@loamly/tracker 2.1.0 → 2.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@loamly/tracker",
-  "version": "2.1.0",
+  "version": "2.4.0",
   "description": "See every AI bot that visits your website. ChatGPT, Claude, Perplexity, Gemini — know when they crawl or refer traffic.",
   "author": "Loamly <hello@loamly.ai>",
   "license": "MIT",

package/src/behavioral/form-tracker.ts

@@ -13,6 +13,14 @@
  * @module @loamly/tracker
  */
 
+// LOA-482: Form field data (privacy-safe)
+export interface FormFieldData {
+  name: string
+  type: string
+  // Value is included only for non-sensitive fields, truncated for privacy
+  value?: string
+}
+
 export interface FormEvent {
   event_type: 'form_start' | 'form_field' | 'form_submit' | 'form_success'
   form_id: string
@@ -21,6 +29,11 @@ export interface FormEvent {
   field_type?: string
   time_to_submit_ms?: number
   is_conversion?: boolean
+  submit_source?: 'submit' | 'click' | 'thank_you'
+  // LOA-482: Captured form field data (privacy-safe)
+  fields?: FormFieldData[]
+  // LOA-482: Extracted email if found in form
+  email_submitted?: string
 }
 
 export interface FormTrackerConfig {
@@ -30,6 +43,10 @@ export interface FormTrackerConfig {
   trackableFields: string[]
   // Patterns for thank-you page detection
   thankYouPatterns: RegExp[]
+  // LOA-482: Whether to capture form field values on submission
+  captureFieldValues: boolean
+  // LOA-482: Maximum length for field values (truncate for privacy)
+  maxFieldValueLength: number
   // Callback for form events
   onFormEvent?: (event: FormEvent) => void
 }
@@ -40,10 +57,12 @@ const DEFAULT_CONFIG: FormTrackerConfig = {
     'credit', 'card', 'cvv', 'cvc',
     'ssn', 'social',
     'secret', 'token', 'key',
+    'pin', 'security', 'answer',
   ],
   trackableFields: [
     'email', 'name', 'phone', 'company',
     'first', 'last', 'city', 'country',
+    'domain', 'website', 'url', 'organization',
   ],
   thankYouPatterns: [
     /thank[-_]?you/i,
@@ -52,6 +71,9 @@ const DEFAULT_CONFIG: FormTrackerConfig = {
     /submitted/i,
     /complete/i,
   ],
+  // LOA-482: Enable field value capture by default
+  captureFieldValues: true,
+  maxFieldValueLength: 200,
 }
 
 export class FormTracker {
@@ -145,6 +167,9 @@ export class FormTracker {
 
     const formId = this.getFormId(form)
     const startTime = this.formStartTimes.get(formId)
+    
+    // LOA-482: Capture form field values with privacy sanitization
+    const { fields, emailSubmitted } = this.captureFormFields(form)
 
     this.emitEvent({
       event_type: 'form_submit',
@@ -152,18 +177,94 @@ export class FormTracker {
       form_type: this.detectFormType(form),
       time_to_submit_ms: startTime ? Date.now() - startTime : undefined,
       is_conversion: true,
+      submit_source: 'submit',
+      fields: fields.length > 0 ? fields : undefined,
+      email_submitted: emailSubmitted,
     })
   }
+  
+  /**
+   * LOA-482: Capture form field values with privacy-safe sanitization
+   * - Never captures sensitive fields (password, credit card, etc.)
+   * - Truncates values to maxFieldValueLength
+   * - Extracts email if found
+   */
+  private captureFormFields(form: HTMLFormElement): { fields: FormFieldData[], emailSubmitted?: string } {
+    const fields: FormFieldData[] = []
+    let emailSubmitted: string | undefined
+    
+    if (!this.config.captureFieldValues) {
+      return { fields, emailSubmitted }
+    }
+    
+    try {
+      const formData = new FormData(form)
+      
+      for (const [name, value] of formData.entries()) {
+        // Skip sensitive fields entirely
+        if (this.isSensitiveField(name)) {
+          continue
+        }
+        
+        // Get the input element to determine type
+        const input = form.elements.namedItem(name) as HTMLInputElement | null
+        const inputType = input?.type || 'text'
+        
+        // Skip file inputs
+        if (inputType === 'file' || value instanceof File) {
+          continue
+        }
+        
+        const stringValue = String(value)
+        
+        // Check for email field
+        if (this.isEmailField(name, stringValue)) {
+          emailSubmitted = stringValue.substring(0, 254) // Max email length
+        }
+        
+        // Truncate value for privacy
+        const truncatedValue = stringValue.length > this.config.maxFieldValueLength
+          ? stringValue.substring(0, this.config.maxFieldValueLength) + '...'
+          : stringValue
+        
+        fields.push({
+          name: this.sanitizeFieldName(name),
+          type: inputType,
+          value: truncatedValue,
+        })
+      }
+    } catch (err) {
+      // Silent fail - don't break form submission
+      console.warn('[Loamly] Failed to capture form fields:', err)
+    }
+    
+    return { fields, emailSubmitted }
+  }
+  
+  /**
+   * Check if a field contains an email
+   */
+  private isEmailField(fieldName: string, value: string): boolean {
+    const lowerName = fieldName.toLowerCase()
+    // Check if field name suggests email
+    const isEmailName = lowerName.includes('email') || lowerName === 'e-mail'
+    // Simple email validation regex
+    const isEmailValue = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value)
+    return isEmailName && isEmailValue
+  }
 
   private handleClick = (e: Event): void => {
     const target = e.target as HTMLElement
     
     // Check for HubSpot submit button
     if (target.closest('.hs-button') || target.closest('[type="submit"]')) {
-      const form = target.closest('form')
+      const form = target.closest('form') as HTMLFormElement | null
       if (form && form.classList.contains('hs-form')) {
         const formId = this.getFormId(form)
         const startTime = this.formStartTimes.get(formId)
+        
+        // LOA-482: Capture form field values for HubSpot forms
+        const { fields, emailSubmitted } = this.captureFormFields(form)
 
         this.emitEvent({
           event_type: 'form_submit',
@@ -171,6 +272,9 @@ export class FormTracker {
           form_type: 'hubspot',
           time_to_submit_ms: startTime ? Date.now() - startTime : undefined,
           is_conversion: true,
+          submit_source: 'click',
+          fields: fields.length > 0 ? fields : undefined,
+          email_submitted: emailSubmitted,
         })
       }
     }
@@ -182,6 +286,7 @@ export class FormTracker {
         form_id: 'typeform_embed',
         form_type: 'typeform',
         is_conversion: true,
+        submit_source: 'click',
       })
     }
   }
@@ -269,6 +374,7 @@ export class FormTracker {
           form_id: 'page_conversion',
           form_type: 'unknown',
           is_conversion: true,
+          submit_source: 'thank_you',
         })
         break
       }

package/src/browser.ts

@@ -9,7 +9,9 @@
  *    <script src="https://app.loamly.ai/t.js?d=your-domain.com"></script>
  * 
  * 2. npm with data attributes:
- *    <script src="https://cdn.jsdelivr.net/npm/@loamly/tracker" data-api-key="your-key"></script>
+ *    <script src="https://cdn.jsdelivr.net/npm/@loamly/tracker"
+ *            data-api-key="your-key"
+ *            data-workspace-id="your-workspace-uuid"></script>
  * 
  * 3. Self-hosted with manual init:
  *    <script src="/tracker.js"></script>
@@ -49,7 +51,7 @@ function extractDomainFromScriptUrl(): string | null {
  */
 async function resolveWorkspaceConfig(domain: string): Promise<LoamlyConfig | null> {
   try {
-    const response = await fetch(`${DEFAULT_CONFIG.apiHost}${DEFAULT_CONFIG.endpoints.resolve}?domain=${encodeURIComponent(domain)}`)
+    const response = await fetch(`${DEFAULT_CONFIG.apiHost}${DEFAULT_CONFIG.endpoints.resolve}?d=${encodeURIComponent(domain)}`)
     
     if (!response.ok) {
       console.warn('[Loamly] Failed to resolve workspace for domain:', domain)
@@ -58,9 +60,10 @@ async function resolveWorkspaceConfig(domain: string): Promise<LoamlyConfig | nu
     
     const data = await response.json()
     
-    if (data.workspace_id) {
+    if (data.workspace_id && data.public_key) {
       return {
-        apiKey: data.workspace_api_key,
+        apiKey: data.public_key,
+        workspaceId: data.workspace_id,
         apiHost: DEFAULT_CONFIG.apiHost,
       }
     }
@@ -85,6 +88,10 @@ function extractConfigFromDataAttributes(): LoamlyConfig | null {
       if (script.dataset.apiKey) {
         config.apiKey = script.dataset.apiKey
       }
+
+      if (script.dataset.workspaceId) {
+        config.workspaceId = script.dataset.workspaceId
+      }
       
       if (script.dataset.apiHost) {
         config.apiHost = script.dataset.apiHost
@@ -102,7 +109,7 @@ function extractConfigFromDataAttributes(): LoamlyConfig | null {
         config.disableBehavioral = true
       }
       
-      if (config.apiKey) {
+      if (config.apiKey || config.workspaceId) {
         return config
       }
     }
@@ -132,8 +139,20 @@ async function autoInit(): Promise<void> {
     loamly.init(dataConfig)
     return
   }
+
+  // Priority 3: URL params (api_key + workspace_id)
+  const urlParams = new URLSearchParams(window.location.search)
+  const apiKeyParam = urlParams.get('api_key')
+  const workspaceIdParam = urlParams.get('workspace_id')
+  if (apiKeyParam || workspaceIdParam) {
+    loamly.init({
+      apiKey: apiKeyParam || undefined,
+      workspaceId: workspaceIdParam || undefined,
+    })
+    return
+  }
   
-  // Priority 3: Current domain auto-detection (for app.loamly.ai hosted script)
+  // Priority 4: Current domain auto-detection (for app.loamly.ai hosted script)
   const currentDomain = window.location.hostname
   if (currentDomain && currentDomain !== 'localhost') {
     const resolvedConfig = await resolveWorkspaceConfig(currentDomain)

package/src/config.ts

@@ -6,7 +6,7 @@
  * @see https://github.com/loamly/loamly
  */
 
-export const VERSION = '2.1.0'
+export const VERSION = '2.4.0'
 
 export const DEFAULT_CONFIG = {
   apiHost: 'https://app.loamly.ai',