@glasstrace/sdk 1.1.0 → 1.1.2

package/dist/index.cjs

@@ -17006,6 +17006,7 @@ function classifyFetchTarget(url2) {
 init_dist();
 var GLASSTRACE_DIR = ".glasstrace";
 var ANON_KEY_FILE = "anon_key";
+var CLAIMED_KEY_FILE = "claimed-key";
 var fsPathCache;
 async function loadFsPath() {
   if (fsPathCache !== void 0) return fsPathCache;
@@ -17042,6 +17043,22 @@ async function readAnonKey(projectRoot) {
   }
   return null;
 }
+async function readClaimedKey(projectRoot) {
+  const root = projectRoot ?? process.cwd();
+  const modules = await loadFsPath();
+  if (!modules) return null;
+  const keyPath = modules.path.join(root, GLASSTRACE_DIR, CLAIMED_KEY_FILE);
+  try {
+    const content = await modules.fs.readFile(keyPath, "utf-8");
+    const trimmed = content.trim();
+    const parsed = DevApiKeySchema.safeParse(trimmed);
+    if (parsed.success) {
+      return parsed.data;
+    }
+  } catch {
+  }
+  return null;
+}
 async function getOrCreateAnonKey(projectRoot) {
   const root = projectRoot ?? process.cwd();
   const existingKey = await readAnonKey(root);
@@ -17378,8 +17395,259 @@ function sleep(ms, scheduler, signal) {
   });
 }
 
-// src/init-client.ts
+// src/mcp-runtime.ts
+var import_node_crypto = require("node:crypto");
+init_dist();
+var MCP_ENDPOINT = "https://api.glasstrace.dev/mcp";
+var fsPathCache2;
+async function loadFsPath2() {
+  if (fsPathCache2 !== void 0) return fsPathCache2;
+  try {
+    const [fs3, path3] = await Promise.all([
+      import("node:fs/promises"),
+      import("node:path")
+    ]);
+    fsPathCache2 = { fs: fs3, path: path3 };
+    return fsPathCache2;
+  } catch {
+    fsPathCache2 = null;
+    return null;
+  }
+}
+function identityFingerprint(token) {
+  return `sha256:${(0, import_node_crypto.createHash)("sha256").update(token).digest("hex")}`;
+}
+function mcpConfigMatches(existingContent, expectedContent) {
+  const trimmedExpected = expectedContent.trim();
+  try {
+    const existingParsed = JSON.parse(existingContent);
+    const expectedParsed = JSON.parse(trimmedExpected);
+    return JSON.stringify(canonicalize(existingParsed)) === JSON.stringify(canonicalize(expectedParsed));
+  } catch {
+  }
+  return existingContent.trim() === trimmedExpected;
+}
+function canonicalize(value) {
+  if (Array.isArray(value)) {
+    return value.map(canonicalize);
+  }
+  if (value !== null && typeof value === "object") {
+    const obj = value;
+    const sorted = {};
+    for (const key of Object.keys(obj).sort()) {
+      sorted[key] = canonicalize(obj[key]);
+    }
+    return sorted;
+  }
+  return value;
+}
+function readEnvLocalApiKey(content) {
+  let last = null;
+  const regex = /^\s*GLASSTRACE_API_KEY\s*=\s*(.*)$/gm;
+  let match;
+  while ((match = regex.exec(content)) !== null) {
+    const raw = match[1].trim();
+    if (raw === "") continue;
+    const unquoted = raw.replace(/^(['"])(.*)\1$/, "$2");
+    if (unquoted === "" || unquoted === "your_key_here") continue;
+    last = unquoted;
+  }
+  return last;
+}
+async function resolveEffectiveMcpCredential(projectRoot) {
+  const root = projectRoot ?? process.cwd();
+  const warnings = [];
+  const envLocalKey = await readEnvLocalDevKey(root, warnings);
+  const claimedKey = envLocalKey === null ? await readClaimedKey(root) : null;
+  const anonKey = await readAnonKey(root);
+  let effective = null;
+  if (envLocalKey !== null) {
+    effective = { source: "env-local", key: envLocalKey };
+  } else if (claimedKey !== null) {
+    effective = { source: "claimed-key", key: claimedKey };
+    warnings.push("claimed-key-only");
+  } else if (anonKey !== null) {
+    effective = { source: "anon", key: anonKey };
+  }
+  return { effective, anonKey, warnings };
+}
+async function readEnvLocalDevKey(root, warnings) {
+  const modules = await loadFsPath2();
+  if (!modules) return null;
+  const envPath = modules.path.join(root, ".env.local");
+  let content;
+  try {
+    content = await modules.fs.readFile(envPath, "utf-8");
+  } catch {
+    return null;
+  }
+  const raw = readEnvLocalApiKey(content);
+  if (raw === null) return null;
+  const parsed = DevApiKeySchema.safeParse(raw);
+  if (!parsed.success) {
+    warnings.push("malformed-env-local");
+    return null;
+  }
+  return parsed.data;
+}
+var MCP_MARKER_FILE = "mcp-connected";
 var GLASSTRACE_DIR2 = ".glasstrace";
+async function readMcpMarker(projectRoot) {
+  const root = projectRoot ?? process.cwd();
+  const modules = await loadFsPath2();
+  if (!modules) return { status: "absent" };
+  const markerPath = modules.path.join(root, GLASSTRACE_DIR2, MCP_MARKER_FILE);
+  let content;
+  try {
+    content = await modules.fs.readFile(markerPath, "utf-8");
+  } catch {
+    return { status: "absent" };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(content);
+  } catch {
+    return { status: "corrupted" };
+  }
+  if (parsed === null || typeof parsed !== "object") {
+    return { status: "corrupted" };
+  }
+  const obj = parsed;
+  const version2 = obj["version"];
+  if (version2 === void 0) {
+    const keyHash = obj["keyHash"];
+    if (typeof keyHash !== "string" || keyHash === "") {
+      return { status: "corrupted" };
+    }
+    return {
+      status: "valid",
+      credentialSource: "anon",
+      credentialHash: keyHash
+    };
+  }
+  if (version2 === 2) {
+    const source = obj["credentialSource"];
+    const hash2 = obj["credentialHash"];
+    if (source !== "env-local" && source !== "claimed-key" && source !== "anon" || typeof hash2 !== "string" || hash2 === "") {
+      return { status: "corrupted" };
+    }
+    return {
+      status: "valid",
+      credentialSource: source,
+      credentialHash: hash2
+    };
+  }
+  if (typeof version2 === "number" && version2 > 2) {
+    return { status: "unknown-version" };
+  }
+  return { status: "corrupted" };
+}
+async function writeMcpMarker(projectRoot, target) {
+  const modules = await loadFsPath2();
+  if (!modules) return false;
+  const dirPath = modules.path.join(projectRoot, GLASSTRACE_DIR2);
+  const markerPath = modules.path.join(dirPath, MCP_MARKER_FILE);
+  const state = await readMcpMarker(projectRoot);
+  if (state.status === "valid" && state.credentialSource === target.credentialSource && state.credentialHash === target.credentialHash) {
+    return false;
+  }
+  await modules.fs.mkdir(dirPath, { recursive: true, mode: 448 });
+  const body = JSON.stringify(
+    {
+      version: 2,
+      credentialSource: target.credentialSource,
+      credentialHash: target.credentialHash,
+      configuredAt: (/* @__PURE__ */ new Date()).toISOString()
+    },
+    null,
+    2
+  );
+  await modules.fs.writeFile(markerPath, body, { mode: 384 });
+  await modules.fs.chmod(markerPath, 384);
+  return true;
+}
+var MCP_CONFIG_FILE = "mcp.json";
+var refreshNudgeEmitted = false;
+function emitRefreshNudge(persistedSource) {
+  if (refreshNudgeEmitted) return;
+  refreshNudgeEmitted = true;
+  try {
+    if (persistedSource === "claimed-key") {
+      process.stderr.write(
+        "[glasstrace] MCP config refreshed for the new credential. Copy .glasstrace/claimed-key into .env.local so Codex can pick it up on next restart.\n"
+      );
+    } else {
+      process.stderr.write(
+        "[glasstrace] MCP config refreshed for the new credential.\n"
+      );
+    }
+  } catch {
+  }
+}
+function genericMcpConfigContent(endpoint, bearer) {
+  return JSON.stringify(
+    {
+      mcpServers: {
+        glasstrace: {
+          url: endpoint,
+          headers: {
+            Authorization: `Bearer ${bearer}`
+          }
+        }
+      }
+    },
+    null,
+    2
+  );
+}
+async function refreshGenericMcpConfigAtRuntime(projectRoot, effective, anonKeyOnDisk) {
+  if (effective === null || effective.source === "anon") {
+    return { action: "skipped-anon-source" };
+  }
+  if (anonKeyOnDisk === null) {
+    return { action: "absent" };
+  }
+  const modules = await loadFsPath2();
+  if (!modules) return { action: "absent" };
+  const dirPath = modules.path.join(projectRoot, GLASSTRACE_DIR2);
+  const configPath = modules.path.join(dirPath, MCP_CONFIG_FILE);
+  const tmpPath = configPath + ".tmp";
+  let existing;
+  try {
+    existing = await modules.fs.readFile(configPath, "utf-8");
+  } catch (err) {
+    const code = err.code;
+    if (code === "ENOENT") {
+      return { action: "absent" };
+    }
+    return { action: "preserved" };
+  }
+  const expectedAnon = genericMcpConfigContent(MCP_ENDPOINT, anonKeyOnDisk);
+  if (!mcpConfigMatches(existing, expectedAnon)) {
+    return { action: "preserved" };
+  }
+  const replacement = genericMcpConfigContent(MCP_ENDPOINT, effective.key);
+  try {
+    await modules.fs.writeFile(tmpPath, replacement, { mode: 384 });
+    await modules.fs.chmod(tmpPath, 384);
+    await modules.fs.rename(tmpPath, configPath);
+    await writeMcpMarker(projectRoot, {
+      credentialSource: effective.source,
+      credentialHash: identityFingerprint(effective.key)
+    });
+  } catch {
+    try {
+      await modules.fs.unlink(tmpPath);
+    } catch {
+    }
+    return { action: "preserved" };
+  }
+  emitRefreshNudge(effective.source);
+  return { action: "rewrote" };
+}
+
+// src/init-client.ts
+var GLASSTRACE_DIR3 = ".glasstrace";
 var CONFIG_FILE = "config";
 var TWENTY_FOUR_HOURS_MS = 24 * 60 * 60 * 1e3;
 var INIT_TIMEOUT_MS = 1e4;
@@ -17416,7 +17684,7 @@ function loadCachedConfig(projectRoot) {
   const modules = loadFsSyncOrNull();
   if (!modules) return null;
   const root = projectRoot ?? process.cwd();
-  const configPath = modules.join(root, GLASSTRACE_DIR2, CONFIG_FILE);
+  const configPath = modules.join(root, GLASSTRACE_DIR3, CONFIG_FILE);
   try {
     const content = modules.readFileSync(configPath, "utf-8");
     const parsed = JSON.parse(content);
@@ -17442,7 +17710,7 @@ async function saveCachedConfig(response, projectRoot) {
   const modules = await loadFsPathAsync();
   if (!modules) return;
   const root = projectRoot ?? process.cwd();
-  const dirPath = modules.path.join(root, GLASSTRACE_DIR2);
+  const dirPath = modules.path.join(root, GLASSTRACE_DIR3);
   const configPath = modules.path.join(dirPath, CONFIG_FILE);
   const tmpPath = `${configPath}.tmp`;
   try {
@@ -17568,11 +17836,11 @@ async function writeClaimedKey(newApiKey, projectRoot) {
         );
       } catch {
       }
-      return;
+      return { persisted: "env-local" };
     }
     let claimedKeyWritten = false;
     try {
-      const dirPath = modules.path.join(root, GLASSTRACE_DIR2);
+      const dirPath = modules.path.join(root, GLASSTRACE_DIR3);
       await modules.fs.mkdir(dirPath, { recursive: true, mode: 448 });
       await modules.fs.chmod(dirPath, 448);
       const claimedKeyPath = modules.path.join(dirPath, "claimed-key");
@@ -17591,7 +17859,7 @@ async function writeClaimedKey(newApiKey, projectRoot) {
         );
       } catch {
       }
-      return;
+      return { persisted: "claimed-key" };
     }
   }
   try {
@@ -17600,6 +17868,7 @@ async function writeClaimedKey(newApiKey, projectRoot) {
     );
   } catch {
   }
+  return { persisted: "none" };
 }
 async function performInit(config2, anonKey, sdkVersion, healthReport) {
   lastInitSucceeded = false;
@@ -17631,10 +17900,23 @@ async function performInit(config2, anonKey, sdkVersion, healthReport) {
       lastInitSucceeded = true;
       await saveCachedConfig(result);
       if (result.claimResult) {
+        let persisted = "none";
         try {
-          await writeClaimedKey(result.claimResult.newApiKey);
+          const w = await writeClaimedKey(result.claimResult.newApiKey);
+          persisted = w.persisted;
         } catch {
         }
+        if (persisted !== "none") {
+          try {
+            const resolved = await resolveEffectiveMcpCredential();
+            await refreshGenericMcpConfigAtRuntime(
+              process.cwd(),
+              resolved.effective,
+              resolved.anonKey
+            );
+          } catch {
+          }
+        }
         return { claimResult: result.claimResult };
       }
       return null;
@@ -17751,6 +18033,128 @@ init_esm();
 init_dist();
 init_console_capture();
 init_error_nudge();
+
+// src/error-response-body.ts
+var ERROR_RESPONSE_BODY_MAX_BYTES = 4096;
+var ERROR_RESPONSE_BODY_TRUNCATION_MARKER = "...[truncated]";
+var REDACTED = "[REDACTED]";
+var ERROR_STATUS_MIN = 400;
+var ERROR_STATUS_MAX = 599;
+function isHttpErrorStatus(status) {
+  let numeric;
+  if (typeof status === "number") {
+    numeric = status;
+  } else if (typeof status === "string" && status.length > 0) {
+    numeric = Number(status);
+  } else {
+    return false;
+  }
+  if (!Number.isFinite(numeric)) return false;
+  return numeric >= ERROR_STATUS_MIN && numeric <= ERROR_STATUS_MAX;
+}
+var REDACTION_PATTERNS = [
+  // Order matters: redact specific token shapes BEFORE the generic
+  // key=value catcher so a literal `Bearer eyJ…` collapses into a single
+  // [REDACTED] and the JWT regex does not separately match the suffix.
+  {
+    name: "bearer",
+    // Case-insensitive on the scheme: HTTP frameworks and proxies
+    // round-trip the auth scheme with inconsistent casing
+    // (`Bearer`, `bearer`, `BEARER`), and a real token leaks just as
+    // badly under any of them.
+    pattern: /\bBearer\s+[A-Za-z0-9._\-+/=]+/gi
+  },
+  {
+    name: "jwt",
+    // Three base64url segments separated by dots. Real JWTs encode at
+    // minimum a small JSON header in the first segment, which alone is
+    // typically ≥10 chars after base64url; a 16-char floor avoids false
+    // positives on dotted text like a stack-trace frame
+    // (`react.dom.server`) while still catching every real JWT we have
+    // seen in the wild. Anchored with word boundaries on both sides so
+    // a 3-dot semantic version like "next@15.4.1.2" does not match.
+    pattern: /\b[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g
+  },
+  {
+    name: "glasstrace-api-key",
+    // gt_dev_* and gt_anon_* keys are >=24 chars of [A-Za-z0-9].
+    pattern: /\bgt_(?:dev|anon)_[A-Za-z0-9]{16,}\b/g
+  },
+  {
+    name: "aws-access-key",
+    // 20-char prefix-fixed identifier.
+    pattern: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g
+  },
+  {
+    name: "key-value-secret-quoted",
+    // Quoted-string variant: (key) [:=] "<value>". The value runs to
+    // the next unescaped closing quote so a multi-word secret like
+    // `password="my secret phrase"` is fully consumed instead of
+    // splitting at the first space and leaving the tail visible.
+    // The leading `(?<![A-Za-z0-9_])` prevents matching inside
+    // identifiers like `passwordless`. The trailing `"?` after the
+    // keyword absorbs the closing quote in JSON-style `"apikey":
+    // "value"` so the colon is still seen as the separator.
+    pattern: /(?<![A-Za-z0-9_])(?:api[_-]?key|apikey|secret|password|token)"?\s*[:=]\s*"(?:[^"\\]|\\.)*"/gi
+  },
+  {
+    name: "key-value-secret-bare",
+    // Unquoted variant: (key) [:=] <bare-value>. The bare value
+    // capture stops at common JSON/text delimiters so we redact only
+    // the value, not surrounding structure. Listed AFTER the quoted
+    // variant so a quoted value's surrounding `"` are consumed by
+    // the first pattern and we never fall through here for a quoted
+    // secret.
+    pattern: /(?<![A-Za-z0-9_])(?:api[_-]?key|apikey|secret|password|token)"?\s*[:=]\s*[^\s,;}\]"]+/gi
+  }
+];
+function sanitizeErrorResponseBody(body) {
+  let out = body;
+  for (const { pattern } of REDACTION_PATTERNS) {
+    out = out.replace(pattern, REDACTED);
+  }
+  return out;
+}
+function truncateErrorResponseBody(body) {
+  const encoder = new TextEncoder();
+  const encoded = encoder.encode(body);
+  if (encoded.byteLength <= ERROR_RESPONSE_BODY_MAX_BYTES) {
+    return body;
+  }
+  let cut = ERROR_RESPONSE_BODY_MAX_BYTES;
+  let scan = cut - 1;
+  while (scan >= 0 && (encoded[scan] & 192) === 128) {
+    scan -= 1;
+  }
+  if (scan >= 0) {
+    const leading = encoded[scan];
+    let expected = 1;
+    if ((leading & 128) === 0) {
+      expected = 1;
+    } else if ((leading & 224) === 192) {
+      expected = 2;
+    } else if ((leading & 240) === 224) {
+      expected = 3;
+    } else if ((leading & 248) === 240) {
+      expected = 4;
+    }
+    if (scan + expected > cut) {
+      cut = scan;
+    }
+  }
+  const decoder = new TextDecoder("utf-8", { fatal: false });
+  const sliced = encoded.subarray(0, cut);
+  const decoded = decoder.decode(sliced);
+  return decoded + ERROR_RESPONSE_BODY_TRUNCATION_MARKER;
+}
+function prepareErrorResponseBody(body) {
+  if (body.length === 0) return null;
+  if (body.trim().length === 0) return null;
+  const sanitized = sanitizeErrorResponseBody(body);
+  return truncateErrorResponseBody(sanitized);
+}
+
+// src/enriching-exporter.ts
 var ATTR = GLASSTRACE_ATTRIBUTE_NAMES;
 var API_KEY_PENDING = "pending";
 var MAX_PENDING_SPANS = 1024;
@@ -17978,7 +18382,14 @@ var GlasstraceExporter = class {
       if (this.getConfig().errorResponseBodies) {
         const responseBody = attrs["glasstrace.internal.response_body"];
         if (typeof responseBody === "string") {
-          extra[ATTR.ERROR_RESPONSE_BODY] = responseBody.slice(0, 500);
+          const enrichedStatus = extra[ATTR.HTTP_STATUS_CODE];
+          const effectiveStatus = typeof enrichedStatus === "number" ? enrichedStatus : statusCode;
+          if (isHttpErrorStatus(effectiveStatus)) {
+            const prepared = prepareErrorResponseBody(responseBody);
+            if (prepared !== null) {
+              extra[ATTR.ERROR_RESPONSE_BODY] = prepared;
+            }
+          }
         }
       }
       const spanAny = span;
@@ -21844,7 +22255,7 @@ function registerGlasstrace(options) {
     setCoreState(CoreState.REGISTERING);
     startRuntimeStateWriter({
       projectRoot: process.cwd(),
-      sdkVersion: "1.1.0"
+      sdkVersion: "1.1.2"
     });
     const config2 = resolveConfig(options);
     if (config2.verbose) {
@@ -22010,8 +22421,8 @@ async function backgroundInit(config2, anonKeyForInit, generation) {
   if (config2.verbose) {
     console.info("[glasstrace] Background init firing.");
   }
-  const healthReport = collectHealthReport("1.1.0");
-  const initResult = await performInit(config2, anonKeyForInit, "1.1.0", healthReport);
+  const healthReport = collectHealthReport("1.1.2");
+  const initResult = await performInit(config2, anonKeyForInit, "1.1.2", healthReport);
   if (generation !== registrationGeneration) return;
   const currentState = getCoreState();
   if (currentState === CoreState.SHUTTING_DOWN || currentState === CoreState.SHUTDOWN) {
@@ -22034,7 +22445,7 @@ async function backgroundInit(config2, anonKeyForInit, generation) {
   }
   maybeInstallConsoleCapture();
   if (didLastInitSucceed()) {
-    startHeartbeat(config2, anonKeyForInit, "1.1.0", generation, (newApiKey, accountId) => {
+    startHeartbeat(config2, anonKeyForInit, "1.1.2", generation, (newApiKey, accountId) => {
       setAuthState(AuthState.CLAIMING);
       emitLifecycleEvent("auth:claim_started", { accountId });
       setResolvedApiKey(newApiKey);