@glasstrace/sdk 1.1.1 → 1.1.3

package/dist/index.d.cts

@@ -88,15 +88,18 @@ declare function getOrCreateAnonKey(projectRoot?: string): Promise<AnonApiKey>;
  */
 declare function loadCachedConfig(projectRoot?: string): SdkInitResponse | null;
 /**
- * Persists the init response to `.glasstrace/config` using atomic
- * write-temp + rename semantics. Silently skipped when `node:fs` is
- * unavailable (non-Node environments). On I/O failure, logs a warning.
- *
- * Atomicity: the payload is written to `.glasstrace/config.tmp` and then
- * renamed into place. `rename` is atomic on POSIX filesystems, so readers
- * either see the previous valid config or the new valid config — never a
- * truncated or partially-written file (DISC-1247 Scenario 5). If the
- * rename fails, the temp file is cleaned up on a best-effort basis.
+ * Persists the init response to `.glasstrace/config` using the SDK 2.0
+ * atomic-write protocol (`tmp + fsync(tmp) + rename + fsync(parent)`).
+ * Silently skipped when `node:fs` is unavailable (non-Node environments).
+ * On I/O failure, logs a warning.
+ *
+ * Atomicity: the payload is written to `.glasstrace/config.tmp`, fsynced
+ * to durable storage, then renamed into place; the parent directory is
+ * fsynced last so the rename survives an immediate crash. `rename` is
+ * atomic on POSIX filesystems, so readers either see the previous valid
+ * config or the new valid config — never a truncated or partially-written
+ * file (DISC-1247 Scenario 5). If any step fails, the temp file is
+ * cleaned up on a best-effort basis.
  */
 declare function saveCachedConfig(response: SdkInitResponse, projectRoot?: string): Promise<void>;
 /**

package/dist/index.d.ts

@@ -88,15 +88,18 @@ declare function getOrCreateAnonKey(projectRoot?: string): Promise<AnonApiKey>;
  */
 declare function loadCachedConfig(projectRoot?: string): SdkInitResponse | null;
 /**
- * Persists the init response to `.glasstrace/config` using atomic
- * write-temp + rename semantics. Silently skipped when `node:fs` is
- * unavailable (non-Node environments). On I/O failure, logs a warning.
- *
- * Atomicity: the payload is written to `.glasstrace/config.tmp` and then
- * renamed into place. `rename` is atomic on POSIX filesystems, so readers
- * either see the previous valid config or the new valid config — never a
- * truncated or partially-written file (DISC-1247 Scenario 5). If the
- * rename fails, the temp file is cleaned up on a best-effort basis.
+ * Persists the init response to `.glasstrace/config` using the SDK 2.0
+ * atomic-write protocol (`tmp + fsync(tmp) + rename + fsync(parent)`).
+ * Silently skipped when `node:fs` is unavailable (non-Node environments).
+ * On I/O failure, logs a warning.
+ *
+ * Atomicity: the payload is written to `.glasstrace/config.tmp`, fsynced
+ * to durable storage, then renamed into place; the parent directory is
+ * fsynced last so the rename survives an immediate crash. `rename` is
+ * atomic on POSIX filesystems, so readers either see the previous valid
+ * config or the new valid config — never a truncated or partially-written
+ * file (DISC-1247 Scenario 5). If any step fails, the temp file is
+ * cleaned up on a best-effort basis.
  */
 declare function saveCachedConfig(response: SdkInitResponse, projectRoot?: string): Promise<void>;
 /**

package/dist/index.js

@@ -12,7 +12,7 @@ import {
   registerGlasstrace,
   waitForReady,
   withGlasstraceConfig
-} from "./chunk-Y26HJUPD.js";
+} from "./chunk-FGDS33I2.js";
 import {
   GlasstraceSpanProcessor,
   SdkError,
@@ -27,7 +27,7 @@ import {
   performInit,
   saveCachedConfig,
   sendInitRequest
-} from "./chunk-MXDZHFJQ.js";
+} from "./chunk-JKI4OCFV.js";
 import {
   isAnonymousMode,
   isProductionDisabled,
@@ -37,7 +37,7 @@ import {
 import {
   getOrCreateAnonKey,
   readAnonKey
-} from "./chunk-P22UQ2OJ.js";
+} from "./chunk-TWTWRJ25.js";
 import {
   deriveSessionId
 } from "./chunk-X5MAXP5T.js";

package/dist/{monorepo-GSL6JD3G.js → monorepo-PFVNPQ6X.js}

@@ -3,10 +3,8 @@ import {
   isMonorepoRoot,
   parsePnpmWorkspaceYaml,
   resolveProjectRoot
-} from "./chunk-DIM4JRXM.js";
-import "./chunk-7SZQN6IU.js";
-import "./chunk-P22UQ2OJ.js";
-import "./chunk-X5MAXP5T.js";
+} from "./chunk-2M57EO6U.js";
+import "./chunk-NB7GJE4S.js";
 import "./chunk-NSBPE2FW.js";
 export {
   findNextJsApps,
@@ -14,4 +12,4 @@ export {
   parsePnpmWorkspaceYaml,
   resolveProjectRoot
 };
-//# sourceMappingURL=monorepo-GSL6JD3G.js.map
+//# sourceMappingURL=monorepo-PFVNPQ6X.js.map

package/dist/node-entry.cjs

@@ -17495,6 +17495,208 @@ function sleep(ms, scheduler, signal) {
 // src/mcp-runtime.ts
 var import_node_crypto = require("node:crypto");
 init_dist();
+
+// src/atomic-write.ts
+function parentDir(filePath) {
+  const lastSlash = filePath.lastIndexOf("/");
+  const lastBackslash = filePath.lastIndexOf("\\");
+  const lastSep = Math.max(lastSlash, lastBackslash);
+  if (lastSep < 0) return ".";
+  if (lastSep === 0) return filePath.slice(0, 1);
+  return filePath.slice(0, lastSep);
+}
+var PARENT_FSYNC_SWALLOWED_CODES = /* @__PURE__ */ new Set([
+  "EISDIR",
+  "EINVAL",
+  "EPERM",
+  "ENOTSUP"
+]);
+function errnoCodeOf(err) {
+  if (err === null || typeof err !== "object") return void 0;
+  const code = err.code;
+  return typeof code === "string" ? code : void 0;
+}
+function defaultTmpPath(targetPath) {
+  return `${targetPath}.tmp`;
+}
+var fsPromisesCache;
+var fsSyncCache;
+async function loadFsPromises() {
+  if (fsPromisesCache !== void 0) {
+    if (fsPromisesCache === null) {
+      throw new Error(
+        "node:fs/promises is unavailable in this environment; atomicWriteFile cannot be used here."
+      );
+    }
+    return fsPromisesCache;
+  }
+  try {
+    fsPromisesCache = await import("node:fs/promises");
+    return fsPromisesCache;
+  } catch {
+    fsPromisesCache = null;
+    throw new Error(
+      "node:fs/promises is unavailable in this environment; atomicWriteFile cannot be used here."
+    );
+  }
+}
+function loadFsSync() {
+  if (fsSyncCache !== void 0) {
+    if (fsSyncCache === null) {
+      throw new Error(
+        "node:fs is unavailable in this environment; atomicWriteFileSync cannot be used here."
+      );
+    }
+    return fsSyncCache;
+  }
+  try {
+    fsSyncCache = require("node:fs");
+    return fsSyncCache;
+  } catch {
+    fsSyncCache = null;
+    throw new Error(
+      "node:fs is unavailable in this environment; atomicWriteFileSync cannot be used here."
+    );
+  }
+}
+async function atomicWriteFile(targetPath, payload, options = {}) {
+  return atomicWriteFileWithTmp(targetPath, defaultTmpPath(targetPath), payload, options);
+}
+async function atomicWriteFileWithTmp(targetPath, tmpPath, payload, options = {}) {
+  const mode = options.mode ?? 384;
+  const encoding = options.encoding ?? "utf-8";
+  const fsp = await loadFsPromises();
+  let handle = null;
+  try {
+    if (typeof payload === "string") {
+      await fsp.writeFile(tmpPath, payload, { encoding, mode });
+    } else {
+      await fsp.writeFile(tmpPath, payload, { mode });
+    }
+    await fsp.chmod(tmpPath, mode);
+    handle = await fsp.open(tmpPath, "r");
+    await handle.sync();
+    await handle.close();
+    handle = null;
+    await fsp.rename(tmpPath, targetPath);
+  } catch (err) {
+    if (handle !== null) {
+      try {
+        await handle.close();
+      } catch {
+      }
+    }
+    await removeTmpResidueAsync(fsp, tmpPath);
+    throw err;
+  }
+  await fsyncParentDirAsync(targetPath, fsp);
+}
+async function removeTmpResidueAsync(fsp, tmpPath) {
+  try {
+    await fsp.unlink(tmpPath);
+    return;
+  } catch (err) {
+    const code = errnoCodeOf(err);
+    if (code !== "EISDIR" && code !== "EPERM") {
+      return;
+    }
+  }
+  try {
+    await fsp.rmdir(tmpPath);
+  } catch {
+  }
+}
+async function fsyncParentDirAsync(targetPath, fsp) {
+  const parent = parentDir(targetPath);
+  let handle = null;
+  try {
+    handle = await fsp.open(parent, "r");
+    await handle.sync();
+  } catch (err) {
+    const code = errnoCodeOf(err);
+    if (code !== void 0 && PARENT_FSYNC_SWALLOWED_CODES.has(code)) {
+      return;
+    }
+    throw err;
+  } finally {
+    if (handle !== null) {
+      try {
+        await handle.close();
+      } catch {
+      }
+    }
+  }
+}
+function atomicWriteFileSync(targetPath, payload, options = {}) {
+  atomicWriteFileSyncWithTmp(targetPath, defaultTmpPath(targetPath), payload, options);
+}
+function atomicWriteFileSyncWithTmp(targetPath, tmpPath, payload, options = {}) {
+  const mode = options.mode ?? 384;
+  const encoding = options.encoding ?? "utf-8";
+  const fs4 = loadFsSync();
+  let fd = null;
+  try {
+    if (typeof payload === "string") {
+      fs4.writeFileSync(tmpPath, payload, { encoding, mode });
+    } else {
+      fs4.writeFileSync(tmpPath, payload, { mode });
+    }
+    fs4.chmodSync(tmpPath, mode);
+    fd = fs4.openSync(tmpPath, "r");
+    fs4.fsyncSync(fd);
+    fs4.closeSync(fd);
+    fd = null;
+    fs4.renameSync(tmpPath, targetPath);
+  } catch (err) {
+    if (fd !== null) {
+      try {
+        fs4.closeSync(fd);
+      } catch {
+      }
+    }
+    removeTmpResidueSync(fs4, tmpPath);
+    throw err;
+  }
+  fsyncParentDirSyncWithFs(targetPath, fs4);
+}
+function removeTmpResidueSync(fs4, tmpPath) {
+  try {
+    fs4.unlinkSync(tmpPath);
+    return;
+  } catch (err) {
+    const code = errnoCodeOf(err);
+    if (code !== "EISDIR" && code !== "EPERM") {
+      return;
+    }
+  }
+  try {
+    fs4.rmdirSync(tmpPath);
+  } catch {
+  }
+}
+function fsyncParentDirSyncWithFs(targetPath, fs4) {
+  const parent = parentDir(targetPath);
+  let fd = null;
+  try {
+    fd = fs4.openSync(parent, "r");
+    fs4.fsyncSync(fd);
+  } catch (err) {
+    const code = errnoCodeOf(err);
+    if (code !== void 0 && PARENT_FSYNC_SWALLOWED_CODES.has(code)) {
+      return;
+    }
+    throw err;
+  } finally {
+    if (fd !== null) {
+      try {
+        fs4.closeSync(fd);
+      } catch {
+      }
+    }
+  }
+}
+
+// src/mcp-runtime.ts
 var MCP_ENDPOINT = "https://api.glasstrace.dev/mcp";
 var fsPathCache2;
 async function loadFsPath2() {
@@ -17708,7 +17910,6 @@ async function refreshGenericMcpConfigAtRuntime(projectRoot, effective, anonKeyO
   if (!modules) return { action: "absent" };
   const dirPath = modules.path.join(projectRoot, GLASSTRACE_DIR2);
   const configPath = modules.path.join(dirPath, MCP_CONFIG_FILE);
-  const tmpPath = configPath + ".tmp";
   let existing;
   try {
     existing = await modules.fs.readFile(configPath, "utf-8");
@@ -17725,18 +17926,12 @@ async function refreshGenericMcpConfigAtRuntime(projectRoot, effective, anonKeyO
   }
   const replacement = genericMcpConfigContent(MCP_ENDPOINT, effective.key);
   try {
-    await modules.fs.writeFile(tmpPath, replacement, { mode: 384 });
-    await modules.fs.chmod(tmpPath, 384);
-    await modules.fs.rename(tmpPath, configPath);
+    await atomicWriteFile(configPath, replacement, { mode: 384 });
     await writeMcpMarker(projectRoot, {
       credentialSource: effective.source,
       credentialHash: identityFingerprint(effective.key)
     });
   } catch {
-    try {
-      await modules.fs.unlink(tmpPath);
-    } catch {
-    }
     return { action: "preserved" };
   }
   emitRefreshNudge(effective.source);
@@ -17809,7 +18004,6 @@ async function saveCachedConfig(response, projectRoot) {
   const root = projectRoot ?? process.cwd();
   const dirPath = modules.path.join(root, GLASSTRACE_DIR3);
   const configPath = modules.path.join(dirPath, CONFIG_FILE);
-  const tmpPath = `${configPath}.tmp`;
   try {
     await modules.fs.mkdir(dirPath, { recursive: true, mode: 448 });
     await modules.fs.chmod(dirPath, 448);
@@ -17817,20 +18011,10 @@ async function saveCachedConfig(response, projectRoot) {
       response,
       cachedAt: Date.now()
     };
-    await modules.fs.writeFile(tmpPath, JSON.stringify(cached2), {
+    await atomicWriteFile(configPath, JSON.stringify(cached2), {
       encoding: "utf-8",
       mode: 384
     });
-    try {
-      await modules.fs.chmod(tmpPath, 384);
-      await modules.fs.rename(tmpPath, configPath);
-    } catch (renameErr) {
-      try {
-        await modules.fs.unlink(tmpPath);
-      } catch {
-      }
-      throw renameErr;
-    }
     await modules.fs.chmod(configPath, 384);
   } catch (err) {
     console.warn(
@@ -18109,6 +18293,128 @@ init_esm();
 init_dist();
 init_console_capture();
 init_error_nudge();
+
+// src/error-response-body.ts
+var ERROR_RESPONSE_BODY_MAX_BYTES = 4096;
+var ERROR_RESPONSE_BODY_TRUNCATION_MARKER = "...[truncated]";
+var REDACTED = "[REDACTED]";
+var ERROR_STATUS_MIN = 400;
+var ERROR_STATUS_MAX = 599;
+function isHttpErrorStatus(status) {
+  let numeric;
+  if (typeof status === "number") {
+    numeric = status;
+  } else if (typeof status === "string" && status.length > 0) {
+    numeric = Number(status);
+  } else {
+    return false;
+  }
+  if (!Number.isFinite(numeric)) return false;
+  return numeric >= ERROR_STATUS_MIN && numeric <= ERROR_STATUS_MAX;
+}
+var REDACTION_PATTERNS = [
+  // Order matters: redact specific token shapes BEFORE the generic
+  // key=value catcher so a literal `Bearer eyJ…` collapses into a single
+  // [REDACTED] and the JWT regex does not separately match the suffix.
+  {
+    name: "bearer",
+    // Case-insensitive on the scheme: HTTP frameworks and proxies
+    // round-trip the auth scheme with inconsistent casing
+    // (`Bearer`, `bearer`, `BEARER`), and a real token leaks just as
+    // badly under any of them.
+    pattern: /\bBearer\s+[A-Za-z0-9._\-+/=]+/gi
+  },
+  {
+    name: "jwt",
+    // Three base64url segments separated by dots. Real JWTs encode at
+    // minimum a small JSON header in the first segment, which alone is
+    // typically ≥10 chars after base64url; a 16-char floor avoids false
+    // positives on dotted text like a stack-trace frame
+    // (`react.dom.server`) while still catching every real JWT we have
+    // seen in the wild. Anchored with word boundaries on both sides so
+    // a 3-dot semantic version like "next@15.4.1.2" does not match.
+    pattern: /\b[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g
+  },
+  {
+    name: "glasstrace-api-key",
+    // gt_dev_* and gt_anon_* keys are >=24 chars of [A-Za-z0-9].
+    pattern: /\bgt_(?:dev|anon)_[A-Za-z0-9]{16,}\b/g
+  },
+  {
+    name: "aws-access-key",
+    // 20-char prefix-fixed identifier.
+    pattern: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g
+  },
+  {
+    name: "key-value-secret-quoted",
+    // Quoted-string variant: (key) [:=] "<value>". The value runs to
+    // the next unescaped closing quote so a multi-word secret like
+    // `password="my secret phrase"` is fully consumed instead of
+    // splitting at the first space and leaving the tail visible.
+    // The leading `(?<![A-Za-z0-9_])` prevents matching inside
+    // identifiers like `passwordless`. The trailing `"?` after the
+    // keyword absorbs the closing quote in JSON-style `"apikey":
+    // "value"` so the colon is still seen as the separator.
+    pattern: /(?<![A-Za-z0-9_])(?:api[_-]?key|apikey|secret|password|token)"?\s*[:=]\s*"(?:[^"\\]|\\.)*"/gi
+  },
+  {
+    name: "key-value-secret-bare",
+    // Unquoted variant: (key) [:=] <bare-value>. The bare value
+    // capture stops at common JSON/text delimiters so we redact only
+    // the value, not surrounding structure. Listed AFTER the quoted
+    // variant so a quoted value's surrounding `"` are consumed by
+    // the first pattern and we never fall through here for a quoted
+    // secret.
+    pattern: /(?<![A-Za-z0-9_])(?:api[_-]?key|apikey|secret|password|token)"?\s*[:=]\s*[^\s,;}\]"]+/gi
+  }
+];
+function sanitizeErrorResponseBody(body) {
+  let out = body;
+  for (const { pattern } of REDACTION_PATTERNS) {
+    out = out.replace(pattern, REDACTED);
+  }
+  return out;
+}
+function truncateErrorResponseBody(body) {
+  const encoder = new TextEncoder();
+  const encoded = encoder.encode(body);
+  if (encoded.byteLength <= ERROR_RESPONSE_BODY_MAX_BYTES) {
+    return body;
+  }
+  let cut = ERROR_RESPONSE_BODY_MAX_BYTES;
+  let scan = cut - 1;
+  while (scan >= 0 && (encoded[scan] & 192) === 128) {
+    scan -= 1;
+  }
+  if (scan >= 0) {
+    const leading = encoded[scan];
+    let expected = 1;
+    if ((leading & 128) === 0) {
+      expected = 1;
+    } else if ((leading & 224) === 192) {
+      expected = 2;
+    } else if ((leading & 240) === 224) {
+      expected = 3;
+    } else if ((leading & 248) === 240) {
+      expected = 4;
+    }
+    if (scan + expected > cut) {
+      cut = scan;
+    }
+  }
+  const decoder = new TextDecoder("utf-8", { fatal: false });
+  const sliced = encoded.subarray(0, cut);
+  const decoded = decoder.decode(sliced);
+  return decoded + ERROR_RESPONSE_BODY_TRUNCATION_MARKER;
+}
+function prepareErrorResponseBody(body) {
+  if (body.length === 0) return null;
+  if (body.trim().length === 0) return null;
+  const sanitized = sanitizeErrorResponseBody(body);
+  return truncateErrorResponseBody(sanitized);
+}
+
+// src/enriching-exporter.ts
 var ATTR2 = GLASSTRACE_ATTRIBUTE_NAMES;
 var API_KEY_PENDING = "pending";
 var MAX_PENDING_SPANS = 1024;
@@ -18336,7 +18642,14 @@ var GlasstraceExporter = class {
       if (this.getConfig().errorResponseBodies) {
         const responseBody = attrs["glasstrace.internal.response_body"];
         if (typeof responseBody === "string") {
-          extra[ATTR2.ERROR_RESPONSE_BODY] = responseBody.slice(0, 500);
+          const enrichedStatus = extra[ATTR2.HTTP_STATUS_CODE];
+          const effectiveStatus = typeof enrichedStatus === "number" ? enrichedStatus : statusCode;
+          if (isHttpErrorStatus(effectiveStatus)) {
+            const prepared = prepareErrorResponseBody(responseBody);
+            if (prepared !== null) {
+              extra[ATTR2.ERROR_RESPONSE_BODY] = prepared;
+            }
+          }
         }
       }
       const spanAny = span;
@@ -22158,12 +22471,10 @@ function writeStateNow() {
     };
     const dir = (0, import_node_path.join)(_projectRoot, ".glasstrace");
     const filePath = (0, import_node_path.join)(dir, "runtime-state.json");
-    const tmpPath = (0, import_node_path.join)(dir, "runtime-state.json.tmp");
     (0, import_node_fs.mkdirSync)(dir, { recursive: true, mode: 448 });
-    (0, import_node_fs.writeFileSync)(tmpPath, JSON.stringify(runtimeState, null, 2) + "\n", {
+    atomicWriteFileSync(filePath, JSON.stringify(runtimeState, null, 2) + "\n", {
       mode: 384
     });
-    (0, import_node_fs.renameSync)(tmpPath, filePath);
   } catch (err) {
     sdkLog(
       "warn",
@@ -22202,7 +22513,7 @@ function registerGlasstrace(options) {
     setCoreState(CoreState.REGISTERING);
     startRuntimeStateWriter({
       projectRoot: process.cwd(),
-      sdkVersion: "1.1.1"
+      sdkVersion: "1.1.3"
     });
     const config2 = resolveConfig(options);
     if (config2.verbose) {
@@ -22368,8 +22679,8 @@ async function backgroundInit(config2, anonKeyForInit, generation) {
   if (config2.verbose) {
     console.info("[glasstrace] Background init firing.");
   }
-  const healthReport = collectHealthReport("1.1.1");
-  const initResult = await performInit(config2, anonKeyForInit, "1.1.1", healthReport);
+  const healthReport = collectHealthReport("1.1.3");
+  const initResult = await performInit(config2, anonKeyForInit, "1.1.3", healthReport);
   if (generation !== registrationGeneration) return;
   const currentState = getCoreState();
   if (currentState === CoreState.SHUTTING_DOWN || currentState === CoreState.SHUTDOWN) {
@@ -22392,7 +22703,7 @@ async function backgroundInit(config2, anonKeyForInit, generation) {
   }
   maybeInstallConsoleCapture();
   if (didLastInitSucceed()) {
-    startHeartbeat(config2, anonKeyForInit, "1.1.1", generation, (newApiKey, accountId) => {
+    startHeartbeat(config2, anonKeyForInit, "1.1.3", generation, (newApiKey, accountId) => {
       setAuthState(AuthState.CLAIMING);
       emitLifecycleEvent("auth:claim_started", { accountId });
       setResolvedApiKey(newApiKey);