@glasstrace/sdk 0.18.0 → 0.20.0

package/dist/index.d.cts

@@ -140,6 +140,49 @@ declare const SourceMapManifestResponseSchema: z.ZodObject<{
 }, z.core.$strip>;
 type SourceMapManifestResponse = z.infer<typeof SourceMapManifestResponseSchema>;
 
+/**
+ * Session ID derivation — part of the public Glasstrace wire contract.
+ *
+ * Deriving the session ID is deterministic: given the same inputs,
+ * every runtime that implements this module produces the same
+ * 16-character hex identifier. That determinism is the contract — it
+ * lets independent clients (SDK, browser extension, server tooling)
+ * agree on the same session without coordination.
+ *
+ * This module is pure: it has no module-level state and no
+ * runtime-dependent branches. It is safe to import from Node 20+,
+ * modern browsers, Vercel Edge, and Cloudflare Workers. The SHA-256
+ * implementation is pure JavaScript; no `node:crypto`, no Web Crypto,
+ * no bundler-specific shims.
+ */
+
+/**
+ * Derives a deterministic session ID from the inputs that define a
+ * Glasstrace session. The output is a 16-character lowercase hex
+ * string validated through {@link SessionIdSchema}.
+ *
+ * This function is part of the Glasstrace wire contract: any consumer
+ * (SDK, browser extension, server tooling) that calls it with the same
+ * arguments receives the same `SessionId`. That property is what lets
+ * independent clients agree on a session without coordination.
+ *
+ * Uses a pure-JavaScript SHA-256 so the output is identical across
+ * every runtime this package supports (Node 20+, modern browsers,
+ * Vercel Edge, Cloudflare Workers).
+ *
+ * Security note: the session ID is an **identifier**, not a secret or
+ * an authentication token. It is never used for authorization.
+ *
+ * @param apiKey - The project's API key (or anonymous placeholder).
+ * @param origin - The origin string identifying the deployment
+ *   environment (for example `localhost:3000` or `production`).
+ * @param date - UTC date as `YYYY-MM-DD`.
+ * @param windowIndex - Zero-based index of the 4-hour activity window
+ *   within the day.
+ * @returns A 16-character hex {@link SessionId}.
+ */
+declare function deriveSessionId(apiKey: string, origin: string, date: string, windowIndex: number): SessionId;
+
 /**
  * Internal SDK error class with a typed diagnostic code.
  * Caught at the boundary and converted to a log message + diagnostic entry.
@@ -188,18 +231,6 @@ declare function isProductionDisabled(config: ResolvedConfig): boolean;
  */
 declare function isAnonymousMode(config: ResolvedConfig): boolean;
 
-/**
- * Derives a deterministic session ID from the given inputs.
- * Uses SHA-256 (truncated to 16 hex chars) when `node:crypto` is available,
- * or a deterministic FNV-1a hash as a fallback in non-Node environments.
- *
- * @param apiKey - The project's API key (or anonymous placeholder).
- * @param origin - The origin string identifying the deployment environment.
- * @param date - UTC date as YYYY-MM-DD.
- * @param windowIndex - Zero-based index of the 4-hour activity window within the day.
- * @returns A 16-character hex SessionId.
- */
-declare function deriveSessionId(apiKey: string, origin: string, date: string, windowIndex: number): SessionId;
 /**
  * Returns the origin string for the current process.
  * If GLASSTRACE_ENV is set, returns that value.

package/dist/index.d.ts

@@ -140,6 +140,49 @@ declare const SourceMapManifestResponseSchema: z.ZodObject<{
 }, z.core.$strip>;
 type SourceMapManifestResponse = z.infer<typeof SourceMapManifestResponseSchema>;
 
+/**
+ * Session ID derivation — part of the public Glasstrace wire contract.
+ *
+ * Deriving the session ID is deterministic: given the same inputs,
+ * every runtime that implements this module produces the same
+ * 16-character hex identifier. That determinism is the contract — it
+ * lets independent clients (SDK, browser extension, server tooling)
+ * agree on the same session without coordination.
+ *
+ * This module is pure: it has no module-level state and no
+ * runtime-dependent branches. It is safe to import from Node 20+,
+ * modern browsers, Vercel Edge, and Cloudflare Workers. The SHA-256
+ * implementation is pure JavaScript; no `node:crypto`, no Web Crypto,
+ * no bundler-specific shims.
+ */
+
+/**
+ * Derives a deterministic session ID from the inputs that define a
+ * Glasstrace session. The output is a 16-character lowercase hex
+ * string validated through {@link SessionIdSchema}.
+ *
+ * This function is part of the Glasstrace wire contract: any consumer
+ * (SDK, browser extension, server tooling) that calls it with the same
+ * arguments receives the same `SessionId`. That property is what lets
+ * independent clients agree on a session without coordination.
+ *
+ * Uses a pure-JavaScript SHA-256 so the output is identical across
+ * every runtime this package supports (Node 20+, modern browsers,
+ * Vercel Edge, Cloudflare Workers).
+ *
+ * Security note: the session ID is an **identifier**, not a secret or
+ * an authentication token. It is never used for authorization.
+ *
+ * @param apiKey - The project's API key (or anonymous placeholder).
+ * @param origin - The origin string identifying the deployment
+ *   environment (for example `localhost:3000` or `production`).
+ * @param date - UTC date as `YYYY-MM-DD`.
+ * @param windowIndex - Zero-based index of the 4-hour activity window
+ *   within the day.
+ * @returns A 16-character hex {@link SessionId}.
+ */
+declare function deriveSessionId(apiKey: string, origin: string, date: string, windowIndex: number): SessionId;
+
 /**
  * Internal SDK error class with a typed diagnostic code.
  * Caught at the boundary and converted to a log message + diagnostic entry.
@@ -188,18 +231,6 @@ declare function isProductionDisabled(config: ResolvedConfig): boolean;
  */
 declare function isAnonymousMode(config: ResolvedConfig): boolean;
 
-/**
- * Derives a deterministic session ID from the given inputs.
- * Uses SHA-256 (truncated to 16 hex chars) when `node:crypto` is available,
- * or a deterministic FNV-1a hash as a fallback in non-Node environments.
- *
- * @param apiKey - The project's API key (or anonymous placeholder).
- * @param origin - The origin string identifying the deployment environment.
- * @param date - UTC date as YYYY-MM-DD.
- * @param windowIndex - Zero-based index of the 4-hour activity window within the day.
- * @returns A 16-character hex SessionId.
- */
-declare function deriveSessionId(apiKey: string, origin: string, date: string, windowIndex: number): SessionId;
 /**
  * Returns the origin string for the current process.
  * If GLASSTRACE_ENV is set, returns that value.

package/dist/index.js

@@ -10,7 +10,7 @@ import {
   uploadSourceMaps,
   uploadSourceMapsAuto,
   uploadSourceMapsPresigned
-} from "./chunk-E33Y7BQH.js";
+} from "./chunk-VN3GZDV6.js";
 import {
   _setCurrentConfig,
   buildImportGraph,
@@ -28,7 +28,7 @@ import {
   recordSpansExported,
   saveCachedConfig,
   sendInitRequest
-} from "./chunk-IOPCSX6C.js";
+} from "./chunk-F2TZRBEH.js";
 import {
   isAnonymousMode,
   isProductionDisabled,
@@ -38,11 +38,11 @@ import {
 import {
   getOrCreateAnonKey,
   readAnonKey
-} from "./chunk-J5BW7V2D.js";
+} from "./chunk-YPXW2TN3.js";
 import {
   GLASSTRACE_ATTRIBUTE_NAMES,
-  SessionIdSchema
-} from "./chunk-GSGX76Q5.js";
+  deriveSessionId
+} from "./chunk-5N2IR4EO.js";
 import {
   DiagLogLevel,
   INVALID_SPAN_CONTEXT,
@@ -76,37 +76,8 @@ var SdkError = class extends Error {
 
 // src/session.ts
 var FOUR_HOURS_MS = 4 * 60 * 60 * 1e3;
-var hashFn = null;
-function fnv1aHash(input) {
-  let hash = 2166136261;
-  for (let i = 0; i < input.length; i++) {
-    hash ^= input.charCodeAt(i);
-    hash = Math.imul(hash, 16777619);
-    hash >>>= 0;
-  }
-  return hash.toString(16).padStart(8, "0");
-}
-function getHashFn() {
-  if (hashFn) return hashFn;
-  try {
-    const { createHash } = __require("node:crypto");
-    hashFn = (input) => createHash("sha256").update(input).digest("hex").slice(0, 16);
-  } catch {
-    hashFn = (input) => {
-      const h1 = fnv1aHash(input);
-      const h2 = fnv1aHash(input + "\0");
-      return (h1 + h2).slice(0, 16);
-    };
-  }
-  return hashFn;
-}
 var cachedGlasstraceEnv = process.env.GLASSTRACE_ENV;
 var cachedPort = process.env.PORT ?? "3000";
-function deriveSessionId(apiKey, origin, date, windowIndex) {
-  const input = JSON.stringify([apiKey, origin, date, windowIndex]);
-  const hash = getHashFn()(input);
-  return SessionIdSchema.parse(hash);
-}
 function getOrigin() {
   if (cachedGlasstraceEnv) {
     return cachedGlasstraceEnv;
@@ -616,6 +587,14 @@ function deriveErrorCategory(errorType) {
 }
 
 // src/discovery-endpoint.ts
+var runtimeHandlerDeprecationWarned = false;
+function warnRuntimeHandlerDeprecatedOnce() {
+  if (runtimeHandlerDeprecationWarned) return;
+  runtimeHandlerDeprecationWarned = true;
+  console.warn(
+    "[glasstrace] createDiscoveryHandler is deprecated. Run `npx glasstrace init` to generate a static file at public/.well-known/glasstrace.json (or static/.well-known/glasstrace.json on SvelteKit). The runtime handler will be removed in v1.0.0."
+  );
+}
 function isAllowedOrigin(origin) {
   if (origin === null) return true;
   if (origin.startsWith("chrome-extension://")) return true;
@@ -644,6 +623,7 @@ function createDiscoveryHandler(getAnonKey, getSessionId, getClaimState) {
     if (url.pathname !== "/__glasstrace/config") {
       return null;
     }
+    warnRuntimeHandlerDeprecatedOnce();
     const origin = request.headers.get("Origin");
     const corsHeaders = buildCorsHeaders(origin);
     if (request.method === "OPTIONS") {
@@ -4236,7 +4216,7 @@ function registerGlasstrace(options) {
     setCoreState(CoreState.REGISTERING);
     startRuntimeStateWriter({
       projectRoot: process.cwd(),
-      sdkVersion: "0.18.0"
+      sdkVersion: "0.20.0"
     });
     const config = resolveConfig(options);
     if (config.verbose) {
@@ -4402,8 +4382,8 @@ async function backgroundInit(config, anonKeyForInit, generation) {
   if (config.verbose) {
     console.info("[glasstrace] Background init firing.");
   }
-  const healthReport = collectHealthReport("0.18.0");
-  const initResult = await performInit(config, anonKeyForInit, "0.18.0", healthReport);
+  const healthReport = collectHealthReport("0.20.0");
+  const initResult = await performInit(config, anonKeyForInit, "0.20.0", healthReport);
   if (generation !== registrationGeneration) return;
   const currentState = getCoreState();
   if (currentState === CoreState.SHUTTING_DOWN || currentState === CoreState.SHUTDOWN) {
@@ -4426,7 +4406,7 @@ async function backgroundInit(config, anonKeyForInit, generation) {
   }
   maybeInstallConsoleCapture();
   if (didLastInitSucceed()) {
-    startHeartbeat(config, anonKeyForInit, "0.18.0", generation, (newApiKey, accountId) => {
+    startHeartbeat(config, anonKeyForInit, "0.20.0", generation, (newApiKey, accountId) => {
       setAuthState(AuthState.CLAIMING);
       emitLifecycleEvent("auth:claim_started", { accountId });
       setResolvedApiKey(newApiKey);
@@ -4563,7 +4543,7 @@ async function handleSourceMapUpload(distDir) {
       );
       return;
     }
-    const { discoverSourceMapFiles: discoverSourceMapFiles2, computeBuildHash: computeBuildHash2, uploadSourceMaps: uploadSourceMaps2 } = await import("./source-map-uploader-26QPRSCG.js");
+    const { discoverSourceMapFiles: discoverSourceMapFiles2, computeBuildHash: computeBuildHash2, uploadSourceMaps: uploadSourceMaps2 } = await import("./source-map-uploader-VPDZWWM2.js");
     const files = await discoverSourceMapFiles2(distDir);
     if (files.length === 0) {
       console.info("[glasstrace] No source map files found. Skipping upload.");