@glasstrace/sdk 1.15.1 → 1.17.0

package/dist/node-subpath.d.cts

@@ -1,239 +1,55 @@
-import { m as SourceMapUploadResponse, n as SourceMapManifestResponse, I as ImportGraphPayload } from './index.d-BQIJ5Dvc.cjs';
+export { A as AutoUploadOptions, B as BlobUploader, P as PRESIGNED_THRESHOLD_BYTES, S as SourceMapEntry, a as SourceMapFileInfo, b as buildImportGraph, c as collectSourceMaps, d as computeBuildHash, e as discoverSourceMapFiles, f as discoverTestFiles, g as extractImports, u as uploadSourceMaps, h as uploadSourceMapsAuto, i as uploadSourceMapsPresigned } from './import-graph-DBLGNjcI.cjs';
+import './index.d-3-cJoY8y.cjs';
 import './v4/classic/external.cjs';
 
 /**
- * In-memory source map entry: a file path paired with its full text content.
- *
- * @remarks
- * Node-only. Describes the legacy in-memory shape consumed by
- * {@link uploadSourceMaps} and {@link uploadSourceMapsAuto}. The type
- * itself erases at runtime and is safe to import from edge code, but
- * every function that produces or consumes it depends on `node:fs`
- * and cannot run at the edge.
- */
-interface SourceMapEntry {
-    filePath: string;
-    content: string;
-}
-/**
- * Metadata for a discovered source map file, without its content loaded.
- * Used by the streaming upload flow to defer file reads until upload time.
- *
- * @remarks
- * Node-only. Describes the shape of data produced by the Node-only
- * source-map upload flow ({@link discoverSourceMapFiles},
- * {@link uploadSourceMapsAuto}). The type itself erases at runtime and
- * is safe to import from edge code, but every function that produces
- * or consumes it depends on `node:fs`/`node:path` and cannot run at
- * the edge.
- */
-interface SourceMapFileInfo {
-    /** Relative path to the compiled JS file (`.map` extension stripped). */
-    filePath: string;
-    /** Absolute path on disk for reading the file content on demand. */
-    absolutePath: string;
-    /** File size in bytes. */
-    sizeBytes: number;
-}
-/**
- * Recursively discovers all `.map` files in the given build directory.
- * Returns metadata only — file content is NOT read into memory.
- *
- * @remarks
- * Node-only. Walks the filesystem with `node:fs/promises` (`readdir`,
- * `stat`) and resolves paths with `node:path`. No edge-safe
- * alternative — call from a Node context (build script, Next.js
- * `next.config.ts`, CI job).
- */
-declare function discoverSourceMapFiles(buildDir: string): Promise<SourceMapFileInfo[]>;
-/**
- * Recursively finds all .map files in the given build directory.
- * Returns relative paths and file contents.
- *
- * @deprecated Prefer {@link discoverSourceMapFiles} to avoid loading all
- * source maps into memory simultaneously.
- *
- * @remarks
- * Node-only. Reads every discovered `.map` file into memory via
- * `node:fs/promises` (`readFile`). No edge-safe alternative — call
- * from a Node context (build script, Next.js `next.config.ts`, CI job).
- */
-declare function collectSourceMaps(buildDir: string): Promise<SourceMapEntry[]>;
-/**
- * Computes a build hash for source map uploads.
- *
- * First tries `git rev-parse HEAD` to get the git commit SHA.
- * On failure, falls back to a deterministic content hash:
- * sort source map file paths alphabetically, concatenate each as
- * `{relativePath}\n{fileLength}\n{fileContent}`, then SHA-256 the result.
- *
- * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
- * `SourceMapFileInfo[]` (streaming, reads on demand).
- *
- * @remarks
- * Node-only. Spawns `git rev-parse HEAD` via `node:child_process`
- * (`execFileSync`), hashes with `node:crypto` (`createHash("sha256")`),
- * and reads map contents from disk with `node:fs/promises`. No
- * edge-safe alternative — call from a Node context (build script,
- * Next.js `next.config.ts`, CI job). If a pre-computed build hash is
- * already known (e.g., provided as a CI environment variable), pass
- * it directly to {@link uploadSourceMaps} instead of calling this
- * helper.
- */
-declare function computeBuildHash(maps?: SourceMapEntry[] | SourceMapFileInfo[]): Promise<string>;
-/**
- * Uploads source maps to the ingestion API.
- *
- * POSTs to `{endpoint}/v1/source-maps` with the API key, build hash,
- * and file entries. Validates the response against SourceMapUploadResponseSchema.
- *
- * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
- * `SourceMapFileInfo[]` (deferred reads). With `SourceMapFileInfo[]`,
- * file content is read at upload time rather than at discovery time.
- * Note: the legacy endpoint sends all files in a single JSON body, so
- * peak memory is similar — the benefit is deferring reads past discovery.
- *
- * @remarks
- * Node-only. Reads map contents from disk via `node:fs/promises` when
- * invoked with `SourceMapFileInfo[]`. The network call uses the
- * platform-standard `fetch` (edge-safe on its own), but the upstream
- * discovery and read path is Node-only, so the function is only
- * reachable from a Node context (build script, Next.js
- * `next.config.ts`, CI job). No edge-safe alternative.
- */
-declare function uploadSourceMaps(apiKey: string, endpoint: string, buildHash: string, maps: SourceMapEntry[] | SourceMapFileInfo[]): Promise<SourceMapUploadResponse>;
-/**
- * Builds at or above this byte size route to the presigned upload flow.
- *
- * @remarks
- * Node-only. The numeric value itself is pure (a constant is evaluable
- * anywhere), but it is meaningful only alongside
- * {@link uploadSourceMapsPresigned} and {@link uploadSourceMapsAuto},
- * both of which depend on `node:fs` and `@vercel/blob`. No edge-safe
- * alternative — consume from a Node context.
- */
-declare const PRESIGNED_THRESHOLD_BYTES = 4500000;
-/**
- * Signature for the blob upload function, injectable for testing.
- *
- * @remarks
- * Node-only. Describes the shape of the uploader consumed by
- * {@link uploadSourceMapsPresigned} and {@link uploadSourceMapsAuto},
- * both of which depend on `@vercel/blob` and `node:fs`. The type itself
- * erases at runtime and is safe to import from edge code, but every
- * producer and consumer is Node-only.
- */
-type BlobUploader = (clientToken: string, pathname: string, content: string) => Promise<{
-    url: string;
-    size: number;
-}>;
-/**
- * Orchestrates the 3-phase presigned upload flow.
- *
- * 1. Requests presigned tokens for all source map files
- * 2. Uploads each file to blob storage with a concurrency limit of 5,
- *    reading file content from disk just before each upload
- * 3. Submits the manifest to finalize the upload
- *
- * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
- * `SourceMapFileInfo[]` (streaming, reads on demand).
- *
- * Accepts an optional `blobUploader` for test injection; defaults to
- * {@link uploadToBlob}.
- *
- * @remarks
- * Node-only. Streams map contents from disk via `node:fs/promises`
- * and uploads through `@vercel/blob/client` (loaded lazily as an
- * optional peer dependency). No edge-safe alternative — call from a
- * Node context (build script, Next.js `next.config.ts`, CI job).
- */
-declare function uploadSourceMapsPresigned(apiKey: string, endpoint: string, buildHash: string, maps: SourceMapEntry[] | SourceMapFileInfo[], blobUploader?: BlobUploader): Promise<SourceMapManifestResponse>;
-/**
- * Options for {@link uploadSourceMapsAuto}, primarily used for test injection.
- *
- * @remarks
- * Node-only. Describes the shape of overrides consumed by
- * {@link uploadSourceMapsAuto}, which depends on `node:fs` and
- * `@vercel/blob`. The type itself erases at runtime and is safe to
- * import from edge code, but the surrounding function is Node-only.
- */
-interface AutoUploadOptions {
-    /** Override blob availability check (for testing). */
-    checkBlobAvailable?: () => Promise<boolean>;
-    /** Override blob uploader (for testing). */
-    blobUploader?: BlobUploader;
-}
-/**
- * Automatically routes source map uploads based on total build size.
- *
- * - Below {@link PRESIGNED_THRESHOLD_BYTES}: uses the legacy single-request
- *   {@link uploadSourceMaps} endpoint.
- * - At or above the threshold: checks if `@vercel/blob` is available and
- *   uses the presigned 3-phase flow. Falls back to legacy with a warning
- *   if the package is not installed.
- *
- * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
- * `SourceMapFileInfo[]` (streaming, reads on demand).
- *
- * @remarks
- * Node-only. Reads source map sizes/contents via `node:fs/promises`
- * and, above the threshold, dynamically loads `@vercel/blob/client`
- * (optional peer dependency) for direct blob storage uploads. No
- * edge-safe alternative — call from a Node context (build script,
- * Next.js `next.config.ts`, CI job). This is the recommended entry
- * point for source-map upload in most projects.
- */
-declare function uploadSourceMapsAuto(apiKey: string, endpoint: string, buildHash: string, maps: SourceMapEntry[] | SourceMapFileInfo[], options?: AutoUploadOptions): Promise<SourceMapUploadResponse | SourceMapManifestResponse>;
-
-/**
- * Discovers test files by scanning the project directory for conventional
- * test file patterns. Also reads vitest/jest config files for custom include
- * patterns and merges them with the defaults. Excludes node_modules/ and .next/.
- *
- * @param projectRoot - Absolute path to the project root directory.
- * @returns Relative POSIX paths from projectRoot, capped at {@link MAX_TEST_FILES}.
- *
- * @remarks
- * Node-only. Walks the filesystem with `node:fs/promises`
- * (`readdir`), reads vitest/jest config files with `node:fs`
- * (`readFileSync`), and resolves paths with `node:path`. No edge-safe
- * alternative — call from a Node context (build script, CI job,
- * Next.js `next.config.ts`).
- */
-declare function discoverTestFiles(projectRoot: string): Promise<string[]>;
-/**
- * Extracts import paths from file content using regex.
- * Handles ES module imports, CommonJS requires, and dynamic imports.
- *
- * @param fileContent - The full text content of a TypeScript/JavaScript file.
- * @returns An array of import path strings as written in the source (e.g. "./foo", "react").
- *
- * @remarks
- * Node-only. The function body itself is pure string processing and
- * would run anywhere, but it is exported through `@glasstrace/sdk/node`
- * alongside {@link discoverTestFiles} and {@link buildImportGraph} —
- * the practical consumers all pair it with those Node-only helpers.
- * Kept under the `/node` subpath for API cohesion; call from a Node
- * context (build script, CI job, Next.js `next.config.ts`).
- */
-declare function extractImports(fileContent: string): string[];
-/**
- * Builds an import graph mapping test file paths to their imported module paths.
- *
- * Discovers test files, reads each, extracts imports, and builds a graph.
- * Computes a deterministic buildHash from the serialized graph content.
- * Individual file read failures are silently skipped.
- *
- * @param projectRoot - Absolute path to the project root directory.
- * @returns An {@link ImportGraphPayload} containing the graph and a deterministic buildHash.
- *
- * @remarks
- * Node-only. Walks the project with `node:fs/promises`, reads each
- * test file from disk, resolves paths with `node:path`, and hashes
- * the serialized graph with `node:crypto` (`createHash("sha256")`).
- * No edge-safe alternative — call from a Node context (build script,
- * CI job, Next.js `next.config.ts`).
- */
-declare function buildImportGraph(projectRoot: string): Promise<ImportGraphPayload>;
+ * Producer-side identifier pseudonymization for the value-fidelity
+ * scalar channel.
+ *
+ * `hashId` turns a raw identifier into a stable, opaque `gthid_<hex>`
+ * token that a producer can emit on an `*Id` scalar without leaking the
+ * raw value. The SDK's `checkScalarField` rejects unhashed `*Id` values
+ * under `strict`, so a producer that wants id correlation pre-hashes the
+ * id with this helper.
+ *
+ * NODE-ONLY. This module imports `node:crypto` and is therefore exported
+ * exclusively from the `@glasstrace/sdk/node` subpath, never the root
+ * barrel — the root must stay edge-bundle-safe (no node builtins in the
+ * edge closure). `*Id` capture is a server-side concern, so the
+ * node-only placement does not reduce real coverage.
+ */
+/**
+ * Pseudonymize a raw identifier into a stable `gthid_<hex>` token using
+ * HMAC-SHA256 keyed by `key`.
+ *
+ * Node-only. Uses `node:crypto`, so it ships exclusively on the
+ * `@glasstrace/sdk/node` subpath.
+ *
+ * Fail-closed: returns `null` when `raw` or `key` is missing or empty,
+ * so a misconfigured caller emits no id rather than a raw or weakly
+ * keyed one. A `null` return routes the `*Id` scalar to the
+ * `unhashed_id` omission counter at emit time.
+ *
+ * The same `(raw, key)` always produces the same token, enabling
+ * cross-trace correlation of the same entity. This is also the privacy
+ * boundary's weak point:
+ *
+ *  - **Key rotation breaks correlation by design.** Tokens hashed under
+ *    a new key do not match tokens hashed under the old one. If
+ *    cross-rotation correlation is required, embed a key-id segment in
+ *    the key-management layer and rotate deliberately.
+ *  - **A leaked key de-pseudonymizes every id hashed under it** (an
+ *    attacker can hash a candidate id space and match tokens). Treat the
+ *    key as a secret; scope it per tenant.
+ *  - **Stable tokens plus quasi-identifier scalars enable corpus-level
+ *    re-identification / linkage**, bounded by per-tenant scope. Do not
+ *    treat a `gthid_` token as anonymization.
+ *
+ * @param raw - The raw identifier to pseudonymize.
+ * @param key - The per-tenant HMAC secret (e.g. from
+ *   `GLASSTRACE_ATTR_HMAC_KEY`). Never logged or emitted.
+ * @returns A `gthid_<32hex>` token, or `null` if `raw`/`key` is empty.
+ */
+declare function hashId(raw: string, key: string): string | null;
 
-export { type AutoUploadOptions, type BlobUploader, PRESIGNED_THRESHOLD_BYTES, type SourceMapEntry, type SourceMapFileInfo, buildImportGraph, collectSourceMaps, computeBuildHash, discoverSourceMapFiles, discoverTestFiles, extractImports, uploadSourceMaps, uploadSourceMapsAuto, uploadSourceMapsPresigned };
+export { hashId };

package/dist/node-subpath.d.ts

@@ -1,239 +1,55 @@
-import { m as SourceMapUploadResponse, n as SourceMapManifestResponse, I as ImportGraphPayload } from './index.d-BQIJ5Dvc.js';
+export { A as AutoUploadOptions, B as BlobUploader, P as PRESIGNED_THRESHOLD_BYTES, S as SourceMapEntry, a as SourceMapFileInfo, b as buildImportGraph, c as collectSourceMaps, d as computeBuildHash, e as discoverSourceMapFiles, f as discoverTestFiles, g as extractImports, u as uploadSourceMaps, h as uploadSourceMapsAuto, i as uploadSourceMapsPresigned } from './import-graph-Dka_Fm7j.js';
+import './index.d-3-cJoY8y.js';
 import './v4/classic/external.cjs';
 
 /**
- * In-memory source map entry: a file path paired with its full text content.
- *
- * @remarks
- * Node-only. Describes the legacy in-memory shape consumed by
- * {@link uploadSourceMaps} and {@link uploadSourceMapsAuto}. The type
- * itself erases at runtime and is safe to import from edge code, but
- * every function that produces or consumes it depends on `node:fs`
- * and cannot run at the edge.
- */
-interface SourceMapEntry {
-    filePath: string;
-    content: string;
-}
-/**
- * Metadata for a discovered source map file, without its content loaded.
- * Used by the streaming upload flow to defer file reads until upload time.
- *
- * @remarks
- * Node-only. Describes the shape of data produced by the Node-only
- * source-map upload flow ({@link discoverSourceMapFiles},
- * {@link uploadSourceMapsAuto}). The type itself erases at runtime and
- * is safe to import from edge code, but every function that produces
- * or consumes it depends on `node:fs`/`node:path` and cannot run at
- * the edge.
- */
-interface SourceMapFileInfo {
-    /** Relative path to the compiled JS file (`.map` extension stripped). */
-    filePath: string;
-    /** Absolute path on disk for reading the file content on demand. */
-    absolutePath: string;
-    /** File size in bytes. */
-    sizeBytes: number;
-}
-/**
- * Recursively discovers all `.map` files in the given build directory.
- * Returns metadata only — file content is NOT read into memory.
- *
- * @remarks
- * Node-only. Walks the filesystem with `node:fs/promises` (`readdir`,
- * `stat`) and resolves paths with `node:path`. No edge-safe
- * alternative — call from a Node context (build script, Next.js
- * `next.config.ts`, CI job).
- */
-declare function discoverSourceMapFiles(buildDir: string): Promise<SourceMapFileInfo[]>;
-/**
- * Recursively finds all .map files in the given build directory.
- * Returns relative paths and file contents.
- *
- * @deprecated Prefer {@link discoverSourceMapFiles} to avoid loading all
- * source maps into memory simultaneously.
- *
- * @remarks
- * Node-only. Reads every discovered `.map` file into memory via
- * `node:fs/promises` (`readFile`). No edge-safe alternative — call
- * from a Node context (build script, Next.js `next.config.ts`, CI job).
- */
-declare function collectSourceMaps(buildDir: string): Promise<SourceMapEntry[]>;
-/**
- * Computes a build hash for source map uploads.
- *
- * First tries `git rev-parse HEAD` to get the git commit SHA.
- * On failure, falls back to a deterministic content hash:
- * sort source map file paths alphabetically, concatenate each as
- * `{relativePath}\n{fileLength}\n{fileContent}`, then SHA-256 the result.
- *
- * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
- * `SourceMapFileInfo[]` (streaming, reads on demand).
- *
- * @remarks
- * Node-only. Spawns `git rev-parse HEAD` via `node:child_process`
- * (`execFileSync`), hashes with `node:crypto` (`createHash("sha256")`),
- * and reads map contents from disk with `node:fs/promises`. No
- * edge-safe alternative — call from a Node context (build script,
- * Next.js `next.config.ts`, CI job). If a pre-computed build hash is
- * already known (e.g., provided as a CI environment variable), pass
- * it directly to {@link uploadSourceMaps} instead of calling this
- * helper.
- */
-declare function computeBuildHash(maps?: SourceMapEntry[] | SourceMapFileInfo[]): Promise<string>;
-/**
- * Uploads source maps to the ingestion API.
- *
- * POSTs to `{endpoint}/v1/source-maps` with the API key, build hash,
- * and file entries. Validates the response against SourceMapUploadResponseSchema.
- *
- * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
- * `SourceMapFileInfo[]` (deferred reads). With `SourceMapFileInfo[]`,
- * file content is read at upload time rather than at discovery time.
- * Note: the legacy endpoint sends all files in a single JSON body, so
- * peak memory is similar — the benefit is deferring reads past discovery.
- *
- * @remarks
- * Node-only. Reads map contents from disk via `node:fs/promises` when
- * invoked with `SourceMapFileInfo[]`. The network call uses the
- * platform-standard `fetch` (edge-safe on its own), but the upstream
- * discovery and read path is Node-only, so the function is only
- * reachable from a Node context (build script, Next.js
- * `next.config.ts`, CI job). No edge-safe alternative.
- */
-declare function uploadSourceMaps(apiKey: string, endpoint: string, buildHash: string, maps: SourceMapEntry[] | SourceMapFileInfo[]): Promise<SourceMapUploadResponse>;
-/**
- * Builds at or above this byte size route to the presigned upload flow.
- *
- * @remarks
- * Node-only. The numeric value itself is pure (a constant is evaluable
- * anywhere), but it is meaningful only alongside
- * {@link uploadSourceMapsPresigned} and {@link uploadSourceMapsAuto},
- * both of which depend on `node:fs` and `@vercel/blob`. No edge-safe
- * alternative — consume from a Node context.
- */
-declare const PRESIGNED_THRESHOLD_BYTES = 4500000;
-/**
- * Signature for the blob upload function, injectable for testing.
- *
- * @remarks
- * Node-only. Describes the shape of the uploader consumed by
- * {@link uploadSourceMapsPresigned} and {@link uploadSourceMapsAuto},
- * both of which depend on `@vercel/blob` and `node:fs`. The type itself
- * erases at runtime and is safe to import from edge code, but every
- * producer and consumer is Node-only.
- */
-type BlobUploader = (clientToken: string, pathname: string, content: string) => Promise<{
-    url: string;
-    size: number;
-}>;
-/**
- * Orchestrates the 3-phase presigned upload flow.
- *
- * 1. Requests presigned tokens for all source map files
- * 2. Uploads each file to blob storage with a concurrency limit of 5,
- *    reading file content from disk just before each upload
- * 3. Submits the manifest to finalize the upload
- *
- * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
- * `SourceMapFileInfo[]` (streaming, reads on demand).
- *
- * Accepts an optional `blobUploader` for test injection; defaults to
- * {@link uploadToBlob}.
- *
- * @remarks
- * Node-only. Streams map contents from disk via `node:fs/promises`
- * and uploads through `@vercel/blob/client` (loaded lazily as an
- * optional peer dependency). No edge-safe alternative — call from a
- * Node context (build script, Next.js `next.config.ts`, CI job).
- */
-declare function uploadSourceMapsPresigned(apiKey: string, endpoint: string, buildHash: string, maps: SourceMapEntry[] | SourceMapFileInfo[], blobUploader?: BlobUploader): Promise<SourceMapManifestResponse>;
-/**
- * Options for {@link uploadSourceMapsAuto}, primarily used for test injection.
- *
- * @remarks
- * Node-only. Describes the shape of overrides consumed by
- * {@link uploadSourceMapsAuto}, which depends on `node:fs` and
- * `@vercel/blob`. The type itself erases at runtime and is safe to
- * import from edge code, but the surrounding function is Node-only.
- */
-interface AutoUploadOptions {
-    /** Override blob availability check (for testing). */
-    checkBlobAvailable?: () => Promise<boolean>;
-    /** Override blob uploader (for testing). */
-    blobUploader?: BlobUploader;
-}
-/**
- * Automatically routes source map uploads based on total build size.
- *
- * - Below {@link PRESIGNED_THRESHOLD_BYTES}: uses the legacy single-request
- *   {@link uploadSourceMaps} endpoint.
- * - At or above the threshold: checks if `@vercel/blob` is available and
- *   uses the presigned 3-phase flow. Falls back to legacy with a warning
- *   if the package is not installed.
- *
- * Accepts either `SourceMapEntry[]` (legacy, in-memory) or
- * `SourceMapFileInfo[]` (streaming, reads on demand).
- *
- * @remarks
- * Node-only. Reads source map sizes/contents via `node:fs/promises`
- * and, above the threshold, dynamically loads `@vercel/blob/client`
- * (optional peer dependency) for direct blob storage uploads. No
- * edge-safe alternative — call from a Node context (build script,
- * Next.js `next.config.ts`, CI job). This is the recommended entry
- * point for source-map upload in most projects.
- */
-declare function uploadSourceMapsAuto(apiKey: string, endpoint: string, buildHash: string, maps: SourceMapEntry[] | SourceMapFileInfo[], options?: AutoUploadOptions): Promise<SourceMapUploadResponse | SourceMapManifestResponse>;
-
-/**
- * Discovers test files by scanning the project directory for conventional
- * test file patterns. Also reads vitest/jest config files for custom include
- * patterns and merges them with the defaults. Excludes node_modules/ and .next/.
- *
- * @param projectRoot - Absolute path to the project root directory.
- * @returns Relative POSIX paths from projectRoot, capped at {@link MAX_TEST_FILES}.
- *
- * @remarks
- * Node-only. Walks the filesystem with `node:fs/promises`
- * (`readdir`), reads vitest/jest config files with `node:fs`
- * (`readFileSync`), and resolves paths with `node:path`. No edge-safe
- * alternative — call from a Node context (build script, CI job,
- * Next.js `next.config.ts`).
- */
-declare function discoverTestFiles(projectRoot: string): Promise<string[]>;
-/**
- * Extracts import paths from file content using regex.
- * Handles ES module imports, CommonJS requires, and dynamic imports.
- *
- * @param fileContent - The full text content of a TypeScript/JavaScript file.
- * @returns An array of import path strings as written in the source (e.g. "./foo", "react").
- *
- * @remarks
- * Node-only. The function body itself is pure string processing and
- * would run anywhere, but it is exported through `@glasstrace/sdk/node`
- * alongside {@link discoverTestFiles} and {@link buildImportGraph} —
- * the practical consumers all pair it with those Node-only helpers.
- * Kept under the `/node` subpath for API cohesion; call from a Node
- * context (build script, CI job, Next.js `next.config.ts`).
- */
-declare function extractImports(fileContent: string): string[];
-/**
- * Builds an import graph mapping test file paths to their imported module paths.
- *
- * Discovers test files, reads each, extracts imports, and builds a graph.
- * Computes a deterministic buildHash from the serialized graph content.
- * Individual file read failures are silently skipped.
- *
- * @param projectRoot - Absolute path to the project root directory.
- * @returns An {@link ImportGraphPayload} containing the graph and a deterministic buildHash.
- *
- * @remarks
- * Node-only. Walks the project with `node:fs/promises`, reads each
- * test file from disk, resolves paths with `node:path`, and hashes
- * the serialized graph with `node:crypto` (`createHash("sha256")`).
- * No edge-safe alternative — call from a Node context (build script,
- * CI job, Next.js `next.config.ts`).
- */
-declare function buildImportGraph(projectRoot: string): Promise<ImportGraphPayload>;
+ * Producer-side identifier pseudonymization for the value-fidelity
+ * scalar channel.
+ *
+ * `hashId` turns a raw identifier into a stable, opaque `gthid_<hex>`
+ * token that a producer can emit on an `*Id` scalar without leaking the
+ * raw value. The SDK's `checkScalarField` rejects unhashed `*Id` values
+ * under `strict`, so a producer that wants id correlation pre-hashes the
+ * id with this helper.
+ *
+ * NODE-ONLY. This module imports `node:crypto` and is therefore exported
+ * exclusively from the `@glasstrace/sdk/node` subpath, never the root
+ * barrel — the root must stay edge-bundle-safe (no node builtins in the
+ * edge closure). `*Id` capture is a server-side concern, so the
+ * node-only placement does not reduce real coverage.
+ */
+/**
+ * Pseudonymize a raw identifier into a stable `gthid_<hex>` token using
+ * HMAC-SHA256 keyed by `key`.
+ *
+ * Node-only. Uses `node:crypto`, so it ships exclusively on the
+ * `@glasstrace/sdk/node` subpath.
+ *
+ * Fail-closed: returns `null` when `raw` or `key` is missing or empty,
+ * so a misconfigured caller emits no id rather than a raw or weakly
+ * keyed one. A `null` return routes the `*Id` scalar to the
+ * `unhashed_id` omission counter at emit time.
+ *
+ * The same `(raw, key)` always produces the same token, enabling
+ * cross-trace correlation of the same entity. This is also the privacy
+ * boundary's weak point:
+ *
+ *  - **Key rotation breaks correlation by design.** Tokens hashed under
+ *    a new key do not match tokens hashed under the old one. If
+ *    cross-rotation correlation is required, embed a key-id segment in
+ *    the key-management layer and rotate deliberately.
+ *  - **A leaked key de-pseudonymizes every id hashed under it** (an
+ *    attacker can hash a candidate id space and match tokens). Treat the
+ *    key as a secret; scope it per tenant.
+ *  - **Stable tokens plus quasi-identifier scalars enable corpus-level
+ *    re-identification / linkage**, bounded by per-tenant scope. Do not
+ *    treat a `gthid_` token as anonymization.
+ *
+ * @param raw - The raw identifier to pseudonymize.
+ * @param key - The per-tenant HMAC secret (e.g. from
+ *   `GLASSTRACE_ATTR_HMAC_KEY`). Never logged or emitted.
+ * @returns A `gthid_<32hex>` token, or `null` if `raw`/`key` is empty.
+ */
+declare function hashId(raw: string, key: string): string | null;
 
-export { type AutoUploadOptions, type BlobUploader, PRESIGNED_THRESHOLD_BYTES, type SourceMapEntry, type SourceMapFileInfo, buildImportGraph, collectSourceMaps, computeBuildHash, discoverSourceMapFiles, discoverTestFiles, extractImports, uploadSourceMaps, uploadSourceMapsAuto, uploadSourceMapsPresigned };
+export { hashId };

package/dist/node-subpath.js

@@ -6,16 +6,28 @@ import {
   uploadSourceMaps,
   uploadSourceMapsAuto,
   uploadSourceMapsPresigned
-} from "./chunk-MP3QNDXQ.js";
+} from "./chunk-O7IJP2TQ.js";
 import "./chunk-YG3X7TUI.js";
 import {
   buildImportGraph,
   discoverTestFiles,
   extractImports
-} from "./chunk-XMD5OYD6.js";
+} from "./chunk-M3QGJUEI.js";
 import "./chunk-VUZCLMIX.js";
-import "./chunk-7LE2O4ZJ.js";
+import {
+  SIDE_EFFECT_HASHED_ID_HEX_LENGTH,
+  SIDE_EFFECT_HASHED_ID_PREFIX
+} from "./chunk-MKT54VEH.js";
 import "./chunk-NSBPE2FW.js";
+
+// src/side-effect/hash-id.ts
+import { createHmac } from "node:crypto";
+function hashId(raw, key) {
+  if (typeof raw !== "string" || raw.length === 0) return null;
+  if (typeof key !== "string" || key.length === 0) return null;
+  const digest = createHmac("sha256", key).update(raw).digest("hex").slice(0, SIDE_EFFECT_HASHED_ID_HEX_LENGTH);
+  return `${SIDE_EFFECT_HASHED_ID_PREFIX}${digest}`;
+}
 export {
   PRESIGNED_THRESHOLD_BYTES,
   buildImportGraph,
@@ -24,6 +36,7 @@ export {
   discoverSourceMapFiles,
   discoverTestFiles,
   extractImports,
+  hashId,
   uploadSourceMaps,
   uploadSourceMapsAuto,
   uploadSourceMapsPresigned

package/dist/node-subpath.js.map

@@ -1 +1 @@
-{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
+{"version":3,"sources":["../src/side-effect/hash-id.ts"],"sourcesContent":["/**\n * Producer-side identifier pseudonymization for the value-fidelity\n * scalar channel.\n *\n * `hashId` turns a raw identifier into a stable, opaque `gthid_<hex>`\n * token that a producer can emit on an `*Id` scalar without leaking the\n * raw value. The SDK's `checkScalarField` rejects unhashed `*Id` values\n * under `strict`, so a producer that wants id correlation pre-hashes the\n * id with this helper.\n *\n * NODE-ONLY. This module imports `node:crypto` and is therefore exported\n * exclusively from the `@glasstrace/sdk/node` subpath, never the root\n * barrel — the root must stay edge-bundle-safe (no node builtins in the\n * edge closure). `*Id` capture is a server-side concern, so the\n * node-only placement does not reduce real coverage.\n */\n\nimport { createHmac } from \"node:crypto\";\nimport {\n  SIDE_EFFECT_HASHED_ID_HEX_LENGTH,\n  SIDE_EFFECT_HASHED_ID_PREFIX,\n} from \"@glasstrace/protocol\";\n\n// 32 hex = 128 bits of the HMAC-SHA256 output — not brute-forceable\n// without the key, and compact. The length is shared with the SDK's\n// strict `*Id` scalar validator (via the protocol constant) so the\n// emitter and the admission check cannot drift.\n\n/**\n * Pseudonymize a raw identifier into a stable `gthid_<hex>` token using\n * HMAC-SHA256 keyed by `key`.\n *\n * Node-only. Uses `node:crypto`, so it ships exclusively on the\n * `@glasstrace/sdk/node` subpath.\n *\n * Fail-closed: returns `null` when `raw` or `key` is missing or empty,\n * so a misconfigured caller emits no id rather than a raw or weakly\n * keyed one. A `null` return routes the `*Id` scalar to the\n * `unhashed_id` omission counter at emit time.\n *\n * The same `(raw, key)` always produces the same token, enabling\n * cross-trace correlation of the same entity. This is also the privacy\n * boundary's weak point:\n *\n *  - **Key rotation breaks correlation by design.** Tokens hashed under\n *    a new key do not match tokens hashed under the old one. If\n *    cross-rotation correlation is required, embed a key-id segment in\n *    the key-management layer and rotate deliberately.\n *  - **A leaked key de-pseudonymizes every id hashed under it** (an\n *    attacker can hash a candidate id space and match tokens). Treat the\n *    key as a secret; scope it per tenant.\n *  - **Stable tokens plus quasi-identifier scalars enable corpus-level\n *    re-identification / linkage**, bounded by per-tenant scope. Do not\n *    treat a `gthid_` token as anonymization.\n *\n * @param raw - The raw identifier to pseudonymize.\n * @param key - The per-tenant HMAC secret (e.g. from\n *   `GLASSTRACE_ATTR_HMAC_KEY`). Never logged or emitted.\n * @returns A `gthid_<32hex>` token, or `null` if `raw`/`key` is empty.\n */\nexport function hashId(raw: string, key: string): string | null {\n  if (typeof raw !== \"string\" || raw.length === 0) return null;\n  if (typeof key !== \"string\" || key.length === 0) return null;\n  const digest = createHmac(\"sha256\", key)\n    .update(raw)\n    .digest(\"hex\")\n    .slice(0, SIDE_EFFECT_HASHED_ID_HEX_LENGTH);\n  return `${SIDE_EFFECT_HASHED_ID_PREFIX}${digest}`;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAiBA,SAAS,kBAAkB;AA2CpB,SAAS,OAAO,KAAa,KAA4B;AAC9D,MAAI,OAAO,QAAQ,YAAY,IAAI,WAAW,EAAG,QAAO;AACxD,MAAI,OAAO,QAAQ,YAAY,IAAI,WAAW,EAAG,QAAO;AACxD,QAAM,SAAS,WAAW,UAAU,GAAG,EACpC,OAAO,GAAG,EACV,OAAO,KAAK,EACZ,MAAM,GAAG,gCAAgC;AAC5C,SAAO,GAAG,4BAA4B,GAAG,MAAM;AACjD;","names":[]}

package/dist/{source-map-uploader-NUONOEJG.js → source-map-uploader-U7SLSKIZ.js}

@@ -11,10 +11,10 @@ import {
   uploadSourceMapsAuto,
   uploadSourceMapsPresigned,
   uploadToBlob
-} from "./chunk-MP3QNDXQ.js";
+} from "./chunk-O7IJP2TQ.js";
 import "./chunk-YG3X7TUI.js";
 import "./chunk-VUZCLMIX.js";
-import "./chunk-7LE2O4ZJ.js";
+import "./chunk-MKT54VEH.js";
 import "./chunk-NSBPE2FW.js";
 export {
   PRESIGNED_THRESHOLD_BYTES,
@@ -30,4 +30,4 @@ export {
   uploadSourceMapsPresigned,
   uploadToBlob
 };
-//# sourceMappingURL=source-map-uploader-NUONOEJG.js.map
+//# sourceMappingURL=source-map-uploader-U7SLSKIZ.js.map