@pingops/core 0.1.1 → 0.1.3

package/dist/index.cjs

@@ -0,0 +1,844 @@
+let _opentelemetry_api = require("@opentelemetry/api");
+
+//#region src/logger.ts
+/**
+* Creates a logger instance with a specific prefix
+*
+* @param prefix - Prefix to add to all log messages (e.g., '[PingOps Filter]')
+* @returns Logger instance
+*/
+function createLogger(prefix) {
+	const isDebugEnabled = process.env.PINGOPS_DEBUG === "true";
+	const formatMessage = (level, message) => {
+		return `[${(/* @__PURE__ */ new Date()).toISOString()}] ${prefix} [${level.toUpperCase()}] ${message}`;
+	};
+	return {
+		debug(message, ...args) {
+			if (isDebugEnabled) console.debug(formatMessage("debug", message), ...args);
+		},
+		info(message, ...args) {
+			console.log(formatMessage("info", message), ...args);
+		},
+		warn(message, ...args) {
+			console.warn(formatMessage("warn", message), ...args);
+		},
+		error(message, ...args) {
+			console.error(formatMessage("error", message), ...args);
+		}
+	};
+}
+
+//#endregion
+//#region src/filtering/span-filter.ts
+/**
+* Span filtering logic - determines if a span is eligible for capture
+*/
+const log$2 = createLogger("[PingOps SpanFilter]");
+/**
+* Checks if a span is eligible for capture based on span kind and attributes.
+* A span is eligible if:
+* 1. span.kind === SpanKind.CLIENT
+* 2. AND has HTTP attributes (http.method, http.url, or server.address)
+*    OR has GenAI attributes (gen_ai.system, gen_ai.operation.name)
+*/
+function isSpanEligible(span) {
+	log$2.debug("Checking span eligibility", {
+		spanName: span.name,
+		spanKind: span.kind,
+		spanId: span.spanContext().spanId,
+		traceId: span.spanContext().traceId
+	});
+	if (span.kind !== _opentelemetry_api.SpanKind.CLIENT) {
+		log$2.debug("Span not eligible: not CLIENT kind", {
+			spanName: span.name,
+			spanKind: span.kind
+		});
+		return false;
+	}
+	const attributes = span.attributes;
+	const hasHttpMethod = attributes["http.method"] !== void 0;
+	const hasHttpUrl = attributes["http.url"] !== void 0;
+	const hasServerAddress = attributes["server.address"] !== void 0;
+	const isEligible = hasHttpMethod || hasHttpUrl || hasServerAddress;
+	log$2.debug("Span eligibility check result", {
+		spanName: span.name,
+		isEligible,
+		httpAttributes: {
+			hasMethod: hasHttpMethod,
+			hasUrl: hasHttpUrl,
+			hasServerAddress
+		}
+	});
+	return isEligible;
+}
+
+//#endregion
+//#region src/filtering/domain-filter.ts
+const log$1 = createLogger("[PingOps DomainFilter]");
+/**
+* Extracts domain from a URL
+*/
+function extractDomain(url) {
+	try {
+		const domain = new URL(url).hostname;
+		log$1.debug("Extracted domain from URL", {
+			url,
+			domain
+		});
+		return domain;
+	} catch {
+		const match = url.match(/^(?:https?:\/\/)?([^/]+)/);
+		const domain = match ? match[1] : "";
+		log$1.debug("Extracted domain from URL (fallback)", {
+			url,
+			domain
+		});
+		return domain;
+	}
+}
+/**
+* Checks if a domain matches a rule (exact or suffix match)
+*/
+function domainMatches(domain, ruleDomain) {
+	if (domain === ruleDomain) {
+		log$1.debug("Domain exact match", {
+			domain,
+			ruleDomain
+		});
+		return true;
+	}
+	if (ruleDomain.startsWith(".")) {
+		const matches = domain.endsWith(ruleDomain) || domain === ruleDomain.slice(1);
+		log$1.debug("Domain suffix match check", {
+			domain,
+			ruleDomain,
+			matches
+		});
+		return matches;
+	}
+	log$1.debug("Domain does not match", {
+		domain,
+		ruleDomain
+	});
+	return false;
+}
+/**
+* Checks if a path matches any of the allowed paths (prefix match)
+*/
+function pathMatches(path, allowedPaths) {
+	if (!allowedPaths || allowedPaths.length === 0) {
+		log$1.debug("No path restrictions, all paths match", { path });
+		return true;
+	}
+	const matches = allowedPaths.some((allowedPath) => path.startsWith(allowedPath));
+	log$1.debug("Path match check", {
+		path,
+		allowedPaths,
+		matches
+	});
+	return matches;
+}
+/**
+* Determines if a span should be captured based on domain rules
+*/
+function shouldCaptureSpan(url, domainAllowList, domainDenyList) {
+	log$1.debug("Checking domain filter rules", {
+		url,
+		hasAllowList: !!domainAllowList && domainAllowList.length > 0,
+		hasDenyList: !!domainDenyList && domainDenyList.length > 0,
+		allowListCount: domainAllowList?.length || 0,
+		denyListCount: domainDenyList?.length || 0
+	});
+	const domain = extractDomain(url);
+	let path = "/";
+	try {
+		path = new URL(url).pathname;
+	} catch {
+		const pathMatch = url.match(/^(?:https?:\/\/)?[^/]+(\/.*)?$/);
+		path = pathMatch && pathMatch[1] ? pathMatch[1] : "/";
+	}
+	log$1.debug("Extracted domain and path", {
+		url,
+		domain,
+		path
+	});
+	if (domainDenyList) {
+		for (const rule of domainDenyList) if (domainMatches(domain, rule.domain)) {
+			log$1.info("Domain denied by deny list", {
+				domain,
+				ruleDomain: rule.domain,
+				url
+			});
+			return false;
+		}
+		log$1.debug("Domain passed deny list check", { domain });
+	}
+	if (!domainAllowList || domainAllowList.length === 0) {
+		log$1.debug("No allow list configured, capturing span", {
+			domain,
+			url
+		});
+		return true;
+	}
+	for (const rule of domainAllowList) if (domainMatches(domain, rule.domain)) if (rule.paths && rule.paths.length > 0) if (pathMatches(path, rule.paths)) {
+		log$1.info("Domain and path allowed by allow list", {
+			domain,
+			ruleDomain: rule.domain,
+			path,
+			allowedPaths: rule.paths,
+			url
+		});
+		return true;
+	} else log$1.debug("Domain allowed but path not matched", {
+		domain,
+		ruleDomain: rule.domain,
+		path,
+		allowedPaths: rule.paths
+	});
+	else {
+		log$1.info("Domain allowed by allow list", {
+			domain,
+			ruleDomain: rule.domain,
+			url
+		});
+		return true;
+	}
+	log$1.info("Domain not in allow list, filtering out", {
+		domain,
+		url
+	});
+	return false;
+}
+
+//#endregion
+//#region src/filtering/sensitive-headers.ts
+/**
+* Sensitive header patterns and redaction configuration
+*/
+/**
+* Default patterns for sensitive headers that should be redacted
+* These are matched case-insensitively
+*/
+const DEFAULT_SENSITIVE_HEADER_PATTERNS = [
+	"authorization",
+	"www-authenticate",
+	"proxy-authenticate",
+	"proxy-authorization",
+	"x-auth-token",
+	"x-api-key",
+	"x-api-token",
+	"x-access-token",
+	"x-auth-user",
+	"x-auth-password",
+	"x-csrf-token",
+	"x-xsrf-token",
+	"api-key",
+	"apikey",
+	"api_key",
+	"access-key",
+	"accesskey",
+	"access_key",
+	"secret-key",
+	"secretkey",
+	"secret_key",
+	"private-key",
+	"privatekey",
+	"private_key",
+	"cookie",
+	"set-cookie",
+	"session-id",
+	"sessionid",
+	"session_id",
+	"session-token",
+	"sessiontoken",
+	"session_token",
+	"oauth-token",
+	"oauth_token",
+	"oauth2-token",
+	"oauth2_token",
+	"bearer",
+	"x-amz-security-token",
+	"x-amz-signature",
+	"x-aws-access-key",
+	"x-aws-secret-key",
+	"x-aws-session-token",
+	"x-password",
+	"x-secret",
+	"x-token",
+	"x-jwt",
+	"x-jwt-token",
+	"x-refresh-token",
+	"x-client-secret",
+	"x-client-id",
+	"x-user-token",
+	"x-service-key"
+];
+/**
+* Redaction strategies for sensitive header values
+*/
+let HeaderRedactionStrategy = /* @__PURE__ */ function(HeaderRedactionStrategy$1) {
+	/**
+	* Replace the entire value with a fixed redaction string
+	*/
+	HeaderRedactionStrategy$1["REPLACE"] = "replace";
+	/**
+	* Show only the first N characters, redact the rest
+	*/
+	HeaderRedactionStrategy$1["PARTIAL"] = "partial";
+	/**
+	* Show only the last N characters, redact the rest
+	*/
+	HeaderRedactionStrategy$1["PARTIAL_END"] = "partial_end";
+	/**
+	* Remove the header entirely (same as deny list)
+	*/
+	HeaderRedactionStrategy$1["REMOVE"] = "remove";
+	return HeaderRedactionStrategy$1;
+}({});
+/**
+* Default redaction configuration
+*/
+const DEFAULT_REDACTION_CONFIG = {
+	sensitivePatterns: DEFAULT_SENSITIVE_HEADER_PATTERNS,
+	strategy: HeaderRedactionStrategy.REPLACE,
+	redactionString: "[REDACTED]",
+	visibleChars: 4,
+	enabled: true
+};
+/**
+* Checks if a header name matches any sensitive pattern
+* Uses case-insensitive matching with exact match, prefix/suffix, and substring matching
+*
+* @param headerName - The header name to check
+* @param patterns - Array of patterns to match against (defaults to DEFAULT_SENSITIVE_HEADER_PATTERNS)
+* @returns true if the header matches any sensitive pattern
+*/
+function isSensitiveHeader(headerName, patterns = DEFAULT_SENSITIVE_HEADER_PATTERNS) {
+	if (!headerName || typeof headerName !== "string") return false;
+	if (!patterns || patterns.length === 0) return false;
+	const normalizedName = headerName.toLowerCase().trim();
+	if (normalizedName.length === 0) return false;
+	return patterns.some((pattern) => {
+		if (!pattern || typeof pattern !== "string") return false;
+		const normalizedPattern = pattern.toLowerCase().trim();
+		if (normalizedPattern.length === 0) return false;
+		if (normalizedName === normalizedPattern) return true;
+		if (normalizedName.includes(normalizedPattern)) return true;
+		if (normalizedPattern.includes(normalizedName)) return true;
+		return false;
+	});
+}
+/**
+* Redacts a header value based on the configuration
+*/
+function redactHeaderValue(value, config) {
+	if (value === void 0 || value === null) return value;
+	if (Array.isArray(value)) return value.map((v) => redactSingleValue(v, config));
+	return redactSingleValue(value, config);
+}
+/**
+* Redacts a single string value based on the configured strategy
+*
+* @param value - The value to redact
+* @param config - Redaction configuration
+* @returns Redacted value
+*/
+function redactSingleValue(value, config) {
+	if (!value || typeof value !== "string") return value;
+	const visibleChars = Math.max(0, Math.floor(config.visibleChars || 0));
+	const trimmedValue = value.trim();
+	if (trimmedValue.length === 0) return config.redactionString;
+	switch (config.strategy) {
+		case HeaderRedactionStrategy.REPLACE: return config.redactionString;
+		case HeaderRedactionStrategy.PARTIAL:
+			if (trimmedValue.length <= visibleChars) return config.redactionString;
+			return trimmedValue.substring(0, visibleChars) + config.redactionString;
+		case HeaderRedactionStrategy.PARTIAL_END:
+			if (trimmedValue.length <= visibleChars) return config.redactionString;
+			return config.redactionString + trimmedValue.substring(trimmedValue.length - visibleChars);
+		case HeaderRedactionStrategy.REMOVE: return config.redactionString;
+		default: return config.redactionString;
+	}
+}
+
+//#endregion
+//#region src/filtering/header-filter.ts
+/**
+* Header filtering logic - applies allow/deny list rules and redaction
+*/
+const log = createLogger("[PingOps HeaderFilter]");
+/**
+* Normalizes header name to lowercase for case-insensitive matching
+*/
+function normalizeHeaderName(name) {
+	return name.toLowerCase();
+}
+/**
+* Merges redaction config with defaults
+*/
+function mergeRedactionConfig(config) {
+	if (!config) return DEFAULT_REDACTION_CONFIG;
+	if (config.enabled === false) return {
+		...DEFAULT_REDACTION_CONFIG,
+		enabled: false
+	};
+	return {
+		sensitivePatterns: config.sensitivePatterns ?? DEFAULT_REDACTION_CONFIG.sensitivePatterns,
+		strategy: config.strategy ?? DEFAULT_REDACTION_CONFIG.strategy,
+		redactionString: config.redactionString ?? DEFAULT_REDACTION_CONFIG.redactionString,
+		visibleChars: config.visibleChars ?? DEFAULT_REDACTION_CONFIG.visibleChars,
+		enabled: config.enabled ?? DEFAULT_REDACTION_CONFIG.enabled
+	};
+}
+/**
+* Filters headers based on allow/deny lists and applies redaction to sensitive headers
+* - Deny list always wins (if header is in deny list, exclude it)
+* - Allow list filters included headers (if specified, only include these)
+* - Sensitive headers are redacted after filtering (if redaction is enabled)
+* - Case-insensitive matching
+*
+* @param headers - Headers to filter
+* @param headersAllowList - Optional allow list of header names to include
+* @param headersDenyList - Optional deny list of header names to exclude
+* @param redactionConfig - Optional configuration for header value redaction
+* @returns Filtered and redacted headers
+*/
+function filterHeaders(headers, headersAllowList, headersDenyList, redactionConfig) {
+	const originalCount = Object.keys(headers).length;
+	const redaction = mergeRedactionConfig(redactionConfig);
+	log.debug("Filtering headers", {
+		originalHeaderCount: originalCount,
+		hasAllowList: !!headersAllowList && headersAllowList.length > 0,
+		hasDenyList: !!headersDenyList && headersDenyList.length > 0,
+		allowListCount: headersAllowList?.length || 0,
+		denyListCount: headersDenyList?.length || 0,
+		redactionEnabled: redaction.enabled,
+		redactionStrategy: redaction.strategy
+	});
+	const normalizedDenyList = headersDenyList?.map(normalizeHeaderName) ?? [];
+	const normalizedAllowList = headersAllowList?.map(normalizeHeaderName) ?? [];
+	const filtered = {};
+	const deniedHeaders = [];
+	const excludedHeaders = [];
+	const redactedHeaders = [];
+	for (const [name, value] of Object.entries(headers)) {
+		const normalizedName = normalizeHeaderName(name);
+		if (normalizedDenyList.includes(normalizedName)) {
+			deniedHeaders.push(name);
+			log.debug("Header denied by deny list", { headerName: name });
+			continue;
+		}
+		if (normalizedAllowList.length > 0) {
+			if (!normalizedAllowList.includes(normalizedName)) {
+				excludedHeaders.push(name);
+				log.debug("Header excluded (not in allow list)", { headerName: name });
+				continue;
+			}
+		}
+		let finalValue = value;
+		if (redaction.enabled) try {
+			if (isSensitiveHeader(name, redaction.sensitivePatterns)) {
+				if (redaction.strategy === HeaderRedactionStrategy.REMOVE) {
+					log.debug("Header removed by redaction strategy", { headerName: name });
+					continue;
+				}
+				finalValue = redactHeaderValue(value, redaction);
+				redactedHeaders.push(name);
+				log.debug("Header value redacted", {
+					headerName: name,
+					strategy: redaction.strategy
+				});
+			}
+		} catch (error) {
+			log.warn("Error redacting header value", {
+				headerName: name,
+				error: error instanceof Error ? error.message : String(error)
+			});
+			finalValue = value;
+		}
+		filtered[name] = finalValue;
+	}
+	const filteredCount = Object.keys(filtered).length;
+	log.info("Header filtering complete", {
+		originalCount,
+		filteredCount,
+		deniedCount: deniedHeaders.length,
+		excludedCount: excludedHeaders.length,
+		redactedCount: redactedHeaders.length,
+		deniedHeaders: deniedHeaders.length > 0 ? deniedHeaders : void 0,
+		excludedHeaders: excludedHeaders.length > 0 ? excludedHeaders : void 0,
+		redactedHeaders: redactedHeaders.length > 0 ? redactedHeaders : void 0
+	});
+	return filtered;
+}
+/**
+* Extracts and normalizes headers from OpenTelemetry span attributes
+*
+* Handles two formats:
+* 1. Flat array format (e.g., 'http.request.header.0', 'http.request.header.1')
+*    - 'http.request.header.0': 'Content-Type'
+*    - 'http.request.header.1': 'application/json'
+* 2. Direct key-value format (e.g., 'http.request.header.date', 'http.request.header.content-type')
+*    - 'http.request.header.date': 'Mon, 12 Jan 2026 20:22:38 GMT'
+*    - 'http.request.header.content-type': 'application/json'
+*
+* This function converts them to:
+* - { 'Content-Type': 'application/json', 'date': 'Mon, 12 Jan 2026 20:22:38 GMT' }
+*/
+function extractHeadersFromAttributes(attributes, headerPrefix) {
+	const headerMap = {};
+	const headerKeys = [];
+	const directKeyValueHeaders = [];
+	const prefixPattern = `${headerPrefix}.`;
+	const numericPattern = /* @__PURE__ */ new RegExp(`^${headerPrefix.replace(/\./g, "\\.")}\\.(\\d+)$`);
+	for (const key in attributes) if (key.startsWith(prefixPattern) && key !== headerPrefix) {
+		const numericMatch = key.match(numericPattern);
+		if (numericMatch) {
+			const index = parseInt(numericMatch[1], 10);
+			headerKeys.push(index);
+		} else {
+			const headerName = key.substring(prefixPattern.length);
+			if (headerName.length > 0) directKeyValueHeaders.push({
+				key,
+				headerName
+			});
+		}
+	}
+	if (headerKeys.length > 0) {
+		headerKeys.sort((a, b) => a - b);
+		for (let i = 0; i < headerKeys.length; i += 2) {
+			const nameIndex = headerKeys[i];
+			const valueIndex = headerKeys[i + 1];
+			if (valueIndex !== void 0) {
+				const nameKey = `${headerPrefix}.${nameIndex}`;
+				const valueKey = `${headerPrefix}.${valueIndex}`;
+				const headerName = attributes[nameKey];
+				const headerValue = attributes[valueKey];
+				if (headerName && headerValue !== void 0) {
+					const normalizedName = headerName.toLowerCase();
+					const existingKey = Object.keys(headerMap).find((k) => k.toLowerCase() === normalizedName);
+					if (existingKey) {
+						const existing = headerMap[existingKey];
+						headerMap[existingKey] = Array.isArray(existing) ? [...existing, headerValue] : [existing, headerValue];
+					} else headerMap[headerName] = headerValue;
+				}
+			}
+		}
+	}
+	if (directKeyValueHeaders.length > 0) for (const { key, headerName } of directKeyValueHeaders) {
+		const headerValue = attributes[key];
+		if (headerValue !== void 0 && headerValue !== null) {
+			const stringValue = typeof headerValue === "string" ? headerValue : String(headerValue);
+			const normalizedName = headerName.toLowerCase();
+			const existingKey = Object.keys(headerMap).find((k) => k.toLowerCase() === normalizedName);
+			if (existingKey) {
+				const existing = headerMap[existingKey];
+				headerMap[existingKey] = Array.isArray(existing) ? [...existing, stringValue] : [existing, stringValue];
+			} else headerMap[headerName] = stringValue;
+		}
+	}
+	return Object.keys(headerMap).length > 0 ? headerMap : null;
+}
+/**
+* Type guard to check if value is a Headers-like object
+*/
+function isHeadersLike(headers) {
+	return typeof headers === "object" && headers !== null && "entries" in headers && typeof headers.entries === "function";
+}
+/**
+* Normalizes headers from various sources into a proper key-value object
+*/
+function normalizeHeaders(headers) {
+	const result = {};
+	if (!headers) return result;
+	try {
+		if (isHeadersLike(headers)) {
+			for (const [key, value] of headers.entries()) if (result[key]) {
+				const existing = result[key];
+				result[key] = Array.isArray(existing) ? [...existing, value] : [existing, value];
+			} else result[key] = value;
+			return result;
+		}
+		if (typeof headers === "object" && !Array.isArray(headers)) {
+			for (const [key, value] of Object.entries(headers)) if (!/^\d+$/.test(key)) result[key] = value;
+			return result;
+		}
+		if (Array.isArray(headers)) {
+			for (let i = 0; i < headers.length; i += 2) if (i + 1 < headers.length) {
+				const key = String(headers[i]);
+				result[key] = headers[i + 1];
+			}
+			return result;
+		}
+	} catch {}
+	return result;
+}
+
+//#endregion
+//#region src/utils/span-extractor.ts
+/**
+* Extracts domain from URL
+*/
+function extractDomainFromUrl(url) {
+	try {
+		return new URL(url).hostname;
+	} catch {
+		const match = url.match(/^(?:https?:\/\/)?([^/]+)/);
+		return match ? match[1] : "";
+	}
+}
+/**
+* Gets domain rule configuration for a given URL
+*/
+function getDomainRule(url, domainAllowList) {
+	if (!domainAllowList) return;
+	const domain = extractDomainFromUrl(url);
+	for (const rule of domainAllowList) if (domain === rule.domain || domain.endsWith(`.${rule.domain}`) || domain === rule.domain.slice(1)) return rule;
+}
+/**
+* Determines if body should be captured based on priority:
+* domain rule > global config > default (false)
+*/
+function shouldCaptureBody(domainRule, globalConfig, bodyType) {
+	if (domainRule) {
+		const domainValue = bodyType === "request" ? domainRule.captureRequestBody : domainRule.captureResponseBody;
+		if (domainValue !== void 0) return domainValue;
+	}
+	if (globalConfig !== void 0) return globalConfig;
+	return false;
+}
+/**
+* Extracts structured payload from a span
+*/
+function extractSpanPayload(span, domainAllowList, globalHeadersAllowList, globalHeadersDenyList, globalCaptureRequestBody, globalCaptureResponseBody, headerRedaction) {
+	const attributes = span.attributes;
+	const url = attributes["http.url"] || attributes["url.full"];
+	const domainRule = url ? getDomainRule(url, domainAllowList) : void 0;
+	const headersAllowList = domainRule?.headersAllowList ?? globalHeadersAllowList;
+	const headersDenyList = domainRule?.headersDenyList ?? globalHeadersDenyList;
+	const shouldCaptureReqBody = shouldCaptureBody(domainRule, globalCaptureRequestBody, "request");
+	const shouldCaptureRespBody = shouldCaptureBody(domainRule, globalCaptureResponseBody, "response");
+	let requestHeaders = {};
+	let responseHeaders = {};
+	const flatRequestHeaders = extractHeadersFromAttributes(attributes, "http.request.header");
+	const flatResponseHeaders = extractHeadersFromAttributes(attributes, "http.response.header");
+	const httpRequestHeadersValue = attributes["http.request.header"];
+	const httpResponseHeadersValue = attributes["http.response.header"];
+	const isHeadersRecord = (value) => {
+		return typeof value === "object" && value !== null && !Array.isArray(value) && Object.values(value).every((v) => typeof v === "string" || Array.isArray(v) && v.every((item) => typeof item === "string") || v === void 0);
+	};
+	if (flatRequestHeaders) requestHeaders = filterHeaders(flatRequestHeaders, headersAllowList, headersDenyList, headerRedaction);
+	else if (isHeadersRecord(httpRequestHeadersValue)) requestHeaders = filterHeaders(httpRequestHeadersValue, headersAllowList, headersDenyList, headerRedaction);
+	if (flatResponseHeaders) responseHeaders = filterHeaders(flatResponseHeaders, headersAllowList, headersDenyList, headerRedaction);
+	else if (isHeadersRecord(httpResponseHeadersValue)) responseHeaders = filterHeaders(httpResponseHeadersValue, headersAllowList, headersDenyList, headerRedaction);
+	const extractedAttributes = { ...attributes };
+	for (const key in extractedAttributes) if (key.startsWith("http.request.header.") && key !== "http.request.header" || key.startsWith("http.response.header.") && key !== "http.response.header") delete extractedAttributes[key];
+	if (Object.keys(requestHeaders).length > 0) extractedAttributes["http.request.header"] = requestHeaders;
+	if (Object.keys(responseHeaders).length > 0) extractedAttributes["http.response.header"] = responseHeaders;
+	if (!shouldCaptureReqBody) delete extractedAttributes["http.request.body"];
+	if (!shouldCaptureRespBody) delete extractedAttributes["http.response.body"];
+	const spanContext = span.spanContext();
+	const parentSpanId = "parentSpanId" in span ? span.parentSpanId : void 0;
+	return {
+		traceId: spanContext.traceId,
+		spanId: spanContext.spanId,
+		parentSpanId,
+		name: span.name,
+		kind: span.kind.toString(),
+		startTime: (/* @__PURE__ */ new Date(span.startTime[0] * 1e3 + span.startTime[1] / 1e6)).toISOString(),
+		endTime: (/* @__PURE__ */ new Date(span.endTime[0] * 1e3 + span.endTime[1] / 1e6)).toISOString(),
+		duration: (span.endTime[0] - span.startTime[0]) * 1e3 + (span.endTime[1] - span.startTime[1]) / 1e6,
+		attributes: extractedAttributes,
+		status: {
+			code: span.status.code.toString(),
+			message: span.status.message
+		}
+	};
+}
+
+//#endregion
+//#region src/context-keys.ts
+/**
+* OpenTelemetry context keys for PingOps
+*/
+/**
+* Context key for enabling HTTP instrumentation.
+* When set to true, HTTP requests will be automatically instrumented.
+* This allows wrapHttp to control which HTTP calls are captured.
+*/
+const PINGOPS_HTTP_ENABLED = (0, _opentelemetry_api.createContextKey)("pingops-http-enabled");
+/**
+* Context key for user ID attribute.
+* Used to propagate user identifier to all spans in the context.
+*/
+const PINGOPS_USER_ID = (0, _opentelemetry_api.createContextKey)("pingops-user-id");
+/**
+* Context key for session ID attribute.
+* Used to propagate session identifier to all spans in the context.
+*/
+const PINGOPS_SESSION_ID = (0, _opentelemetry_api.createContextKey)("pingops-session-id");
+/**
+* Context key for tags attribute.
+* Used to propagate tags array to all spans in the context.
+*/
+const PINGOPS_TAGS = (0, _opentelemetry_api.createContextKey)("pingops-tags");
+/**
+* Context key for metadata attribute.
+* Used to propagate metadata object to all spans in the context.
+*/
+const PINGOPS_METADATA = (0, _opentelemetry_api.createContextKey)("pingops-metadata");
+/**
+* Context key for capturing request body.
+* When set, controls whether request bodies should be captured for HTTP spans.
+* This allows wrapHttp to control body capture per-request.
+*/
+const PINGOPS_CAPTURE_REQUEST_BODY = (0, _opentelemetry_api.createContextKey)("pingops-capture-request-body");
+/**
+* Context key for capturing response body.
+* When set, controls whether response bodies should be captured for HTTP spans.
+* This allows wrapHttp to control body capture per-request.
+*/
+const PINGOPS_CAPTURE_RESPONSE_BODY = (0, _opentelemetry_api.createContextKey)("pingops-capture-response-body");
+
+//#endregion
+//#region src/utils/context-extractor.ts
+/**
+* Extracts propagated attributes from the given context and returns them
+* as span attributes that can be set on a span.
+*
+* @param parentContext - The OpenTelemetry context to extract attributes from
+* @returns Record of attribute key-value pairs to set on spans
+*/
+function getPropagatedAttributesFromContext(parentContext) {
+	const attributes = {};
+	const userId = parentContext.getValue(PINGOPS_USER_ID);
+	if (userId !== void 0 && typeof userId === "string") attributes["pingops.user_id"] = userId;
+	const sessionId = parentContext.getValue(PINGOPS_SESSION_ID);
+	if (sessionId !== void 0 && typeof sessionId === "string") attributes["pingops.session_id"] = sessionId;
+	const tags = parentContext.getValue(PINGOPS_TAGS);
+	if (tags !== void 0 && Array.isArray(tags)) attributes["pingops.tags"] = tags;
+	const metadata = parentContext.getValue(PINGOPS_METADATA);
+	if (metadata !== void 0 && typeof metadata === "object" && metadata !== null && !Array.isArray(metadata)) {
+		for (const [key, value] of Object.entries(metadata)) if (typeof value === "string") attributes[`pingops.metadata.${key}`] = value;
+	}
+	return attributes;
+}
+
+//#endregion
+//#region src/wrap-http.ts
+/**
+* wrapHttp - Wraps a function to set attributes on HTTP spans created within the wrapped block.
+*
+* This function sets attributes (userId, sessionId, tags, metadata) in the OpenTelemetry
+* context, which are automatically propagated to all spans created within the wrapped function.
+*
+* Instrumentation behavior:
+* - If `initializePingops` was called: All HTTP requests are instrumented by default.
+*   `wrapHttp` only adds attributes to spans created within the wrapped block.
+* - If `initializePingops` was NOT called: Only HTTP requests within `wrapHttp` blocks
+*   are instrumented. Requests outside `wrapHttp` are not instrumented.
+*/
+const logger = createLogger("[PingOps wrapHttp]");
+/**
+* Wraps a function to set attributes on HTTP spans created within the wrapped block.
+*
+* This function sets attributes (userId, sessionId, tags, metadata) in the OpenTelemetry
+* context, which are automatically propagated to all spans created within the wrapped function.
+*
+* Instrumentation behavior:
+* - If `initializePingops` was called: All HTTP requests are instrumented by default.
+*   `wrapHttp` only adds attributes to spans created within the wrapped block.
+* - If `initializePingops` was NOT called: Only HTTP requests within `wrapHttp` blocks
+*   are instrumented. Requests outside `wrapHttp` are not instrumented.
+*
+* Note: This is the low-level API. For a simpler API with automatic setup,
+* use `wrapHttp` from `@pingops/sdk` instead.
+*
+* @param options - Options including attributes and required callbacks
+* @param fn - Function to execute within the attribute context
+* @returns The result of the function
+*/
+function wrapHttp(options, fn) {
+	logger.debug("wrapHttp called", {
+		hasAttributes: !!options.attributes,
+		hasUserId: !!options.attributes?.userId,
+		hasSessionId: !!options.attributes?.sessionId,
+		hasTags: !!options.attributes?.tags,
+		hasMetadata: !!options.attributes?.metadata
+	});
+	const normalizedOptions = "checkInitialized" in options && "isGlobalInstrumentationEnabled" in options ? options : (() => {
+		throw new Error("wrapHttp requires checkInitialized and isGlobalInstrumentationEnabled callbacks. Use wrapHttp from @pingops/sdk for automatic setup.");
+	})();
+	const { checkInitialized, ensureInitialized } = normalizedOptions;
+	if (checkInitialized()) {
+		logger.debug("SDK already initialized, executing wrapHttp synchronously");
+		return executeWrapHttpWithContext(normalizedOptions, fn);
+	}
+	if (ensureInitialized) {
+		logger.debug("SDK not initialized, using provided ensureInitialized callback");
+		return ensureInitialized().then(() => {
+			logger.debug("SDK initialized, executing wrapHttp");
+			return executeWrapHttpWithContext(normalizedOptions, fn);
+		}).catch((error) => {
+			logger.error("Failed to initialize SDK for wrapHttp", { error: error instanceof Error ? error.message : String(error) });
+			throw error;
+		});
+	}
+	logger.debug("SDK not initialized and no ensureInitialized callback provided, executing wrapHttp");
+	return executeWrapHttpWithContext(normalizedOptions, fn);
+}
+function executeWrapHttpWithContext(options, fn) {
+	const { attributes, isGlobalInstrumentationEnabled } = options;
+	const globalInstrumentationEnabled = isGlobalInstrumentationEnabled();
+	logger.debug("Executing wrapHttp context", {
+		hasAttributes: !!attributes,
+		globalInstrumentationEnabled
+	});
+	let contextWithAttributes = _opentelemetry_api.context.active();
+	if (!globalInstrumentationEnabled) contextWithAttributes = contextWithAttributes.setValue(PINGOPS_HTTP_ENABLED, true);
+	if (attributes) {
+		if (attributes.userId !== void 0) contextWithAttributes = contextWithAttributes.setValue(PINGOPS_USER_ID, attributes.userId);
+		if (attributes.sessionId !== void 0) contextWithAttributes = contextWithAttributes.setValue(PINGOPS_SESSION_ID, attributes.sessionId);
+		if (attributes.tags !== void 0) contextWithAttributes = contextWithAttributes.setValue(PINGOPS_TAGS, attributes.tags);
+		if (attributes.metadata !== void 0) contextWithAttributes = contextWithAttributes.setValue(PINGOPS_METADATA, attributes.metadata);
+		if (attributes.captureRequestBody !== void 0) contextWithAttributes = contextWithAttributes.setValue(PINGOPS_CAPTURE_REQUEST_BODY, attributes.captureRequestBody);
+		if (attributes.captureResponseBody !== void 0) contextWithAttributes = contextWithAttributes.setValue(PINGOPS_CAPTURE_RESPONSE_BODY, attributes.captureResponseBody);
+	}
+	return _opentelemetry_api.context.with(contextWithAttributes, () => {
+		try {
+			const result = fn();
+			if (result instanceof Promise) return result.catch((err) => {
+				logger.error("Error in wrapHttp async execution", { error: err instanceof Error ? err.message : String(err) });
+				throw err;
+			});
+			return result;
+		} catch (err) {
+			logger.error("Error in wrapHttp sync execution", { error: err instanceof Error ? err.message : String(err) });
+			throw err;
+		}
+	});
+}
+
+//#endregion
+exports.DEFAULT_REDACTION_CONFIG = DEFAULT_REDACTION_CONFIG;
+exports.DEFAULT_SENSITIVE_HEADER_PATTERNS = DEFAULT_SENSITIVE_HEADER_PATTERNS;
+exports.HeaderRedactionStrategy = HeaderRedactionStrategy;
+exports.PINGOPS_CAPTURE_REQUEST_BODY = PINGOPS_CAPTURE_REQUEST_BODY;
+exports.PINGOPS_CAPTURE_RESPONSE_BODY = PINGOPS_CAPTURE_RESPONSE_BODY;
+exports.PINGOPS_HTTP_ENABLED = PINGOPS_HTTP_ENABLED;
+exports.PINGOPS_METADATA = PINGOPS_METADATA;
+exports.PINGOPS_SESSION_ID = PINGOPS_SESSION_ID;
+exports.PINGOPS_TAGS = PINGOPS_TAGS;
+exports.PINGOPS_USER_ID = PINGOPS_USER_ID;
+exports.createLogger = createLogger;
+exports.extractHeadersFromAttributes = extractHeadersFromAttributes;
+exports.extractSpanPayload = extractSpanPayload;
+exports.filterHeaders = filterHeaders;
+exports.getPropagatedAttributesFromContext = getPropagatedAttributesFromContext;
+exports.isSensitiveHeader = isSensitiveHeader;
+exports.isSpanEligible = isSpanEligible;
+exports.normalizeHeaders = normalizeHeaders;
+exports.redactHeaderValue = redactHeaderValue;
+exports.shouldCaptureSpan = shouldCaptureSpan;
+exports.wrapHttp = wrapHttp;
+//# sourceMappingURL=index.cjs.map