@glasstrace/sdk 1.7.0 → 1.9.0

package/dist/{chunk-OWPA7GHV.js → chunk-XEPC4NFL.js}

@@ -1,3 +1,6 @@
+import {
+  _registerLifecycleEmitForBridge
+} from "./chunk-CL3OVHPO.js";
 import {
   DiagLogLevel,
   INVALID_SPAN_CONTEXT,
@@ -33,7 +36,7 @@ import {
   performInit,
   recordSpansDropped,
   recordSpansExported
-} from "./chunk-M2TLX6NM.js";
+} from "./chunk-QXITSNYM.js";
 import {
   isAnonymousMode,
   isProductionDisabled,
@@ -44,11 +47,11 @@ import {
   getOrCreateAnonKey,
   isSyncFsAvailable,
   readAnonKey
-} from "./chunk-WL6BXEJ5.js";
+} from "./chunk-DKV53A2C.js";
 import {
   GLASSTRACE_ATTRIBUTE_NAMES,
   deriveSessionId
-} from "./chunk-P45NZR4J.js";
+} from "./chunk-JHUNLPSS.js";
 import {
   isEndMarkerLine,
   parseStartMarkerLine
@@ -143,1114 +146,1428 @@ function classifyFetchTarget(url) {
   return "unknown";
 }
 
-// src/error-response-body.ts
-var ERROR_RESPONSE_BODY_MAX_BYTES = 4096;
-var ERROR_RESPONSE_BODY_TRUNCATION_MARKER = "...[truncated]";
-var REDACTED = "[REDACTED]";
-var ERROR_STATUS_MIN = 400;
-var ERROR_STATUS_MAX = 599;
-function coerceHttpStatus(value) {
-  let numeric;
-  if (typeof value === "number") {
-    numeric = value;
-  } else if (typeof value === "string") {
-    const trimmed = value.trim();
-    if (trimmed.length === 0) return void 0;
-    numeric = Number(trimmed);
-  } else {
-    return void 0;
-  }
-  return Number.isFinite(numeric) ? numeric : void 0;
+// src/lifecycle.ts
+import { EventEmitter } from "node:events";
+
+// src/signal-handler.ts
+var coexistenceState = "unknown";
+function setCoexistenceState(s) {
+  coexistenceState = s;
 }
-function isHttpErrorStatus(status) {
-  const numeric = coerceHttpStatus(status);
-  if (numeric === void 0) return false;
-  return numeric >= ERROR_STATUS_MIN && numeric <= ERROR_STATUS_MAX;
+function getCoexistenceState() {
+  return coexistenceState;
 }
-var REDACTION_PATTERNS = [
-  // Order matters: redact specific token shapes BEFORE the generic
-  // key=value catcher so a literal `Bearer eyJ…` collapses into a single
-  // [REDACTED] and the JWT regex does not separately match the suffix.
-  {
-    name: "bearer",
-    // Case-insensitive on the scheme: HTTP frameworks and proxies
-    // round-trip the auth scheme with inconsistent casing
-    // (`Bearer`, `bearer`, `BEARER`), and a real token leaks just as
-    // badly under any of them.
-    pattern: /\bBearer\s+[A-Za-z0-9._\-+/=]+/gi
-  },
-  {
-    name: "jwt",
-    // Three base64url segments separated by dots. Real JWTs encode at
-    // minimum a small JSON header in the first segment, which alone is
-    // typically ≥10 chars after base64url; a 16-char floor avoids false
-    // positives on dotted text like a stack-trace frame
-    // (`react.dom.server`) while still catching every real JWT we have
-    // seen in the wild. Anchored with word boundaries on both sides so
-    // a 3-dot semantic version like "next@15.4.1.2" does not match.
-    pattern: /\b[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g
-  },
-  {
-    name: "glasstrace-api-key",
-    // gt_dev_* and gt_anon_* keys are >=24 chars of [A-Za-z0-9].
-    pattern: /\bgt_(?:dev|anon)_[A-Za-z0-9]{16,}\b/g
-  },
-  {
-    name: "aws-access-key",
-    // 20-char prefix-fixed identifier.
-    pattern: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g
-  },
-  {
-    name: "key-value-secret-quoted",
-    // Quoted-string variant: (key) [:=] "<value>". The value runs to
-    // the next unescaped closing quote so a multi-word secret like
-    // `password="my secret phrase"` is fully consumed instead of
-    // splitting at the first space and leaving the tail visible.
-    // The leading `(?<![A-Za-z0-9_])` prevents matching inside
-    // identifiers like `passwordless`. The trailing `"?` after the
-    // keyword absorbs the closing quote in JSON-style `"apikey":
-    // "value"` so the colon is still seen as the separator.
-    pattern: /(?<![A-Za-z0-9_])(?:api[_-]?key|apikey|secret|password|token)"?\s*[:=]\s*"(?:[^"\\]|\\.)*"/gi
-  },
-  {
-    name: "key-value-secret-bare",
-    // Unquoted variant: (key) [:=] <bare-value>. The bare value
-    // capture stops at common JSON/text delimiters so we redact only
-    // the value, not surrounding structure. Listed AFTER the quoted
-    // variant so a quoted value's surrounding `"` are consumed by
-    // the first pattern and we never fall through here for a quoted
-    // secret.
-    pattern: /(?<![A-Za-z0-9_])(?:api[_-]?key|apikey|secret|password|token)"?\s*[:=]\s*[^\s,;}\]"]+/gi
-  }
-];
-function sanitizeErrorResponseBody(body) {
-  let out = body;
-  for (const { pattern } of REDACTION_PATTERNS) {
-    out = out.replace(pattern, REDACTED);
+
+// src/lifecycle.ts
+var CoreState = {
+  IDLE: "IDLE",
+  REGISTERING: "REGISTERING",
+  KEY_PENDING: "KEY_PENDING",
+  KEY_RESOLVED: "KEY_RESOLVED",
+  ACTIVE: "ACTIVE",
+  ACTIVE_DEGRADED: "ACTIVE_DEGRADED",
+  SHUTTING_DOWN: "SHUTTING_DOWN",
+  SHUTDOWN: "SHUTDOWN",
+  PRODUCTION_DISABLED: "PRODUCTION_DISABLED",
+  REGISTRATION_FAILED: "REGISTRATION_FAILED"
+};
+var AuthState = {
+  ANONYMOUS: "ANONYMOUS",
+  AUTHENTICATED: "AUTHENTICATED",
+  CLAIMING: "CLAIMING",
+  CLAIMED: "CLAIMED"
+};
+var OtelState = {
+  UNCONFIGURED: "UNCONFIGURED",
+  CONFIGURING: "CONFIGURING",
+  OWNS_PROVIDER: "OWNS_PROVIDER",
+  AUTO_ATTACHED: "AUTO_ATTACHED",
+  PROCESSOR_PRESENT: "PROCESSOR_PRESENT",
+  COEXISTENCE_FAILED: "COEXISTENCE_FAILED"
+};
+var VALID_CORE_TRANSITIONS = {
+  [CoreState.IDLE]: [CoreState.REGISTERING, CoreState.REGISTRATION_FAILED, CoreState.SHUTTING_DOWN],
+  [CoreState.REGISTERING]: [
+    CoreState.KEY_PENDING,
+    CoreState.PRODUCTION_DISABLED,
+    CoreState.REGISTRATION_FAILED,
+    CoreState.SHUTTING_DOWN
+  ],
+  [CoreState.KEY_PENDING]: [
+    CoreState.KEY_RESOLVED,
+    CoreState.REGISTRATION_FAILED,
+    CoreState.SHUTTING_DOWN
+  ],
+  [CoreState.KEY_RESOLVED]: [
+    CoreState.ACTIVE,
+    CoreState.ACTIVE_DEGRADED,
+    CoreState.SHUTTING_DOWN
+  ],
+  [CoreState.ACTIVE]: [
+    CoreState.ACTIVE_DEGRADED,
+    CoreState.SHUTTING_DOWN
+  ],
+  [CoreState.ACTIVE_DEGRADED]: [
+    CoreState.ACTIVE,
+    CoreState.SHUTTING_DOWN
+  ],
+  [CoreState.SHUTTING_DOWN]: [CoreState.SHUTDOWN],
+  [CoreState.SHUTDOWN]: [],
+  [CoreState.PRODUCTION_DISABLED]: [],
+  [CoreState.REGISTRATION_FAILED]: []
+};
+var VALID_AUTH_TRANSITIONS = {
+  [AuthState.ANONYMOUS]: [AuthState.CLAIMING],
+  [AuthState.AUTHENTICATED]: [AuthState.CLAIMING],
+  [AuthState.CLAIMING]: [AuthState.CLAIMED],
+  [AuthState.CLAIMED]: [AuthState.CLAIMING]
+};
+var VALID_OTEL_TRANSITIONS = {
+  [OtelState.UNCONFIGURED]: [OtelState.CONFIGURING],
+  [OtelState.CONFIGURING]: [
+    OtelState.OWNS_PROVIDER,
+    OtelState.AUTO_ATTACHED,
+    OtelState.PROCESSOR_PRESENT,
+    OtelState.COEXISTENCE_FAILED
+  ],
+  [OtelState.OWNS_PROVIDER]: [],
+  [OtelState.AUTO_ATTACHED]: [],
+  [OtelState.PROCESSOR_PRESENT]: [],
+  [OtelState.COEXISTENCE_FAILED]: []
+};
+var _coreState = CoreState.IDLE;
+var _authState = AuthState.ANONYMOUS;
+var _otelState = OtelState.UNCONFIGURED;
+var _emitter = new EventEmitter();
+var _logger = null;
+var _initialized = false;
+var _initWarned = false;
+var _coreReadyEmitted = false;
+var _authInitialized = false;
+var _emitting = false;
+function initLifecycle(options) {
+  if (_initialized) {
+    options.logger("warn", "[glasstrace] initLifecycle() called twice \u2014 ignored.");
+    return;
   }
-  return out;
+  _logger = options.logger;
+  _initialized = true;
+  _registerLifecycleEmitForBridge((event, payload) => {
+    emitLifecycleEvent(
+      event,
+      payload
+    );
+  });
 }
-function truncateErrorResponseBody(body) {
-  const encoder = new TextEncoder();
-  const encoded = encoder.encode(body);
-  if (encoded.byteLength <= ERROR_RESPONSE_BODY_MAX_BYTES) {
-    return body;
+function warnIfNotInitialized() {
+  if (!_initialized && !_initWarned) {
+    _initWarned = true;
+    console.warn(
+      "[glasstrace] Lifecycle state changed before initLifecycle() was called. Logger not available \u2014 errors will be silent."
+    );
   }
-  let cut = ERROR_RESPONSE_BODY_MAX_BYTES;
-  let scan = cut - 1;
-  while (scan >= 0 && (encoded[scan] & 192) === 128) {
-    scan -= 1;
+}
+function setCoreState(to) {
+  warnIfNotInitialized();
+  const from = _coreState;
+  if (from === to) return;
+  const valid = VALID_CORE_TRANSITIONS[from];
+  if (!valid.includes(to)) {
+    _logger?.(
+      "warn",
+      `[glasstrace] Invalid core state transition: ${from} \u2192 ${to}. Ignored.`
+    );
+    return;
   }
-  if (scan >= 0) {
-    const leading = encoded[scan];
-    let expected = 1;
-    if ((leading & 128) === 0) {
-      expected = 1;
-    } else if ((leading & 224) === 192) {
-      expected = 2;
-    } else if ((leading & 240) === 224) {
-      expected = 3;
-    } else if ((leading & 248) === 240) {
-      expected = 4;
+  _coreState = to;
+  if (_emitting) return;
+  _emitting = true;
+  try {
+    emitSafe("core:state_changed", { from, to });
+    const current = _coreState;
+    if (!_coreReadyEmitted && (current === CoreState.ACTIVE || current === CoreState.ACTIVE_DEGRADED)) {
+      _coreReadyEmitted = true;
+      emitSafe("core:ready", {});
     }
-    if (scan + expected > cut) {
-      cut = scan;
+    if (current === CoreState.SHUTTING_DOWN) {
+      emitSafe("core:shutdown_started", {});
     }
+    if (current === CoreState.SHUTDOWN) {
+      emitSafe("core:shutdown_completed", {});
+    }
+  } finally {
+    _emitting = false;
+  }
+  if (to === CoreState.ACTIVE && _degradationSources.size > 0) {
+    recomputeCoreFromDegradationSources();
   }
-  const decoder = new TextDecoder("utf-8", { fatal: false });
-  const sliced = encoded.subarray(0, cut);
-  const decoded = decoder.decode(sliced);
-  return decoded + ERROR_RESPONSE_BODY_TRUNCATION_MARKER;
-}
-function prepareErrorResponseBody(body) {
-  if (body.length === 0) return null;
-  if (body.trim().length === 0) return null;
-  const sanitized = sanitizeErrorResponseBody(body);
-  return truncateErrorResponseBody(sanitized);
 }
-
-// src/error-stack.ts
-var ERROR_STACK_MAX_BYTES = 8192;
-var ERROR_STACK_TRUNCATION_MARKER = "...[stack truncated]";
-var PATH_REDACTED = "<path>";
-var PATH_KEEP_MARKERS = [
-  "node_modules",
-  ".next",
-  ".glasstrace",
-  "src",
-  "dist",
-  "build",
-  "lib",
-  "app",
-  "pages"
-];
-var PATH_TOKEN_RE = /(?<=^|[\s(])(\/[^\s()<>]+|[A-Za-z]:\\[^\s()<>]+|file:\/\/\/[^\s()<>]+|webpack-internal:\/\/[^\s()<>]+|node:[^\s()<>]+)/g;
-var URL_QUERY_FRAGMENT_RE = /(\bhttps?:\/\/[^\s?#()<>]+)([?#][^\s()<>]*)/g;
-function normalizePathToken(token) {
-  let work = token;
-  if (work.startsWith("file:///")) {
-    work = work.slice("file://".length);
-  }
-  if (work.startsWith("webpack-internal:") || work.startsWith("node:")) {
-    return { token, changed: false };
-  }
-  const isPosixAbs = work.startsWith("/");
-  const isWinAbs = /^[A-Za-z]:\\/.test(work);
-  if (!isPosixAbs && !isWinAbs) {
-    return { token, changed: false };
+function initAuthState(state) {
+  if (_authInitialized) {
+    _logger?.(
+      "warn",
+      "[glasstrace] initAuthState() called after auth state already initialized. Ignored."
+    );
+    return;
   }
-  const sep = isWinAbs ? "\\" : "/";
-  let bestIdx = -1;
-  for (const marker of PATH_KEEP_MARKERS) {
-    const needle = `${sep}${marker}${sep}`;
-    const idx = work.lastIndexOf(needle);
-    if (idx >= 0) {
-      bestIdx = idx;
-      break;
-    }
+  _authInitialized = true;
+  _authState = state;
+}
+function setAuthState(to) {
+  warnIfNotInitialized();
+  const from = _authState;
+  if (from === to) return;
+  const valid = VALID_AUTH_TRANSITIONS[from];
+  if (!valid.includes(to)) {
+    _logger?.(
+      "warn",
+      `[glasstrace] Invalid auth state transition: ${from} \u2192 ${to}. Ignored.`
+    );
+    return;
   }
-  if (bestIdx >= 0) {
-    const kept = work.slice(bestIdx + sep.length);
-    const rebuilt2 = `${PATH_REDACTED}/${kept.replace(/\\/g, "/")}`;
-    return { token: rebuilt2, changed: true };
+  _authState = to;
+}
+function setOtelState(to) {
+  warnIfNotInitialized();
+  const from = _otelState;
+  if (from === to) return;
+  const valid = VALID_OTEL_TRANSITIONS[from];
+  if (!valid.includes(to)) {
+    _logger?.(
+      "warn",
+      `[glasstrace] Invalid OTel state transition: ${from} \u2192 ${to}. Ignored.`
+    );
+    return;
   }
-  const colonLineRe = /:\d+(?::\d+)?$/;
-  const lineMatch = colonLineRe.exec(work);
-  const pathBody = lineMatch ? work.slice(0, lineMatch.index) : work;
-  const lineSuffix = lineMatch ? work.slice(lineMatch.index) : "";
-  const lastSep = Math.max(pathBody.lastIndexOf("/"), pathBody.lastIndexOf("\\"));
-  const basename = lastSep >= 0 ? pathBody.slice(lastSep + 1) : pathBody;
-  const rebuilt = `${PATH_REDACTED}/${basename}${lineSuffix}`;
-  return { token: rebuilt, changed: true };
+  _otelState = to;
 }
-function sanitizeStack(stack) {
-  let changed = false;
-  const pathNormalized = stack.replace(PATH_TOKEN_RE, (token) => {
-    const out = normalizePathToken(token);
-    if (out.changed) changed = true;
-    return out.token;
-  });
-  const urlStripped = pathNormalized.replace(URL_QUERY_FRAGMENT_RE, (match, prefix) => {
-    if (match !== prefix) changed = true;
-    return prefix;
-  });
-  const credentialRedacted = sanitizeErrorResponseBody(urlStripped);
-  if (credentialRedacted !== urlStripped) changed = true;
-  return { stack: credentialRedacted, redacted: changed };
+var _degradationSources = /* @__PURE__ */ new Set();
+function pushDegradationSource(key) {
+  _degradationSources.add(key);
+  recomputeCoreFromDegradationSources();
 }
-function truncateStack(stack) {
-  const encoder = new TextEncoder();
-  const encoded = encoder.encode(stack);
-  if (encoded.byteLength <= ERROR_STACK_MAX_BYTES) {
-    return { stack, truncated: false };
-  }
-  let cut = ERROR_STACK_MAX_BYTES;
-  let scan = cut - 1;
-  while (scan >= 0 && (encoded[scan] & 192) === 128) {
-    scan -= 1;
+function clearDegradationSource(key) {
+  _degradationSources.delete(key);
+  recomputeCoreFromDegradationSources();
+}
+function recomputeCoreFromDegradationSources() {
+  const hasDegradation = _degradationSources.size > 0;
+  if (hasDegradation && _coreState === CoreState.ACTIVE) {
+    setCoreState(CoreState.ACTIVE_DEGRADED);
+    return;
   }
-  if (scan >= 0) {
-    const leading = encoded[scan];
-    let expected = 1;
-    if ((leading & 128) === 0) {
-      expected = 1;
-    } else if ((leading & 224) === 192) {
-      expected = 2;
-    } else if ((leading & 240) === 224) {
-      expected = 3;
-    } else if ((leading & 248) === 240) {
-      expected = 4;
-    }
-    if (scan + expected > cut) {
-      cut = scan;
-    }
+  if (!hasDegradation && _coreState === CoreState.ACTIVE_DEGRADED) {
+    setCoreState(CoreState.ACTIVE);
   }
-  const decoder = new TextDecoder("utf-8", { fatal: false });
-  const sliced = encoded.subarray(0, cut);
-  const decoded = decoder.decode(sliced);
-  return { stack: decoded + ERROR_STACK_TRUNCATION_MARKER, truncated: true };
 }
-function prepareStack(stack) {
-  if (stack.length === 0) return null;
-  if (stack.trim().length === 0) return null;
-  const sanitized = sanitizeStack(stack);
-  const truncated = truncateStack(sanitized.stack);
+function getCoreState() {
+  return _coreState;
+}
+function getSdkState() {
   return {
-    stack: truncated.stack,
-    truncated: truncated.truncated,
-    redacted: sanitized.redacted
+    core: _coreState,
+    auth: _authState,
+    otel: _otelState
   };
 }
-
-// src/build-info.ts
-var UNSET = "";
-var SHA_SHAPE = /^[0-9a-f]{7,64}$/i;
-function redactBuildHash(value) {
-  const sanitize = (s) => s.replace(/[\x00-\x1F\x7F]/g, "?");
-  if (value.length <= 12) return sanitize(value.slice(0, 4)) + "...";
-  return sanitize(value.slice(0, 8)) + "..." + sanitize(value.slice(-4));
+function onLifecycleEvent(event, listener) {
+  _emitter.on(event, listener);
 }
-function readBuildHashFromEnv() {
-  const raw = process.env.GLASSTRACE_BUILD_HASH;
-  if (typeof raw !== "string") return UNSET;
-  const trimmed = raw.trim();
-  if (trimmed.length === 0) return UNSET;
-  if (!SHA_SHAPE.test(trimmed)) {
-    sdkLog(
-      "warn",
-      `[glasstrace] warning: GLASSTRACE_BUILD_HASH=${redactBuildHash(trimmed)} does not match expected SHA shape (7-64 hex characters); source-map enrichment may not work as expected.`
-    );
-  }
-  return trimmed;
+function emitLifecycleEvent(event, payload) {
+  emitSafe(event, payload);
 }
-var cachedBuildHash = null;
-function getBuildHash() {
-  if (cachedBuildHash === null) {
-    cachedBuildHash = readBuildHashFromEnv();
+function offLifecycleEvent(event, listener) {
+  _emitter.off(event, listener);
+}
+function emitSafe(event, payload) {
+  const listeners = _emitter.listeners(event);
+  for (const listener of listeners) {
+    try {
+      const result = listener(payload);
+      if (result && typeof result.catch === "function") {
+        result.catch((err) => {
+          _logger?.(
+            "error",
+            `[glasstrace] Async error in lifecycle event listener for "${event}": ${err instanceof Error ? err.message : String(err)}`
+          );
+        });
+      }
+    } catch (err) {
+      _logger?.(
+        "error",
+        `[glasstrace] Error in lifecycle event listener for "${event}": ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
   }
-  return cachedBuildHash === UNSET ? void 0 : cachedBuildHash;
 }
-
-// src/enriching-exporter.ts
-var ATTR = GLASSTRACE_ATTRIBUTE_NAMES;
-var API_KEY_PENDING = "pending";
-var MAX_PENDING_SPANS = 1024;
-var GlasstraceExporter = class {
-  getApiKey;
-  sessionManager;
-  getConfig;
-  environment;
-  endpointUrl;
-  createDelegateFn;
-  verbose;
-  delegate = null;
-  delegateKey = null;
-  pendingBatches = [];
-  pendingSpanCount = 0;
-  overflowLogged = false;
-  constructor(options) {
-    this.getApiKey = options.getApiKey;
-    this.sessionManager = options.sessionManager;
-    this.getConfig = options.getConfig;
-    this.environment = options.environment;
-    this.endpointUrl = options.endpointUrl;
-    this.createDelegateFn = options.createDelegate;
-    this.verbose = options.verbose ?? false;
-    this[/* @__PURE__ */ Symbol.for("glasstrace.exporter")] = true;
+function isReady() {
+  return _coreState === CoreState.ACTIVE || _coreState === CoreState.ACTIVE_DEGRADED;
+}
+function waitForReady(timeoutMs = 3e4) {
+  if (isReady()) {
+    return Promise.resolve();
   }
-  export(spans, resultCallback) {
-    const currentKey = this.getApiKey();
-    if (currentKey === API_KEY_PENDING) {
-      this.bufferSpans(spans, resultCallback);
-      return;
-    }
-    const enrichedSpans = spans.map((span) => this.enrichSpan(span));
-    const exporter = this.ensureDelegate();
-    if (exporter) {
-      exporter.export(enrichedSpans, (result) => {
-        if (result.code !== 0) {
-          sdkLog("warn", `[glasstrace] Span export failed: ${result.error?.message ?? "unknown error"}`);
-        }
-        resultCallback(result);
-      });
-      recordSpansExported(enrichedSpans.length);
-    } else {
-      recordSpansDropped(enrichedSpans.length);
-      resultCallback({ code: 0 });
-    }
+  if (_coreState === CoreState.PRODUCTION_DISABLED || _coreState === CoreState.REGISTRATION_FAILED || _coreState === CoreState.SHUTTING_DOWN || _coreState === CoreState.SHUTDOWN) {
+    return Promise.reject(new Error(`SDK is in terminal state: ${_coreState}`));
   }
-  /**
-   * Called when the API key transitions from "pending" to a resolved value.
-   * Creates the delegate exporter and flushes all buffered spans.
-   */
-  notifyKeyResolved() {
-    this.flushPending();
-  }
-  async shutdown() {
-    const currentKey = this.getApiKey();
-    if (currentKey !== API_KEY_PENDING && this.pendingBatches.length > 0) {
-      this.flushPending();
-    } else if (this.pendingBatches.length > 0) {
-      console.warn(
-        `[glasstrace] Shutdown with ${this.pendingSpanCount} buffered spans \u2014 API key never resolved, spans lost.`
-      );
-      recordSpansDropped(this.pendingSpanCount);
-      for (const batch of this.pendingBatches) {
-        batch.resultCallback({ code: 0 });
+  return new Promise((resolve2, reject) => {
+    let settled = false;
+    const listener = ({ to }) => {
+      if (settled) return;
+      if (to === CoreState.ACTIVE || to === CoreState.ACTIVE_DEGRADED) {
+        settled = true;
+        offLifecycleEvent("core:state_changed", listener);
+        resolve2();
+      } else if (to === CoreState.PRODUCTION_DISABLED || to === CoreState.REGISTRATION_FAILED || to === CoreState.SHUTTING_DOWN || to === CoreState.SHUTDOWN) {
+        settled = true;
+        offLifecycleEvent("core:state_changed", listener);
+        reject(new Error(`SDK reached terminal state: ${to}`));
+      }
+    };
+    onLifecycleEvent("core:state_changed", listener);
+    if (timeoutMs > 0) {
+      const timer = setTimeout(() => {
+        if (settled) return;
+        settled = true;
+        offLifecycleEvent("core:state_changed", listener);
+        reject(new Error(`waitForReady timed out after ${timeoutMs}ms (state: ${_coreState})`));
+      }, timeoutMs);
+      if (typeof timer === "object" && "unref" in timer) {
+        timer.unref();
       }
-      this.pendingBatches = [];
-      this.pendingSpanCount = 0;
-    }
-    if (this.delegate) {
-      return this.delegate.shutdown();
     }
+  });
+}
+function getStatus() {
+  let mode;
+  if (_coreState === CoreState.PRODUCTION_DISABLED) {
+    mode = "disabled";
+  } else if (_authState === AuthState.CLAIMING || _authState === AuthState.CLAIMED) {
+    mode = "claiming";
+  } else if (_authState === AuthState.AUTHENTICATED) {
+    mode = "authenticated";
+  } else {
+    mode = "anonymous";
   }
-  /**
-   * Flushes any pending buffered spans (if the API key has resolved) and
-   * delegates to the underlying exporter's forceFlush to drain its queue.
-   */
-  forceFlush() {
-    if (this.getApiKey() !== API_KEY_PENDING && this.pendingBatches.length > 0) {
-      this.flushPending();
-    }
-    if (this.delegate?.forceFlush) {
-      return this.delegate.forceFlush();
-    }
-    return Promise.resolve();
+  let tracing;
+  if (_otelState === OtelState.COEXISTENCE_FAILED || _otelState === OtelState.UNCONFIGURED || _otelState === OtelState.CONFIGURING) {
+    tracing = "not-configured";
+  } else if (_coreState === CoreState.ACTIVE_DEGRADED) {
+    tracing = "degraded";
+  } else if (_otelState === OtelState.AUTO_ATTACHED || _otelState === OtelState.PROCESSOR_PRESENT) {
+    tracing = "coexistence";
+  } else {
+    tracing = "active";
   }
-  /**
-   * Enriches a ReadableSpan with all glasstrace.* attributes.
-   * Returns a new ReadableSpan wrapper; the original span is not mutated.
-   *
-   * Only {@link SessionManager.getSessionId} is individually guarded because
-   * it calls into crypto and schema validation — a session ID failure should
-   * not prevent the rest of enrichment. The other helper calls
-   * ({@link deriveErrorCategory}, {@link deriveOrmProvider},
-   * {@link classifyFetchTarget}) are pure functions on typed string inputs
-   * and rely on the outer catch for any unexpected failure.
-   *
-   * On total failure, returns the original span unchanged.
-   */
-  enrichSpan(span) {
+  return {
+    ready: isReady(),
+    mode,
+    tracing
+  };
+}
+var _shutdownHooks = [];
+var _signalHandlersRegistered = false;
+var _signalHandler = null;
+var _beforeExitRegistered = false;
+var _beforeExitHandler = null;
+var _shutdownExecuted = false;
+function registerShutdownHook(hook) {
+  _shutdownHooks.push(hook);
+  _shutdownHooks.sort((a, b) => a.priority - b.priority);
+}
+async function executeShutdown(timeoutMs = 5e3) {
+  if (_shutdownExecuted) return;
+  _shutdownExecuted = true;
+  setCoreState(CoreState.SHUTTING_DOWN);
+  for (const hook of _shutdownHooks) {
     try {
-      const attrs = span.attributes ?? {};
-      const name = span.name ?? "";
-      const extra = {};
-      extra[ATTR.TRACE_TYPE] = "server";
-      try {
-        const sessionId = this.sessionManager.getSessionId(this.getApiKey());
-        extra[ATTR.SESSION_ID] = sessionId;
-      } catch {
-      }
-      const env = this.environment ?? process.env.GLASSTRACE_ENV;
-      if (env) {
-        extra[ATTR.ENVIRONMENT] = env;
-      }
-      const buildHash = getBuildHash();
-      if (buildHash) {
-        extra[ATTR.BUILD_HASH] = buildHash;
-      }
-      const existingCid = attrs["glasstrace.correlation.id"];
-      if (typeof existingCid === "string") {
-        extra[ATTR.CORRELATION_ID] = existingCid;
-      }
-      const rawRoute = attrs["http.route"];
-      const route = typeof rawRoute === "string" ? rawRoute : name;
-      if (route) {
-        extra[ATTR.ROUTE] = route;
-      }
-      const rawUrlAttr = attrs["http.url"] ?? attrs["url.full"] ?? attrs["http.target"];
-      const rawHttpUrl = typeof rawUrlAttr === "string" ? rawUrlAttr : void 0;
-      if (rawHttpUrl) {
-        const trpcMatch = rawHttpUrl.match(/\/api\/trpc\/([^/?#]+)/);
-        if (trpcMatch) {
-          let procedure;
-          try {
-            procedure = decodeURIComponent(trpcMatch[1]);
-          } catch {
-            procedure = trpcMatch[1];
-          }
-          if (procedure) {
-            extra[ATTR.TRPC_PROCEDURE] = procedure;
-          }
-        }
-      }
-      const method = attrs["http.method"] ?? attrs["http.request.method"];
-      if (method) {
-        extra[ATTR.HTTP_METHOD] = method;
-      }
-      const actionRoute = extractLeadingPath(route);
-      if (method === "POST" && actionRoute) {
-        const isApiRoute = actionRoute === "/api" || actionRoute.startsWith("/api/");
-        const isInternalRoute = actionRoute.startsWith("/_next/");
-        if (!isApiRoute && !isInternalRoute) {
-          extra[ATTR.NEXT_ACTION_DETECTED] = true;
-          if (typeof extra[ATTR.CORRELATION_ID] !== "string") {
-            maybeShowServerActionNudge();
-          }
-        }
-      }
-      const statusCode = coerceHttpStatus(attrs["http.status_code"]) ?? coerceHttpStatus(attrs["http.response.status_code"]);
-      if (statusCode !== void 0) {
-        extra[ATTR.HTTP_STATUS_CODE] = statusCode;
-      }
-      const isErrorByStatus = span.status?.code === SpanStatusCode.ERROR;
-      const isErrorByEvent = hasExceptionEvent(span);
-      const isErrorByAttrs = typeof attrs["exception.type"] === "string" || typeof attrs["exception.message"] === "string";
-      const statusNotExplicitlyOK = span.status?.code !== SpanStatusCode.OK;
-      if (this.verbose && method) {
-        sdkLog(
-          "info",
-          `[glasstrace] enrichSpan "${name}": status.code=${span.status?.code}, http.status_code=${statusCode}, isErrorByStatus=${isErrorByStatus}, isErrorByEvent=${isErrorByEvent}, isErrorByAttrs=${isErrorByAttrs}`
-        );
-      }
-      if (method && statusNotExplicitlyOK && (isErrorByStatus || isErrorByEvent || isErrorByAttrs)) {
-        if (statusCode === void 0 || statusCode === 0 || statusCode === 200) {
-          const httpErrorType = attrs["error.type"];
-          if (typeof httpErrorType === "string") {
-            const parsed = parseInt(httpErrorType, 10);
-            if (!isNaN(parsed) && parsed >= 400 && parsed <= 599) {
-              extra[ATTR.HTTP_STATUS_CODE] = parsed;
-            } else {
-              extra[ATTR.HTTP_STATUS_CODE] = 500;
-            }
-          } else {
-            extra[ATTR.HTTP_STATUS_CODE] = 500;
-          }
-          if (this.verbose) {
-            sdkLog(
-              "info",
-              `[glasstrace] enrichSpan "${name}": inferred status_code=${extra[ATTR.HTTP_STATUS_CODE]} (was ${statusCode}), error.type=${attrs["error.type"]}`
-            );
+      const hookPromise = hook.fn();
+      hookPromise.catch(() => {
+      });
+      await Promise.race([
+        hookPromise,
+        new Promise((_, reject) => {
+          const timer = setTimeout(() => reject(new Error(`Shutdown hook "${hook.name}" timed out`)), timeoutMs);
+          if (typeof timer === "object" && "unref" in timer) {
+            timer.unref();
           }
-        }
-      }
-      if (span.startTime && span.endTime) {
-        const [startSec, startNano] = span.startTime;
-        const [endSec, endNano] = span.endTime;
-        const durationMs = (endSec - startSec) * 1e3 + (endNano - startNano) / 1e6;
-        if (durationMs >= 0) {
-          extra[ATTR.HTTP_DURATION_MS] = durationMs;
-        }
+        })
+      ]);
+    } catch (err) {
+      _logger?.(
+        "warn",
+        `[glasstrace] Shutdown hook "${hook.name}" failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  setCoreState(CoreState.SHUTDOWN);
+}
+function registerSignalHandlers() {
+  if (_signalHandlersRegistered) return;
+  if (typeof process === "undefined" || typeof process.once !== "function") return;
+  _signalHandlersRegistered = true;
+  const otherSigtermListeners = process.listenerCount("SIGTERM");
+  const otherSigintListeners = process.listenerCount("SIGINT");
+  const handler = (signal) => {
+    void executeShutdown().finally(() => {
+      if (_signalHandler) {
+        process.removeListener("SIGTERM", _signalHandler);
+        process.removeListener("SIGINT", _signalHandler);
       }
-      const eventDetails = statusNotExplicitlyOK ? getExceptionEventDetails(span) : { type: void 0, message: void 0, stacktrace: void 0 };
-      let errorSource;
-      const attrMessage = attrs["exception.message"];
-      if (eventDetails.message) {
-        extra[ATTR.ERROR_MESSAGE] = eventDetails.message;
-        errorSource = "otel_exception";
-      } else if (typeof attrMessage === "string") {
-        extra[ATTR.ERROR_MESSAGE] = attrMessage;
-        errorSource = "otel_event";
+      const otherListeners = signal === "SIGTERM" ? otherSigtermListeners : otherSigintListeners;
+      const otherProviderOwnsSignal = getCoexistenceState() === "coexisting" && otherListeners > 0;
+      if (!otherProviderOwnsSignal) {
+        process.kill(process.pid, signal);
       }
-      const attrType = attrs["exception.type"];
-      if (eventDetails.type) {
-        extra[ATTR.ERROR_CODE] = eventDetails.type;
-        extra[ATTR.ERROR_CATEGORY] = deriveErrorCategory(eventDetails.type);
-        errorSource = errorSource ?? "otel_exception";
-      } else if (typeof attrType === "string") {
-        extra[ATTR.ERROR_CODE] = attrType;
-        extra[ATTR.ERROR_CATEGORY] = deriveErrorCategory(attrType);
-        errorSource = errorSource ?? "otel_event";
-      }
-      if (statusNotExplicitlyOK) {
-        const rawStack = eventDetails.stacktrace ?? (typeof attrs["exception.stacktrace"] === "string" ? attrs["exception.stacktrace"] : void 0);
-        if (rawStack) {
-          const prepared = prepareStack(rawStack);
-          if (prepared !== null) {
-            extra[ATTR.ERROR_STACK] = prepared.stack;
-            extra[ATTR.ERROR_STACK_TRUNCATED] = prepared.truncated;
-            extra[ATTR.ERROR_STACK_REDACTED] = prepared.redacted;
-            errorSource = errorSource ?? (eventDetails.stacktrace ? "otel_exception" : "otel_event");
-          }
-        }
-      }
-      const routeIsFallback = route === "/_error" || route === "/_not-found" || route === "/_404" || route === "/_500";
-      if (routeIsFallback && rawHttpUrl) {
-        const originalPath = extractPathOnly(rawHttpUrl);
-        const normOriginal = stripTrailingSlash(originalPath);
-        const normRoute = stripTrailingSlash(route);
-        if (normOriginal && normOriginal !== normRoute) {
-          extra[ATTR.ERROR_ORIGINAL_PATH] = normOriginal;
-          extra[ATTR.ERROR_FALLBACK_ROUTE] = route;
-          extra[ATTR.ERROR_FRAMEWORK_KIND] = "fallback";
-          errorSource = errorSource ?? "framework_fallback";
-        }
-      }
-      if (errorSource !== void 0) {
-        extra[ATTR.ERROR_SOURCE] = errorSource;
-      }
-      if (this.verbose && (extra[ATTR.ERROR_MESSAGE] || extra[ATTR.ERROR_CODE])) {
-        const msgSource = eventDetails.message ? "event" : typeof attrMessage === "string" ? "attrs" : "none";
-        const typeSource = eventDetails.type ? "event" : typeof attrType === "string" ? "attrs" : "none";
-        sdkLog(
-          "info",
-          `[glasstrace] enrichSpan "${name}": error.message source=${msgSource}, error.code source=${typeSource}`
-        );
-      }
-      const errorField = attrs["error.field"];
-      if (typeof errorField === "string") {
-        extra[ATTR.ERROR_FIELD] = errorField;
-      }
-      if (this.getConfig().errorResponseBodies) {
-        const responseBody = attrs["glasstrace.internal.response_body"];
-        if (typeof responseBody === "string") {
-          const enrichedStatus = extra[ATTR.HTTP_STATUS_CODE];
-          const effectiveStatus = typeof enrichedStatus === "number" ? enrichedStatus : statusCode;
-          if (isHttpErrorStatus(effectiveStatus)) {
-            const prepared = prepareErrorResponseBody(responseBody);
-            if (prepared !== null) {
-              extra[ATTR.ERROR_RESPONSE_BODY] = prepared;
-            }
-          }
-        }
-      }
-      const spanAny = span;
-      const instrumentationName = spanAny.instrumentationScope?.name ?? spanAny.instrumentationLibrary?.name ?? "";
-      const ormProvider = deriveOrmProvider(instrumentationName);
-      if (ormProvider) {
-        extra[ATTR.ORM_PROVIDER] = ormProvider;
-        const table = attrs["db.sql.table"];
-        const prismaModel = attrs["db.prisma.model"];
-        const model = typeof table === "string" ? table : typeof prismaModel === "string" ? prismaModel : void 0;
-        if (model) {
-          extra[ATTR.ORM_MODEL] = model;
-        }
-        const operation = attrs["db.operation"];
-        if (typeof operation === "string") {
-          extra[ATTR.ORM_OPERATION] = operation;
-        }
-      }
-      const httpUrl = attrs["http.url"];
-      const fullUrl = attrs["url.full"];
-      const url = typeof httpUrl === "string" ? httpUrl : typeof fullUrl === "string" ? fullUrl : void 0;
-      if (url && span.kind === SpanKind.CLIENT) {
-        extra[ATTR.FETCH_TARGET] = classifyFetchTarget(url);
-      }
-      return createEnrichedSpan(span, extra);
-    } catch {
-      return span;
-    }
-  }
-  /**
-   * Lazily creates the delegate OTLP exporter once the API key is resolved.
-   * Recreates the delegate if the key has changed (e.g., after key rotation)
-   * so the Authorization header stays current.
-   */
-  ensureDelegate() {
-    if (!this.createDelegateFn) return null;
-    const currentKey = this.getApiKey();
-    if (currentKey === API_KEY_PENDING) return null;
-    if (this.delegate && this.delegateKey === currentKey) {
-      return this.delegate;
-    }
-    if (this.delegate) {
-      void this.delegate.shutdown?.().catch(() => {
-      });
-    }
-    this.delegate = this.createDelegateFn(this.endpointUrl, {
-      Authorization: `Bearer ${currentKey}`
     });
-    this.delegateKey = currentKey;
-    return this.delegate;
-  }
-  /**
-   * Buffers raw (unenriched) spans while the API key is pending.
-   * Evicts oldest batches if the buffer exceeds MAX_PENDING_SPANS.
-   * Re-checks the key after buffering to close the race window where
-   * the key resolves between the caller's check and this buffer call.
-   */
-  bufferSpans(spans, resultCallback) {
-    this.pendingBatches.push({ spans, resultCallback });
-    this.pendingSpanCount += spans.length;
-    while (this.pendingSpanCount > MAX_PENDING_SPANS && this.pendingBatches.length > 1) {
-      const evicted = this.pendingBatches.shift();
-      this.pendingSpanCount -= evicted.spans.length;
-      recordSpansDropped(evicted.spans.length);
-      evicted.resultCallback({ code: 0 });
-      if (!this.overflowLogged) {
-        this.overflowLogged = true;
-        console.warn(
-          "[glasstrace] Pending span buffer overflow \u2014 oldest spans evicted. This usually means the API key is taking too long to resolve."
-        );
-      }
-    }
-    if (this.getApiKey() !== API_KEY_PENDING) {
-      this.flushPending();
-    }
-  }
-  /**
-   * Flushes all buffered spans through the delegate exporter.
-   * Enriches spans at flush time (not buffer time) so that session IDs
-   * are computed with the resolved API key instead of the "pending" sentinel.
-   */
-  flushPending() {
-    if (this.pendingBatches.length === 0) return;
-    const exporter = this.ensureDelegate();
-    if (!exporter) {
-      let discardedCount = 0;
-      for (const batch of this.pendingBatches) {
-        discardedCount += batch.spans.length;
-        batch.resultCallback({ code: 0 });
-      }
-      recordSpansDropped(discardedCount);
-      this.pendingBatches = [];
-      this.pendingSpanCount = 0;
-      return;
-    }
-    const batches = this.pendingBatches;
-    this.pendingBatches = [];
-    this.pendingSpanCount = 0;
-    for (const batch of batches) {
-      const enriched = batch.spans.map((span) => this.enrichSpan(span));
-      exporter.export(enriched, (result) => {
-        if (result.code !== 0) {
-          sdkLog("warn", `[glasstrace] Span export failed: ${result.error?.message ?? "unknown error"}`);
-        }
-        batch.resultCallback(result);
-      });
-      recordSpansExported(enriched.length);
-    }
-  }
-};
-function createEnrichedSpan(span, extra) {
-  const enrichedAttributes = { ...span.attributes, ...extra };
-  return Object.create(span, {
-    attributes: {
-      value: enrichedAttributes,
-      enumerable: true
-    }
-  });
-}
-function hasExceptionEvent(span) {
-  return span.events?.some((e) => e.name === "exception") ?? false;
+  };
+  _signalHandler = handler;
+  process.once("SIGTERM", handler);
+  process.once("SIGINT", handler);
 }
-function getExceptionEventDetails(span) {
-  const event = span.events?.find((e) => e.name === "exception");
-  if (!event?.attributes) {
-    return { type: void 0, message: void 0, stacktrace: void 0 };
-  }
-  const type = event.attributes["exception.type"];
-  const message = event.attributes["exception.message"];
-  const stacktrace = event.attributes["exception.stacktrace"];
-  return {
-    type: typeof type === "string" ? type : void 0,
-    message: typeof message === "string" ? message : void 0,
-    stacktrace: typeof stacktrace === "string" ? stacktrace : void 0
+function registerBeforeExitTrigger() {
+  if (_beforeExitRegistered) return;
+  if (typeof process === "undefined" || typeof process.once !== "function") return;
+  _beforeExitRegistered = true;
+  const handler = () => {
+    void executeShutdown();
   };
+  _beforeExitHandler = handler;
+  process.once("beforeExit", handler);
 }
-function extractLeadingPath(raw) {
-  if (!raw) return void 0;
-  const trimmed = raw.trim();
-  if (trimmed.length === 0) return void 0;
-  if (trimmed.startsWith("/")) {
-    const firstSpace = trimmed.indexOf(" ");
-    return firstSpace === -1 ? trimmed : trimmed.slice(0, firstSpace);
-  }
-  for (const token of trimmed.split(/\s+/)) {
-    if (token.startsWith("/")) {
-      return token;
-    }
+
+// src/error-response-body.ts
+var ERROR_RESPONSE_BODY_MAX_BYTES = 4096;
+var ERROR_RESPONSE_BODY_TRUNCATION_MARKER = "...[truncated]";
+var REDACTED = "[REDACTED]";
+var ERROR_STATUS_MIN = 400;
+var ERROR_STATUS_MAX = 599;
+function coerceHttpStatus(value) {
+  let numeric;
+  if (typeof value === "number") {
+    numeric = value;
+  } else if (typeof value === "string") {
+    const trimmed = value.trim();
+    if (trimmed.length === 0) return void 0;
+    numeric = Number(trimmed);
+  } else {
+    return void 0;
   }
-  return void 0;
+  return Number.isFinite(numeric) ? numeric : void 0;
 }
-function stripTrailingSlash(path3) {
-  if (!path3) return path3;
-  if (path3 === "/") return path3;
-  return path3.endsWith("/") ? path3.slice(0, -1) : path3;
+function isHttpErrorStatus(status) {
+  const numeric = coerceHttpStatus(status);
+  if (numeric === void 0) return false;
+  return numeric >= ERROR_STATUS_MIN && numeric <= ERROR_STATUS_MAX;
 }
-function extractPathOnly(raw) {
-  if (!raw) return void 0;
-  const trimmed = raw.trim();
-  if (trimmed.length === 0) return void 0;
-  const isAbsoluteUrl = /^https?:\/\//i.test(trimmed);
-  const isProtocolRelative = trimmed.startsWith("//");
-  if (isAbsoluteUrl || isProtocolRelative) {
-    try {
-      const parsed = new URL(trimmed, "http://_/");
-      if (parsed.pathname && parsed.pathname.startsWith("/")) {
-        return parsed.pathname;
-      }
-    } catch {
-    }
-  }
-  if (trimmed.startsWith("/")) {
-    const queryIdx = trimmed.indexOf("?");
-    const fragIdx = trimmed.indexOf("#");
-    let cut = trimmed.length;
-    if (queryIdx >= 0) cut = Math.min(cut, queryIdx);
-    if (fragIdx >= 0) cut = Math.min(cut, fragIdx);
-    return trimmed.slice(0, cut);
+var REDACTION_PATTERNS = [
+  // Order matters: redact specific token shapes BEFORE the generic
+  // key=value catcher so a literal `Bearer eyJ…` collapses into a single
+  // [REDACTED] and the JWT regex does not separately match the suffix.
+  {
+    name: "bearer",
+    // Case-insensitive on the scheme: HTTP frameworks and proxies
+    // round-trip the auth scheme with inconsistent casing
+    // (`Bearer`, `bearer`, `BEARER`), and a real token leaks just as
+    // badly under any of them.
+    pattern: /\bBearer\s+[A-Za-z0-9._\-+/=]+/gi
+  },
+  {
+    name: "jwt",
+    // Three base64url segments separated by dots. Real JWTs encode at
+    // minimum a small JSON header in the first segment, which alone is
+    // typically ≥10 chars after base64url; a 16-char floor avoids false
+    // positives on dotted text like a stack-trace frame
+    // (`react.dom.server`) while still catching every real JWT we have
+    // seen in the wild. Anchored with word boundaries on both sides so
+    // a 3-dot semantic version like "next@15.4.1.2" does not match.
+    pattern: /\b[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g
+  },
+  {
+    name: "glasstrace-api-key",
+    // gt_dev_* and gt_anon_* keys are >=24 chars of [A-Za-z0-9].
+    pattern: /\bgt_(?:dev|anon)_[A-Za-z0-9]{16,}\b/g
+  },
+  {
+    name: "aws-access-key",
+    // 20-char prefix-fixed identifier.
+    pattern: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g
+  },
+  {
+    name: "key-value-secret-quoted",
+    // Quoted-string variant: (key) [:=] "<value>". The value runs to
+    // the next unescaped closing quote so a multi-word secret like
+    // `password="my secret phrase"` is fully consumed instead of
+    // splitting at the first space and leaving the tail visible.
+    // The leading `(?<![A-Za-z0-9_])` prevents matching inside
+    // identifiers like `passwordless`. The trailing `"?` after the
+    // keyword absorbs the closing quote in JSON-style `"apikey":
+    // "value"` so the colon is still seen as the separator.
+    pattern: /(?<![A-Za-z0-9_])(?:api[_-]?key|apikey|secret|password|token)"?\s*[:=]\s*"(?:[^"\\]|\\.)*"/gi
+  },
+  {
+    name: "key-value-secret-bare",
+    // Unquoted variant: (key) [:=] <bare-value>. The bare value
+    // capture stops at common JSON/text delimiters so we redact only
+    // the value, not surrounding structure. Listed AFTER the quoted
+    // variant so a quoted value's surrounding `"` are consumed by
+    // the first pattern and we never fall through here for a quoted
+    // secret.
+    pattern: /(?<![A-Za-z0-9_])(?:api[_-]?key|apikey|secret|password|token)"?\s*[:=]\s*[^\s,;}\]"]+/gi
   }
-  return void 0;
+];
+function sanitizeErrorResponseBody(body) {
+  let out = body;
+  for (const { pattern } of REDACTION_PATTERNS) {
+    out = out.replace(pattern, REDACTED);
+  }
+  return out;
 }
-function deriveOrmProvider(instrumentationName) {
-  const lower = instrumentationName.toLowerCase();
-  if (lower.includes("prisma")) {
-    return "prisma";
+function truncateErrorResponseBody(body) {
+  const encoder = new TextEncoder();
+  const encoded = encoder.encode(body);
+  if (encoded.byteLength <= ERROR_RESPONSE_BODY_MAX_BYTES) {
+    return body;
   }
-  if (lower.includes("drizzle")) {
-    return "drizzle";
+  let cut = ERROR_RESPONSE_BODY_MAX_BYTES;
+  let scan = cut - 1;
+  while (scan >= 0 && (encoded[scan] & 192) === 128) {
+    scan -= 1;
   }
-  return null;
+  if (scan >= 0) {
+    const leading = encoded[scan];
+    let expected = 1;
+    if ((leading & 128) === 0) {
+      expected = 1;
+    } else if ((leading & 224) === 192) {
+      expected = 2;
+    } else if ((leading & 240) === 224) {
+      expected = 3;
+    } else if ((leading & 248) === 240) {
+      expected = 4;
+    }
+    if (scan + expected > cut) {
+      cut = scan;
+    }
+  }
+  const decoder = new TextDecoder("utf-8", { fatal: false });
+  const sliced = encoded.subarray(0, cut);
+  const decoded = decoder.decode(sliced);
+  return decoded + ERROR_RESPONSE_BODY_TRUNCATION_MARKER;
 }
-function deriveErrorCategory(errorType) {
-  const lower = errorType.toLowerCase();
-  if (lower.includes("validation") || lower.includes("zod")) {
-    return "validation";
+function prepareErrorResponseBody(body) {
+  if (body.length === 0) return null;
+  if (body.trim().length === 0) return null;
+  const sanitized = sanitizeErrorResponseBody(body);
+  return truncateErrorResponseBody(sanitized);
+}
+
+// src/error-stack.ts
+var ERROR_STACK_MAX_BYTES = 8192;
+var ERROR_STACK_TRUNCATION_MARKER = "...[stack truncated]";
+var PATH_REDACTED = "<path>";
+var PATH_KEEP_MARKERS = [
+  "node_modules",
+  ".next",
+  ".glasstrace",
+  "src",
+  "dist",
+  "build",
+  "lib",
+  "app",
+  "pages"
+];
+var PATH_TOKEN_RE = /(?<=^|[\s(])(\/[^\s()<>]+|[A-Za-z]:\\[^\s()<>]+|file:\/\/\/[^\s()<>]+|webpack-internal:\/\/[^\s()<>]+|node:[^\s()<>]+)/g;
+var URL_QUERY_FRAGMENT_RE = /(\bhttps?:\/\/[^\s?#()<>]+)([?#][^\s()<>]*)/g;
+function normalizePathToken(token) {
+  let work = token;
+  if (work.startsWith("file:///")) {
+    work = work.slice("file://".length);
   }
-  if (lower.includes("network") || lower.includes("econnrefused") || lower.includes("fetch") || lower.includes("timeout")) {
-    return "network";
+  if (work.startsWith("webpack-internal:") || work.startsWith("node:")) {
+    return { token, changed: false };
   }
-  if (lower.includes("auth") || lower.includes("unauthorized") || lower.includes("forbidden")) {
-    return "auth";
+  const isPosixAbs = work.startsWith("/");
+  const isWinAbs = /^[A-Za-z]:\\/.test(work);
+  if (!isPosixAbs && !isWinAbs) {
+    return { token, changed: false };
   }
-  if (lower.includes("notfound") || lower.includes("not_found")) {
-    return "not-found";
+  const sep = isWinAbs ? "\\" : "/";
+  let bestIdx = -1;
+  for (const marker of PATH_KEEP_MARKERS) {
+    const needle = `${sep}${marker}${sep}`;
+    const idx = work.lastIndexOf(needle);
+    if (idx >= 0) {
+      bestIdx = idx;
+      break;
+    }
   }
-  return "internal";
+  if (bestIdx >= 0) {
+    const kept = work.slice(bestIdx + sep.length);
+    const rebuilt2 = `${PATH_REDACTED}/${kept.replace(/\\/g, "/")}`;
+    return { token: rebuilt2, changed: true };
+  }
+  const colonLineRe = /:\d+(?::\d+)?$/;
+  const lineMatch = colonLineRe.exec(work);
+  const pathBody = lineMatch ? work.slice(0, lineMatch.index) : work;
+  const lineSuffix = lineMatch ? work.slice(lineMatch.index) : "";
+  const lastSep = Math.max(pathBody.lastIndexOf("/"), pathBody.lastIndexOf("\\"));
+  const basename = lastSep >= 0 ? pathBody.slice(lastSep + 1) : pathBody;
+  const rebuilt = `${PATH_REDACTED}/${basename}${lineSuffix}`;
+  return { token: rebuilt, changed: true };
 }
-
-// src/lifecycle.ts
-import { EventEmitter } from "node:events";
-
-// src/signal-handler.ts
-var coexistenceState = "unknown";
-function setCoexistenceState(s) {
-  coexistenceState = s;
+function sanitizeStack(stack) {
+  let changed = false;
+  const pathNormalized = stack.replace(PATH_TOKEN_RE, (token) => {
+    const out = normalizePathToken(token);
+    if (out.changed) changed = true;
+    return out.token;
+  });
+  const urlStripped = pathNormalized.replace(URL_QUERY_FRAGMENT_RE, (match, prefix) => {
+    if (match !== prefix) changed = true;
+    return prefix;
+  });
+  const credentialRedacted = sanitizeErrorResponseBody(urlStripped);
+  if (credentialRedacted !== urlStripped) changed = true;
+  return { stack: credentialRedacted, redacted: changed };
 }
-function getCoexistenceState() {
-  return coexistenceState;
+function truncateStack(stack) {
+  const encoder = new TextEncoder();
+  const encoded = encoder.encode(stack);
+  if (encoded.byteLength <= ERROR_STACK_MAX_BYTES) {
+    return { stack, truncated: false };
+  }
+  let cut = ERROR_STACK_MAX_BYTES;
+  let scan = cut - 1;
+  while (scan >= 0 && (encoded[scan] & 192) === 128) {
+    scan -= 1;
+  }
+  if (scan >= 0) {
+    const leading = encoded[scan];
+    let expected = 1;
+    if ((leading & 128) === 0) {
+      expected = 1;
+    } else if ((leading & 224) === 192) {
+      expected = 2;
+    } else if ((leading & 240) === 224) {
+      expected = 3;
+    } else if ((leading & 248) === 240) {
+      expected = 4;
+    }
+    if (scan + expected > cut) {
+      cut = scan;
+    }
+  }
+  const decoder = new TextDecoder("utf-8", { fatal: false });
+  const sliced = encoded.subarray(0, cut);
+  const decoded = decoder.decode(sliced);
+  return { stack: decoded + ERROR_STACK_TRUNCATION_MARKER, truncated: true };
+}
+function prepareStack(stack) {
+  if (stack.length === 0) return null;
+  if (stack.trim().length === 0) return null;
+  const sanitized = sanitizeStack(stack);
+  const truncated = truncateStack(sanitized.stack);
+  return {
+    stack: truncated.stack,
+    truncated: truncated.truncated,
+    redacted: sanitized.redacted
+  };
 }
 
-// src/lifecycle.ts
-var CoreState = {
-  IDLE: "IDLE",
-  REGISTERING: "REGISTERING",
-  KEY_PENDING: "KEY_PENDING",
-  KEY_RESOLVED: "KEY_RESOLVED",
-  ACTIVE: "ACTIVE",
-  ACTIVE_DEGRADED: "ACTIVE_DEGRADED",
-  SHUTTING_DOWN: "SHUTTING_DOWN",
-  SHUTDOWN: "SHUTDOWN",
-  PRODUCTION_DISABLED: "PRODUCTION_DISABLED",
-  REGISTRATION_FAILED: "REGISTRATION_FAILED"
-};
-var AuthState = {
-  ANONYMOUS: "ANONYMOUS",
-  AUTHENTICATED: "AUTHENTICATED",
-  CLAIMING: "CLAIMING",
-  CLAIMED: "CLAIMED"
-};
-var OtelState = {
-  UNCONFIGURED: "UNCONFIGURED",
-  CONFIGURING: "CONFIGURING",
-  OWNS_PROVIDER: "OWNS_PROVIDER",
-  AUTO_ATTACHED: "AUTO_ATTACHED",
-  PROCESSOR_PRESENT: "PROCESSOR_PRESENT",
-  COEXISTENCE_FAILED: "COEXISTENCE_FAILED"
-};
-var VALID_CORE_TRANSITIONS = {
-  [CoreState.IDLE]: [CoreState.REGISTERING, CoreState.REGISTRATION_FAILED, CoreState.SHUTTING_DOWN],
-  [CoreState.REGISTERING]: [
-    CoreState.KEY_PENDING,
-    CoreState.PRODUCTION_DISABLED,
-    CoreState.REGISTRATION_FAILED,
-    CoreState.SHUTTING_DOWN
-  ],
-  [CoreState.KEY_PENDING]: [
-    CoreState.KEY_RESOLVED,
-    CoreState.REGISTRATION_FAILED,
-    CoreState.SHUTTING_DOWN
-  ],
-  [CoreState.KEY_RESOLVED]: [
-    CoreState.ACTIVE,
-    CoreState.ACTIVE_DEGRADED,
-    CoreState.SHUTTING_DOWN
-  ],
-  [CoreState.ACTIVE]: [
-    CoreState.ACTIVE_DEGRADED,
-    CoreState.SHUTTING_DOWN
-  ],
-  [CoreState.ACTIVE_DEGRADED]: [
-    CoreState.ACTIVE,
-    CoreState.SHUTTING_DOWN
-  ],
-  [CoreState.SHUTTING_DOWN]: [CoreState.SHUTDOWN],
-  [CoreState.SHUTDOWN]: [],
-  [CoreState.PRODUCTION_DISABLED]: [],
-  [CoreState.REGISTRATION_FAILED]: []
-};
-var VALID_AUTH_TRANSITIONS = {
-  [AuthState.ANONYMOUS]: [AuthState.CLAIMING],
-  [AuthState.AUTHENTICATED]: [AuthState.CLAIMING],
-  [AuthState.CLAIMING]: [AuthState.CLAIMED],
-  [AuthState.CLAIMED]: [AuthState.CLAIMING]
-};
-var VALID_OTEL_TRANSITIONS = {
-  [OtelState.UNCONFIGURED]: [OtelState.CONFIGURING],
-  [OtelState.CONFIGURING]: [
-    OtelState.OWNS_PROVIDER,
-    OtelState.AUTO_ATTACHED,
-    OtelState.PROCESSOR_PRESENT,
-    OtelState.COEXISTENCE_FAILED
-  ],
-  [OtelState.OWNS_PROVIDER]: [],
-  [OtelState.AUTO_ATTACHED]: [],
-  [OtelState.PROCESSOR_PRESENT]: [],
-  [OtelState.COEXISTENCE_FAILED]: []
-};
-var _coreState = CoreState.IDLE;
-var _authState = AuthState.ANONYMOUS;
-var _otelState = OtelState.UNCONFIGURED;
-var _emitter = new EventEmitter();
-var _logger = null;
-var _initialized = false;
-var _initWarned = false;
-var _coreReadyEmitted = false;
-var _authInitialized = false;
-var _emitting = false;
-function initLifecycle(options) {
-  if (_initialized) {
-    options.logger("warn", "[glasstrace] initLifecycle() called twice \u2014 ignored.");
-    return;
-  }
-  _logger = options.logger;
-  _initialized = true;
+// src/build-info.ts
+var UNSET = "";
+var SHA_SHAPE = /^[0-9a-f]{7,64}$/i;
+function redactBuildHash(value) {
+  const sanitize = (s) => s.replace(/[\x00-\x1F\x7F]/g, "?");
+  if (value.length <= 12) return sanitize(value.slice(0, 4)) + "...";
+  return sanitize(value.slice(0, 8)) + "..." + sanitize(value.slice(-4));
 }
-function warnIfNotInitialized() {
-  if (!_initialized && !_initWarned) {
-    _initWarned = true;
-    console.warn(
-      "[glasstrace] Lifecycle state changed before initLifecycle() was called. Logger not available \u2014 errors will be silent."
+function readBuildHashFromEnv() {
+  const raw = process.env.GLASSTRACE_BUILD_HASH;
+  if (typeof raw !== "string") return UNSET;
+  const trimmed = raw.trim();
+  if (trimmed.length === 0) return UNSET;
+  if (!SHA_SHAPE.test(trimmed)) {
+    sdkLog(
+      "warn",
+      `[glasstrace] warning: GLASSTRACE_BUILD_HASH=${redactBuildHash(trimmed)} does not match expected SHA shape (7-64 hex characters); source-map enrichment may not work as expected.`
     );
   }
+  return trimmed;
 }
-function setCoreState(to) {
-  warnIfNotInitialized();
-  const from = _coreState;
-  if (from === to) return;
-  const valid = VALID_CORE_TRANSITIONS[from];
-  if (!valid.includes(to)) {
-    _logger?.(
-      "warn",
-      `[glasstrace] Invalid core state transition: ${from} \u2192 ${to}. Ignored.`
-    );
-    return;
+var cachedBuildHash = null;
+function getBuildHash() {
+  if (cachedBuildHash === null) {
+    cachedBuildHash = readBuildHashFromEnv();
   }
-  _coreState = to;
-  if (_emitting) return;
-  _emitting = true;
-  try {
-    emitSafe("core:state_changed", { from, to });
-    const current = _coreState;
-    if (!_coreReadyEmitted && (current === CoreState.ACTIVE || current === CoreState.ACTIVE_DEGRADED)) {
-      _coreReadyEmitted = true;
-      emitSafe("core:ready", {});
-    }
-    if (current === CoreState.SHUTTING_DOWN) {
-      emitSafe("core:shutdown_started", {});
-    }
-    if (current === CoreState.SHUTDOWN) {
-      emitSafe("core:shutdown_completed", {});
+  return cachedBuildHash === UNSET ? void 0 : cachedBuildHash;
+}
+
+// src/export-circuit-breaker.ts
+var INITIAL_BACKOFF_MS = 3e4;
+var BACKOFF_FACTOR = 2;
+var MAX_BACKOFF_MS = 30 * 60 * 1e3;
+var FAILURE_THRESHOLD = 5;
+function classifyExportFailure(info) {
+  const status = readStatus(info);
+  if (status === 401 || status === 403) return "auth";
+  if (status === 429) return "rate_limit";
+  if (typeof status === "number" && status >= 500 && status <= 599) return "server_error";
+  if (typeof status === "number" && status >= 400 && status <= 499) return "client_error";
+  return "network";
+}
+function readStatus(info) {
+  if (typeof info.status === "number") return info.status;
+  const err = info.error;
+  if (!err || typeof err !== "object") return void 0;
+  const record = err;
+  const direct = record.status;
+  if (typeof direct === "number") return direct;
+  if (typeof direct === "string") {
+    const parsed = Number.parseInt(direct, 10);
+    if (Number.isFinite(parsed)) return parsed;
+  }
+  const nested = record.response;
+  if (nested && typeof nested === "object") {
+    const nestedStatus = nested.status;
+    if (typeof nestedStatus === "number") return nestedStatus;
+    if (typeof nestedStatus === "string") {
+      const parsed = Number.parseInt(nestedStatus, 10);
+      if (Number.isFinite(parsed)) return parsed;
     }
-  } finally {
-    _emitting = false;
   }
+  return void 0;
 }
-function initAuthState(state) {
-  if (_authInitialized) {
-    _logger?.(
-      "warn",
-      "[glasstrace] initAuthState() called after auth state already initialized. Ignored."
-    );
-    return;
+function buildOpenedMessage(category, count) {
+  return `[glasstrace] Export circuit opened after ${count} consecutive failures (category: ${category}). Subsequent spans dropped until probe succeeds.`;
+}
+var _singleton = null;
+function getExportCircuitBreaker(options) {
+  if (_singleton === null) {
+    _singleton = createExportCircuitBreaker(options);
   }
-  _authInitialized = true;
-  _authState = state;
+  return _singleton;
 }
-function setAuthState(to) {
-  warnIfNotInitialized();
-  const from = _authState;
-  if (from === to) return;
-  const valid = VALID_AUTH_TRANSITIONS[from];
-  if (!valid.includes(to)) {
-    _logger?.(
-      "warn",
-      `[glasstrace] Invalid auth state transition: ${from} \u2192 ${to}. Ignored.`
-    );
-    return;
+function peekExportCircuitBreaker() {
+  return _singleton;
+}
+function createExportCircuitBreaker(options) {
+  const events = options.events;
+  const recordDropped = options.recordDropped;
+  const fsm = options.fsm;
+  const now = options.now ?? (() => Date.now());
+  const setTimer = options.setTimer ?? ((fn, delayMs) => {
+    const handle = setTimeout(fn, delayMs);
+    if (typeof handle === "object" && handle && "unref" in handle) {
+      handle.unref();
+    }
+    return handle;
+  });
+  const clearTimer = options.clearTimer ?? ((handle) => clearTimeout(handle));
+  let state = "CLOSED";
+  let consecutiveFailures = 0;
+  let currentBackoffMs = INITIAL_BACKOFF_MS;
+  let openedAtMs = null;
+  let pendingTimer = null;
+  let halfOpenProbeInFlight = false;
+  let generation = 0;
+  function clearPendingTimer() {
+    if (pendingTimer !== null) {
+      clearTimer(pendingTimer);
+      pendingTimer = null;
+    }
+  }
+  function scheduleHalfOpen(delayMs) {
+    clearPendingTimer();
+    pendingTimer = setTimer(() => {
+      pendingTimer = null;
+      if (state !== "OPEN") return;
+      transitionToHalfOpen(delayMs);
+    }, delayMs);
+  }
+  function transitionToOpen(category) {
+    const wasNonOpen = state !== "OPEN";
+    state = "OPEN";
+    halfOpenProbeInFlight = false;
+    if (openedAtMs === null) {
+      openedAtMs = now();
+    }
+    if (wasNonOpen) {
+      const timestamp = new Date(now()).toISOString();
+      const message = buildOpenedMessage(category, consecutiveFailures);
+      try {
+        events.emitOpened({
+          category,
+          message,
+          timestamp,
+          consecutiveFailures,
+          nextProbeMs: currentBackoffMs
+        });
+      } catch {
+      }
+      try {
+        fsm?.onCircuitOpened();
+      } catch {
+      }
+    }
+    scheduleHalfOpen(currentBackoffMs);
   }
-  _authState = to;
+  function transitionToHalfOpen(previousTimerMs) {
+    state = "HALF_OPEN";
+    halfOpenProbeInFlight = false;
+    try {
+      events.emitHalfOpen({
+        timestamp: new Date(now()).toISOString(),
+        previousTimerMs
+      });
+    } catch {
+    }
+  }
+  function transitionToClosed() {
+    const startedAt = openedAtMs;
+    state = "CLOSED";
+    consecutiveFailures = 0;
+    currentBackoffMs = INITIAL_BACKOFF_MS;
+    openedAtMs = null;
+    halfOpenProbeInFlight = false;
+    clearPendingTimer();
+    try {
+      events.emitClosed({
+        timestamp: new Date(now()).toISOString(),
+        outageDurationMs: startedAt === null ? 0 : Math.max(0, now() - startedAt)
+      });
+    } catch {
+    }
+    try {
+      fsm?.onCircuitClosed();
+    } catch {
+    }
+  }
+  return {
+    shouldExport() {
+      if (state === "OPEN") return false;
+      if (state === "HALF_OPEN") {
+        if (halfOpenProbeInFlight) return false;
+        halfOpenProbeInFlight = true;
+        return true;
+      }
+      return true;
+    },
+    recordSuccess() {
+      if (state === "HALF_OPEN") {
+        halfOpenProbeInFlight = false;
+        transitionToClosed();
+        return;
+      }
+      consecutiveFailures = 0;
+    },
+    recordFailure(info) {
+      const category = classifyExportFailure(info);
+      if (state === "HALF_OPEN") {
+        currentBackoffMs = Math.min(currentBackoffMs * BACKOFF_FACTOR, MAX_BACKOFF_MS);
+        halfOpenProbeInFlight = false;
+        state = "OPEN";
+        scheduleHalfOpen(currentBackoffMs);
+        return;
+      }
+      if (state === "CLOSED") {
+        consecutiveFailures += 1;
+        if (consecutiveFailures >= FAILURE_THRESHOLD) {
+          transitionToOpen(category);
+        }
+        return;
+      }
+    },
+    onSpansDropped(count) {
+      if (!Number.isFinite(count) || count <= 0) return;
+      try {
+        recordDropped(count);
+      } catch {
+      }
+    },
+    getState() {
+      return state;
+    },
+    resetForKeyRotation() {
+      generation += 1;
+      const wasNonClosed = state !== "CLOSED";
+      consecutiveFailures = 0;
+      currentBackoffMs = INITIAL_BACKOFF_MS;
+      clearPendingTimer();
+      if (wasNonClosed) {
+        transitionToClosed();
+      }
+    },
+    getGeneration() {
+      return generation;
+    }
+  };
 }
-function setOtelState(to) {
-  warnIfNotInitialized();
-  const from = _otelState;
-  if (from === to) return;
-  const valid = VALID_OTEL_TRANSITIONS[from];
-  if (!valid.includes(to)) {
-    _logger?.(
-      "warn",
-      `[glasstrace] Invalid OTel state transition: ${from} \u2192 ${to}. Ignored.`
-    );
-    return;
+
+// src/enriching-exporter.ts
+var ATTR = GLASSTRACE_ATTRIBUTE_NAMES;
+var API_KEY_PENDING = "pending";
+var MAX_PENDING_SPANS = 1024;
+var GlasstraceExporter = class {
+  getApiKey;
+  sessionManager;
+  getConfig;
+  environment;
+  endpointUrl;
+  createDelegateFn;
+  verbose;
+  delegate = null;
+  delegateKey = null;
+  pendingBatches = [];
+  pendingSpanCount = 0;
+  overflowLogged = false;
+  /**
+   * Lazily-bound reference to the export-path circuit breaker
+   * (DISC-1568 / Wave 15C). Resolved on first export so this
+   * constructor stays side-effect-free. The breaker is a module-
+   * singleton — every `GlasstraceExporter` instance shares the same
+   * one so a rotation event observed in `init-client.ts` reaches
+   * every active exporter.
+   */
+  circuitBreaker = null;
+  constructor(options) {
+    this.getApiKey = options.getApiKey;
+    this.sessionManager = options.sessionManager;
+    this.getConfig = options.getConfig;
+    this.environment = options.environment;
+    this.endpointUrl = options.endpointUrl;
+    this.createDelegateFn = options.createDelegate;
+    this.verbose = options.verbose ?? false;
+    this[/* @__PURE__ */ Symbol.for("glasstrace.exporter")] = true;
+  }
+  /**
+   * Returns the export-path circuit breaker, lazily wiring it on
+   * first call. The breaker is a module-singleton so all exporter
+   * instances share state — a credential rotation observed once
+   * resets the breaker for every active exporter, and a single
+   * outage at the OTLP endpoint trips a single breaker rather than
+   * one per exporter copy.
+   *
+   * The wiring binds:
+   * - the lifecycle event sink to the SDK's lifecycle bus
+   *   (`emitLifecycleEvent`) so the `otel:circuit_*` events surface
+   *   to runtime-state, the CLI bridge, and any user-installed
+   *   subscribers.
+   * - the dropped-span counter to {@link recordSpansDropped} so OPEN-
+   *   state drops show up in the existing health surface.
+   * - the FSM hooks to {@link pushDegradationSource} /
+   *   {@link clearDegradationSource} keyed on `"export-circuit"`,
+   *   which routes the OPEN/CLOSED transitions through the
+   *   centralised `recomputeCoreFromDegradationSources()` helper.
+   *   That helper guards `ACTIVE ↔ ACTIVE_DEGRADED` so a circuit
+   *   recovery never clobbers an unrelated `OtelState.COEXISTENCE_FAILED`
+   *   degradation source.
+   */
+  getCircuitBreaker() {
+    if (this.circuitBreaker !== null) return this.circuitBreaker;
+    this.circuitBreaker = getExportCircuitBreaker({
+      events: {
+        emitOpened: (payload) => emitLifecycleEvent("otel:circuit_opened", payload),
+        emitHalfOpen: (payload) => emitLifecycleEvent("otel:circuit_half_open", payload),
+        emitClosed: (payload) => emitLifecycleEvent("otel:circuit_closed", payload)
+      },
+      recordDropped: (count) => recordSpansDropped(count),
+      fsm: {
+        onCircuitOpened: () => pushDegradationSource("export-circuit"),
+        onCircuitClosed: () => clearDegradationSource("export-circuit")
+      }
+    });
+    return this.circuitBreaker;
+  }
+  export(spans, resultCallback) {
+    const currentKey = this.getApiKey();
+    if (currentKey === API_KEY_PENDING) {
+      this.bufferSpans(spans, resultCallback);
+      return;
+    }
+    const breaker = this.getCircuitBreaker();
+    if (!breaker.shouldExport()) {
+      breaker.onSpansDropped(spans.length);
+      resultCallback({ code: 0 });
+      return;
+    }
+    const enrichedSpans = spans.map((span) => this.enrichSpan(span));
+    const exporter = this.ensureDelegate();
+    if (exporter) {
+      const generationAtIssue = breaker.getGeneration();
+      exporter.export(enrichedSpans, (result) => {
+        if (result.code !== 0) {
+          sdkLog("warn", `[glasstrace] Span export failed: ${result.error?.message ?? "unknown error"}`);
+        }
+        if (breaker.getGeneration() !== generationAtIssue) {
+          resultCallback(result);
+          return;
+        }
+        if (result.code === 0) {
+          breaker.recordSuccess();
+        } else {
+          breaker.recordFailure({ error: result.error });
+        }
+        resultCallback(result);
+      });
+      recordSpansExported(enrichedSpans.length);
+    } else {
+      recordSpansDropped(enrichedSpans.length);
+      resultCallback({ code: 0 });
+    }
+  }
+  /**
+   * Called when the API key transitions from "pending" to a resolved value.
+   * Creates the delegate exporter and flushes all buffered spans.
+   */
+  notifyKeyResolved() {
+    this.flushPending();
+  }
+  async shutdown() {
+    const currentKey = this.getApiKey();
+    if (currentKey !== API_KEY_PENDING && this.pendingBatches.length > 0) {
+      this.flushPending();
+    } else if (this.pendingBatches.length > 0) {
+      console.warn(
+        `[glasstrace] Shutdown with ${this.pendingSpanCount} buffered spans \u2014 API key never resolved, spans lost.`
+      );
+      recordSpansDropped(this.pendingSpanCount);
+      for (const batch of this.pendingBatches) {
+        batch.resultCallback({ code: 0 });
+      }
+      this.pendingBatches = [];
+      this.pendingSpanCount = 0;
+    }
+    if (this.delegate) {
+      return this.delegate.shutdown();
+    }
+  }
+  /**
+   * Flushes any pending buffered spans (if the API key has resolved) and
+   * delegates to the underlying exporter's forceFlush to drain its queue.
+   */
+  forceFlush() {
+    if (this.getApiKey() !== API_KEY_PENDING && this.pendingBatches.length > 0) {
+      this.flushPending();
+    }
+    if (this.delegate?.forceFlush) {
+      return this.delegate.forceFlush();
+    }
+    return Promise.resolve();
+  }
+  /**
+   * Enriches a ReadableSpan with all glasstrace.* attributes.
+   * Returns a new ReadableSpan wrapper; the original span is not mutated.
+   *
+   * Only {@link SessionManager.getSessionId} is individually guarded because
+   * it calls into crypto and schema validation — a session ID failure should
+   * not prevent the rest of enrichment. The other helper calls
+   * ({@link deriveErrorCategory}, {@link deriveOrmProvider},
+   * {@link classifyFetchTarget}) are pure functions on typed string inputs
+   * and rely on the outer catch for any unexpected failure.
+   *
+   * On total failure, returns the original span unchanged.
+   */
+  enrichSpan(span) {
+    try {
+      const attrs = span.attributes ?? {};
+      const name = span.name ?? "";
+      const extra = {};
+      extra[ATTR.TRACE_TYPE] = "server";
+      try {
+        const sessionId = this.sessionManager.getSessionId(this.getApiKey());
+        extra[ATTR.SESSION_ID] = sessionId;
+      } catch {
+      }
+      const env = this.environment ?? process.env.GLASSTRACE_ENV;
+      if (env) {
+        extra[ATTR.ENVIRONMENT] = env;
+      }
+      const buildHash = getBuildHash();
+      if (buildHash) {
+        extra[ATTR.BUILD_HASH] = buildHash;
+      }
+      const existingCid = attrs["glasstrace.correlation.id"];
+      if (typeof existingCid === "string") {
+        extra[ATTR.CORRELATION_ID] = existingCid;
+      }
+      const rawRoute = attrs["http.route"];
+      const route = typeof rawRoute === "string" ? rawRoute : name;
+      if (route) {
+        extra[ATTR.ROUTE] = route;
+      }
+      const rawUrlAttr = attrs["http.url"] ?? attrs["url.full"] ?? attrs["http.target"];
+      const rawHttpUrl = typeof rawUrlAttr === "string" ? rawUrlAttr : void 0;
+      if (rawHttpUrl) {
+        const trpcMatch = rawHttpUrl.match(/\/api\/trpc\/([^/?#]+)/);
+        if (trpcMatch) {
+          let procedure;
+          try {
+            procedure = decodeURIComponent(trpcMatch[1]);
+          } catch {
+            procedure = trpcMatch[1];
+          }
+          if (procedure) {
+            extra[ATTR.TRPC_PROCEDURE] = procedure;
+          }
+        }
+      }
+      const method = attrs["http.method"] ?? attrs["http.request.method"];
+      if (method) {
+        extra[ATTR.HTTP_METHOD] = method;
+      }
+      const actionRoute = extractLeadingPath(route);
+      if (method === "POST" && actionRoute) {
+        const isApiRoute = actionRoute === "/api" || actionRoute.startsWith("/api/");
+        const isInternalRoute = actionRoute.startsWith("/_next/");
+        if (!isApiRoute && !isInternalRoute) {
+          extra[ATTR.NEXT_ACTION_DETECTED] = true;
+          if (typeof extra[ATTR.CORRELATION_ID] !== "string") {
+            maybeShowServerActionNudge();
+          }
+        }
+      }
+      const statusCode = coerceHttpStatus(attrs["http.status_code"]) ?? coerceHttpStatus(attrs["http.response.status_code"]);
+      if (statusCode !== void 0) {
+        extra[ATTR.HTTP_STATUS_CODE] = statusCode;
+      }
+      const isErrorByStatus = span.status?.code === SpanStatusCode.ERROR;
+      const isErrorByEvent = hasExceptionEvent(span);
+      const isErrorByAttrs = typeof attrs["exception.type"] === "string" || typeof attrs["exception.message"] === "string";
+      const statusNotExplicitlyOK = span.status?.code !== SpanStatusCode.OK;
+      if (this.verbose && method) {
+        sdkLog(
+          "info",
+          `[glasstrace] enrichSpan "${name}": status.code=${span.status?.code}, http.status_code=${statusCode}, isErrorByStatus=${isErrorByStatus}, isErrorByEvent=${isErrorByEvent}, isErrorByAttrs=${isErrorByAttrs}`
+        );
+      }
+      if (method && statusNotExplicitlyOK && (isErrorByStatus || isErrorByEvent || isErrorByAttrs)) {
+        if (statusCode === void 0 || statusCode === 0 || statusCode === 200) {
+          const httpErrorType = attrs["error.type"];
+          if (typeof httpErrorType === "string") {
+            const parsed = parseInt(httpErrorType, 10);
+            if (!isNaN(parsed) && parsed >= 400 && parsed <= 599) {
+              extra[ATTR.HTTP_STATUS_CODE] = parsed;
+            } else {
+              extra[ATTR.HTTP_STATUS_CODE] = 500;
+            }
+          } else {
+            extra[ATTR.HTTP_STATUS_CODE] = 500;
+          }
+          if (this.verbose) {
+            sdkLog(
+              "info",
+              `[glasstrace] enrichSpan "${name}": inferred status_code=${extra[ATTR.HTTP_STATUS_CODE]} (was ${statusCode}), error.type=${attrs["error.type"]}`
+            );
+          }
+        }
+      }
+      if (span.startTime && span.endTime) {
+        const [startSec, startNano] = span.startTime;
+        const [endSec, endNano] = span.endTime;
+        const durationMs = (endSec - startSec) * 1e3 + (endNano - startNano) / 1e6;
+        if (durationMs >= 0) {
+          extra[ATTR.HTTP_DURATION_MS] = durationMs;
+        }
+      }
+      const eventDetails = statusNotExplicitlyOK ? getExceptionEventDetails(span) : { type: void 0, message: void 0, stacktrace: void 0 };
+      let errorSource;
+      const attrMessage = attrs["exception.message"];
+      if (eventDetails.message) {
+        extra[ATTR.ERROR_MESSAGE] = eventDetails.message;
+        errorSource = "otel_exception";
+      } else if (typeof attrMessage === "string") {
+        extra[ATTR.ERROR_MESSAGE] = attrMessage;
+        errorSource = "otel_event";
+      }
+      const attrType = attrs["exception.type"];
+      if (eventDetails.type) {
+        extra[ATTR.ERROR_CODE] = eventDetails.type;
+        extra[ATTR.ERROR_CATEGORY] = deriveErrorCategory(eventDetails.type);
+        errorSource = errorSource ?? "otel_exception";
+      } else if (typeof attrType === "string") {
+        extra[ATTR.ERROR_CODE] = attrType;
+        extra[ATTR.ERROR_CATEGORY] = deriveErrorCategory(attrType);
+        errorSource = errorSource ?? "otel_event";
+      }
+      if (statusNotExplicitlyOK) {
+        const rawStack = eventDetails.stacktrace ?? (typeof attrs["exception.stacktrace"] === "string" ? attrs["exception.stacktrace"] : void 0);
+        if (rawStack) {
+          const prepared = prepareStack(rawStack);
+          if (prepared !== null) {
+            extra[ATTR.ERROR_STACK] = prepared.stack;
+            extra[ATTR.ERROR_STACK_TRUNCATED] = prepared.truncated;
+            extra[ATTR.ERROR_STACK_REDACTED] = prepared.redacted;
+            errorSource = errorSource ?? (eventDetails.stacktrace ? "otel_exception" : "otel_event");
+          }
+        }
+      }
+      const routeIsFallback = route === "/_error" || route === "/_not-found" || route === "/_404" || route === "/_500";
+      if (routeIsFallback && rawHttpUrl) {
+        const originalPath = extractPathOnly(rawHttpUrl);
+        const normOriginal = stripTrailingSlash(originalPath);
+        const normRoute = stripTrailingSlash(route);
+        if (normOriginal && normOriginal !== normRoute) {
+          extra[ATTR.ERROR_ORIGINAL_PATH] = normOriginal;
+          extra[ATTR.ERROR_FALLBACK_ROUTE] = route;
+          extra[ATTR.ERROR_FRAMEWORK_KIND] = "fallback";
+          errorSource = errorSource ?? "framework_fallback";
+        }
+      }
+      if (errorSource !== void 0) {
+        extra[ATTR.ERROR_SOURCE] = errorSource;
+      }
+      if (this.verbose && (extra[ATTR.ERROR_MESSAGE] || extra[ATTR.ERROR_CODE])) {
+        const msgSource = eventDetails.message ? "event" : typeof attrMessage === "string" ? "attrs" : "none";
+        const typeSource = eventDetails.type ? "event" : typeof attrType === "string" ? "attrs" : "none";
+        sdkLog(
+          "info",
+          `[glasstrace] enrichSpan "${name}": error.message source=${msgSource}, error.code source=${typeSource}`
+        );
+      }
+      const errorField = attrs["error.field"];
+      if (typeof errorField === "string") {
+        extra[ATTR.ERROR_FIELD] = errorField;
+      }
+      if (this.getConfig().errorResponseBodies) {
+        const responseBody = attrs["glasstrace.internal.response_body"];
+        if (typeof responseBody === "string") {
+          const enrichedStatus = extra[ATTR.HTTP_STATUS_CODE];
+          const effectiveStatus = typeof enrichedStatus === "number" ? enrichedStatus : statusCode;
+          if (isHttpErrorStatus(effectiveStatus)) {
+            const prepared = prepareErrorResponseBody(responseBody);
+            if (prepared !== null) {
+              extra[ATTR.ERROR_RESPONSE_BODY] = prepared;
+            }
+          }
+        }
+      }
+      const spanAny = span;
+      const instrumentationName = spanAny.instrumentationScope?.name ?? spanAny.instrumentationLibrary?.name ?? "";
+      const ormProvider = deriveOrmProvider(instrumentationName);
+      if (ormProvider) {
+        extra[ATTR.ORM_PROVIDER] = ormProvider;
+        const table = attrs["db.sql.table"];
+        const prismaModel = attrs["db.prisma.model"];
+        const model = typeof table === "string" ? table : typeof prismaModel === "string" ? prismaModel : void 0;
+        if (model) {
+          extra[ATTR.ORM_MODEL] = model;
+        }
+        const operation = attrs["db.operation"];
+        if (typeof operation === "string") {
+          extra[ATTR.ORM_OPERATION] = operation;
+        }
+      }
+      const httpUrl = attrs["http.url"];
+      const fullUrl = attrs["url.full"];
+      const url = typeof httpUrl === "string" ? httpUrl : typeof fullUrl === "string" ? fullUrl : void 0;
+      if (url && span.kind === SpanKind.CLIENT) {
+        extra[ATTR.FETCH_TARGET] = classifyFetchTarget(url);
+      }
+      return createEnrichedSpan(span, extra);
+    } catch {
+      return span;
+    }
+  }
+  /**
+   * Lazily creates the delegate OTLP exporter once the API key is resolved.
+   * Recreates the delegate if the key has changed (e.g., after key rotation)
+   * so the Authorization header stays current.
+   */
+  ensureDelegate() {
+    if (!this.createDelegateFn) return null;
+    const currentKey = this.getApiKey();
+    if (currentKey === API_KEY_PENDING) return null;
+    if (this.delegate && this.delegateKey === currentKey) {
+      return this.delegate;
+    }
+    if (this.delegate) {
+      void this.delegate.shutdown?.().catch(() => {
+      });
+    }
+    this.delegate = this.createDelegateFn(this.endpointUrl, {
+      Authorization: `Bearer ${currentKey}`
+    });
+    this.delegateKey = currentKey;
+    return this.delegate;
+  }
+  /**
+   * Buffers raw (unenriched) spans while the API key is pending.
+   * Evicts oldest batches if the buffer exceeds MAX_PENDING_SPANS.
+   * Re-checks the key after buffering to close the race window where
+   * the key resolves between the caller's check and this buffer call.
+   */
+  bufferSpans(spans, resultCallback) {
+    this.pendingBatches.push({ spans, resultCallback });
+    this.pendingSpanCount += spans.length;
+    while (this.pendingSpanCount > MAX_PENDING_SPANS && this.pendingBatches.length > 1) {
+      const evicted = this.pendingBatches.shift();
+      this.pendingSpanCount -= evicted.spans.length;
+      recordSpansDropped(evicted.spans.length);
+      evicted.resultCallback({ code: 0 });
+      if (!this.overflowLogged) {
+        this.overflowLogged = true;
+        console.warn(
+          "[glasstrace] Pending span buffer overflow \u2014 oldest spans evicted. This usually means the API key is taking too long to resolve."
+        );
+      }
+    }
+    if (this.getApiKey() !== API_KEY_PENDING) {
+      this.flushPending();
+    }
+  }
+  /**
+   * Flushes all buffered spans through the delegate exporter.
+   * Enriches spans at flush time (not buffer time) so that session IDs
+   * are computed with the resolved API key instead of the "pending" sentinel.
+   *
+   * Honors the circuit breaker symmetrically with {@link export}: if the
+   * breaker is OPEN at flush time, every buffered batch is dropped via
+   * `recordSpansDropped` and its callback completed with `{ code: 0 }`,
+   * preserving the bounded-memory contract during outages.
+   */
+  flushPending() {
+    if (this.pendingBatches.length === 0) return;
+    const exporter = this.ensureDelegate();
+    if (!exporter) {
+      let discardedCount = 0;
+      for (const batch of this.pendingBatches) {
+        discardedCount += batch.spans.length;
+        batch.resultCallback({ code: 0 });
+      }
+      recordSpansDropped(discardedCount);
+      this.pendingBatches = [];
+      this.pendingSpanCount = 0;
+      return;
+    }
+    const breaker = this.getCircuitBreaker();
+    const batches = this.pendingBatches;
+    this.pendingBatches = [];
+    this.pendingSpanCount = 0;
+    for (const batch of batches) {
+      if (!breaker.shouldExport()) {
+        breaker.onSpansDropped(batch.spans.length);
+        batch.resultCallback({ code: 0 });
+        continue;
+      }
+      const enriched = batch.spans.map((span) => this.enrichSpan(span));
+      const generationAtIssue = breaker.getGeneration();
+      exporter.export(enriched, (result) => {
+        if (result.code !== 0) {
+          sdkLog("warn", `[glasstrace] Span export failed: ${result.error?.message ?? "unknown error"}`);
+        }
+        if (breaker.getGeneration() !== generationAtIssue) {
+          batch.resultCallback(result);
+          return;
+        }
+        if (result.code === 0) {
+          breaker.recordSuccess();
+        } else {
+          breaker.recordFailure({ error: result.error });
+        }
+        batch.resultCallback(result);
+      });
+      recordSpansExported(enriched.length);
+    }
   }
-  _otelState = to;
+};
+function createEnrichedSpan(span, extra) {
+  const enrichedAttributes = { ...span.attributes, ...extra };
+  return Object.create(span, {
+    attributes: {
+      value: enrichedAttributes,
+      enumerable: true
+    }
+  });
 }
-function getCoreState() {
-  return _coreState;
+function hasExceptionEvent(span) {
+  return span.events?.some((e) => e.name === "exception") ?? false;
 }
-function getSdkState() {
+function getExceptionEventDetails(span) {
+  const event = span.events?.find((e) => e.name === "exception");
+  if (!event?.attributes) {
+    return { type: void 0, message: void 0, stacktrace: void 0 };
+  }
+  const type = event.attributes["exception.type"];
+  const message = event.attributes["exception.message"];
+  const stacktrace = event.attributes["exception.stacktrace"];
   return {
-    core: _coreState,
-    auth: _authState,
-    otel: _otelState
+    type: typeof type === "string" ? type : void 0,
+    message: typeof message === "string" ? message : void 0,
+    stacktrace: typeof stacktrace === "string" ? stacktrace : void 0
   };
 }
-function onLifecycleEvent(event, listener) {
-  _emitter.on(event, listener);
-}
-function emitLifecycleEvent(event, payload) {
-  emitSafe(event, payload);
+function extractLeadingPath(raw) {
+  if (!raw) return void 0;
+  const trimmed = raw.trim();
+  if (trimmed.length === 0) return void 0;
+  if (trimmed.startsWith("/")) {
+    const firstSpace = trimmed.indexOf(" ");
+    return firstSpace === -1 ? trimmed : trimmed.slice(0, firstSpace);
+  }
+  for (const token of trimmed.split(/\s+/)) {
+    if (token.startsWith("/")) {
+      return token;
+    }
+  }
+  return void 0;
 }
-function offLifecycleEvent(event, listener) {
-  _emitter.off(event, listener);
+function stripTrailingSlash(path3) {
+  if (!path3) return path3;
+  if (path3 === "/") return path3;
+  return path3.endsWith("/") ? path3.slice(0, -1) : path3;
 }
-function emitSafe(event, payload) {
-  const listeners = _emitter.listeners(event);
-  for (const listener of listeners) {
+function extractPathOnly(raw) {
+  if (!raw) return void 0;
+  const trimmed = raw.trim();
+  if (trimmed.length === 0) return void 0;
+  const isAbsoluteUrl = /^https?:\/\//i.test(trimmed);
+  const isProtocolRelative = trimmed.startsWith("//");
+  if (isAbsoluteUrl || isProtocolRelative) {
     try {
-      const result = listener(payload);
-      if (result && typeof result.catch === "function") {
-        result.catch((err) => {
-          _logger?.(
-            "error",
-            `[glasstrace] Async error in lifecycle event listener for "${event}": ${err instanceof Error ? err.message : String(err)}`
-          );
-        });
+      const parsed = new URL(trimmed, "http://_/");
+      if (parsed.pathname && parsed.pathname.startsWith("/")) {
+        return parsed.pathname;
       }
-    } catch (err) {
-      _logger?.(
-        "error",
-        `[glasstrace] Error in lifecycle event listener for "${event}": ${err instanceof Error ? err.message : String(err)}`
-      );
+    } catch {
     }
   }
+  if (trimmed.startsWith("/")) {
+    const queryIdx = trimmed.indexOf("?");
+    const fragIdx = trimmed.indexOf("#");
+    let cut = trimmed.length;
+    if (queryIdx >= 0) cut = Math.min(cut, queryIdx);
+    if (fragIdx >= 0) cut = Math.min(cut, fragIdx);
+    return trimmed.slice(0, cut);
+  }
+  return void 0;
 }
-function isReady() {
-  return _coreState === CoreState.ACTIVE || _coreState === CoreState.ACTIVE_DEGRADED;
-}
-function waitForReady(timeoutMs = 3e4) {
-  if (isReady()) {
-    return Promise.resolve();
+function deriveOrmProvider(instrumentationName) {
+  const lower = instrumentationName.toLowerCase();
+  if (lower.includes("prisma")) {
+    return "prisma";
   }
-  if (_coreState === CoreState.PRODUCTION_DISABLED || _coreState === CoreState.REGISTRATION_FAILED || _coreState === CoreState.SHUTTING_DOWN || _coreState === CoreState.SHUTDOWN) {
-    return Promise.reject(new Error(`SDK is in terminal state: ${_coreState}`));
+  if (lower.includes("drizzle")) {
+    return "drizzle";
   }
-  return new Promise((resolve2, reject) => {
-    let settled = false;
-    const listener = ({ to }) => {
-      if (settled) return;
-      if (to === CoreState.ACTIVE || to === CoreState.ACTIVE_DEGRADED) {
-        settled = true;
-        offLifecycleEvent("core:state_changed", listener);
-        resolve2();
-      } else if (to === CoreState.PRODUCTION_DISABLED || to === CoreState.REGISTRATION_FAILED || to === CoreState.SHUTTING_DOWN || to === CoreState.SHUTDOWN) {
-        settled = true;
-        offLifecycleEvent("core:state_changed", listener);
-        reject(new Error(`SDK reached terminal state: ${to}`));
-      }
-    };
-    onLifecycleEvent("core:state_changed", listener);
-    if (timeoutMs > 0) {
-      const timer = setTimeout(() => {
-        if (settled) return;
-        settled = true;
-        offLifecycleEvent("core:state_changed", listener);
-        reject(new Error(`waitForReady timed out after ${timeoutMs}ms (state: ${_coreState})`));
-      }, timeoutMs);
-      if (typeof timer === "object" && "unref" in timer) {
-        timer.unref();
-      }
-    }
-  });
+  return null;
 }
-function getStatus() {
-  let mode;
-  if (_coreState === CoreState.PRODUCTION_DISABLED) {
-    mode = "disabled";
-  } else if (_authState === AuthState.CLAIMING || _authState === AuthState.CLAIMED) {
-    mode = "claiming";
-  } else if (_authState === AuthState.AUTHENTICATED) {
-    mode = "authenticated";
-  } else {
-    mode = "anonymous";
+function deriveErrorCategory(errorType) {
+  const lower = errorType.toLowerCase();
+  if (lower.includes("validation") || lower.includes("zod")) {
+    return "validation";
   }
-  let tracing;
-  if (_otelState === OtelState.COEXISTENCE_FAILED || _otelState === OtelState.UNCONFIGURED || _otelState === OtelState.CONFIGURING) {
-    tracing = "not-configured";
-  } else if (_coreState === CoreState.ACTIVE_DEGRADED) {
-    tracing = "degraded";
-  } else if (_otelState === OtelState.AUTO_ATTACHED || _otelState === OtelState.PROCESSOR_PRESENT) {
-    tracing = "coexistence";
-  } else {
-    tracing = "active";
+  if (lower.includes("network") || lower.includes("econnrefused") || lower.includes("fetch") || lower.includes("timeout")) {
+    return "network";
   }
-  return {
-    ready: isReady(),
-    mode,
-    tracing
-  };
-}
-var _shutdownHooks = [];
-var _signalHandlersRegistered = false;
-var _signalHandler = null;
-var _beforeExitRegistered = false;
-var _beforeExitHandler = null;
-var _shutdownExecuted = false;
-function registerShutdownHook(hook) {
-  _shutdownHooks.push(hook);
-  _shutdownHooks.sort((a, b) => a.priority - b.priority);
-}
-async function executeShutdown(timeoutMs = 5e3) {
-  if (_shutdownExecuted) return;
-  _shutdownExecuted = true;
-  setCoreState(CoreState.SHUTTING_DOWN);
-  for (const hook of _shutdownHooks) {
-    try {
-      const hookPromise = hook.fn();
-      hookPromise.catch(() => {
-      });
-      await Promise.race([
-        hookPromise,
-        new Promise((_, reject) => {
-          const timer = setTimeout(() => reject(new Error(`Shutdown hook "${hook.name}" timed out`)), timeoutMs);
-          if (typeof timer === "object" && "unref" in timer) {
-            timer.unref();
-          }
-        })
-      ]);
-    } catch (err) {
-      _logger?.(
-        "warn",
-        `[glasstrace] Shutdown hook "${hook.name}" failed: ${err instanceof Error ? err.message : String(err)}`
-      );
-    }
+  if (lower.includes("auth") || lower.includes("unauthorized") || lower.includes("forbidden")) {
+    return "auth";
   }
-  setCoreState(CoreState.SHUTDOWN);
-}
-function registerSignalHandlers() {
-  if (_signalHandlersRegistered) return;
-  if (typeof process === "undefined" || typeof process.once !== "function") return;
-  _signalHandlersRegistered = true;
-  const otherSigtermListeners = process.listenerCount("SIGTERM");
-  const otherSigintListeners = process.listenerCount("SIGINT");
-  const handler = (signal) => {
-    void executeShutdown().finally(() => {
-      if (_signalHandler) {
-        process.removeListener("SIGTERM", _signalHandler);
-        process.removeListener("SIGINT", _signalHandler);
-      }
-      const otherListeners = signal === "SIGTERM" ? otherSigtermListeners : otherSigintListeners;
-      const otherProviderOwnsSignal = getCoexistenceState() === "coexisting" && otherListeners > 0;
-      if (!otherProviderOwnsSignal) {
-        process.kill(process.pid, signal);
-      }
-    });
-  };
-  _signalHandler = handler;
-  process.once("SIGTERM", handler);
-  process.once("SIGINT", handler);
-}
-function registerBeforeExitTrigger() {
-  if (_beforeExitRegistered) return;
-  if (typeof process === "undefined" || typeof process.once !== "function") return;
-  _beforeExitRegistered = true;
-  const handler = () => {
-    void executeShutdown();
-  };
-  _beforeExitHandler = handler;
-  process.once("beforeExit", handler);
+  if (lower.includes("notfound") || lower.includes("not_found")) {
+    return "not-found";
+  }
+  return "internal";
 }
 
 // ../../node_modules/@opentelemetry/core/build/esm/trace/suppress-tracing.js
@@ -3852,6 +4169,31 @@ var OTLPTraceExporter = class extends OTLPExporterBase {
   }
 };
 
+// src/api-key-hash.ts
+var cryptoModule;
+function loadCrypto() {
+  if (cryptoModule !== void 0) return cryptoModule;
+  try {
+    cryptoModule = __require("node:crypto");
+  } catch {
+    cryptoModule = null;
+  }
+  return cryptoModule;
+}
+function hashApiKey(key) {
+  if (typeof key !== "string" || key.length === 0) return "";
+  const crypto = loadCrypto();
+  if (crypto !== null) {
+    return crypto.createHash("sha256").update(key, "utf8").digest("hex").slice(0, 32);
+  }
+  let hash = 2166136261;
+  for (let i = 0; i < key.length; i++) {
+    hash ^= key.charCodeAt(i);
+    hash = hash + ((hash << 1) + (hash << 4) + (hash << 7) + (hash << 8) + (hash << 24)) >>> 0;
+  }
+  return `fnv:${hash.toString(16).padStart(8, "0")}`;
+}
+
 // src/proxy-detection.ts
 function isProxyTracerProvider(value) {
   if (value === null || value === void 0 || typeof value !== "object") {
@@ -3878,8 +4220,15 @@ var resolvedApiKey = API_KEY_PENDING;
 var activeExporter = null;
 var additionalExporters = [];
 var injectedProcessor = null;
+var resolvedApiKeyHash = "";
 function setResolvedApiKey(key) {
+  const newHash = hashApiKey(key);
+  const isRotation = resolvedApiKeyHash !== "" && resolvedApiKeyHash !== newHash;
   resolvedApiKey = key;
+  resolvedApiKeyHash = newHash;
+  if (isRotation) {
+    peekExportCircuitBreaker()?.resetForKeyRotation();
+  }
 }
 function getResolvedApiKey() {
   return resolvedApiKey;
@@ -3971,10 +4320,7 @@ async function runCoexistencePath(existingProvider, config) {
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
     providerClass: readProviderClass(existingProvider)
   });
-  const coreState = getCoreState();
-  if (coreState === CoreState.ACTIVE || coreState === CoreState.KEY_RESOLVED) {
-    setCoreState(CoreState.ACTIVE_DEGRADED);
-  }
+  pushDegradationSource("otel-coexistence-failed");
 }
 function readProviderClass(tracerProvider) {
   try {
@@ -4404,6 +4750,21 @@ function startRuntimeStateWriter(options) {
     _lastError = { ...payload };
     debouncedWrite();
   });
+  onLifecycleEvent("otel:circuit_opened", (payload) => {
+    _lastError = {
+      category: "export-circuit-open",
+      message: payload.message,
+      timestamp: payload.timestamp,
+      exportCircuitCategory: payload.category
+    };
+    debouncedWrite();
+  });
+  onLifecycleEvent("otel:circuit_closed", () => {
+    if (_lastError?.category === "export-circuit-open") {
+      _lastError = void 0;
+      debouncedWrite();
+    }
+  });
   onLifecycleEvent("auth:key_resolved", () => debouncedWrite());
   onLifecycleEvent("auth:claim_started", () => debouncedWrite());
   onLifecycleEvent("auth:claim_completed", () => debouncedWrite());
@@ -4616,11 +4977,11 @@ function registerGlasstrace(options) {
     setCoreState(CoreState.REGISTERING);
     maybeWarnStaleAgentInstructions({
       projectRoot: process.cwd(),
-      sdkVersion: "1.7.0"
+      sdkVersion: "1.9.0"
     });
     startRuntimeStateWriter({
       projectRoot: process.cwd(),
-      sdkVersion: "1.7.0"
+      sdkVersion: "1.9.0"
     });
     const config = resolveConfig(options);
     if (config.verbose) {
@@ -4787,8 +5148,8 @@ async function backgroundInit(config, anonKeyForInit, generation) {
   if (config.verbose) {
     console.info("[glasstrace] Background init firing.");
   }
-  const healthReport = collectHealthReport("1.7.0");
-  const initResult = await performInit(config, anonKeyForInit, "1.7.0", healthReport);
+  const healthReport = collectHealthReport("1.9.0");
+  const initResult = await performInit(config, anonKeyForInit, "1.9.0", healthReport);
   if (generation !== registrationGeneration) return;
   const currentState = getCoreState();
   if (currentState === CoreState.SHUTTING_DOWN || currentState === CoreState.SHUTDOWN) {
@@ -4811,7 +5172,7 @@ async function backgroundInit(config, anonKeyForInit, generation) {
   }
   maybeInstallConsoleCapture();
   if (didLastInitSucceed()) {
-    startHeartbeat(config, anonKeyForInit, "1.7.0", generation, (newApiKey, accountId) => {
+    startHeartbeat(config, anonKeyForInit, "1.9.0", generation, (newApiKey, accountId) => {
       setAuthState(AuthState.CLAIMING);
       emitLifecycleEvent("auth:claim_started", { accountId });
       setResolvedApiKey(newApiKey);
@@ -5108,7 +5469,7 @@ async function handleSourceMapUpload(distDir) {
       );
       return;
     }
-    const { discoverSourceMapFiles, computeBuildHash, uploadSourceMaps } = await import("./source-map-uploader-XFUEVV7I.js");
+    const { discoverSourceMapFiles, computeBuildHash, uploadSourceMaps } = await import("./source-map-uploader-MMJ2WCL4.js");
     const files = await discoverSourceMapFiles(distDir);
     if (files.length === 0) {
       console.info("[glasstrace] No source map files found. Skipping upload.");
@@ -5201,14 +5562,14 @@ export {
   getDateString,
   SessionManager,
   classifyFetchTarget,
-  GlasstraceExporter,
   isReady,
   waitForReady,
   getStatus,
+  GlasstraceExporter,
   createGlasstraceSpanProcessor,
   registerGlasstrace,
   getDiscoveryHandler,
   withGlasstraceConfig,
   captureError
 };
-//# sourceMappingURL=chunk-OWPA7GHV.js.map
+//# sourceMappingURL=chunk-XEPC4NFL.js.map