@heystack/otel 0.10.0 → 0.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -25,6 +25,35 @@ HEYSTACK_API_KEY=sk_live_…
25
25
  | Browser (SPA / any web frontend) | `@heystack/otel/web` | `instrumentWeb`: session replay + opt-in browser distributed tracing (`tracing: true`) that emits CLIENT spans + propagates W3C `traceparent` (browser→API shows as one trace). No-op on the server (SSR-safe). |
26
26
  | Anywhere (pure helpers) | `@heystack/otel` | `buildExporterConfig`, types. No Node SDK loaded. |
27
27
 
28
+ ## Release & commit attribution (`version` / `build`)
29
+
30
+ Two optional options tag every span with **which release and commit it came from**, so the console can power **release health**, **suspect release**, and **suspect commit** views (spot the exact version/commit that introduced a regression). They work on **every runtime entry** (`/node`, `/next`, `/workers`).
31
+
32
+ ```ts
33
+ initHeystack({
34
+ apiKey: process.env.HEYSTACK_API_KEY,
35
+ service: "my-app",
36
+ version: process.env.APP_VERSION, // → service.version (e.g. "1.4.2" or a git tag)
37
+ build: process.env.GIT_SHA, // → service.build (the commit SHA)
38
+ });
39
+ ```
40
+
41
+ | Option | Resource attribute | Meaning |
42
+ | --- | --- | --- |
43
+ | `version` | `service.version` | Release identifier — a semver (`1.4.2`), a git tag, or any string that changes per release. Groups telemetry by release for **release health** + **suspect release**. |
44
+ | `build` | `service.build` | The commit SHA of this deploy. Powers **suspect commit** — when you configure a repository URL for the app in the console, the SHA deep-links to the exact commit. |
45
+
46
+ Both are optional and only emitted when set — an empty value is skipped (the console's release queries filter these out). Set them from your build/deploy environment, e.g. `build: process.env.GIT_SHA` (`GIT_SHA=$(git rev-parse HEAD)` in CI).
47
+
48
+ On **`/node`** they also fall back to environment variables when the option is omitted: `HEYSTACK_SERVICE_VERSION` (or `OTEL_SERVICE_VERSION`) for the release and `HEYSTACK_SERVICE_BUILD` for the commit — so a Node deploy can attribute a release without touching code:
49
+
50
+ ```bash
51
+ HEYSTACK_SERVICE_VERSION=1.4.2
52
+ HEYSTACK_SERVICE_BUILD=$(git rev-parse HEAD)
53
+ ```
54
+
55
+ On **`/next`** pass them to `registerHeystack({ service, version, build })` — they're threaded to whichever runtime the app runs on (Node or workerd). On **`/workers`** pass them in the `instrument()` / `initHeystackWorkers()` config.
56
+
28
57
  ## Node / Express / etc.
29
58
 
30
59
  At the very top of your app's entry file:
@@ -32,10 +61,15 @@ At the very top of your app's entry file:
32
61
  ```ts
33
62
  import { initHeystack } from "@heystack/otel/node";
34
63
 
35
- initHeystack({ apiKey: process.env.HEYSTACK_API_KEY, service: "my-app" });
64
+ initHeystack({
65
+ apiKey: process.env.HEYSTACK_API_KEY,
66
+ service: "my-app",
67
+ version: process.env.APP_VERSION, // optional: release health + suspect release/commit
68
+ build: process.env.GIT_SHA, // optional: commit SHA (see "Release & commit attribution")
69
+ });
36
70
  ```
37
71
 
38
- This enables auto-instrumentations (HTTP, Express, etc.) so you get spans without manual wiring.
72
+ This enables auto-instrumentations (HTTP, Express, etc.) so you get spans without manual wiring. `version`/`build` are optional (see [Release & commit attribution](#release--commit-attribution-version--build)).
39
73
 
40
74
  ### Slimming down auto-instrumentations (cost)
41
75
 
@@ -120,6 +154,8 @@ Set the key as a secret: `wrangler secret put HEYSTACK_API_KEY`.
120
154
  | `sampling` | `{ rate?: number } \| { remote: true }` | Head-sampling configuration. `{ rate }`: keep a deterministic fraction of fresh root traces (0–1; default `1` = keep all). `{ remote: true }`: fetch the rate from the Heystack config endpoint instead — lets you change it centrally without redeploying. Cold isolates keep all traffic until the first config fetch resolves; fails open if the config can't be reached. Parent-respecting in both modes: a request arriving with a sampled `traceparent` is always recorded. See [Head sampling](#head-sampling) below. |
121
155
  | `ai` | `{ captureContent?: boolean; redact?: (text: string) => string; maxContentChars?: number }` | LLM/gen_ai capture for outbound calls to known providers. See [AI / LLM observability](#ai--llm-observability) below. |
122
156
  | `waitUntil` | `(p: Promise<unknown>) => void` | Override the isolate keep-alive hook; defaults to the auto-detected `ctx.waitUntil`. |
157
+ | `version` | `string?` | Release identifier → `service.version` resource attribute. Powers release health + suspect release. See [Release & commit attribution](#release--commit-attribution-version--build). |
158
+ | `build` | `string?` | Commit SHA → `service.build` resource attribute. Powers suspect commit (deep-links to the commit when a repo URL is set in the console). |
123
159
  | `endpoint` | `string?` | Override the ingest endpoint (advanced). |
124
160
 
125
161
  ### Head sampling
@@ -304,7 +340,7 @@ The default export still needs to be wrapped with `instrument()` (or `initHeysta
304
340
 
305
341
  ## `@heystack/otel/web` (browser / session replay)
306
342
 
307
- For a browser frontend (any SPA / web app), `instrumentWeb` records **session replay** and injects a W3C `traceparent` header on outgoing `fetch` calls, so replays correlate with the backend traces they triggered. It is a **no-op on the server** (SSR-safe), so it's safe to call from code that also runs during server rendering.
343
+ For a browser frontend (any SPA / web app), `instrumentWeb` records **session replay**, captures **uncaught errors + `console.error`** as logs, and injects a W3C `traceparent` header on outgoing `fetch` calls, so replays/errors correlate with the backend traces they triggered. It is a **no-op on the server** (SSR-safe), so it's safe to call from code that also runs during server rendering.
308
344
 
309
345
  The rrweb recorder **ships inside this package** — there is nothing else to install. Uploads go cross-origin to the Heystack ingest endpoint and **work out of the box** (no CORS configuration on your side).
310
346
 
@@ -340,6 +376,11 @@ stop();
340
376
  | `flushEveryEvents` | `number?` | Max buffered events before an early flush (default 200). |
341
377
  | `tracing` | `boolean?` | Opt in to **browser distributed tracing** (default off). Emits a real CLIENT span per outbound `fetch` and propagates W3C trace context, so browser→backend calls show as one connected trace + a service-map edge. Independent of replay. |
342
378
  | `traceSampleRate` | `number?` | Head sample rate for browser tracing (0–1, default 1 when `tracing` is on). Lower it to cap span volume/cost on busy apps. |
379
+ | `tracePropagationTargets` | `(string \| RegExp)[]?` | Cross-origin backends allowed to receive the `traceparent` header (same-origin always is). Trace context is **never** sent to any other origin, so third-party calls (Clerk, Stripe, analytics) aren't broken by an unexpected CORS preflight. Match by substring/RegExp against the URL, e.g. `["api.myapp.com"]`. **A listed backend must allow `traceparent`/`tracestate` in its CORS `Access-Control-Allow-Headers`.** |
380
+ | `errors` | `boolean?` | Capture uncaught browser errors (`window.onerror` + `unhandledrejection`) as logs. **On by default** — set `false` to disable. Independent of replay/tracing. |
381
+ | `captureConsole` | `'error' \| 'warn' \| false` | Capture `console` output as logs. `'error'` (default) captures `console.error`; `'warn'` captures `console.warn` **and** `console.error`; `false` disables it. Rate-capped + recursion-guarded. |
382
+ | `version` | `string?` | Release identifier → the `service.version` resource attribute on exported browser logs (release attribution / suspect release). |
383
+ | `build` | `string?` | Commit SHA → the `service.build` resource attribute on exported browser logs. |
343
384
 
344
385
  ### Browser distributed tracing
345
386
 
@@ -350,11 +391,62 @@ await instrumentWeb({
350
391
  apiKey: import.meta.env.VITE_HEYSTACK_API_KEY,
351
392
  service: "my-web-app",
352
393
  tracing: true,
353
- traceSampleRate: 0.25, // sample 25% of requests — tune for cost
394
+ traceSampleRate: 0.25, // sample 25% of requests — tune for cost
395
+ tracePropagationTargets: ["api.myapp.com"], // cross-origin backend(s) to trace through
354
396
  });
355
397
  ```
356
398
 
357
- It's **cost-aware and safe by design**: off unless you opt in; head-sampled (an unsampled request still propagates `traceparent` with the sampled flag cleared, so the backend makes the same keep/drop decisionno orphaned server spans); and the exporter posts through the *original* `fetch`, never tracing its own upload (no self-export loop). Spans post to `/v1/traces` cross-origin with no CORS setup on your side.
399
+ **Trace headers go to same-origin + your allow-list only never third parties.** The `traceparent` header is added only to same-origin requests and to URLs matching `tracePropagationTargets`. This is a safety guarantee: injecting `traceparent` on a *cross-origin* request forces a CORS preflight, and a third party that doesn't list the header (Clerk, Stripe, most APIs) **rejects it breaking that request**. So calls to your own **cross-origin** backend need it added to `tracePropagationTargets`, **and** that backend must allow `traceparent`/`tracestate` in its CORS `Access-Control-Allow-Headers`. Same-origin backends need neither (no CORS involved).
400
+
401
+ Otherwise it's **cost-aware and safe by design**: off unless you opt in; head-sampled (an unsampled request still propagates `traceparent` with the sampled flag cleared, so the backend makes the same keep/drop decision — no orphaned server spans); and the exporter posts through the *original* `fetch`, never tracing its own upload (no self-export loop). Spans post to `/v1/traces` cross-origin with no CORS setup on your side.
402
+
403
+ ### Browser error & console collection
404
+
405
+ `instrumentWeb` captures **uncaught browser errors** out of the box — no extra setup. Any `window.onerror` / unhandled promise rejection becomes an OTLP **log** (`event.name=browser.error`, `ERROR` severity) carrying the OTel `exception.type` / `exception.message` / `exception.stacktrace` semconv attributes, the page `url.full`, the `session_id` (so it correlates to the session replay), and — when `tracing` is on — the active `trace_id` / `span_id`. `console.error` is captured too by default.
406
+
407
+ ```ts
408
+ await instrumentWeb({
409
+ apiKey: import.meta.env.VITE_HEYSTACK_API_KEY,
410
+ service: "my-web-app",
411
+ version: "1.4.2", // → service.version (release attribution)
412
+ build: "abc1234", // → service.build (commit)
413
+ captureConsole: "warn", // capture console.warn + console.error (default: 'error')
414
+ // errors: false, // opt out of error capture entirely
415
+ });
416
+ ```
417
+
418
+ It's the **same cost-safe design** as tracing/replay: logs POST to `/v1/logs` through the *original* `fetch` (captured before any patching) so the exporter never traces its own upload — no self-export loop. Console capture is **recursion-guarded** (anything logged on the export path is never re-captured) and **rate-capped** (max ~60 records/minute; the overflow is dropped and counted, with one summary log emitted when the cap lifts) so a runaway `console.error` in a render loop can't flood ingest. Errors show up in the console **Logs** tab and correlate to their session replay and trace.
419
+
420
+ ### In-app bug reports (`reportBug`)
421
+
422
+ Let users report a bug from inside your app. `reportBug` is a headless API — **no widget, you own the UX** — that files a structured report and auto-attaches the context a triager needs: the current URL, user agent, replay `session_id`, active `trace_id`, `release` / `build`, and the **last few captured browser errors** (so you see what was going wrong on the page right before the report). The report also appears on the Logs timeline (`event.name=user.bug_report`).
423
+
424
+ Call it any time after `instrumentWeb()` has run (it throws if the SDK isn't initialised yet, or if `message` is empty). Network failures are swallowed — a failed report never breaks your app.
425
+
426
+ ```ts
427
+ import { instrumentWeb, reportBug } from "@heystack/otel/web";
428
+
429
+ await instrumentWeb({ apiKey: import.meta.env.VITE_HEYSTACK_API_KEY, service: "my-web-app" });
430
+
431
+ // A minimal report button (wire this to whatever UI you like):
432
+ const btn = document.querySelector("#report-bug")!;
433
+ btn.addEventListener("click", async () => {
434
+ const message = prompt("What went wrong?");
435
+ if (!message) return;
436
+ await reportBug({
437
+ message,
438
+ email: currentUser?.email, // optional — so the team can follow up
439
+ context: { plan: "pro", screen: "checkout" }, // optional app metadata (string→string)
440
+ });
441
+ alert("Thanks — your report was sent.");
442
+ });
443
+ ```
444
+
445
+ Reports land in the console under the app's **Bugs** tab, already linked to the session replay, the trace, and the recent errors — one click from report to root cause. The POST goes to `/v1/bug-reports` via the same *original* `fetch` used by the other exporters (no self-export loop).
446
+
447
+ ### Session-replay keyframes (seekable playback)
448
+
449
+ The recorder checkpoints a fresh full snapshot roughly every **60 seconds** and starts a new chunk at each one (a "keyframe"). The console player can therefore begin playback from the nearest keyframe at or before a target moment — e.g. jumping straight to where an error happened — instead of downloading the whole session first. No configuration; it's automatic.
358
450
 
359
451
  ### Sampling & masking come from the console
360
452
 
@@ -388,6 +480,8 @@ As belt-and-suspenders the exporter also drops any span whose HTTP target points
388
480
 
389
481
  ## Migration / versioning
390
482
 
483
+ - **`0.11.0`** — **`/web`: browser error + console collection, in-app bug reports, and seekable replay keyframes.** `instrumentWeb` now captures uncaught errors (`window.onerror` + `unhandledrejection`) and `console.error` as OTLP logs by default (`event.name=browser.error` / `browser.console`, with `exception.*` semconv, `url.full`, `session_id`, and the active trace/span ids when `tracing` is on). New options: `errors?: boolean` (default `true`), `captureConsole?: 'error' | 'warn' | false` (default `'error'`). New **`reportBug({ message, email?, context? })`** API — a headless in-app bug reporter that POSTs to `/v1/bug-reports` and auto-attaches the URL, user agent, `session_id`, active `trace_id`, `release`/`build`, and the last ≤20 captured browser errors (also emitted as a `user.bug_report` log); reports triage in the console **Bugs** tab. The `version` / `build` options are now stamped as `service.version` / `service.build` on exported browser logs (release attribution). Console capture is recursion-guarded + rate-capped (no self-export loop, no flood). The recorder also checkpoints a keyframe (~60s) so the console player seeks from the nearest snapshot instead of loading the whole session. No breaking changes; all new options are optional.
484
+ - **`0.10.0`** — **release / commit attribution (`version` + `build`) on every runtime entry.** New optional options: `version` → the `service.version` resource attribute (a release identifier such as `1.4.2` or a git tag), `build` → the `service.build` resource attribute (the commit SHA). They power **release health**, **suspect release**, and **suspect commit** in the console — attributing a regression to the version/commit that introduced it (suspect-commit deep-links to the commit when a repo URL is configured for the app). Wired on `/node`, `/next` (threaded to whichever runtime runs), and `/workers`; accepted on `/web` for API symmetry. `/node` also reads `HEYSTACK_SERVICE_VERSION` / `OTEL_SERVICE_VERSION` and `HEYSTACK_SERVICE_BUILD` as env fallbacks. Both options are optional and only emitted when non-empty. No breaking changes. See [Release & commit attribution](#release--commit-attribution-version--build).
391
485
  - **`0.9.2`** — **`/workers`: `instrument()` no longer breaks WebSocket / Durable Object upgrades.** The fetch wrapper rebuilt every response with `new Response(...)`, which **drops the `webSocket` property** on a `101 Switching Protocols` upgrade — so every WebSocket connection on an instrumented Worker failed *whenever tracing was active* (an API key set), while passing in dev/staging where `instrument()` is a passthrough. `instrument()` now detects an upgrade (`response.webSocket` present, or `status === 101`) and returns the **original response untouched** (span closed immediately; no `traceparent` header injected — headers on a 101 aren't delivered anyway). Fixes failed `wss://` connections behind `routeAgentRequest` / any `new WebSocketPair()` handler. No API change; upgrade and redeploy.
392
486
  - **`0.9.1`** — **`/workers`: binding spans no longer orphan without `nodejs_compat`.** On a workerd runtime without `nodejs_compat` (no `globalThis.AsyncLocalStorage`), the synchronous fallback context manager cannot carry the active span across an `await` — so a D1/KV/R2/Vectorize/AI/Queue/Service span created *after* an `await` in your handler was emitted as the root of its own single-span trace instead of a child of the request. `instrument()` now captures the request's SERVER context per-request and uses it as an explicit parent fallback when no span is active, so binding operations are always children of the request trace. `nodejs_compat` is still recommended for cross-`await` parenting of outbound-fetch CLIENT spans and manual `withSpan` spans. No API change; upgrade and redeploy.
393
487
  - **`0.9.0`** — **`/workers`: automatic LLM gen_ai enrichment for outbound API calls.** Outbound `fetch` calls to known LLM providers (OpenAI, Anthropic, Cloudflare AI Gateway, Google) automatically gain `gen_ai.*` OTel semantic-convention attributes on the CLIENT span — model, token counts, finish reason, response ID — with no extra code. New optional `WorkersConfig.ai` option: `captureContent: true` also captures prompt/completion text (off by default; **strongly recommended for AI-app RCA**), with `redact` for scrubbing and `maxContentChars` for length capping. The original request/response bodies are never consumed (request read only when already a string; response via `response.clone()`). Streaming responses skip response enrichment. No breaking changes.
package/dist/core.d.ts CHANGED
@@ -6,7 +6,41 @@ export interface HeystackOptions {
6
6
  service: string;
7
7
  /** Override the ingest endpoint (defaults to Heystack production). */
8
8
  endpoint?: string;
9
+ /**
10
+ * Release identifier for this deploy — maps to the `service.version` resource
11
+ * attribute (a semver like `1.4.2`, a git tag, or any string that changes per
12
+ * release). Powers **release health** and the **suspect-release** view in the
13
+ * console: it groups telemetry by release so a regression can be pinned to the
14
+ * version that introduced it. Recommended for every deploy.
15
+ */
16
+ version?: string;
17
+ /**
18
+ * Commit SHA for this deploy — maps to the `service.build` resource attribute.
19
+ * Powers **suspect-commit** attribution: when a repository URL is configured
20
+ * for the app in the console, the SHA becomes a deep link to the exact commit.
21
+ * Use the full or short git SHA of the build.
22
+ */
23
+ build?: string;
9
24
  }
25
+ /**
26
+ * Resource-attribute key for the commit/build identifier. `service.version` has a
27
+ * standard OTel semantic-convention constant (`ATTR_SERVICE_VERSION`); there is
28
+ * no standard key for the build SHA, so Heystack uses the `service.build` literal.
29
+ */
30
+ export declare const ATTR_SERVICE_BUILD = "service.build";
31
+ /**
32
+ * Pure, runtime-agnostic: map the optional release-attribution options to OTel
33
+ * resource attributes — `version` → `service.version`, `build` → `service.build`.
34
+ *
35
+ * Only non-empty values are included: the console's release queries filter
36
+ * `!= ''`, so emitting an empty attribute is pure noise. Depends on nothing but
37
+ * the pure `@opentelemetry/semantic-conventions` constant, so it is safe for
38
+ * every entry including the WinterCG-only `/workers` path.
39
+ */
40
+ export declare function releaseResourceAttributes(o: {
41
+ version?: string;
42
+ build?: string;
43
+ }): Record<string, string>;
10
44
  export interface ExporterConfig {
11
45
  url: string;
12
46
  headers: {
package/dist/core.js CHANGED
@@ -1,4 +1,30 @@
1
+ import { ATTR_SERVICE_VERSION } from "@opentelemetry/semantic-conventions";
1
2
  export const DEFAULT_ENDPOINT = "https://ingest.heystack.dev";
3
+ /**
4
+ * Resource-attribute key for the commit/build identifier. `service.version` has a
5
+ * standard OTel semantic-convention constant (`ATTR_SERVICE_VERSION`); there is
6
+ * no standard key for the build SHA, so Heystack uses the `service.build` literal.
7
+ */
8
+ export const ATTR_SERVICE_BUILD = "service.build";
9
+ /**
10
+ * Pure, runtime-agnostic: map the optional release-attribution options to OTel
11
+ * resource attributes — `version` → `service.version`, `build` → `service.build`.
12
+ *
13
+ * Only non-empty values are included: the console's release queries filter
14
+ * `!= ''`, so emitting an empty attribute is pure noise. Depends on nothing but
15
+ * the pure `@opentelemetry/semantic-conventions` constant, so it is safe for
16
+ * every entry including the WinterCG-only `/workers` path.
17
+ */
18
+ export function releaseResourceAttributes(o) {
19
+ const attrs = {};
20
+ const version = o.version?.trim();
21
+ const build = o.build?.trim();
22
+ if (version)
23
+ attrs[ATTR_SERVICE_VERSION] = version;
24
+ if (build)
25
+ attrs[ATTR_SERVICE_BUILD] = build;
26
+ return attrs;
27
+ }
2
28
  /** Pure: derive the OTLP/HTTP traces URL + auth header. Works in any runtime. */
3
29
  export function buildExporterConfig(o) {
4
30
  const base = (o.endpoint ?? DEFAULT_ENDPOINT).replace(/\/+$/, "");
package/dist/next.js CHANGED
@@ -56,7 +56,14 @@ export async function registerHeystack(o) {
56
56
  // "./workers" → "./dist/workers.js" and "./node" → "./dist/node.js".
57
57
  const { initHeystackWorkers } = await import(
58
58
  /* @vite-ignore */ /* webpackIgnore: true */ "@heystack/otel/workers");
59
- initHeystackWorkers({ apiKey, service: o.service, endpoint: o.endpoint });
59
+ initHeystackWorkers({
60
+ apiKey,
61
+ service: o.service,
62
+ endpoint: o.endpoint,
63
+ // Release/commit attribution — carried into the workerd resource.
64
+ version: o.version,
65
+ build: o.build,
66
+ });
60
67
  }
61
68
  else {
62
69
  const { initHeystack } = await import(
@@ -65,6 +72,9 @@ export async function registerHeystack(o) {
65
72
  apiKey,
66
73
  service: o.service,
67
74
  endpoint: o.endpoint,
75
+ // Release/commit attribution — carried into the NodeSDK resource.
76
+ version: o.version,
77
+ build: o.build,
68
78
  debug: o.debug,
69
79
  });
70
80
  }
package/dist/node.d.ts CHANGED
@@ -52,6 +52,18 @@ export declare class SelfSpanFilteringExporter implements SpanExporter {
52
52
  shutdown(): Promise<void>;
53
53
  forceFlush(): Promise<void>;
54
54
  }
55
+ /**
56
+ * Resolve the release-attribution resource attributes for the Node entry.
57
+ *
58
+ * Prefers the explicit `version`/`build` options, then falls back to environment
59
+ * variables — `HEYSTACK_SERVICE_VERSION` (or `OTEL_SERVICE_VERSION`) for the
60
+ * release, `HEYSTACK_SERVICE_BUILD` for the commit SHA — so a deploy can stamp
61
+ * the release/commit without touching code (e.g. `HEYSTACK_SERVICE_BUILD=$(git
62
+ * rev-parse HEAD)`). Node-only: `process` is read behind a `typeof` guard so the
63
+ * function never references an undefined global. Returns only the keys that
64
+ * resolved to a non-empty value (empty attributes are noise the console filters).
65
+ */
66
+ export declare function resolveNodeReleaseAttributes(o: NodeOptions): Record<string, string>;
55
67
  /** Initialise Heystack tracing on a Node runtime. Call once, as early as possible. Returns the started SDK. */
56
68
  export declare function initHeystack(o: NodeOptions): NodeSDK;
57
69
  /** Flush + shutdown the SDK on SIGTERM/SIGINT so short-lived processes don't lose the last batch. Registers handlers at most once. */
package/dist/node.js CHANGED
@@ -3,7 +3,8 @@ import { OTLPTraceExporter } from "@opentelemetry/exporter-trace-otlp-http";
3
3
  import { getNodeAutoInstrumentations } from "@opentelemetry/auto-instrumentations-node";
4
4
  import { diag, DiagConsoleLogger, DiagLogLevel } from "@opentelemetry/api";
5
5
  import { ExportResultCode } from "@opentelemetry/core";
6
- import { buildExporterConfig } from "./core.js";
6
+ import { Resource } from "@opentelemetry/resources";
7
+ import { buildExporterConfig, releaseResourceAttributes, } from "./core.js";
7
8
  import { isSelfSpanAttrs, safeHostname } from "./self-span.js";
8
9
  /**
9
10
  * Wraps a span exporter and drops any span that targets the Heystack ingest
@@ -88,6 +89,23 @@ let _signalHandlersRegistered = false;
88
89
  * handlers).
89
90
  */
90
91
  let _sdk = null;
92
+ /**
93
+ * Resolve the release-attribution resource attributes for the Node entry.
94
+ *
95
+ * Prefers the explicit `version`/`build` options, then falls back to environment
96
+ * variables — `HEYSTACK_SERVICE_VERSION` (or `OTEL_SERVICE_VERSION`) for the
97
+ * release, `HEYSTACK_SERVICE_BUILD` for the commit SHA — so a deploy can stamp
98
+ * the release/commit without touching code (e.g. `HEYSTACK_SERVICE_BUILD=$(git
99
+ * rev-parse HEAD)`). Node-only: `process` is read behind a `typeof` guard so the
100
+ * function never references an undefined global. Returns only the keys that
101
+ * resolved to a non-empty value (empty attributes are noise the console filters).
102
+ */
103
+ export function resolveNodeReleaseAttributes(o) {
104
+ const env = typeof process !== "undefined" ? process.env : undefined;
105
+ const version = o.version ?? env?.HEYSTACK_SERVICE_VERSION ?? env?.OTEL_SERVICE_VERSION;
106
+ const build = o.build ?? env?.HEYSTACK_SERVICE_BUILD;
107
+ return releaseResourceAttributes({ version, build });
108
+ }
91
109
  /** Initialise Heystack tracing on a Node runtime. Call once, as early as possible. Returns the started SDK. */
92
110
  export function initHeystack(o) {
93
111
  // Idempotent: a second call returns the cached SDK rather than starting a new
@@ -111,6 +129,10 @@ export function initHeystack(o) {
111
129
  const traceExporter = new SelfSpanFilteringExporter(new OTLPTraceExporter({ url: cfg.url, headers: cfg.headers }), ingestHost);
112
130
  const sdk = new NodeSDK({
113
131
  serviceName: o.service,
132
+ // Release/commit attribution. NodeSDK merges `serviceName` on top of this
133
+ // resource, so the final resource carries service.name + (when provided)
134
+ // service.version + service.build. Empty when neither option nor env is set.
135
+ resource: new Resource(resolveNodeReleaseAttributes(o)),
114
136
  traceExporter,
115
137
  instrumentations,
116
138
  });
package/dist/web.d.ts CHANGED
@@ -58,6 +58,20 @@ export interface InstrumentWebOptions {
58
58
  apiKey: string;
59
59
  service: string;
60
60
  endpoint?: string;
61
+ /**
62
+ * Release identifier for this build — the same `service.version` concept as the
63
+ * server entries (see `HeystackOptions.version`). Stamped as `service.version` on
64
+ * the resource of every browser error/console log exported here, so a browser
65
+ * regression is attributed to the release that introduced it (release health /
66
+ * suspect release in the console).
67
+ */
68
+ version?: string;
69
+ /**
70
+ * Commit SHA for this build — the same `service.build` concept as the server
71
+ * entries (see `HeystackOptions.build`). Stamped as `service.build` on the
72
+ * resource of exported browser logs for commit-level attribution.
73
+ */
74
+ build?: string;
61
75
  /** Optional app-supplied user identifier stamped on the session. */
62
76
  userId?: string;
63
77
  /** Local overrides; by default sampling + masking come from server config. */
@@ -75,6 +89,32 @@ export interface InstrumentWebOptions {
75
89
  /** Head sample rate for browser tracing (0–1, default 1 when `tracing` is on).
76
90
  * Lower it to control span volume/cost on high-traffic apps. */
77
91
  traceSampleRate?: number;
92
+ /**
93
+ * Cross-origin backend URLs that may receive the `traceparent` header, in
94
+ * addition to same-origin (which always does). Trace context is NEVER sent to an
95
+ * origin outside this list, so third-party calls (Clerk, Stripe, analytics, CDNs)
96
+ * are not broken by an unexpected CORS preflight. Match by substring or RegExp
97
+ * against the request URL, e.g. `["api.myapp.com"]`.
98
+ *
99
+ * IMPORTANT: a listed backend MUST allow `traceparent` (and `tracestate`) in its
100
+ * CORS `Access-Control-Allow-Headers`, or its own requests will be preflight-
101
+ * rejected too. Same-origin calls need no CORS and are unaffected.
102
+ */
103
+ tracePropagationTargets?: (string | RegExp)[];
104
+ /**
105
+ * Capture uncaught browser errors (`window.onerror` + `unhandledrejection`) and
106
+ * export them as OTLP logs (`event.name=browser.error`, ERROR severity, with
107
+ * `exception.*` semconv attributes). **On by default** when `instrumentWeb` is
108
+ * called; set `false` to disable. Independent of replay and tracing — errors
109
+ * correlate to replays via `session_id` and to traces via the active span.
110
+ */
111
+ errors?: boolean;
112
+ /**
113
+ * Capture `console` output as logs. `'error'` (default) captures `console.error`;
114
+ * `'warn'` captures `console.warn` **and** `console.error`; `false` disables it.
115
+ * Rate-capped and recursion-guarded so it can never feed a self-export loop.
116
+ */
117
+ captureConsole?: "error" | "warn" | false;
78
118
  }
79
119
  /** Entry point: fetch config, decide sampling, start rrweb, stream chunks.
80
120
  * Returns a stop() function. Safe to call in any browser; no-ops on the server. */
@@ -88,9 +128,36 @@ export declare class TraceIdCollector {
88
128
  add(id: string): void;
89
129
  drain(): string[];
90
130
  }
131
+ /** Holds the most recent browser CLIENT span context so an error captured during
132
+ * (or right after) a fetch can be tagged with that trace/span id. There is no
133
+ * ambient active-span stack in the browser SDK — spans are per-fetch — so this is
134
+ * a best-effort "last span" correlation, only populated when tracing is on. */
135
+ export declare class ActiveTraceRef {
136
+ private cur?;
137
+ set(traceId: string, spanId: string): void;
138
+ get(): {
139
+ traceId: string;
140
+ spanId: string;
141
+ } | undefined;
142
+ }
143
+ /**
144
+ * Decide whether to attach trace headers (`traceparent`) to an outbound request.
145
+ * Same-origin is always propagated; a CROSS-origin request is propagated ONLY if
146
+ * its URL matches an explicit target.
147
+ *
148
+ * This is critical for correctness: adding the non-safelisted `traceparent` header
149
+ * to a cross-origin request forces a CORS preflight, and any third party that
150
+ * doesn't list the header in Access-Control-Allow-Headers (Clerk, Stripe, most
151
+ * APIs) rejects it — breaking the request. So we never send trace context to an
152
+ * origin the app didn't opt in. Mirrors OTel-web's `propagateTraceHeaderCorsUrls`
153
+ * / Sentry's `tracePropagationTargets`. Targets match against the full request URL
154
+ * (string substring or RegExp).
155
+ */
156
+ export declare function shouldPropagateTrace(url: string, targets?: ReadonlyArray<string | RegExp>): boolean;
91
157
  /** Patch window.fetch to inject traceparent on outgoing calls and record the
92
- * trace id for correlation. Returns an unpatch function. */
93
- export declare function patchFetchForCorrelation(collector: TraceIdCollector): () => void;
158
+ * trace id for correlation. Returns an unpatch function. `propagateTargets` are
159
+ * cross-origin backends allowed to receive trace headers (same-origin always is). */
160
+ export declare function patchFetchForCorrelation(collector: TraceIdCollector, propagateTargets?: ReadonlyArray<string | RegExp>): () => void;
94
161
  /** One recorded browser CLIENT span (an outbound fetch). */
95
162
  export interface BrowserClientSpan {
96
163
  traceId: string;
@@ -105,7 +172,7 @@ export interface BrowserClientSpan {
105
172
  error: boolean;
106
173
  }
107
174
  /** Build an OTLP/JSON ExportTraceServiceRequest for a batch of client spans. */
108
- export declare function buildTraceExport(service: string, spans: BrowserClientSpan[]): Record<string, unknown>;
175
+ export declare function buildTraceExport(service: string, spans: BrowserClientSpan[], resourceAttributes?: Record<string, string>): Record<string, unknown>;
109
176
  export interface TraceExporterOpts {
110
177
  endpoint: string;
111
178
  apiKey: string;
@@ -113,6 +180,8 @@ export interface TraceExporterOpts {
113
180
  /** MUST be the ORIGINAL fetch captured before patching, or the export POST
114
181
  * self-traces and loops (cost guardrail #1). */
115
182
  fetchImpl: typeof fetch;
183
+ /** `service.version` / `service.build` — stamped on the resource for attribution. */
184
+ resourceAttributes?: Record<string, string>;
116
185
  maxBatch?: number;
117
186
  }
118
187
  /** Buffers browser CLIENT spans and POSTs them as OTLP/JSON to /v1/traces. */
@@ -130,10 +199,148 @@ export interface TracingPatchOpts {
130
199
  ingestHost: string;
131
200
  /** Optional: also record the real trace id for replay↔trace correlation. */
132
201
  collector?: TraceIdCollector;
202
+ /** Optional: publish the current span context so captured errors can reference it. */
203
+ activeTrace?: ActiveTraceRef;
204
+ /** Cross-origin backends allowed to receive trace headers (same-origin always is).
205
+ * Third-party / non-listed cross-origin calls are passed through untouched. */
206
+ propagateTargets?: ReadonlyArray<string | RegExp>;
133
207
  rng?: () => number;
134
208
  }
135
209
  /** Patch window.fetch to emit a real CLIENT span per outbound call, inject that
136
210
  * span's W3C traceparent, and (head-sampled) hand the finished span to onSpan.
137
211
  * Returns an unpatch function. */
138
212
  export declare function patchFetchForTracing(o: TracingPatchOpts): () => void;
213
+ /** A browser log record before OTLP encoding. */
214
+ export interface BrowserLogRecord {
215
+ /** Client epoch millis. */
216
+ timeUnixMs: number;
217
+ severityText: "ERROR" | "WARN" | "INFO";
218
+ body: string;
219
+ attributes: Record<string, string>;
220
+ traceId?: string;
221
+ spanId?: string;
222
+ }
223
+ /** Build an OTLP/JSON ExportLogsServiceRequest for a batch of browser logs. */
224
+ export declare function buildLogsExport(service: string, records: BrowserLogRecord[], resourceAttributes?: Record<string, string>): Record<string, unknown>;
225
+ export interface LogsExporterOpts {
226
+ endpoint: string;
227
+ apiKey: string;
228
+ service: string;
229
+ /** MUST be the ORIGINAL fetch captured before patching, or the export POST
230
+ * self-traces and loops (cost guardrail #1). */
231
+ fetchImpl: typeof fetch;
232
+ /** `service.version` / `service.build` (from `version`/`build`) — stamped on the resource. */
233
+ resourceAttributes?: Record<string, string>;
234
+ maxBatch?: number;
235
+ }
236
+ /** Buffers browser logs and POSTs them as OTLP/JSON to /v1/logs. */
237
+ export declare class BrowserLogsExporter {
238
+ private readonly o;
239
+ private buf;
240
+ constructor(o: LogsExporterOpts);
241
+ add(r: BrowserLogRecord): void;
242
+ flush(keepalive?: boolean): Promise<void>;
243
+ }
244
+ /** Sliding-window rate gate: allow up to `cap` records per `windowMs`; count drops
245
+ * and report how many were dropped the moment a new window opens, so the caller
246
+ * can emit one summary record when the cap lifts. */
247
+ export declare class RateGate {
248
+ private readonly cap;
249
+ private readonly windowMs;
250
+ private readonly now;
251
+ private count;
252
+ private windowStart;
253
+ private dropped;
254
+ constructor(cap: number, windowMs: number, now?: () => number);
255
+ take(): {
256
+ allow: boolean;
257
+ recovered: number;
258
+ };
259
+ }
260
+ /** One recently-captured browser error, kept cheap on purpose (message + type +
261
+ * timestamp only, no stack) so a bug report can attach the last N without holding
262
+ * large objects. Populated by startErrorCapture and read by reportBug(). */
263
+ export interface RecentError {
264
+ message: string;
265
+ type?: string;
266
+ /** Client epoch millis when the error was captured. */
267
+ timestamp: number;
268
+ }
269
+ /** Fixed-capacity ring of the most recent captured errors. Push is O(1); once the
270
+ * cap is reached the oldest entry is dropped. `list()` returns oldest→newest. */
271
+ export declare class RecentErrorsBuffer {
272
+ private readonly cap;
273
+ private buf;
274
+ constructor(cap?: number);
275
+ push(e: RecentError): void;
276
+ list(): RecentError[];
277
+ }
278
+ export interface ErrorCaptureOpts {
279
+ exporter: BrowserLogsExporter;
280
+ /** Correlates logs to the replay session and to each other. */
281
+ sessionId: string;
282
+ /** `'error'` = console.error; `'warn'` = warn + error; `false` = no console capture. */
283
+ captureConsole: "error" | "warn" | false;
284
+ activeTrace?: ActiveTraceRef;
285
+ /** Optional ring the capture path records each uncaught error into (message +
286
+ * type + timestamp), so reportBug() can attach recent errors as context. */
287
+ recent?: RecentErrorsBuffer;
288
+ now?: () => number;
289
+ /** Max records per window before dropping (default 60). */
290
+ rateCap?: number;
291
+ /** Rate window in ms (default 60_000). */
292
+ rateWindowMs?: number;
293
+ }
294
+ /** Wire up `window.onerror` / `unhandledrejection` (+ optional console) capture.
295
+ * Returns an unpatch function. Recursion-guarded (anything logged on our own
296
+ * export path is never re-captured) and rate-capped. */
297
+ export declare function startErrorCapture(o: ErrorCaptureOpts): () => void;
298
+ /** The user-supplied part of a bug report. `message` is required; everything else
299
+ * the SDK attaches automatically. `context` is arbitrary app metadata (plan,
300
+ * feature flag, screen…) stored verbatim. */
301
+ export interface BugReport {
302
+ message: string;
303
+ /** Optional reporter email so the team can follow up. */
304
+ email?: string;
305
+ /** Arbitrary string metadata the app wants to attach (values are stored as-is). */
306
+ context?: Record<string, string>;
307
+ }
308
+ /** The session context reportBug() draws on, registered by instrumentWeb() and
309
+ * cleared on stop(). Kept separate from InstrumentWebOptions so the module-level
310
+ * reportBug() has everything it needs without re-reading config. */
311
+ export interface BugReportSession {
312
+ endpoint: string;
313
+ apiKey: string;
314
+ service: string;
315
+ /** Shared with browser errors / console logs / replay — the correlation key. */
316
+ sessionId: string;
317
+ /** ORIGINAL fetch captured before patching (self-export-loop guard). */
318
+ fetchImpl: typeof fetch;
319
+ /** Last browser CLIENT span, so a report references the in-flight trace. */
320
+ activeTrace: ActiveTraceRef;
321
+ /** Ring of recent captured errors attached as report context. */
322
+ recentErrors: RecentErrorsBuffer;
323
+ /** Emits the user.bug_report OTLP log so the report shows in the timeline. */
324
+ logsExporter: BrowserLogsExporter;
325
+ version?: string;
326
+ build?: string;
327
+ }
328
+ /** Internal: instrumentWeb() registers the active session here (and clears it with
329
+ * `null` on stop) so the module-level reportBug() works after instrumentWeb() is
330
+ * called. Exported for that wiring + tests; not part of the app-facing surface. */
331
+ export declare function registerBugSession(session: BugReportSession | null): void;
332
+ /** Build the /v1/bug-reports POST body: the user's fields plus the auto-attached
333
+ * session/trace/release context and recent errors. Pure (env reads are guarded)
334
+ * so it is unit-testable. */
335
+ export declare function buildBugReportPayload(s: BugReportSession, report: BugReport): Record<string, unknown>;
336
+ /**
337
+ * File an in-app bug report. Call after instrumentWeb() — it throws if the SDK
338
+ * isn't initialised or the message is empty (both are programmer errors). Network
339
+ * failures are swallowed (a failed report must never break the host app).
340
+ *
341
+ * @example
342
+ * import { reportBug } from "@heystack/otel/web";
343
+ * button.onclick = () => reportBug({ message: input.value, email: userEmail });
344
+ */
345
+ export declare function reportBug(report: BugReport): Promise<void>;
139
346
  export {};
package/dist/web.js CHANGED
@@ -1,4 +1,4 @@
1
- import { DEFAULT_ENDPOINT } from "./core.js";
1
+ import { DEFAULT_ENDPOINT, releaseResourceAttributes } from "./core.js";
2
2
  // safeHostname is pure string logic (no runtime imports) — safe in the browser
3
3
  // bundle. Used to skip tracing our OWN telemetry POSTs (the self-export loop that
4
4
  // caused the June 2026 cost incident); see CLAUDE.md → "Cost guardrails".
@@ -102,6 +102,13 @@ export async function instrumentWeb(opts) {
102
102
  const originalFetch = fetch.bind(globalThis);
103
103
  const ingestHost = safeHostname(endpoint);
104
104
  const traces = new TraceIdCollector();
105
+ const activeTrace = new ActiveTraceRef();
106
+ // One session id for the whole run — shared by errors, console logs AND replay
107
+ // (created here, before the replay sampling gate, so errors correlate even when
108
+ // replay isn't sampled; when it is, they share this id → error ↔ replay linking).
109
+ const sessionId = crypto.randomUUID();
110
+ // service.version / service.build for release attribution on exported browser logs.
111
+ const releaseAttrs = releaseResourceAttributes({ version: opts.version, build: opts.build });
105
112
  // 2. Browser distributed tracing (opt-in) — INDEPENDENT of replay sampling. Emits
106
113
  // a real CLIENT span per outbound fetch + propagates W3C context to the backend.
107
114
  let stopTracing = () => { };
@@ -109,12 +116,15 @@ export async function instrumentWeb(opts) {
109
116
  if (opts.tracing) {
110
117
  const exporter = new BrowserTraceExporter({
111
118
  endpoint, apiKey: opts.apiKey, service: opts.service, fetchImpl: originalFetch,
119
+ resourceAttributes: releaseAttrs,
112
120
  });
113
121
  const unpatchTrace = patchFetchForTracing({
114
122
  onSpan: (s) => exporter.add(s),
115
123
  sampleRate: opts.traceSampleRate ?? 1,
116
124
  ingestHost,
117
125
  collector: traces, // real trace ids also tag the replay session (better correlation)
126
+ activeTrace, // so a captured error can reference the in-flight span
127
+ propagateTargets: opts.tracePropagationTargets, // same-origin + these only (never third parties)
118
128
  });
119
129
  fetchPatched = true;
120
130
  const traceFlush = setInterval(() => void exporter.flush(), opts.flushIntervalMs ?? DEFAULT_FLUSH_MS);
@@ -129,9 +139,49 @@ export async function instrumentWeb(opts) {
129
139
  void exporter.flush(true);
130
140
  };
131
141
  }
132
- // 3. Session replay gated on the replay sampling decision (independent of tracing).
142
+ // The logs exporter + recent-errors ring are shared by error capture AND the
143
+ // in-app bug reporter, so they're constructed here (before the errors gate) and
144
+ // always available to reportBug() even when error capture is disabled. The
145
+ // exporter is inert until something is added, so constructing it eagerly is free.
146
+ const logsExporter = new BrowserLogsExporter({
147
+ endpoint, apiKey: opts.apiKey, service: opts.service, fetchImpl: originalFetch,
148
+ resourceAttributes: releaseAttrs,
149
+ });
150
+ const recentErrors = new RecentErrorsBuffer(20);
151
+ // Register the session so the module-level reportBug() works after this call.
152
+ registerBugSession({
153
+ endpoint, apiKey: opts.apiKey, service: opts.service, sessionId,
154
+ fetchImpl: originalFetch, activeTrace, recentErrors, logsExporter,
155
+ version: opts.version, build: opts.build,
156
+ });
157
+ // 2b. Browser error / console log collection — ON by default, INDEPENDENT of both
158
+ // tracing and replay sampling. Exports OTLP logs to /v1/logs via the original fetch.
159
+ let stopErrors = () => { };
160
+ if (opts.errors !== false) {
161
+ const unpatchErrors = startErrorCapture({
162
+ exporter: logsExporter,
163
+ sessionId,
164
+ captureConsole: opts.captureConsole ?? "error",
165
+ activeTrace,
166
+ recent: recentErrors,
167
+ });
168
+ const logFlush = setInterval(() => void logsExporter.flush(), opts.flushIntervalMs ?? DEFAULT_FLUSH_MS);
169
+ const onHideLogs = () => { if (document.visibilityState === "hidden")
170
+ void logsExporter.flush(true); };
171
+ const onPageHideLogs = () => void logsExporter.flush(true);
172
+ document.addEventListener("visibilitychange", onHideLogs);
173
+ window.addEventListener("pagehide", onPageHideLogs);
174
+ stopErrors = () => {
175
+ clearInterval(logFlush);
176
+ document.removeEventListener("visibilitychange", onHideLogs);
177
+ window.removeEventListener("pagehide", onPageHideLogs);
178
+ unpatchErrors();
179
+ void logsExporter.flush(true);
180
+ };
181
+ }
182
+ // 3. Session replay — gated on the replay sampling decision (independent of tracing/errors).
133
183
  if (!shouldRecord(cfg))
134
- return () => { stopTracing(); };
184
+ return () => { stopTracing(); stopErrors(); registerBugSession(null); };
135
185
  const { record } = await import("rrweb");
136
186
  // An element marked `data-hs-unmask` (or any descendant of one) is recorded in
137
187
  // cleartext; everything else is masked. rrweb 2.0.1's real opt-out hooks are
@@ -143,12 +193,11 @@ export async function instrumentWeb(opts) {
143
193
  const reveal = (text, element) => !!element?.closest?.("[data-hs-unmask]");
144
194
  const maskInputFn = (text, element) => reveal(text, element) ? text : "*".repeat(text.length);
145
195
  const maskTextFn = (text, element) => reveal(text, element) ? text : "*".repeat(text.length);
146
- const sessionId = crypto.randomUUID();
147
196
  const transport = new ReplayTransport({ endpoint, apiKey: opts.apiKey, fetchImpl: originalFetch, sessionId });
148
197
  // Only patch fetch for replay correlation if tracing didn't already patch it
149
198
  // (tracing's patch injects real context AND feeds `traces`). Avoids double-wrapping
150
199
  // window.fetch. Uses the original fetch for uploads (self-span suppression).
151
- const unpatch = fetchPatched ? () => { } : patchFetchForCorrelation(traces);
200
+ const unpatch = fetchPatched ? () => { } : patchFetchForCorrelation(traces, opts.tracePropagationTargets);
152
201
  let buffer = [];
153
202
  let errorCount = 0;
154
203
  const browser = navigator.userAgent;
@@ -169,11 +218,19 @@ export async function instrumentWeb(opts) {
169
218
  }, keepalive);
170
219
  };
171
220
  const stopRecord = record({
172
- emit(event) {
221
+ emit(event, isCheckout) {
222
+ // rrweb re-checkpoints (takes a fresh FULL_SNAPSHOT) every `checkoutEveryNms`.
223
+ // Flush the buffer BEFORE appending the checkout event so each keyframe starts
224
+ // a new chunk (has_snapshot=true) — the player can then begin playback from the
225
+ // nearest keyframe ≤ a target time instead of loading the whole session.
226
+ if (isCheckout)
227
+ flush();
173
228
  buffer.push(event);
174
229
  if (buffer.length >= (opts.flushEveryEvents ?? DEFAULT_FLUSH_EVENTS))
175
230
  flush();
176
231
  },
232
+ // A ~60s keyframe cadence bounds how many chunks the player must fetch to seek.
233
+ checkoutEveryNms: 60_000,
177
234
  maskAllInputs: cfg.masking_mode === "strict",
178
235
  maskTextSelector: "[data-hs-mask]",
179
236
  blockSelector: "[data-hs-block]",
@@ -194,6 +251,8 @@ export async function instrumentWeb(opts) {
194
251
  unpatch();
195
252
  flush(true);
196
253
  stopTracing();
254
+ stopErrors();
255
+ registerBugSession(null);
197
256
  };
198
257
  }
199
258
  function matchMediaDevice() {
@@ -230,13 +289,59 @@ export class TraceIdCollector {
230
289
  return out;
231
290
  }
232
291
  }
292
+ /** Holds the most recent browser CLIENT span context so an error captured during
293
+ * (or right after) a fetch can be tagged with that trace/span id. There is no
294
+ * ambient active-span stack in the browser SDK — spans are per-fetch — so this is
295
+ * a best-effort "last span" correlation, only populated when tracing is on. */
296
+ export class ActiveTraceRef {
297
+ cur;
298
+ set(traceId, spanId) { this.cur = { traceId, spanId }; }
299
+ get() { return this.cur; }
300
+ }
301
+ /**
302
+ * Decide whether to attach trace headers (`traceparent`) to an outbound request.
303
+ * Same-origin is always propagated; a CROSS-origin request is propagated ONLY if
304
+ * its URL matches an explicit target.
305
+ *
306
+ * This is critical for correctness: adding the non-safelisted `traceparent` header
307
+ * to a cross-origin request forces a CORS preflight, and any third party that
308
+ * doesn't list the header in Access-Control-Allow-Headers (Clerk, Stripe, most
309
+ * APIs) rejects it — breaking the request. So we never send trace context to an
310
+ * origin the app didn't opt in. Mirrors OTel-web's `propagateTraceHeaderCorsUrls`
311
+ * / Sentry's `tracePropagationTargets`. Targets match against the full request URL
312
+ * (string substring or RegExp).
313
+ */
314
+ export function shouldPropagateTrace(url, targets = []) {
315
+ const base = typeof location !== "undefined" ? location.href : undefined;
316
+ let href;
317
+ try {
318
+ const u = new URL(url, base);
319
+ if (typeof location !== "undefined" && u.origin === location.origin)
320
+ return true;
321
+ href = u.href;
322
+ }
323
+ catch {
324
+ return true; // relative/opaque with no base ⇒ same-origin (safe to propagate)
325
+ }
326
+ for (const t of targets) {
327
+ if (typeof t === "string" ? href.includes(t) : t.test(href))
328
+ return true;
329
+ }
330
+ return false;
331
+ }
233
332
  /** Patch window.fetch to inject traceparent on outgoing calls and record the
234
- * trace id for correlation. Returns an unpatch function. */
235
- export function patchFetchForCorrelation(collector) {
333
+ * trace id for correlation. Returns an unpatch function. `propagateTargets` are
334
+ * cross-origin backends allowed to receive trace headers (same-origin always is). */
335
+ export function patchFetchForCorrelation(collector, propagateTargets = []) {
236
336
  if (typeof window === "undefined" || !window.fetch)
237
337
  return () => { };
238
338
  const orig = window.fetch.bind(window);
239
339
  window.fetch = ((input, init) => {
340
+ // Only attach trace context to same-origin / allow-listed backends — never a
341
+ // third party (that would break its CORS preflight). See shouldPropagateTrace.
342
+ if (!shouldPropagateTrace(fetchUrl(input), propagateTargets)) {
343
+ return orig(input, init);
344
+ }
240
345
  const traceId = randHex(16);
241
346
  const spanId = randHex(8);
242
347
  collector.add(traceId);
@@ -270,11 +375,15 @@ function spanToOtlp(s) {
270
375
  };
271
376
  }
272
377
  /** Build an OTLP/JSON ExportTraceServiceRequest for a batch of client spans. */
273
- export function buildTraceExport(service, spans) {
378
+ export function buildTraceExport(service, spans, resourceAttributes = {}) {
379
+ const resAttrs = [
380
+ kvStr("service.name", service),
381
+ ...Object.entries(resourceAttributes).map(([k, v]) => kvStr(k, v)),
382
+ ];
274
383
  return {
275
384
  resourceSpans: [
276
385
  {
277
- resource: { attributes: [kvStr("service.name", service)] },
386
+ resource: { attributes: resAttrs },
278
387
  scopeSpans: [{ scope: { name: "@heystack/otel/web" }, spans: spans.map(spanToOtlp) }],
279
388
  },
280
389
  ],
@@ -297,7 +406,7 @@ export class BrowserTraceExporter {
297
406
  return;
298
407
  const spans = this.buf;
299
408
  this.buf = [];
300
- const body = JSON.stringify(buildTraceExport(this.o.service, spans));
409
+ const body = JSON.stringify(buildTraceExport(this.o.service, spans, this.o.resourceAttributes));
301
410
  await this.o
302
411
  .fetchImpl(`${this.o.endpoint}/v1/traces`, {
303
412
  method: "POST",
@@ -342,11 +451,18 @@ export function patchFetchForTracing(o) {
342
451
  // the original fetch; this is the belt-and-suspenders host-match guard.
343
452
  if (o.ingestHost && safeHostname(url) === o.ingestHost)
344
453
  return orig(input, init);
454
+ // Third-party / non-allow-listed cross-origin: don't trace AND don't inject a
455
+ // header — a `traceparent` on a cross-origin request forces a CORS preflight the
456
+ // third party rejects (the Clerk/Stripe outage class). Pass through untouched.
457
+ if (!shouldPropagateTrace(url, o.propagateTargets))
458
+ return orig(input, init);
345
459
  const sampled = rng() < o.sampleRate;
346
460
  const traceId = randHex(16);
347
461
  const spanId = randHex(8);
348
462
  if (sampled && o.collector)
349
463
  o.collector.add(traceId);
464
+ if (sampled)
465
+ o.activeTrace?.set(traceId, spanId);
350
466
  const headers = new Headers(init?.headers ?? (input instanceof Request ? input.headers : undefined));
351
467
  if (!headers.has("traceparent"))
352
468
  headers.set("traceparent", makeTraceparent(traceId, spanId, sampled));
@@ -361,3 +477,325 @@ export function patchFetchForTracing(o) {
361
477
  });
362
478
  return () => { window.fetch = orig; };
363
479
  }
480
+ // ── Browser error / console log collection ──────────────────────────────────
481
+ // Uncaught errors + (opt) console output become OTLP logs POSTed to /v1/logs.
482
+ // No official OTel browser *logs* SDK exists, so we write the thin exporter here
483
+ // and keep the OSS wire format (OTLP/JSON LogsRequest, matching what /v1/logs and
484
+ // schema's logsToRows parse). Same cost guardrail as traces/replay: the exporter
485
+ // MUST be handed the ORIGINAL fetch (captured before patching) so its own POST is
486
+ // never traced → re-exported → looped.
487
+ /** OTel severity numbers for the levels we emit (see OTLP LogRecord spec).
488
+ * INFO is used by non-error events such as a user bug report. */
489
+ const SEVERITY_NUMBER = { ERROR: 17, WARN: 13, INFO: 9 };
490
+ /** Max characters of a log body we keep (console args / messages can be huge). */
491
+ const MAX_LOG_BODY = 4096;
492
+ function logToOtlp(r) {
493
+ const rec = {
494
+ timeUnixNano: msToNano(r.timeUnixMs),
495
+ severityText: r.severityText,
496
+ severityNumber: SEVERITY_NUMBER[r.severityText],
497
+ body: { stringValue: r.body },
498
+ attributes: Object.entries(r.attributes).map(([k, v]) => kvStr(k, v)),
499
+ };
500
+ if (r.traceId)
501
+ rec.traceId = r.traceId;
502
+ if (r.spanId)
503
+ rec.spanId = r.spanId;
504
+ return rec;
505
+ }
506
+ /** Build an OTLP/JSON ExportLogsServiceRequest for a batch of browser logs. */
507
+ export function buildLogsExport(service, records, resourceAttributes = {}) {
508
+ const resAttrs = [
509
+ kvStr("service.name", service),
510
+ ...Object.entries(resourceAttributes).map(([k, v]) => kvStr(k, v)),
511
+ ];
512
+ return {
513
+ resourceLogs: [
514
+ {
515
+ resource: { attributes: resAttrs },
516
+ scopeLogs: [{ scope: { name: "@heystack/otel/web" }, logRecords: records.map(logToOtlp) }],
517
+ },
518
+ ],
519
+ };
520
+ }
521
+ /** Buffers browser logs and POSTs them as OTLP/JSON to /v1/logs. */
522
+ export class BrowserLogsExporter {
523
+ o;
524
+ buf = [];
525
+ constructor(o) {
526
+ this.o = o;
527
+ }
528
+ add(r) {
529
+ this.buf.push(r);
530
+ if (this.buf.length >= (this.o.maxBatch ?? 50))
531
+ void this.flush();
532
+ }
533
+ async flush(keepalive = false) {
534
+ if (this.buf.length === 0)
535
+ return;
536
+ const records = this.buf;
537
+ this.buf = [];
538
+ const body = JSON.stringify(buildLogsExport(this.o.service, records, this.o.resourceAttributes));
539
+ await this.o
540
+ .fetchImpl(`${this.o.endpoint}/v1/logs`, {
541
+ method: "POST",
542
+ keepalive,
543
+ headers: { authorization: `Bearer ${this.o.apiKey}`, "content-type": "application/json" },
544
+ body,
545
+ })
546
+ .catch(() => { });
547
+ }
548
+ }
549
+ /** Sliding-window rate gate: allow up to `cap` records per `windowMs`; count drops
550
+ * and report how many were dropped the moment a new window opens, so the caller
551
+ * can emit one summary record when the cap lifts. */
552
+ export class RateGate {
553
+ cap;
554
+ windowMs;
555
+ now;
556
+ count = 0;
557
+ windowStart = Number.NEGATIVE_INFINITY;
558
+ dropped = 0;
559
+ constructor(cap, windowMs, now = Date.now) {
560
+ this.cap = cap;
561
+ this.windowMs = windowMs;
562
+ this.now = now;
563
+ }
564
+ take() {
565
+ const t = this.now();
566
+ let recovered = 0;
567
+ if (t - this.windowStart >= this.windowMs) {
568
+ recovered = this.dropped;
569
+ this.dropped = 0;
570
+ this.count = 0;
571
+ this.windowStart = t;
572
+ }
573
+ if (this.count >= this.cap) {
574
+ this.dropped++;
575
+ return { allow: false, recovered };
576
+ }
577
+ this.count++;
578
+ return { allow: true, recovered };
579
+ }
580
+ }
581
+ /** Best-effort stringify of a console arg: strings pass through; Errors keep their
582
+ * stack; objects are JSON'd (circular refs degrade to their tag). */
583
+ function stringifyArg(a) {
584
+ if (typeof a === "string")
585
+ return a;
586
+ if (a instanceof Error)
587
+ return a.stack ?? `${a.name}: ${a.message}`;
588
+ try {
589
+ return JSON.stringify(a) ?? String(a);
590
+ }
591
+ catch {
592
+ return Object.prototype.toString.call(a);
593
+ }
594
+ }
595
+ /** Fixed-capacity ring of the most recent captured errors. Push is O(1); once the
596
+ * cap is reached the oldest entry is dropped. `list()` returns oldest→newest. */
597
+ export class RecentErrorsBuffer {
598
+ cap;
599
+ buf = [];
600
+ constructor(cap = 20) {
601
+ this.cap = cap;
602
+ }
603
+ push(e) {
604
+ this.buf.push(e);
605
+ if (this.buf.length > this.cap)
606
+ this.buf.shift();
607
+ }
608
+ list() {
609
+ return [...this.buf];
610
+ }
611
+ }
612
+ /** Wire up `window.onerror` / `unhandledrejection` (+ optional console) capture.
613
+ * Returns an unpatch function. Recursion-guarded (anything logged on our own
614
+ * export path is never re-captured) and rate-capped. */
615
+ export function startErrorCapture(o) {
616
+ if (typeof window === "undefined")
617
+ return () => { };
618
+ const now = o.now ?? Date.now;
619
+ const gate = new RateGate(o.rateCap ?? 60, o.rateWindowMs ?? 60_000, now);
620
+ // Re-entrancy flag: if capturing a record ends up invoking a patched console
621
+ // (or any path that re-enters here), we drop the nested call — this is what
622
+ // stops a console.error emitted while building/exporting a record from looping.
623
+ let inCapture = false;
624
+ const push = (rec) => {
625
+ const { allow, recovered } = gate.take();
626
+ if (recovered > 0) {
627
+ o.exporter.add({
628
+ timeUnixMs: now(),
629
+ severityText: "WARN",
630
+ body: `${recovered} browser log record(s) dropped (rate cap)`,
631
+ attributes: { "event.name": "heystack.rate_limited", session_id: o.sessionId },
632
+ });
633
+ }
634
+ if (!allow)
635
+ return;
636
+ o.exporter.add(rec);
637
+ };
638
+ const emitError = (e) => {
639
+ if (inCapture)
640
+ return;
641
+ inCapture = true;
642
+ try {
643
+ // Record into the recent-errors ring (cheap: message + type + timestamp) so
644
+ // a later reportBug() can attach it. Done before the rate gate so a captured
645
+ // error is always available as bug context even when log export is throttled.
646
+ o.recent?.push({ message: e.message, type: e.type, timestamp: now() });
647
+ const attrs = {
648
+ "event.name": "browser.error",
649
+ "url.full": location.href,
650
+ session_id: o.sessionId,
651
+ "exception.message": e.message,
652
+ };
653
+ if (e.type)
654
+ attrs["exception.type"] = e.type;
655
+ if (e.stack)
656
+ attrs["exception.stacktrace"] = e.stack;
657
+ const active = o.activeTrace?.get();
658
+ push({
659
+ timeUnixMs: now(),
660
+ severityText: "ERROR",
661
+ body: e.message,
662
+ attributes: attrs,
663
+ traceId: active?.traceId,
664
+ spanId: active?.spanId,
665
+ });
666
+ }
667
+ finally {
668
+ inCapture = false;
669
+ }
670
+ };
671
+ const onError = (ev) => {
672
+ const err = ev.error;
673
+ emitError({
674
+ message: ev.message || err?.message || "Error",
675
+ type: err?.name,
676
+ stack: err?.stack,
677
+ });
678
+ };
679
+ const onRejection = (ev) => {
680
+ const reason = ev.reason;
681
+ const isErr = reason instanceof Error;
682
+ emitError({
683
+ message: isErr ? reason.message : String(reason),
684
+ type: isErr ? reason.name : "UnhandledRejection",
685
+ stack: isErr ? reason.stack : undefined,
686
+ });
687
+ };
688
+ window.addEventListener("error", onError);
689
+ window.addEventListener("unhandledrejection", onRejection);
690
+ // Console capture (optional) — patches console methods, always calling the
691
+ // ORIGINAL first so host behaviour is unchanged.
692
+ const levels = o.captureConsole === "warn" ? ["warn", "error"] : o.captureConsole === "error" ? ["error"] : [];
693
+ const originals = {};
694
+ for (const level of levels) {
695
+ const orig = console[level];
696
+ originals[level] = orig;
697
+ console[level] = ((...args) => {
698
+ orig.apply(console, args);
699
+ if (inCapture)
700
+ return;
701
+ inCapture = true;
702
+ try {
703
+ const body = args.map(stringifyArg).join(" ").slice(0, MAX_LOG_BODY);
704
+ const active = o.activeTrace?.get();
705
+ push({
706
+ timeUnixMs: now(),
707
+ severityText: level === "error" ? "ERROR" : "WARN",
708
+ body,
709
+ attributes: {
710
+ "event.name": "browser.console",
711
+ "console.level": level,
712
+ "url.full": location.href,
713
+ session_id: o.sessionId,
714
+ },
715
+ traceId: active?.traceId,
716
+ spanId: active?.spanId,
717
+ });
718
+ }
719
+ finally {
720
+ inCapture = false;
721
+ }
722
+ });
723
+ }
724
+ return () => {
725
+ window.removeEventListener("error", onError);
726
+ window.removeEventListener("unhandledrejection", onRejection);
727
+ for (const level of levels) {
728
+ const orig = originals[level];
729
+ if (orig)
730
+ console[level] = orig;
731
+ }
732
+ };
733
+ }
734
+ let activeBugSession = null;
735
+ /** Internal: instrumentWeb() registers the active session here (and clears it with
736
+ * `null` on stop) so the module-level reportBug() works after instrumentWeb() is
737
+ * called. Exported for that wiring + tests; not part of the app-facing surface. */
738
+ export function registerBugSession(session) {
739
+ activeBugSession = session;
740
+ }
741
+ /** Build the /v1/bug-reports POST body: the user's fields plus the auto-attached
742
+ * session/trace/release context and recent errors. Pure (env reads are guarded)
743
+ * so it is unit-testable. */
744
+ export function buildBugReportPayload(s, report) {
745
+ const active = s.activeTrace.get();
746
+ return {
747
+ message: report.message,
748
+ email: report.email,
749
+ context: report.context,
750
+ url: typeof location !== "undefined" ? location.href : undefined,
751
+ user_agent: typeof navigator !== "undefined" ? navigator.userAgent : undefined,
752
+ session_id: s.sessionId,
753
+ trace_id: active?.traceId,
754
+ release: s.version,
755
+ build: s.build,
756
+ recent_errors: s.recentErrors.list(),
757
+ };
758
+ }
759
+ /**
760
+ * File an in-app bug report. Call after instrumentWeb() — it throws if the SDK
761
+ * isn't initialised or the message is empty (both are programmer errors). Network
762
+ * failures are swallowed (a failed report must never break the host app).
763
+ *
764
+ * @example
765
+ * import { reportBug } from "@heystack/otel/web";
766
+ * button.onclick = () => reportBug({ message: input.value, email: userEmail });
767
+ */
768
+ export async function reportBug(report) {
769
+ const s = activeBugSession;
770
+ if (!s) {
771
+ throw new Error("reportBug() called before instrumentWeb(); call instrumentWeb() first");
772
+ }
773
+ const message = typeof report.message === "string" ? report.message.trim() : "";
774
+ if (!message)
775
+ throw new Error("reportBug() requires a non-empty message");
776
+ const payload = buildBugReportPayload(s, { ...report, message });
777
+ // 1. POST the structured report via the ORIGINAL fetch (never the patched one).
778
+ await s
779
+ .fetchImpl(`${s.endpoint}/v1/bug-reports`, {
780
+ method: "POST",
781
+ headers: { authorization: `Bearer ${s.apiKey}`, "content-type": "application/json" },
782
+ body: JSON.stringify(payload),
783
+ })
784
+ .catch(() => { });
785
+ // 2. Emit one OTLP log so the report also appears on the telemetry timeline.
786
+ const active = s.activeTrace.get();
787
+ s.logsExporter.add({
788
+ timeUnixMs: Date.now(),
789
+ severityText: "INFO",
790
+ body: message,
791
+ attributes: {
792
+ "event.name": "user.bug_report",
793
+ "url.full": typeof location !== "undefined" ? location.href : "",
794
+ session_id: s.sessionId,
795
+ ...(report.email ? { "user.email": report.email } : {}),
796
+ },
797
+ traceId: active?.traceId,
798
+ spanId: active?.spanId,
799
+ });
800
+ await s.logsExporter.flush().catch(() => { });
801
+ }
package/dist/workers.d.ts CHANGED
@@ -134,6 +134,18 @@ export interface WorkersConfig {
134
134
  /** Defaults to env.HEYSTACK_API_KEY at request time if omitted. */
135
135
  apiKey?: string;
136
136
  endpoint?: string;
137
+ /**
138
+ * Release identifier for this deploy → `service.version` resource attribute.
139
+ * Powers release health + the suspect-release view in the console. See
140
+ * {@link HeystackOptions.version}.
141
+ */
142
+ version?: string;
143
+ /**
144
+ * Commit SHA for this deploy → `service.build` resource attribute. Powers
145
+ * suspect-commit attribution (deep-links to the commit when a repo URL is set
146
+ * in the console). See {@link HeystackOptions.build}.
147
+ */
148
+ build?: string;
137
149
  /**
138
150
  * Optional override to keep the isolate alive until each export `fetch`
139
151
  * completes. When provided this takes priority over the auto-detected
package/dist/workers.js CHANGED
@@ -13,7 +13,7 @@ import { ROOT_CONTEXT } from "@opentelemetry/api";
13
13
  import { Resource } from "@opentelemetry/resources";
14
14
  import { BasicTracerProvider, SimpleSpanProcessor, } from "@opentelemetry/sdk-trace-base";
15
15
  import { ATTR_SERVICE_NAME } from "@opentelemetry/semantic-conventions";
16
- import { buildExporterConfig, DEFAULT_ENDPOINT } from "./core.js";
16
+ import { buildExporterConfig, DEFAULT_ENDPOINT, releaseResourceAttributes, } from "./core.js";
17
17
  import { isSelfSpanAttrs, safeHostname } from "./self-span.js";
18
18
  import { detectLLMProvider, llmRequestAttrs, llmResponseAttrs, llmContentAttrs } from "./llm-enrich.js";
19
19
  import { instrumentEnv } from "./workers-bindings.js";
@@ -576,7 +576,12 @@ export class HeystackSpanExporter {
576
576
  export function createTracerProvider(config) {
577
577
  const exporter = new HeystackSpanExporter(config);
578
578
  const provider = new BasicTracerProvider({
579
- resource: new Resource({ [ATTR_SERVICE_NAME]: config.service }),
579
+ // service.name is always present; service.version/service.build are added
580
+ // only when the caller supplied `version`/`build` (release attribution).
581
+ resource: new Resource({
582
+ [ATTR_SERVICE_NAME]: config.service,
583
+ ...releaseResourceAttributes(config),
584
+ }),
580
585
  spanProcessors: [new SimpleSpanProcessor(exporter)],
581
586
  sampler: makeSampler(config.sampling),
582
587
  });
@@ -781,6 +786,8 @@ export function instrument(handler, config) {
781
786
  apiKey,
782
787
  service: config.service,
783
788
  endpoint: config.endpoint,
789
+ version: config.version,
790
+ build: config.build,
784
791
  waitUntil: config.waitUntil,
785
792
  sampling: config.sampling,
786
793
  ai: config.ai,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@heystack/otel",
3
- "version": "0.10.0",
3
+ "version": "0.11.1",
4
4
  "description": "Runtime-aware OpenTelemetry tracing that exports to Heystack (Node, Next.js, Workers).",
5
5
  "license": "MIT",
6
6
  "type": "module",