@glasstrace/sdk 1.1.1 → 1.1.2

package/dist/cli/validate.d.cts

@@ -3,7 +3,7 @@
  */
 interface ValidationIssue {
     /** Stable machine-readable identifier for the issue class. */
-    code: "glasstrace-dir-without-register-import" | "sdk-import-without-glasstrace-dir" | "mcp-marker-without-configs" | "mcp-configs-without-marker";
+    code: "glasstrace-dir-without-register-import" | "sdk-import-without-glasstrace-dir" | "mcp-marker-without-configs" | "mcp-configs-without-marker" | "mcp-helper-stale-credential";
     /** Human-readable message describing the inconsistency. */
     message: string;
     /** Suggested command or manual action to resolve the issue. */
@@ -39,7 +39,7 @@ declare function hasGlasstraceImport(content: string): boolean;
 declare function hasRegisterGlasstraceImport(content: string): boolean;
 /**
  * Validates consistency between the filesystem artifacts that `sdk init`
- * produces (DISC-1247 Scenario 4). Detects four classes of inconsistency:
+ * produces (DISC-1247 Scenario 4). Detects five classes of inconsistency:
  *
  * 1. `.glasstrace/` exists but `instrumentation.ts` does not import
  *    `registerGlasstrace` from `@glasstrace/sdk`.
@@ -47,6 +47,10 @@ declare function hasRegisterGlasstraceImport(content: string): boolean;
  *    from `@glasstrace/sdk`.
  * 3. `.glasstrace/mcp-connected` marker exists but no MCP config files.
  * 4. MCP config files exist but no `.glasstrace/mcp-connected` marker.
+ * 5. `.glasstrace/mcp-connected` marker records a credential identity
+ *    that no longer matches the project's effective MCP credential
+ *    (e.g. project moved from anon to account/dev-key but the managed
+ *    helper config still embeds the anon bearer — DISC-1512).
  *
  * Each issue includes a stable `code`, a message, and a suggested fix.
  * Exit code is non-zero whenever any issue is detected so CI pipelines
@@ -55,6 +59,6 @@ declare function hasRegisterGlasstraceImport(content: string): boolean;
  * @param options - Configuration for the validator.
  * @returns A structured result describing detected inconsistencies.
  */
-declare function runValidate(options: ValidateOptions): ValidateResult;
+declare function runValidate(options: ValidateOptions): Promise<ValidateResult>;
 
 export { type ValidateOptions, type ValidateResult, type ValidationIssue, hasGlasstraceImport, hasRegisterGlasstraceImport, runValidate };

package/dist/cli/validate.d.ts

@@ -3,7 +3,7 @@
  */
 interface ValidationIssue {
     /** Stable machine-readable identifier for the issue class. */
-    code: "glasstrace-dir-without-register-import" | "sdk-import-without-glasstrace-dir" | "mcp-marker-without-configs" | "mcp-configs-without-marker";
+    code: "glasstrace-dir-without-register-import" | "sdk-import-without-glasstrace-dir" | "mcp-marker-without-configs" | "mcp-configs-without-marker" | "mcp-helper-stale-credential";
     /** Human-readable message describing the inconsistency. */
     message: string;
     /** Suggested command or manual action to resolve the issue. */
@@ -39,7 +39,7 @@ declare function hasGlasstraceImport(content: string): boolean;
 declare function hasRegisterGlasstraceImport(content: string): boolean;
 /**
  * Validates consistency between the filesystem artifacts that `sdk init`
- * produces (DISC-1247 Scenario 4). Detects four classes of inconsistency:
+ * produces (DISC-1247 Scenario 4). Detects five classes of inconsistency:
  *
  * 1. `.glasstrace/` exists but `instrumentation.ts` does not import
  *    `registerGlasstrace` from `@glasstrace/sdk`.
@@ -47,6 +47,10 @@ declare function hasRegisterGlasstraceImport(content: string): boolean;
  *    from `@glasstrace/sdk`.
  * 3. `.glasstrace/mcp-connected` marker exists but no MCP config files.
  * 4. MCP config files exist but no `.glasstrace/mcp-connected` marker.
+ * 5. `.glasstrace/mcp-connected` marker records a credential identity
+ *    that no longer matches the project's effective MCP credential
+ *    (e.g. project moved from anon to account/dev-key but the managed
+ *    helper config still embeds the anon bearer — DISC-1512).
  *
  * Each issue includes a stable `code`, a message, and a suggested fix.
  * Exit code is non-zero whenever any issue is detected so CI pipelines
@@ -55,6 +59,6 @@ declare function hasRegisterGlasstraceImport(content: string): boolean;
  * @param options - Configuration for the validator.
  * @returns A structured result describing detected inconsistencies.
  */
-declare function runValidate(options: ValidateOptions): ValidateResult;
+declare function runValidate(options: ValidateOptions): Promise<ValidateResult>;
 
 export { type ValidateOptions, type ValidateResult, type ValidationIssue, hasGlasstraceImport, hasRegisterGlasstraceImport, runValidate };

package/dist/cli/validate.js

@@ -1,3 +1,9 @@
+import {
+  identityFingerprint,
+  readMcpMarker,
+  resolveEffectiveMcpCredential
+} from "../chunk-3LILTM3T.js";
+import "../chunk-X5MAXP5T.js";
 import "../chunk-NSBPE2FW.js";
 
 // src/cli/validate.ts
@@ -7,7 +13,8 @@ var MCP_CONFIG_CANDIDATES = [
   ".mcp.json",
   ".cursor/mcp.json",
   ".gemini/settings.json",
-  ".codex/config.toml"
+  ".codex/config.toml",
+  ".glasstrace/mcp.json"
 ];
 function hasGlasstraceImport(content) {
   return /@glasstrace\/sdk/.test(content);
@@ -18,7 +25,7 @@ function hasRegisterGlasstraceImport(content) {
   if (!importMatch) return false;
   return importMatch[1].split(",").map((s) => s.trim()).includes("registerGlasstrace");
 }
-function runValidate(options) {
+async function runValidate(options) {
   const { projectRoot } = options;
   const issues = [];
   const glasstraceDir = path.join(projectRoot, ".glasstrace");
@@ -63,6 +70,22 @@ function runValidate(options) {
       fix: "Run `npx glasstrace init` to re-register the marker, or `npx glasstrace uninit` to fully remove MCP configuration."
     });
   }
+  if (markerExists) {
+    try {
+      const [markerState, resolved] = await Promise.all([
+        readMcpMarker(projectRoot),
+        resolveEffectiveMcpCredential(projectRoot)
+      ]);
+      if (markerState.status === "valid" && resolved.effective !== null && markerState.credentialHash !== identityFingerprint(resolved.effective.key)) {
+        issues.push({
+          code: "mcp-helper-stale-credential",
+          message: "Managed MCP configs were last refreshed with a different credential than the project is now using. MCP queries may return no traces while the dashboard sees them.",
+          fix: "Run `npx glasstrace mcp add --force` to refresh managed MCP configs with the current credential."
+        });
+      }
+    } catch {
+    }
+  }
   const summary = [];
   if (issues.length === 0) {
     summary.push("Glasstrace install state is consistent.");

package/dist/cli/validate.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/cli/validate.ts"],"sourcesContent":["import * as fs from \"node:fs\";\nimport * as path from \"node:path\";\n\n/**\n * A single artifact-state inconsistency detected by `sdk init --validate`.\n */\nexport interface ValidationIssue {\n  /** Stable machine-readable identifier for the issue class. */\n  code:\n    | \"glasstrace-dir-without-register-import\"\n    | \"sdk-import-without-glasstrace-dir\"\n    | \"mcp-marker-without-configs\"\n    | \"mcp-configs-without-marker\";\n  /** Human-readable message describing the inconsistency. */\n  message: string;\n  /** Suggested command or manual action to resolve the issue. */\n  fix: string;\n}\n\n/** Options for `runValidate`. */\nexport interface ValidateOptions {\n  projectRoot: string;\n}\n\n/** Structured result of running the validator. */\nexport interface ValidateResult {\n  /** Zero when no issues; non-zero when any issue is detected. */\n  exitCode: number;\n  /** Ordered lines of human-friendly summary output. */\n  summary: string[];\n  /** Detailed per-issue findings. */\n  issues: ValidationIssue[];\n}\n\n/** MCP config files init may create. Used to detect stale state. */\nconst MCP_CONFIG_CANDIDATES = [\n  \".mcp.json\",\n  \".cursor/mcp.json\",\n  \".gemini/settings.json\",\n  \".codex/config.toml\",\n] as const;\n\n/**\n * Returns true when the given instrumentation file imports\n * `@glasstrace/sdk` (which includes the `registerGlasstrace` import\n * emitted by `sdk init`).\n *\n * @internal Exported for unit testing only.\n */\nexport function hasGlasstraceImport(content: string): boolean {\n  return /@glasstrace\\/sdk/.test(content);\n}\n\n/**\n * Returns true when the file imports `registerGlasstrace` specifically\n * (as opposed to other named exports such as `withGlasstraceConfig`).\n *\n * @internal Exported for unit testing only.\n */\nexport function hasRegisterGlasstraceImport(content: string): boolean {\n  // Single- or multi-specifier imports from @glasstrace/sdk that include\n  // `registerGlasstrace` as a named export.\n  const match = /import\\s*\\{([^}]+)\\}\\s*from\\s*[\"']@glasstrace\\/sdk[\"']/;\n  const importMatch = match.exec(content);\n  if (!importMatch) return false;\n  return importMatch[1]\n    .split(\",\")\n    .map((s) => s.trim())\n    .includes(\"registerGlasstrace\");\n}\n\n/**\n * Validates consistency between the filesystem artifacts that `sdk init`\n * produces (DISC-1247 Scenario 4). Detects four classes of inconsistency:\n *\n * 1. `.glasstrace/` exists but `instrumentation.ts` does not import\n *    `registerGlasstrace` from `@glasstrace/sdk`.\n * 2. `.glasstrace/` is missing but `instrumentation.ts` still imports\n *    from `@glasstrace/sdk`.\n * 3. `.glasstrace/mcp-connected` marker exists but no MCP config files.\n * 4. MCP config files exist but no `.glasstrace/mcp-connected` marker.\n *\n * Each issue includes a stable `code`, a message, and a suggested fix.\n * Exit code is non-zero whenever any issue is detected so CI pipelines\n * can gate on `sdk init --validate`.\n *\n * @param options - Configuration for the validator.\n * @returns A structured result describing detected inconsistencies.\n */\nexport function runValidate(options: ValidateOptions): ValidateResult {\n  const { projectRoot } = options;\n  const issues: ValidationIssue[] = [];\n\n  const glasstraceDir = path.join(projectRoot, \".glasstrace\");\n  const instrumentationPath = path.join(projectRoot, \"instrumentation.ts\");\n  const markerPath = path.join(glasstraceDir, \"mcp-connected\");\n\n  const glasstraceDirExists = isDirectorySafe(glasstraceDir);\n  const instrumentationExists = fs.existsSync(instrumentationPath);\n  const instrumentationContent = instrumentationExists\n    ? safeReadFile(instrumentationPath)\n    : null;\n  const markerExists = fs.existsSync(markerPath);\n\n  const mcpConfigsPresent = MCP_CONFIG_CANDIDATES.filter((rel) =>\n    fs.existsSync(path.join(projectRoot, rel)),\n  );\n\n  // 1. .glasstrace/ present but instrumentation missing the SDK import\n  if (glasstraceDirExists) {\n    if (\n      instrumentationContent === null ||\n      !hasRegisterGlasstraceImport(instrumentationContent)\n    ) {\n      issues.push({\n        code: \"glasstrace-dir-without-register-import\",\n        message:\n          \".glasstrace/ exists but instrumentation.ts is missing the registerGlasstrace import.\",\n        fix: \"Run `npx glasstrace init` to re-scaffold instrumentation.ts, or remove .glasstrace/ if the SDK is no longer in use.\",\n      });\n    }\n  }\n\n  // 2. .glasstrace/ missing but instrumentation still imports the SDK\n  if (!glasstraceDirExists && instrumentationContent !== null) {\n    if (hasGlasstraceImport(instrumentationContent)) {\n      issues.push({\n        code: \"sdk-import-without-glasstrace-dir\",\n        message:\n          \"instrumentation.ts imports from @glasstrace/sdk but .glasstrace/ is missing.\",\n        fix: \"Run `npx glasstrace init` to recreate .glasstrace/, or `npx glasstrace uninit` to fully remove the SDK.\",\n      });\n    }\n  }\n\n  // 3. MCP marker present but no MCP config files exist\n  if (markerExists && mcpConfigsPresent.length === 0) {\n    issues.push({\n      code: \"mcp-marker-without-configs\",\n      message:\n        \".glasstrace/mcp-connected marker is present but no MCP config files were found.\",\n      fix: \"Run `npx glasstrace mcp add --force` to regenerate MCP configs, or delete .glasstrace/mcp-connected.\",\n    });\n  }\n\n  // 4. MCP config files exist but no marker\n  if (!markerExists && mcpConfigsPresent.length > 0) {\n    issues.push({\n      code: \"mcp-configs-without-marker\",\n      message: `MCP config files exist (${mcpConfigsPresent.join(\", \")}) but .glasstrace/mcp-connected marker is missing.`,\n      fix: \"Run `npx glasstrace init` to re-register the marker, or `npx glasstrace uninit` to fully remove MCP configuration.\",\n    });\n  }\n\n  const summary: string[] = [];\n  if (issues.length === 0) {\n    summary.push(\"Glasstrace install state is consistent.\");\n  } else {\n    summary.push(\n      `Detected ${issues.length} inconsistenc${issues.length === 1 ? \"y\" : \"ies\"} in Glasstrace install state:`,\n    );\n  }\n\n  return {\n    exitCode: issues.length > 0 ? 1 : 0,\n    summary,\n    issues,\n  };\n}\n\n/**\n * Reads a file as UTF-8, returning `null` if the file cannot be read.\n */\nfunction safeReadFile(filePath: string): string | null {\n  try {\n    return fs.readFileSync(filePath, \"utf-8\");\n  } catch {\n    return null;\n  }\n}\n\n/**\n * Returns true when the path exists and is a directory. Returns false\n * when the path is missing, is not a directory, or when `statSync`\n * throws (permission denied, TOCTOU race between existsSync and\n * statSync, etc). Validation is best-effort and must not throw — a\n * crash here would turn a reporting tool into a hard failure.\n */\nfunction isDirectorySafe(dirPath: string): boolean {\n  try {\n    if (!fs.existsSync(dirPath)) return false;\n    return fs.statSync(dirPath).isDirectory();\n  } catch {\n    return false;\n  }\n}\n"],"mappings":";;;AAAA,YAAY,QAAQ;AACpB,YAAY,UAAU;AAkCtB,IAAM,wBAAwB;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AASO,SAAS,oBAAoB,SAA0B;AAC5D,SAAO,mBAAmB,KAAK,OAAO;AACxC;AAQO,SAAS,4BAA4B,SAA0B;AAGpE,QAAM,QAAQ;AACd,QAAM,cAAc,MAAM,KAAK,OAAO;AACtC,MAAI,CAAC,YAAa,QAAO;AACzB,SAAO,YAAY,CAAC,EACjB,MAAM,GAAG,EACT,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EACnB,SAAS,oBAAoB;AAClC;AAoBO,SAAS,YAAY,SAA0C;AACpE,QAAM,EAAE,YAAY,IAAI;AACxB,QAAM,SAA4B,CAAC;AAEnC,QAAM,gBAAqB,UAAK,aAAa,aAAa;AAC1D,QAAM,sBAA2B,UAAK,aAAa,oBAAoB;AACvE,QAAM,aAAkB,UAAK,eAAe,eAAe;AAE3D,QAAM,sBAAsB,gBAAgB,aAAa;AACzD,QAAM,wBAA2B,cAAW,mBAAmB;AAC/D,QAAM,yBAAyB,wBAC3B,aAAa,mBAAmB,IAChC;AACJ,QAAM,eAAkB,cAAW,UAAU;AAE7C,QAAM,oBAAoB,sBAAsB;AAAA,IAAO,CAAC,QACnD,cAAgB,UAAK,aAAa,GAAG,CAAC;AAAA,EAC3C;AAGA,MAAI,qBAAqB;AACvB,QACE,2BAA2B,QAC3B,CAAC,4BAA4B,sBAAsB,GACnD;AACA,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN,SACE;AAAA,QACF,KAAK;AAAA,MACP,CAAC;AAAA,IACH;AAAA,EACF;AAGA,MAAI,CAAC,uBAAuB,2BAA2B,MAAM;AAC3D,QAAI,oBAAoB,sBAAsB,GAAG;AAC/C,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN,SACE;AAAA,QACF,KAAK;AAAA,MACP,CAAC;AAAA,IACH;AAAA,EACF;AAGA,MAAI,gBAAgB,kBAAkB,WAAW,GAAG;AAClD,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SACE;AAAA,MACF,KAAK;AAAA,IACP,CAAC;AAAA,EACH;AAGA,MAAI,CAAC,gBAAgB,kBAAkB,SAAS,GAAG;AACjD,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS,2BAA2B,kBAAkB,KAAK,IAAI,CAAC;AAAA,MAChE,KAAK;AAAA,IACP,CAAC;AAAA,EACH;AAEA,QAAM,UAAoB,CAAC;AAC3B,MAAI,OAAO,WAAW,GAAG;AACvB,YAAQ,KAAK,yCAAyC;AAAA,EACxD,OAAO;AACL,YAAQ;AAAA,MACN,YAAY,OAAO,MAAM,gBAAgB,OAAO,WAAW,IAAI,MAAM,KAAK;AAAA,IAC5E;AAAA,EACF;AAEA,SAAO;AAAA,IACL,UAAU,OAAO,SAAS,IAAI,IAAI;AAAA,IAClC;AAAA,IACA;AAAA,EACF;AACF;AAKA,SAAS,aAAa,UAAiC;AACrD,MAAI;AACF,WAAU,gBAAa,UAAU,OAAO;AAAA,EAC1C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AASA,SAAS,gBAAgB,SAA0B;AACjD,MAAI;AACF,QAAI,CAAI,cAAW,OAAO,EAAG,QAAO;AACpC,WAAU,YAAS,OAAO,EAAE,YAAY;AAAA,EAC1C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;","names":[]}
+{"version":3,"sources":["../../src/cli/validate.ts"],"sourcesContent":["import * as fs from \"node:fs\";\nimport * as path from \"node:path\";\nimport {\n  identityFingerprint,\n  readMcpMarker,\n  resolveEffectiveMcpCredential,\n} from \"../mcp-runtime.js\";\n\n/**\n * A single artifact-state inconsistency detected by `sdk init --validate`.\n */\nexport interface ValidationIssue {\n  /** Stable machine-readable identifier for the issue class. */\n  code:\n    | \"glasstrace-dir-without-register-import\"\n    | \"sdk-import-without-glasstrace-dir\"\n    | \"mcp-marker-without-configs\"\n    | \"mcp-configs-without-marker\"\n    | \"mcp-helper-stale-credential\";\n  /** Human-readable message describing the inconsistency. */\n  message: string;\n  /** Suggested command or manual action to resolve the issue. */\n  fix: string;\n}\n\n/** Options for `runValidate`. */\nexport interface ValidateOptions {\n  projectRoot: string;\n}\n\n/** Structured result of running the validator. */\nexport interface ValidateResult {\n  /** Zero when no issues; non-zero when any issue is detected. */\n  exitCode: number;\n  /** Ordered lines of human-friendly summary output. */\n  summary: string[];\n  /** Detailed per-issue findings. */\n  issues: ValidationIssue[];\n}\n\n/**\n * MCP config files init or `mcp add` may create. Used by issue classes\n * 3 and 4 to detect marker/config drift. The SDK-managed generic\n * helper at `.glasstrace/mcp.json` is included so generic-only\n * installs (e.g. CI-mode init, or workspaces whose only consumer is\n * the validation/debug query helper) validate cleanly instead of\n * being incorrectly reported as `mcp-marker-without-configs`.\n */\nconst MCP_CONFIG_CANDIDATES = [\n  \".mcp.json\",\n  \".cursor/mcp.json\",\n  \".gemini/settings.json\",\n  \".codex/config.toml\",\n  \".glasstrace/mcp.json\",\n] as const;\n\n/**\n * Returns true when the given instrumentation file imports\n * `@glasstrace/sdk` (which includes the `registerGlasstrace` import\n * emitted by `sdk init`).\n *\n * @internal Exported for unit testing only.\n */\nexport function hasGlasstraceImport(content: string): boolean {\n  return /@glasstrace\\/sdk/.test(content);\n}\n\n/**\n * Returns true when the file imports `registerGlasstrace` specifically\n * (as opposed to other named exports such as `withGlasstraceConfig`).\n *\n * @internal Exported for unit testing only.\n */\nexport function hasRegisterGlasstraceImport(content: string): boolean {\n  // Single- or multi-specifier imports from @glasstrace/sdk that include\n  // `registerGlasstrace` as a named export.\n  const match = /import\\s*\\{([^}]+)\\}\\s*from\\s*[\"']@glasstrace\\/sdk[\"']/;\n  const importMatch = match.exec(content);\n  if (!importMatch) return false;\n  return importMatch[1]\n    .split(\",\")\n    .map((s) => s.trim())\n    .includes(\"registerGlasstrace\");\n}\n\n/**\n * Validates consistency between the filesystem artifacts that `sdk init`\n * produces (DISC-1247 Scenario 4). Detects five classes of inconsistency:\n *\n * 1. `.glasstrace/` exists but `instrumentation.ts` does not import\n *    `registerGlasstrace` from `@glasstrace/sdk`.\n * 2. `.glasstrace/` is missing but `instrumentation.ts` still imports\n *    from `@glasstrace/sdk`.\n * 3. `.glasstrace/mcp-connected` marker exists but no MCP config files.\n * 4. MCP config files exist but no `.glasstrace/mcp-connected` marker.\n * 5. `.glasstrace/mcp-connected` marker records a credential identity\n *    that no longer matches the project's effective MCP credential\n *    (e.g. project moved from anon to account/dev-key but the managed\n *    helper config still embeds the anon bearer — DISC-1512).\n *\n * Each issue includes a stable `code`, a message, and a suggested fix.\n * Exit code is non-zero whenever any issue is detected so CI pipelines\n * can gate on `sdk init --validate`.\n *\n * @param options - Configuration for the validator.\n * @returns A structured result describing detected inconsistencies.\n */\nexport async function runValidate(options: ValidateOptions): Promise<ValidateResult> {\n  const { projectRoot } = options;\n  const issues: ValidationIssue[] = [];\n\n  const glasstraceDir = path.join(projectRoot, \".glasstrace\");\n  const instrumentationPath = path.join(projectRoot, \"instrumentation.ts\");\n  const markerPath = path.join(glasstraceDir, \"mcp-connected\");\n\n  const glasstraceDirExists = isDirectorySafe(glasstraceDir);\n  const instrumentationExists = fs.existsSync(instrumentationPath);\n  const instrumentationContent = instrumentationExists\n    ? safeReadFile(instrumentationPath)\n    : null;\n  const markerExists = fs.existsSync(markerPath);\n\n  const mcpConfigsPresent = MCP_CONFIG_CANDIDATES.filter((rel) =>\n    fs.existsSync(path.join(projectRoot, rel)),\n  );\n\n  // 1. .glasstrace/ present but instrumentation missing the SDK import\n  if (glasstraceDirExists) {\n    if (\n      instrumentationContent === null ||\n      !hasRegisterGlasstraceImport(instrumentationContent)\n    ) {\n      issues.push({\n        code: \"glasstrace-dir-without-register-import\",\n        message:\n          \".glasstrace/ exists but instrumentation.ts is missing the registerGlasstrace import.\",\n        fix: \"Run `npx glasstrace init` to re-scaffold instrumentation.ts, or remove .glasstrace/ if the SDK is no longer in use.\",\n      });\n    }\n  }\n\n  // 2. .glasstrace/ missing but instrumentation still imports the SDK\n  if (!glasstraceDirExists && instrumentationContent !== null) {\n    if (hasGlasstraceImport(instrumentationContent)) {\n      issues.push({\n        code: \"sdk-import-without-glasstrace-dir\",\n        message:\n          \"instrumentation.ts imports from @glasstrace/sdk but .glasstrace/ is missing.\",\n        fix: \"Run `npx glasstrace init` to recreate .glasstrace/, or `npx glasstrace uninit` to fully remove the SDK.\",\n      });\n    }\n  }\n\n  // 3. MCP marker present but no MCP config files exist\n  if (markerExists && mcpConfigsPresent.length === 0) {\n    issues.push({\n      code: \"mcp-marker-without-configs\",\n      message:\n        \".glasstrace/mcp-connected marker is present but no MCP config files were found.\",\n      fix: \"Run `npx glasstrace mcp add --force` to regenerate MCP configs, or delete .glasstrace/mcp-connected.\",\n    });\n  }\n\n  // 4. MCP config files exist but no marker\n  if (!markerExists && mcpConfigsPresent.length > 0) {\n    issues.push({\n      code: \"mcp-configs-without-marker\",\n      message: `MCP config files exist (${mcpConfigsPresent.join(\", \")}) but .glasstrace/mcp-connected marker is missing.`,\n      fix: \"Run `npx glasstrace init` to re-register the marker, or `npx glasstrace uninit` to fully remove MCP configuration.\",\n    });\n  }\n\n  // 5. Marker records a credential identity that no longer matches\n  // the project's effective MCP credential. Catches the DISC-1512\n  // case where `.glasstrace/config` is linked to an account and\n  // `.env.local` carries a dev key, but managed MCP configs still\n  // embed an anon bearer (so MCP queries are scoped to anon rows\n  // while ingestion writes account-scoped traces).\n  if (markerExists) {\n    try {\n      const [markerState, resolved] = await Promise.all([\n        readMcpMarker(projectRoot),\n        resolveEffectiveMcpCredential(projectRoot),\n      ]);\n      if (\n        markerState.status === \"valid\" &&\n        resolved.effective !== null &&\n        markerState.credentialHash !== identityFingerprint(resolved.effective.key)\n      ) {\n        issues.push({\n          code: \"mcp-helper-stale-credential\",\n          message:\n            \"Managed MCP configs were last refreshed with a different credential than the project is now using. MCP queries may return no traces while the dashboard sees them.\",\n          fix: \"Run `npx glasstrace mcp add --force` to refresh managed MCP configs with the current credential.\",\n        });\n      }\n    } catch {\n      // Validation is best-effort and must not throw — credential\n      // resolution failures here are silent and leave the issue\n      // unflagged. Other classes still apply.\n    }\n  }\n\n  const summary: string[] = [];\n  if (issues.length === 0) {\n    summary.push(\"Glasstrace install state is consistent.\");\n  } else {\n    summary.push(\n      `Detected ${issues.length} inconsistenc${issues.length === 1 ? \"y\" : \"ies\"} in Glasstrace install state:`,\n    );\n  }\n\n  return {\n    exitCode: issues.length > 0 ? 1 : 0,\n    summary,\n    issues,\n  };\n}\n\n/**\n * Reads a file as UTF-8, returning `null` if the file cannot be read.\n */\nfunction safeReadFile(filePath: string): string | null {\n  try {\n    return fs.readFileSync(filePath, \"utf-8\");\n  } catch {\n    return null;\n  }\n}\n\n/**\n * Returns true when the path exists and is a directory. Returns false\n * when the path is missing, is not a directory, or when `statSync`\n * throws (permission denied, TOCTOU race between existsSync and\n * statSync, etc). Validation is best-effort and must not throw — a\n * crash here would turn a reporting tool into a hard failure.\n */\nfunction isDirectorySafe(dirPath: string): boolean {\n  try {\n    if (!fs.existsSync(dirPath)) return false;\n    return fs.statSync(dirPath).isDirectory();\n  } catch {\n    return false;\n  }\n}\n"],"mappings":";;;;;;;;;AAAA,YAAY,QAAQ;AACpB,YAAY,UAAU;AA+CtB,IAAM,wBAAwB;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AASO,SAAS,oBAAoB,SAA0B;AAC5D,SAAO,mBAAmB,KAAK,OAAO;AACxC;AAQO,SAAS,4BAA4B,SAA0B;AAGpE,QAAM,QAAQ;AACd,QAAM,cAAc,MAAM,KAAK,OAAO;AACtC,MAAI,CAAC,YAAa,QAAO;AACzB,SAAO,YAAY,CAAC,EACjB,MAAM,GAAG,EACT,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EACnB,SAAS,oBAAoB;AAClC;AAwBA,eAAsB,YAAY,SAAmD;AACnF,QAAM,EAAE,YAAY,IAAI;AACxB,QAAM,SAA4B,CAAC;AAEnC,QAAM,gBAAqB,UAAK,aAAa,aAAa;AAC1D,QAAM,sBAA2B,UAAK,aAAa,oBAAoB;AACvE,QAAM,aAAkB,UAAK,eAAe,eAAe;AAE3D,QAAM,sBAAsB,gBAAgB,aAAa;AACzD,QAAM,wBAA2B,cAAW,mBAAmB;AAC/D,QAAM,yBAAyB,wBAC3B,aAAa,mBAAmB,IAChC;AACJ,QAAM,eAAkB,cAAW,UAAU;AAE7C,QAAM,oBAAoB,sBAAsB;AAAA,IAAO,CAAC,QACnD,cAAgB,UAAK,aAAa,GAAG,CAAC;AAAA,EAC3C;AAGA,MAAI,qBAAqB;AACvB,QACE,2BAA2B,QAC3B,CAAC,4BAA4B,sBAAsB,GACnD;AACA,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN,SACE;AAAA,QACF,KAAK;AAAA,MACP,CAAC;AAAA,IACH;AAAA,EACF;AAGA,MAAI,CAAC,uBAAuB,2BAA2B,MAAM;AAC3D,QAAI,oBAAoB,sBAAsB,GAAG;AAC/C,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN,SACE;AAAA,QACF,KAAK;AAAA,MACP,CAAC;AAAA,IACH;AAAA,EACF;AAGA,MAAI,gBAAgB,kBAAkB,WAAW,GAAG;AAClD,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SACE;AAAA,MACF,KAAK;AAAA,IACP,CAAC;AAAA,EACH;AAGA,MAAI,CAAC,gBAAgB,kBAAkB,SAAS,GAAG;AACjD,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS,2BAA2B,kBAAkB,KAAK,IAAI,CAAC;AAAA,MAChE,KAAK;AAAA,IACP,CAAC;AAAA,EACH;AAQA,MAAI,cAAc;AAChB,QAAI;AACF,YAAM,CAAC,aAAa,QAAQ,IAAI,MAAM,QAAQ,IAAI;AAAA,QAChD,cAAc,WAAW;AAAA,QACzB,8BAA8B,WAAW;AAAA,MAC3C,CAAC;AACD,UACE,YAAY,WAAW,WACvB,SAAS,cAAc,QACvB,YAAY,mBAAmB,oBAAoB,SAAS,UAAU,GAAG,GACzE;AACA,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SACE;AAAA,UACF,KAAK;AAAA,QACP,CAAC;AAAA,MACH;AAAA,IACF,QAAQ;AAAA,IAIR;AAAA,EACF;AAEA,QAAM,UAAoB,CAAC;AAC3B,MAAI,OAAO,WAAW,GAAG;AACvB,YAAQ,KAAK,yCAAyC;AAAA,EACxD,OAAO;AACL,YAAQ;AAAA,MACN,YAAY,OAAO,MAAM,gBAAgB,OAAO,WAAW,IAAI,MAAM,KAAK;AAAA,IAC5E;AAAA,EACF;AAEA,SAAO;AAAA,IACL,UAAU,OAAO,SAAS,IAAI,IAAI;AAAA,IAClC;AAAA,IACA;AAAA,EACF;AACF;AAKA,SAAS,aAAa,UAAiC;AACrD,MAAI;AACF,WAAU,gBAAa,UAAU,OAAO;AAAA,EAC1C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AASA,SAAS,gBAAgB,SAA0B;AACjD,MAAI;AACF,QAAI,CAAI,cAAW,OAAO,EAAG,QAAO;AACpC,WAAU,YAAS,OAAO,EAAE,YAAY;AAAA,EAC1C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/index.cjs

@@ -18033,6 +18033,128 @@ init_esm();
 init_dist();
 init_console_capture();
 init_error_nudge();
+
+// src/error-response-body.ts
+var ERROR_RESPONSE_BODY_MAX_BYTES = 4096;
+var ERROR_RESPONSE_BODY_TRUNCATION_MARKER = "...[truncated]";
+var REDACTED = "[REDACTED]";
+var ERROR_STATUS_MIN = 400;
+var ERROR_STATUS_MAX = 599;
+function isHttpErrorStatus(status) {
+  let numeric;
+  if (typeof status === "number") {
+    numeric = status;
+  } else if (typeof status === "string" && status.length > 0) {
+    numeric = Number(status);
+  } else {
+    return false;
+  }
+  if (!Number.isFinite(numeric)) return false;
+  return numeric >= ERROR_STATUS_MIN && numeric <= ERROR_STATUS_MAX;
+}
+var REDACTION_PATTERNS = [
+  // Order matters: redact specific token shapes BEFORE the generic
+  // key=value catcher so a literal `Bearer eyJ…` collapses into a single
+  // [REDACTED] and the JWT regex does not separately match the suffix.
+  {
+    name: "bearer",
+    // Case-insensitive on the scheme: HTTP frameworks and proxies
+    // round-trip the auth scheme with inconsistent casing
+    // (`Bearer`, `bearer`, `BEARER`), and a real token leaks just as
+    // badly under any of them.
+    pattern: /\bBearer\s+[A-Za-z0-9._\-+/=]+/gi
+  },
+  {
+    name: "jwt",
+    // Three base64url segments separated by dots. Real JWTs encode at
+    // minimum a small JSON header in the first segment, which alone is
+    // typically ≥10 chars after base64url; a 16-char floor avoids false
+    // positives on dotted text like a stack-trace frame
+    // (`react.dom.server`) while still catching every real JWT we have
+    // seen in the wild. Anchored with word boundaries on both sides so
+    // a 3-dot semantic version like "next@15.4.1.2" does not match.
+    pattern: /\b[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g
+  },
+  {
+    name: "glasstrace-api-key",
+    // gt_dev_* and gt_anon_* keys are >=24 chars of [A-Za-z0-9].
+    pattern: /\bgt_(?:dev|anon)_[A-Za-z0-9]{16,}\b/g
+  },
+  {
+    name: "aws-access-key",
+    // 20-char prefix-fixed identifier.
+    pattern: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g
+  },
+  {
+    name: "key-value-secret-quoted",
+    // Quoted-string variant: (key) [:=] "<value>". The value runs to
+    // the next unescaped closing quote so a multi-word secret like
+    // `password="my secret phrase"` is fully consumed instead of
+    // splitting at the first space and leaving the tail visible.
+    // The leading `(?<![A-Za-z0-9_])` prevents matching inside
+    // identifiers like `passwordless`. The trailing `"?` after the
+    // keyword absorbs the closing quote in JSON-style `"apikey":
+    // "value"` so the colon is still seen as the separator.
+    pattern: /(?<![A-Za-z0-9_])(?:api[_-]?key|apikey|secret|password|token)"?\s*[:=]\s*"(?:[^"\\]|\\.)*"/gi
+  },
+  {
+    name: "key-value-secret-bare",
+    // Unquoted variant: (key) [:=] <bare-value>. The bare value
+    // capture stops at common JSON/text delimiters so we redact only
+    // the value, not surrounding structure. Listed AFTER the quoted
+    // variant so a quoted value's surrounding `"` are consumed by
+    // the first pattern and we never fall through here for a quoted
+    // secret.
+    pattern: /(?<![A-Za-z0-9_])(?:api[_-]?key|apikey|secret|password|token)"?\s*[:=]\s*[^\s,;}\]"]+/gi
+  }
+];
+function sanitizeErrorResponseBody(body) {
+  let out = body;
+  for (const { pattern } of REDACTION_PATTERNS) {
+    out = out.replace(pattern, REDACTED);
+  }
+  return out;
+}
+function truncateErrorResponseBody(body) {
+  const encoder = new TextEncoder();
+  const encoded = encoder.encode(body);
+  if (encoded.byteLength <= ERROR_RESPONSE_BODY_MAX_BYTES) {
+    return body;
+  }
+  let cut = ERROR_RESPONSE_BODY_MAX_BYTES;
+  let scan = cut - 1;
+  while (scan >= 0 && (encoded[scan] & 192) === 128) {
+    scan -= 1;
+  }
+  if (scan >= 0) {
+    const leading = encoded[scan];
+    let expected = 1;
+    if ((leading & 128) === 0) {
+      expected = 1;
+    } else if ((leading & 224) === 192) {
+      expected = 2;
+    } else if ((leading & 240) === 224) {
+      expected = 3;
+    } else if ((leading & 248) === 240) {
+      expected = 4;
+    }
+    if (scan + expected > cut) {
+      cut = scan;
+    }
+  }
+  const decoder = new TextDecoder("utf-8", { fatal: false });
+  const sliced = encoded.subarray(0, cut);
+  const decoded = decoder.decode(sliced);
+  return decoded + ERROR_RESPONSE_BODY_TRUNCATION_MARKER;
+}
+function prepareErrorResponseBody(body) {
+  if (body.length === 0) return null;
+  if (body.trim().length === 0) return null;
+  const sanitized = sanitizeErrorResponseBody(body);
+  return truncateErrorResponseBody(sanitized);
+}
+
+// src/enriching-exporter.ts
 var ATTR = GLASSTRACE_ATTRIBUTE_NAMES;
 var API_KEY_PENDING = "pending";
 var MAX_PENDING_SPANS = 1024;
@@ -18260,7 +18382,14 @@ var GlasstraceExporter = class {
       if (this.getConfig().errorResponseBodies) {
         const responseBody = attrs["glasstrace.internal.response_body"];
         if (typeof responseBody === "string") {
-          extra[ATTR.ERROR_RESPONSE_BODY] = responseBody.slice(0, 500);
+          const enrichedStatus = extra[ATTR.HTTP_STATUS_CODE];
+          const effectiveStatus = typeof enrichedStatus === "number" ? enrichedStatus : statusCode;
+          if (isHttpErrorStatus(effectiveStatus)) {
+            const prepared = prepareErrorResponseBody(responseBody);
+            if (prepared !== null) {
+              extra[ATTR.ERROR_RESPONSE_BODY] = prepared;
+            }
+          }
         }
       }
       const spanAny = span;
@@ -22126,7 +22255,7 @@ function registerGlasstrace(options) {
     setCoreState(CoreState.REGISTERING);
     startRuntimeStateWriter({
       projectRoot: process.cwd(),
-      sdkVersion: "1.1.1"
+      sdkVersion: "1.1.2"
     });
     const config2 = resolveConfig(options);
     if (config2.verbose) {
@@ -22292,8 +22421,8 @@ async function backgroundInit(config2, anonKeyForInit, generation) {
   if (config2.verbose) {
     console.info("[glasstrace] Background init firing.");
   }
-  const healthReport = collectHealthReport("1.1.1");
-  const initResult = await performInit(config2, anonKeyForInit, "1.1.1", healthReport);
+  const healthReport = collectHealthReport("1.1.2");
+  const initResult = await performInit(config2, anonKeyForInit, "1.1.2", healthReport);
   if (generation !== registrationGeneration) return;
   const currentState = getCoreState();
   if (currentState === CoreState.SHUTTING_DOWN || currentState === CoreState.SHUTDOWN) {
@@ -22316,7 +22445,7 @@ async function backgroundInit(config2, anonKeyForInit, generation) {
   }
   maybeInstallConsoleCapture();
   if (didLastInitSucceed()) {
-    startHeartbeat(config2, anonKeyForInit, "1.1.1", generation, (newApiKey, accountId) => {
+    startHeartbeat(config2, anonKeyForInit, "1.1.2", generation, (newApiKey, accountId) => {
       setAuthState(AuthState.CLAIMING);
       emitLifecycleEvent("auth:claim_started", { accountId });
       setResolvedApiKey(newApiKey);