup(), eagerPartnerLoad]);
 }));
 export {
   createSetupParaActor

package/dist/esm/state/machines/walletStateMachine.js

@@ -161,6 +161,28 @@ function createWalletStateMachine(paraCoreInterface) {
         ]
       },
       needs_wallets: {
+        // `needs_wallets` is otherwise a passive state that waits for the consumer
+        // to dispatch `WAIT_FOR_WALLET_CREATION`. That contract is fine for
+        // `isNewUser` reaching this state without auto-create (`checking_wallet_state`
+        // guard at line ~127), but it traps existing users who landed here via
+        // `waiting_for_wallets` COMPLETE with `needsWallet=true` — i.e., an
+        // authenticated user whose wallets don't satisfy the partner's
+        // `supportedWalletTypes` (e.g. EVM-only user logging into a Solana-only
+        // partner). Their auth flow set `shouldAutoCreateWallets: true` via
+        // `authenticateWithOAuth` / `authenticateWithEmailOrPhone`, but the
+        // existing `claiming_wallets` guard requires `isNewUser ||
+        // shouldClaimGuestWallets`, neither of which is true for them, so
+        // auto-create silently never happens.
+        //
+        // When `shouldAutoCreate` is true, route directly to `creating_wallets`.
+        // `createWalletPerType` is partner-aware via `#getMissingTypes`, so it
+        // provisions exactly the missing required types (no duplicates).
+        always: [
+          {
+            target: "creating_wallets",
+            guard: "shouldAutoCreate"
+          }
+        ],
         on: {
           WAIT_FOR_WALLET_CREATION: {
             target: "claiming_wallets",

package/dist/esm/telemetry/BeaconSpanProcessor.js

@@ -0,0 +1,74 @@
+import {
+  __privateAdd,
+  __privateGet,
+  __privateMethod,
+  __privateSet
+} from "../chunk-7B52C2XE.js";
+var _spans, _pagehideListener, _visibilityListener, _url, _BeaconSpanProcessor_instances, flushViaBeacon_fn;
+import { JsonTraceSerializer } from "@opentelemetry/otlp-transformer";
+const MAX_BUFFER_SIZE = 200;
+class BeaconSpanProcessor {
+  constructor(url) {
+    __privateAdd(this, _BeaconSpanProcessor_instances);
+    __privateAdd(this, _spans, []);
+    __privateAdd(this, _pagehideListener);
+    __privateAdd(this, _visibilityListener);
+    __privateAdd(this, _url);
+    __privateSet(this, _url, url);
+    if (typeof window !== "undefined") {
+      __privateSet(this, _pagehideListener, () => __privateMethod(this, _BeaconSpanProcessor_instances, flushViaBeacon_fn).call(this));
+      __privateSet(this, _visibilityListener, () => {
+        if (typeof document !== "undefined" && document.visibilityState === "hidden") {
+          __privateMethod(this, _BeaconSpanProcessor_instances, flushViaBeacon_fn).call(this);
+        }
+      });
+      window.addEventListener("pagehide", __privateGet(this, _pagehideListener));
+      if (typeof document !== "undefined") {
+        document.addEventListener("visibilitychange", __privateGet(this, _visibilityListener));
+      }
+    }
+  }
+  onStart(_span, _parentContext) {
+  }
+  onEnd(span) {
+    __privateGet(this, _spans).push(span);
+    if (__privateGet(this, _spans).length > MAX_BUFFER_SIZE) {
+      __privateGet(this, _spans).shift();
+    }
+  }
+  forceFlush() {
+    return Promise.resolve();
+  }
+  shutdown() {
+    __privateMethod(this, _BeaconSpanProcessor_instances, flushViaBeacon_fn).call(this);
+    if (__privateGet(this, _pagehideListener) && typeof window !== "undefined") {
+      window.removeEventListener("pagehide", __privateGet(this, _pagehideListener));
+      __privateSet(this, _pagehideListener, void 0);
+    }
+    if (__privateGet(this, _visibilityListener) && typeof document !== "undefined") {
+      document.removeEventListener("visibilitychange", __privateGet(this, _visibilityListener));
+      __privateSet(this, _visibilityListener, void 0);
+    }
+    __privateSet(this, _spans, []);
+    return Promise.resolve();
+  }
+}
+_spans = new WeakMap();
+_pagehideListener = new WeakMap();
+_visibilityListener = new WeakMap();
+_url = new WeakMap();
+_BeaconSpanProcessor_instances = new WeakSet();
+flushViaBeacon_fn = function() {
+  if (__privateGet(this, _spans).length === 0) return;
+  if (typeof navigator === "undefined" || typeof navigator.sendBeacon !== "function") return;
+  try {
+    const body = JsonTraceSerializer.serializeRequest(__privateGet(this, _spans));
+    const blob = new Blob([body], { type: "application/json" });
+    navigator.sendBeacon(__privateGet(this, _url), blob);
+    __privateSet(this, _spans, []);
+  } catch (e) {
+  }
+};
+export {
+  BeaconSpanProcessor
+};

package/dist/esm/telemetry/init.js

@@ -0,0 +1,130 @@
+import {
+  __async,
+  __spreadValues
+} from "../chunk-7B52C2XE.js";
+import {
+  BatchSpanProcessor,
+  BasicTracerProvider,
+  TraceIdRatioBasedSampler
+} from "@opentelemetry/sdk-trace-base";
+import { OTLPTraceExporter } from "@opentelemetry/exporter-trace-otlp-http";
+import { resourceFromAttributes } from "@opentelemetry/resources";
+import { ATTR_SERVICE_NAME, ATTR_SERVICE_VERSION } from "@opentelemetry/semantic-conventions";
+import { context, propagation, trace } from "@opentelemetry/api";
+import { CompositePropagator, W3CTraceContextPropagator } from "@opentelemetry/core";
+import { UxStateSpanProcessor } from "./uxStateSpanProcessor.js";
+import { UxBaggagePropagator } from "./uxBaggagePropagator.js";
+let initialized = false;
+let tracerProvider;
+const readyCallbacks = [];
+function onTelemetryReady(cb) {
+  if (initialized) {
+    cb();
+    return;
+  }
+  readyCallbacks.push(cb);
+}
+function initTelemetry(opts) {
+  return __async(this, null, function* () {
+    if (initialized) return;
+    initialized = true;
+    const isWeb = opts.sdkType === "WEB" && typeof window !== "undefined";
+    if (isWeb && !opts.isPortal) {
+      try {
+        const { ZoneContextManager } = yield import("@opentelemetry/context-zone");
+        const zoneManager = new ZoneContextManager().enable();
+        context.setGlobalContextManager(zoneManager);
+      } catch (e) {
+      }
+    }
+    const resource = resourceFromAttributes(__spreadValues(__spreadValues({
+      [ATTR_SERVICE_NAME]: opts.isPortal ? "para-portal" : "para-sdk",
+      [ATTR_SERVICE_VERSION]: opts.sdkVersion,
+      "para.platform": opts.sdkType
+    }, opts.partnerId ? { "para.partner_id": opts.partnerId } : {}), opts.resourceAttributes));
+    const exporter = new OTLPTraceExporter({
+      url: opts.tunnelUrl
+      // No auth header — the tunnel is a dumb proxy. Per-IP rate limit + body cap on the
+      // BE side keep abuse contained.
+    });
+    const sampler = new TraceIdRatioBasedSampler(Math.max(0, Math.min(1, opts.sampleRate)));
+    const spanProcessors = [new UxStateSpanProcessor(), new BatchSpanProcessor(exporter)];
+    if (isWeb && opts.isPortal) {
+      try {
+        const { BeaconSpanProcessor } = yield import("./BeaconSpanProcessor.js");
+        spanProcessors.push(new BeaconSpanProcessor(opts.tunnelUrl));
+      } catch (e) {
+      }
+    }
+    tracerProvider = new BasicTracerProvider({
+      resource,
+      sampler,
+      spanProcessors
+    });
+    trace.setGlobalTracerProvider(tracerProvider);
+    propagation.setGlobalPropagator(
+      new CompositePropagator({
+        propagators: [new W3CTraceContextPropagator(), new UxBaggagePropagator()]
+      })
+    );
+    if (isWeb) {
+      try {
+        const [{ registerInstrumentations }, { FetchInstrumentation }, { XMLHttpRequestInstrumentation }] = yield Promise.all([
+          import("@opentelemetry/instrumentation"),
+          import("@opentelemetry/instrumentation-fetch"),
+          import("@opentelemetry/instrumentation-xml-http-request")
+        ]);
+        const propagateTraceHeaderCorsUrls = [
+          /^https?:\/\/api\.[^/]*getpara\.com/,
+          /^https?:\/\/api\.[^/]*usecapsule\.com/
+        ];
+        if (opts.isDev) {
+          propagateTraceHeaderCorsUrls.push(/^https?:\/\/localhost/);
+        }
+        registerInstrumentations({
+          // Both fetch and XHR are instrumented because axios uses XHR by default in
+          // the browser and `window.fetch` for first-party SDK code paths that opt in.
+          // Without XHR instrumentation, axios calls don't produce client spans AND
+          // Zone-tracked traceparent injection through our manual interceptor isn't
+          // always reliable on native async/await — the auto-instrumentation handles
+          // both span creation and W3C propagation in one pass.
+          instrumentations: [
+            new FetchInstrumentation({ propagateTraceHeaderCorsUrls }),
+            new XMLHttpRequestInstrumentation({ propagateTraceHeaderCorsUrls })
+          ]
+        });
+      } catch (e) {
+      }
+    }
+    while (readyCallbacks.length) {
+      const cb = readyCallbacks.shift();
+      try {
+        cb();
+      } catch (e) {
+      }
+    }
+  });
+}
+function isTelemetryInitialized() {
+  return initialized;
+}
+function flushTelemetry() {
+  return __async(this, null, function* () {
+    if (!tracerProvider) return;
+    try {
+      yield tracerProvider.forceFlush();
+    } catch (e) {
+    }
+  });
+}
+function __resetTelemetryForTests() {
+  initialized = false;
+  tracerProvider = void 0;
+}
+export {
+  __resetTelemetryForTests,
+  flushTelemetry,
+  initTelemetry,
+  isTelemetryInitialized,
+  onTelemetryReady
+};

package/dist/esm/telemetry/modalSession.js

@@ -0,0 +1,29 @@
+import "../chunk-7B52C2XE.js";
+import { context as otelContext, trace } from "@opentelemetry/api";
+const TRACER_NAME = "para-sdk";
+let activeSpan;
+let activeCtx;
+function startModalSession() {
+  if (activeSpan) return;
+  activeSpan = trace.getTracer(TRACER_NAME).startSpan("ui.modal.session");
+  activeCtx = trace.setSpan(otelContext.active(), activeSpan);
+}
+function endModalSession() {
+  activeSpan == null ? void 0 : activeSpan.end();
+  activeSpan = void 0;
+  activeCtx = void 0;
+}
+function getModalSessionContext() {
+  return activeCtx;
+}
+function __resetModalSessionForTests() {
+  activeSpan == null ? void 0 : activeSpan.end();
+  activeSpan = void 0;
+  activeCtx = void 0;
+}
+export {
+  __resetModalSessionForTests,
+  endModalSession,
+  getModalSessionContext,
+  startModalSession
+};

package/dist/esm/telemetry/session.js

@@ -0,0 +1,16 @@
+import "../chunk-7B52C2XE.js";
+import { v4 as uuidv4 } from "uuid";
+let sessionId;
+function getOrCreateSessionId() {
+  if (!sessionId) {
+    sessionId = uuidv4();
+  }
+  return sessionId;
+}
+function __resetSessionForTests() {
+  sessionId = void 0;
+}
+export {
+  __resetSessionForTests,
+  getOrCreateSessionId
+};

package/dist/esm/telemetry/tracer.js

@@ -0,0 +1,84 @@
+import {
+  __async
+} from "../chunk-7B52C2XE.js";
+import {
+  context as otelContext,
+  propagation,
+  SpanStatusCode,
+  trace
+} from "@opentelemetry/api";
+import { getModalSessionContext } from "./modalSession.js";
+const TRACER_NAME = "para-sdk";
+function getTracer() {
+  return trace.getTracer(TRACER_NAME);
+}
+let defaultParentContext;
+function setDefaultParentContext(ctx) {
+  defaultParentContext = ctx;
+}
+function getDefaultParentContext() {
+  return defaultParentContext;
+}
+function wrapWithSpan(name, fn, attributes) {
+  return __async(this, null, function* () {
+    var _a, _b;
+    const active = otelContext.active();
+    const activeSpan = trace.getSpan(active);
+    const parentCtx = activeSpan ? active : (_b = (_a = getModalSessionContext()) != null ? _a : defaultParentContext) != null ? _b : active;
+    return otelContext.with(
+      parentCtx,
+      () => getTracer().startActiveSpan(name, { attributes }, (span) => __async(this, null, function* () {
+        try {
+          const result = yield fn(span);
+          return result;
+        } catch (err) {
+          span.recordException(err);
+          span.setStatus({ code: SpanStatusCode.ERROR, message: err.message });
+          throw err;
+        } finally {
+          span.end();
+        }
+      }))
+    );
+  });
+}
+function extractTraceContextFromUrl(search) {
+  return propagation.extract(otelContext.active(), getUrlTraceCarrier(search));
+}
+function getUrlTraceCarrier(search) {
+  const url = search != null ? search : typeof window !== "undefined" ? window.location.search : "";
+  const params = new URLSearchParams(url);
+  const carrier = {};
+  const tp = params.get("traceparent");
+  const ts = params.get("tracestate");
+  if (tp) carrier.traceparent = tp;
+  if (ts) carrier.tracestate = ts;
+  return carrier;
+}
+function wrapWithSpanInContext(parentContext, name, fn) {
+  return __async(this, null, function* () {
+    return otelContext.with(
+      parentContext,
+      () => wrapWithSpan(name, (span) => {
+        const traceHeaders = {};
+        propagation.inject(otelContext.active(), traceHeaders, {
+          set: (carrier, key, value) => {
+            carrier[key] = value;
+          }
+        });
+        return fn(span, traceHeaders);
+      })
+    );
+  });
+}
+import { SpanStatusCode as SpanStatusCode2 } from "@opentelemetry/api";
+export {
+  SpanStatusCode2 as SpanStatusCode,
+  extractTraceContextFromUrl,
+  getDefaultParentContext,
+  getTracer,
+  getUrlTraceCarrier,
+  setDefaultParentContext,
+  wrapWithSpan,
+  wrapWithSpanInContext
+};