npm - autotel-web - Versions diffs - 1.11.0 → 1.11.2 - Mend

autotel-web 1.11.0 → 1.11.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -85,6 +85,120 @@ app.get('/api/users', async (req, res) => {
 Open your observability platform (Honeycomb, Datadog, Jaeger, etc.) and see the complete trace from browser → backend → database!
+## Browser Span Export (lean mode)
+By default, lean mode only injects `traceparent` headers — no spans are exported from the browser. This means trace UIs like Jaeger may show "missing parent span" because the browser's spanId doesn't exist in the collector.
+To fix this, set the `endpoint` option. autotel-web will export a lightweight span via `navigator.sendBeacon` for each fetch, so the browser span appears in your collector as the trace root:
+```typescript
+init({
+  service: 'my-frontend',
+  endpoint: '', // same-origin — requires /v1/traces proxy (see below)
+})
+```
+### Collector Proxy
+Browsers can't send directly to most collectors (CORS). Add a simple proxy route to your API:
+**Hono:**
+```typescript
+app.post('/v1/traces', async (c) => {
+  const body = await c.req.arrayBuffer()
+  await fetch(`${process.env.OTEL_EXPORTER_OTLP_ENDPOINT}/v1/traces`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body,
+  })
+  return c.json({ ok: true })
+})
+```
+**Express:**
+```typescript
+app.post('/v1/traces', express.raw({ type: 'application/json' }), async (req, res) => {
+  await fetch(`${process.env.OTEL_EXPORTER_OTLP_ENDPOINT}/v1/traces`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: req.body,
+  })
+  res.json({ ok: true })
+})
+```
+If using Vite in dev, proxy `/v1/traces` to your API:
+```typescript
+// vite.config.ts
+server: {
+  proxy: {
+    '/v1/traces': { target: 'http://localhost:8787', changeOrigin: true },
+  },
+},
+```
+### PostHog Reverse Proxy
+If you use PostHog for analytics, route events through the same API to bypass ad blockers (typically increases event capture by 10-30%):
+**Hono:**
+```typescript
+const POSTHOG_HOST = process.env.POSTHOG_HOST || 'https://eu.i.posthog.com'
+app.post('/ingest/*', async (c) => {
+  const path = c.req.path.replace('/ingest', '')
+  const body = await c.req.arrayBuffer()
+  const resp = await fetch(`${POSTHOG_HOST}${path}`, {
+    method: 'POST',
+    headers: { 'Content-Type': c.req.header('content-type') || 'application/json' },
+    body,
+  })
+  return new Response(resp.body, { status: resp.status, headers: resp.headers })
+})
+app.get('/ingest/decide*', async (c) => {
+  const url = new URL(c.req.url)
+  const resp = await fetch(`${POSTHOG_HOST}/decide${url.search}`)
+  return new Response(resp.body, { status: resp.status, headers: resp.headers })
+})
+```
+**Browser (posthog-js):**
+```typescript
+import posthog from 'posthog-js'
+posthog.init('phc_your_key', {
+  api_host: '/ingest',                  // same-origin proxy
+  ui_host: 'https://eu.i.posthog.com',  // keep toolbar working
+})
+```
+**Vite proxy (dev):**
+```typescript
+proxy: {
+  '/ingest': { target: 'http://localhost:8787', changeOrigin: true },
+}
+```
+See [PostHog reverse proxy docs](https://posthog.com/docs/advanced/proxy) for production setups (managed proxy, Cloudflare Workers, etc.).
+The resulting trace tree:
+```
+browser /api/transfer (CLIENT, root)        ← autotel-web
+  └─ POST /api/transfer (SERVER)            ← autotel / autotel-hono
+       └─ sendMoney (INTERNAL)              ← your app
+            ├─ validate
+            ├─ fetchRate
+            └─ ...
+```
 ## Full mode (real spans)
 When you need real browser spans, network timing events, and optional export from the client, use full mode. Same install: `autotel-web`. No Zone.js.
@@ -354,6 +468,14 @@ interface AutotelWebConfig {
   /** Enable debug logging (default: false) */
   debug?: boolean
+  /**
+   * OTLP endpoint for exporting browser spans.
+   * When set, a real span is sent via sendBeacon for each fetch,
+   * so the traceparent spanId exists in the collector.
+   * Use '' for same-origin (requires /v1/traces proxy).
+   */
+  endpoint?: string
   /** Privacy controls for traceparent header injection */
   privacy?: PrivacyConfig
 }
@@ -1059,6 +1181,26 @@ app.use(cors({
 3. For custom frameworks, manually extract context (see "Backend Integration" above)
+### Browser spans not appearing in collector
+If you've set `endpoint` but spans don't appear:
+1. Check the proxy is working: `curl -X POST http://localhost:8787/v1/traces -H 'Content-Type: application/json' -d '{}'`
+2. Verify Vite proxy config includes `/v1/traces`
+3. Enable `debug: true` — you should see `[autotel-web] flushSpans: sending N span(s)` in the console
+### Vite dev server caching stale autotel-web
+When using `file:` linked autotel packages in development, Vite caches pre-bundled dependencies in `node_modules/.vite/`. After rebuilding autotel-web, clear this cache:
+```bash
+rm -rf node_modules/.vite
+# or for monorepos
+rm -rf apps/web/node_modules/.vite
+```
+Then restart the Vite dev server. Without this, the browser may run an old version of autotel-web even after rebuilding.
 ### TypeScript errors
 Ensure you're using TypeScript 5.0+ and have `@types/node` installed:

package/dist/index.d.ts CHANGED Viewed

@@ -31,6 +31,13 @@ interface AutotelWebConfig {
      * @default true
      */
     instrumentXHR?: boolean;
+    /**
+     * OTLP endpoint for exporting browser spans.
+     * When set, browser spans are sent via sendBeacon so the traceparent
+     * spanId exists as a real span in the collector.
+     * Use '' (empty string) for same-origin (requires /v1/traces proxy).
+     */
+    endpoint?: string;
     /**
      * Privacy controls for traceparent header injection
      *
@@ -92,6 +99,8 @@ interface AutotelWebConfig {
  */
 declare function init(userConfig: AutotelWebConfig): void;
+declare function flushSpans(): void;
 /**
  * Minimal W3C Trace Context implementation for browser
  *
@@ -150,4 +159,4 @@ declare function parseTraceparent(traceparent: string): {
     flags: string;
 } | null;
-export { type AutotelWebConfig, PrivacyConfig, createTraceparent, generateSpanId, generateTraceId, init, parseTraceparent };
+export { type AutotelWebConfig, PrivacyConfig, createTraceparent, flushSpans, generateSpanId, generateTraceId, init, parseTraceparent };

package/dist/index.js CHANGED Viewed

@@ -1,10 +1,10 @@
-import { createTraceparent } from './chunk-L3S7LTIH.js';
+import { createTraceparent, __publicField, parseTraceparent } from './chunk-L3S7LTIH.js';
 export { createTraceparent, extractContext, generateSpanId, generateTraceId, getActiveContext, getTraceparent, parseTraceparent, trace } from './chunk-L3S7LTIH.js';
 // src/privacy.ts
 var PrivacyManager = class {
   constructor(config2) {
-    this.config = config2;
+    __publicField(this, "config", config2);
   }
   /**
    * Check if traceparent header should be injected for a given URL
@@ -128,6 +128,73 @@ function getDenialReason(privacyManager2, url) {
   return null;
 }
+// src/span-exporter.ts
+var debug = false;
+var serviceName = "browser";
+var exportEndpoint;
+var pendingSpans = [];
+var flushTimer;
+var rawFetch;
+function setRawFetch(fn) {
+  rawFetch = fn;
+}
+function configureExporter(service, endpoint, enableDebug = false) {
+  debug = enableDebug;
+  serviceName = service;
+  exportEndpoint = endpoint.replace(/\/$/, "");
+  if (!exportEndpoint.endsWith("/v1/traces")) {
+    exportEndpoint += "/v1/traces";
+  }
+  if (!flushTimer) {
+    flushTimer = setInterval(flushSpans, 2e3);
+  }
+}
+function recordSpan(traceId, spanId, name, startMs, endMs, attrs) {
+  if (!exportEndpoint) return;
+  if (debug) console.log(`[autotel-web] recordSpan: ${name} (${traceId.slice(0, 8)}\u2026)`);
+  const attributes = attrs ? Object.entries(attrs).map(([key, value]) => ({
+    key,
+    value: typeof value === "number" ? { intValue: String(value) } : { stringValue: value }
+  })) : void 0;
+  pendingSpans.push({
+    traceId,
+    spanId,
+    name,
+    kind: 3,
+    // CLIENT
+    startTimeUnixNano: String(Math.round(startMs * 1e6)),
+    endTimeUnixNano: String(Math.round(endMs * 1e6)),
+    attributes
+  });
+  flushSpans();
+}
+function flushSpans() {
+  if (!exportEndpoint || pendingSpans.length === 0) return;
+  if (debug) console.log(`[autotel-web] flushSpans: sending ${pendingSpans.length} span(s) to ${exportEndpoint}`);
+  const spans = pendingSpans;
+  pendingSpans = [];
+  const payload = JSON.stringify({
+    resourceSpans: [{
+      resource: { attributes: [{ key: "service.name", value: { stringValue: serviceName } }] },
+      scopeSpans: [{ scope: { name: "autotel-web" }, spans }]
+    }]
+  });
+  const blob = new Blob([payload], { type: "application/json" });
+  const sent = typeof navigator?.sendBeacon === "function" && navigator.sendBeacon(exportEndpoint, blob);
+  if (!sent && rawFetch) {
+    rawFetch(exportEndpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: payload,
+      keepalive: true
+    }).catch(() => {
+    });
+  }
+}
+function isConfigured() {
+  return exportEndpoint !== void 0;
+}
 // src/init.ts
 var isInitialized = false;
 var config;
@@ -150,12 +217,21 @@ function init(userConfig) {
   if (config.privacy) {
     privacyManager = new PrivacyManager(config.privacy);
   }
+  if (config.endpoint !== void 0) {
+    setRawFetch(window.fetch.bind(window));
+    configureExporter(config.service, config.endpoint, config.debug);
+  }
   if (config.instrumentFetch !== false) {
     patchFetch();
   }
   if (config.instrumentXHR !== false) {
     patchXMLHttpRequest();
   }
+  if (config.endpoint !== void 0) {
+    window.addEventListener("visibilitychange", () => {
+      if (document.visibilityState === "hidden") flushSpans();
+    });
+  }
   isInitialized = true;
   if (config.debug) {
     console.log("[autotel-web] Initialized successfully", {
@@ -177,6 +253,7 @@ function patchFetch() {
   window.fetch = function(input, init2) {
     const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
     const headers = new Headers(init2?.headers);
+    let injectedTraceparent;
     if (!headers.has("traceparent")) {
       if (privacyManager && !privacyManager.shouldInjectTraceparent(url)) {
         if (config?.debug) {
@@ -188,17 +265,58 @@ function patchFetch() {
           );
         }
       } else {
-        headers.set("traceparent", createTraceparent());
+        injectedTraceparent = createTraceparent();
+        headers.set("traceparent", injectedTraceparent);
         if (config?.debug) {
           console.log(
             "[autotel-web] Injected traceparent on fetch:",
             url,
-            headers.get("traceparent")
+            injectedTraceparent
           );
         }
       }
     }
-    return originalFetch(input, { ...init2, headers });
+    const method = init2?.method ?? (input instanceof Request ? input.method : void 0) ?? "GET";
+    const startTime = performance.timeOrigin + performance.now();
+    const fetchPromise = originalFetch(input, { ...init2, headers });
+    if (injectedTraceparent && isConfigured()) {
+      fetchPromise.then(
+        (response) => {
+          const endTime = performance.timeOrigin + performance.now();
+          const parsed = parseTraceparent(injectedTraceparent);
+          if (parsed) {
+            let pathname;
+            try {
+              pathname = new URL(url, window.location.origin).pathname;
+            } catch {
+              pathname = url;
+            }
+            recordSpan(parsed.traceId, parsed.spanId, `browser ${pathname}`, startTime, endTime, {
+              "http.method": method,
+              "http.url": url,
+              "http.status_code": response.status
+            });
+          }
+        },
+        () => {
+          const endTime = performance.timeOrigin + performance.now();
+          const parsed = parseTraceparent(injectedTraceparent);
+          if (parsed) {
+            let pathname;
+            try {
+              pathname = new URL(url, window.location.origin).pathname;
+            } catch {
+              pathname = url;
+            }
+            recordSpan(parsed.traceId, parsed.spanId, `browser ${pathname}`, startTime, endTime, {
+              "http.method": method,
+              "http.url": url
+            });
+          }
+        }
+      );
+    }
+    return fetchPromise;
   };
 }
 function patchXMLHttpRequest() {
@@ -303,6 +421,6 @@ function validateConfig(userConfig) {
   }
 }
-export { init };
+export { flushSpans, init };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/privacy.ts","../src/init.ts"],"names":["config","privacyManager","init"],"mappings":";;;;AAiEO,IAAM,iBAAN,MAAqB;AAAA,EAC1B,YAA6BA,OAAAA,EAAuB;AAAvB,IAAA,IAAA,CAAA,MAAA,GAAAA,OAAAA;AAAA,EAAwB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAerD,wBAAwB,GAAA,EAAsB;AAE5C,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,iBAAA,IAAqB,IAAA,CAAK,qBAAoB,EAAG;AAC/D,MAAA,OAAO,KAAA;AAAA,IACT;AAGA,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,UAAA,IAAc,IAAA,CAAK,cAAa,EAAG;AACjD,MAAA,OAAO,KAAA;AAAA,IACT;AAGA,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,aAAA,CAAc,GAAG,CAAA;AAG3C,IAAA,IACE,IAAA,CAAK,OAAO,cAAA,IACZ,IAAA,CAAK,iBAAiB,YAAA,EAAc,IAAA,CAAK,MAAA,CAAO,cAAc,CAAA,EAC9D;AACA,MAAA,OAAO,KAAA;AAAA,IACT;AAGA,IAAA,IAAI,KAAK,MAAA,CAAO,cAAA,IAAkB,KAAK,MAAA,CAAO,cAAA,CAAe,SAAS,CAAA,EAAG;AACvE,MAAA,OAAO,IAAA,CAAK,gBAAA,CAAiB,YAAA,EAAc,IAAA,CAAK,OAAO,cAAc,CAAA;AAAA,IACvE;AAGA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,mBAAA,GAA+B;AACrC,IAAA,IAAI,OAAO,SAAA,KAAc,WAAA,EAAa,OAAO,KAAA;AAG7C,IAAA,OAAO,UAAU,UAAA,KAAe,GAAA;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAA,GAAwB;AAC9B,IAAA,IAAI,OAAO,SAAA,KAAc,WAAA,EAAa,OAAO,KAAA;AAI7C,IAAA,MAAM,GAAA,GAAM,SAAA;AACZ,IAAA,OAAO,IAAI,oBAAA,KAAyB,IAAA;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,cAAc,GAAA,EAAqB;AACzC,IAAA,IAAI;AAEF,MAAA,IAAI,IAAI,UAAA,CAAW,SAAS,KAAK,GAAA,CAAI,UAAA,CAAW,UAAU,CAAA,EAAG;AAC3D,QAAA,OAAO,IAAI,GAAA,CAAI,GAAG,CAAA,CAAE,MAAA;AAAA,MACtB;AAGA,MAAA,IAAI,OAAO,WAAW,WAAA,EAAa;AACjC,QAAA,OAAO,IAAI,GAAA,CAAI,GAAA,EAAK,MAAA,CAAO,QAAA,CAAS,IAAI,CAAA,CAAE,MAAA;AAAA,MAC5C;AAGA,MAAA,OAAO,EAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AAEN,MAAA,OAAO,EAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWQ,gBAAA,CACN,cACA,iBAAA,EACS;AACT,IAAA,OAAO,iBAAA,CAAkB,IAAA,CAAK,CAAC,gBAAA,KAAqB;AAElD,MAAA,MAAM,gBAAA,GAAmB,aAAa,WAAA,EAAY;AAClD,MAAA,MAAM,oBAAA,GAAuB,iBAAiB,WAAA,EAAY;AAI1D,MAAA,OAAO,gBAAA,CAAiB,SAAS,oBAAoB,CAAA;AAAA,IACvD,CAAC,CAAA;AAAA,EACH;AACF,CAAA;AAqBO,SAAS,eAAA,CACdC,iBACA,GAAA,EACe;AAGf,EAAA,MAAMD,UAAUC,eAAAA,CAAuB,MAAA;AAGvC,EAAA,IAAID,OAAAA,CAAO,iBAAA,IAAqB,OAAO,SAAA,KAAc,WAAA,EAAa;AAChE,IAAA,IAAI,SAAA,CAAU,eAAe,GAAA,EAAK;AAChC,MAAA,OAAO,yBAAA;AAAA,IACT;AAAA,EACF;AAGA,EAAA,IAAIA,OAAAA,CAAO,UAAA,IAAc,OAAO,SAAA,KAAc,WAAA,EAAa;AACzD,IAAA,MAAM,GAAA,GAAM,SAAA;AACZ,IAAA,IAAI,GAAA,CAAI,yBAAyB,IAAA,EAAM;AACrC,MAAA,OAAO,mCAAA;AAAA,IACT;AAAA,EACF;AAGA,EAAA,IAAI,YAAA,GAAe,EAAA;AACnB,EAAA,IAAI;AACF,IAAA,IAAI,IAAI,UAAA,CAAW,SAAS,KAAK,GAAA,CAAI,UAAA,CAAW,UAAU,CAAA,EAAG;AAC3D,MAAA,YAAA,GAAe,IAAI,GAAA,CAAI,GAAG,CAAA,CAAE,MAAA;AAAA,IAC9B,CAAA,MAAA,IAAW,OAAO,MAAA,KAAW,WAAA,EAAa;AACxC,MAAA,YAAA,GAAe,IAAI,GAAA,CAAI,GAAA,EAAK,MAAA,CAAO,QAAA,CAAS,IAAI,CAAA,CAAE,MAAA;AAAA,IACpD;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,aAAA;AAAA,EACT;AAGA,EAAA,IAAIA,QAAO,cAAA,EAAgB;AACzB,IAAA,MAAM,OAAA,GAAUA,QAAO,cAAA,CAAe,IAAA;AAAA,MAAK,CAAC,WAC1C,YAAA,CAAa,WAAA,GAAc,QAAA,CAAS,MAAA,CAAO,aAAa;AAAA,KAC1D;AACA,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,OAAO,UAAU,YAAY,CAAA,0BAAA,CAAA;AAAA,IAC/B;AAAA,EACF;AAGA,EAAA,IAAIA,OAAAA,CAAO,cAAA,IAAkBA,OAAAA,CAAO,cAAA,CAAe,SAAS,CAAA,EAAG;AAC7D,IAAA,MAAM,OAAA,GAAUA,QAAO,cAAA,CAAe,IAAA;AAAA,MAAK,CAAC,WAC1C,YAAA,CAAa,WAAA,GAAc,QAAA,CAAS,MAAA,CAAO,aAAa;AAAA,KAC1D;AACA,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,OAAO,UAAU,YAAY,CAAA,8BAAA,CAAA;AAAA,IAC/B;AAAA,EACF;AAEA,EAAA,OAAO,IAAA;AACT;;;ACnMA,IAAI,aAAA,GAAgB,KAAA;AACpB,IAAI,MAAA;AACJ,IAAI,cAAA;AACJ,IAAI,aAAA;AACJ,IAAI,eAAA;AACJ,IAAI,2BAAA;AAkCG,SAAS,KAAK,UAAA,EAAoC;AAEvD,EAAA,IAAI,OAAO,WAAW,WAAA,EAAa;AACjC,IAAA;AAAA,EACF;AAEA,EAAA,IAAI,aAAA,EAAe;AACjB,IAAA,IAAI,WAAW,KAAA,EAAO;AACpB,MAAA,OAAA,CAAQ,KAAK,8CAA8C,CAAA;AAAA,IAC7D;AACA,IAAA;AAAA,EACF;AAGA,EAAA,cAAA,CAAe,UAAU,CAAA;AAEzB,EAAA,MAAA,GAAS,UAAA;AAGT,EAAA,IAAI,OAAO,OAAA,EAAS;AAClB,IAAA,cAAA,GAAiB,IAAI,cAAA,CAAe,MAAA,CAAO,OAAO,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,MAAA,CAAO,oBAAoB,KAAA,EAAO;AACpC,IAAA,UAAA,EAAW;AAAA,EACb;AAGA,EAAA,IAAI,MAAA,CAAO,kBAAkB,KAAA,EAAO;AAClC,IAAA,mBAAA,EAAoB;AAAA,EACtB;AAEA,EAAA,aAAA,GAAgB,IAAA;AAEhB,EAAA,IAAI,OAAO,KAAA,EAAO;AAChB,IAAA,OAAA,CAAQ,IAAI,wCAAA,EAA0C;AAAA,MACpD,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,eAAA,EAAiB,OAAO,eAAA,KAAoB,KAAA;AAAA,MAC5C,aAAA,EAAe,OAAO,aAAA,KAAkB,KAAA;AAAA,MACxC,cAAA,EAAgB,CAAC,CAAC,MAAA,CAAO,OAAA;AAAA,MACzB,aAAA,EAAe,OAAO,OAAA,GAClB;AAAA,QACE,cAAA,EAAgB,MAAA,CAAO,OAAA,CAAQ,cAAA,EAAgB,MAAA,IAAU,CAAA;AAAA,QACzD,cAAA,EAAgB,MAAA,CAAO,OAAA,CAAQ,cAAA,EAAgB,MAAA,IAAU,CAAA;AAAA,QACzD,iBAAA,EAAmB,MAAA,CAAO,OAAA,CAAQ,iBAAA,IAAqB,KAAA;AAAA,QACvD,UAAA,EAAY,MAAA,CAAO,OAAA,CAAQ,UAAA,IAAc;AAAA,OAC3C,GACA;AAAA,KACL,CAAA;AAAA,EACH;AACF;AAKA,SAAS,UAAA,GAAmB;AAG1B,EAAA,aAAA,GAAgB,MAAA,CAAO,KAAA,CAAM,IAAA,CAAK,MAAM,CAAA;AAExC,EAAA,MAAA,CAAO,KAAA,GAAQ,SACb,KAAA,EACAE,KAAAA,EACmB;AAEnB,IAAA,MAAM,GAAA,GACJ,OAAO,KAAA,KAAU,QAAA,GACb,KAAA,GACA,iBAAiB,GAAA,GACf,KAAA,CAAM,QAAA,EAAS,GACf,KAAA,CAAM,GAAA;AAGd,IAAA,MAAM,OAAA,GAAU,IAAI,OAAA,CAAQA,KAAAA,EAAM,OAAO,CAAA;AAGzC,IAAA,IAAI,CAAC,OAAA,CAAQ,GAAA,CAAI,aAAa,CAAA,EAAG;AAE/B,MAAA,IAAI,cAAA,IAAkB,CAAC,cAAA,CAAe,uBAAA,CAAwB,GAAG,CAAA,EAAG;AAClE,QAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,UAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,cAAA,EAAgB,GAAG,CAAA;AAClD,UAAA,OAAA,CAAQ,GAAA;AAAA,YACN,uDAAA;AAAA,YACA,GAAA;AAAA,YACA;AAAA,WACF;AAAA,QACF;AAAA,MACF,CAAA,MAAO;AAEL,QAAA,OAAA,CAAQ,GAAA,CAAI,aAAA,EAAe,iBAAA,EAAmB,CAAA;AAE9C,QAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,UAAA,OAAA,CAAQ,GAAA;AAAA,YACN,8CAAA;AAAA,YACA,GAAA;AAAA,YACA,OAAA,CAAQ,IAAI,aAAa;AAAA,WAC3B;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAIA,IAAA,OAAO,cAAe,KAAA,EAAO,EAAE,GAAGA,KAAAA,EAAM,SAAS,CAAA;AAAA,EACnD,CAAA;AACF;AAKA,SAAS,mBAAA,GAA4B;AAGnC,EAAA,eAAA,GAAkB,eAAe,SAAA,CAAU,IAAA;AAC3C,EAAA,2BAAA,GAA8B,eAAe,SAAA,CAAU,gBAAA;AAGvD,EAAA,MAAM,iBAAA,uBAAwB,OAAA,EAAwB;AAGtD,EAAA,cAAA,CAAe,SAAA,CAAU,gBAAA,GAAmB,SAC1C,IAAA,EACA,KAAA,EACM;AACN,IAAA,IAAI,IAAA,CAAK,WAAA,EAAY,KAAM,aAAA,EAAe;AACxC,MAAA,iBAAA,CAAkB,IAAI,IAAI,CAAA;AAAA,IAC5B;AAEA,IAAA,OAAO,2BAAA,CAA6B,IAAA,CAAK,IAAA,EAAM,IAAA,EAAM,KAAK,CAAA;AAAA,EAC5D,CAAA;AAGA,EAAA,cAAA,CAAe,SAAA,CAAU,OAAO,SAC9B,MAAA,EACA,KACA,KAAA,GAAiB,IAAA,EACjB,UACA,QAAA,EACM;AAGN,IAAA,MAAM,MAAA,GAAS,gBAAiB,IAAA,CAAK,IAAA,EAAM,QAAQ,GAAA,EAAK,KAAA,EAAO,UAAU,QAAQ,CAAA;AAGjF,IAAA,MAAM,SAAS,OAAO,GAAA,KAAQ,QAAA,GAAW,GAAA,GAAM,IAAI,QAAA,EAAS;AAG5D,IAAA,MAAM,GAAA,GAAM,IAAA;AACZ,IAAA,MAAM,6BAA6B,GAAA,CAAI,kBAAA;AAEvC,IAAA,GAAA,CAAI,kBAAA,GAAqB,SAAU,KAAA,EAAc;AAE/C,MAAA,IAAI,GAAA,CAAI,UAAA,KAAe,cAAA,CAAe,MAAA,EAAQ;AAE5C,QAAA,IAAI,CAAC,iBAAA,CAAkB,GAAA,CAAI,GAAG,CAAA,EAAG;AAE/B,UAAA,IAAI,cAAA,IAAkB,CAAC,cAAA,CAAe,uBAAA,CAAwB,MAAM,CAAA,EAAG;AACrE,YAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,cAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,cAAA,EAAgB,MAAM,CAAA;AACrD,cAAA,OAAA,CAAQ,GAAA;AAAA,gBACN,qDAAA;AAAA,gBACA,MAAA;AAAA,gBACA;AAAA,eACF;AAAA,YACF;AAAA,UACF,CAAA,MAAO;AAEL,YAAA,IAAI;AACF,cAAA,MAAM,cAAc,iBAAA,EAAkB;AAEtC,cAAA,2BAAA,CAA6B,IAAA,CAAK,GAAA,EAAK,aAAA,EAAe,WAAW,CAAA;AAEjE,cAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,gBAAA,OAAA,CAAQ,GAAA;AAAA,kBACN,4CAAA;AAAA,kBACA,MAAA;AAAA,kBACA;AAAA,iBACF;AAAA,cACF;AAAA,YACF,SAAS,KAAA,EAAO;AAEd,cAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,gBAAA,OAAA,CAAQ,IAAA;AAAA,kBACN,oDAAA;AAAA,kBACA;AAAA,iBACF;AAAA,cACF;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAGA,MAAA,IAAI,0BAAA,EAA4B;AAC9B,QAAA,OAAO,0BAAA,CAA2B,IAAA,CAAK,GAAA,EAAK,KAAK,CAAA;AAAA,MACnD;AAAA,IACF,CAAA;AAEA,IAAA,OAAO,MAAA;AAAA,EACT,CAAA;AACF;AAMA,SAAS,eAAe,UAAA,EAAoC;AAE1D,EAAA,IAAI,CAAC,UAAA,CAAW,OAAA,IAAW,OAAO,UAAA,CAAW,YAAY,QAAA,EAAU;AACjE,IAAA,MAAM,IAAI,MAAM,6DAA6D,CAAA;AAAA,EAC/E;AAEA,EAAA,IAAI,UAAA,CAAW,OAAA,CAAQ,MAAA,KAAW,CAAA,EAAG;AACnC,IAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,EAC9D;AAEA,EAAA,IAAI,UAAA,CAAW,OAAA,CAAQ,MAAA,GAAS,GAAA,EAAK;AACnC,IAAA,OAAA,CAAQ,IAAA;AAAA,MACN;AAAA,KACF;AAAA,EACF;AAGA,EAAA,IAAI,WAAW,OAAA,EAAS;AACtB,IAAA,MAAM,EAAE,cAAA,EAAgB,cAAA,EAAe,GAAI,UAAA,CAAW,OAAA;AAGtD,IAAA,IAAA,CACG,CAAC,cAAA,IAAkB,cAAA,CAAe,MAAA,KAAW,CAAA,MAC7C,CAAC,cAAA,IAAkB,cAAA,CAAe,MAAA,KAAW,CAAA,CAAA,IAC9C,CAAC,UAAA,CAAW,OAAA,CAAQ,qBACpB,CAAC,UAAA,CAAW,QAAQ,UAAA,EACpB;AACA,MAAA,OAAA,CAAQ,IAAA;AAAA,QACN;AAAA,OACF;AAAA,IACF;AAGA,IAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,MAAA,MAAM,UAAU,cAAA,CAAe,MAAA;AAAA,QAAO,CAAC,YACrC,cAAA,CAAe,IAAA;AAAA,UAAK,CAAC,YACnB,OAAA,CAAQ,WAAA,GAAc,QAAA,CAAS,OAAA,CAAQ,aAAa;AAAA;AACtD,OACF;AACA,MAAA,IAAI,OAAA,CAAQ,SAAS,CAAA,EAAG;AACtB,QAAA,OAAA,CAAQ,IAAA;AAAA,UACN,qFAAA;AAAA,UACA;AAAA,SACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,MAAM,UAAA,GAAa;AAAA,MACjB,GAAI,kBAAkB,EAAC;AAAA,MACvB,GAAI,kBAAkB;AAAC,KACzB;AACA,IAAA,UAAA,CAAW,OAAA,CAAQ,CAAC,MAAA,KAAW;AAC7B,MAAA,IAAI,MAAA,CAAO,QAAA,CAAS,KAAK,CAAA,EAAG;AAC1B,QAAA,OAAA,CAAQ,IAAA;AAAA,UACN,yBAAyB,MAAM,CAAA,iFAAA;AAAA,SACjC;AAAA,MACF;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AACF","file":"index.js","sourcesContent":["/*\n Privacy controls for autotel-web\n \n Provides origin filtering and privacy signal respecting (DNT, GPC)\n * to ensure compliance with GDPR, CCPA, and user privacy preferences.\n /\n\nexport interface PrivacyConfig {\n /\n Only inject traceparent headers on requests to these origins (whitelist)\n \n If specified, traceparent will ONLY be injected on matching origins.\n * Origins are matched using substring matching (e.g., \"example.com\" matches \"https://api.example.com\").\n \n @example\n * ```typescript\n * {\n * allowedOrigins: ['api.myapp.com', 'myapp.com']\n * }\n * ```\n /\n allowedOrigins?: string[];\n\n /\n Never inject traceparent headers on requests to these origins (blacklist)\n \n Takes precedence over allowedOrigins.\n * Origins are matched using substring matching.\n \n @example\n * ```typescript\n * {\n * blockedOrigins: ['analytics.google.com', 'facebook.com']\n * }\n * ```\n /\n blockedOrigins?: string[];\n\n /\n Respect the Do Not Track (DNT) browser setting\n \n If true and user has DNT enabled, no traceparent headers will be injected.\n \n @default false\n * @see https://developer.mozilla.org/en-US/docs/Web/API/Navigator/doNotTrack\n /\n respectDoNotTrack?: boolean;\n\n /\n Respect the Global Privacy Control (GPC) browser signal\n \n If true and user has GPC enabled, no traceparent headers will be injected.\n \n @default false\n * @see https://globalprivacycontrol.org/\n /\n respectGPC?: boolean;\n}\n\n/\n Manages privacy controls for traceparent header injection\n \n Checks user privacy preferences (DNT, GPC) and origin filtering rules\n * to determine if traceparent headers should be injected on a given request.\n /\nexport class PrivacyManager {\n constructor(private readonly config: PrivacyConfig) {}\n\n /\n Check if traceparent header should be injected for a given URL\n \n Decision order:\n * 1. Check Do Not Track (if enabled)\n * 2. Check Global Privacy Control (if enabled)\n * 3. Check blockedOrigins (explicit deny)\n * 4. Check allowedOrigins (explicit allow, if configured)\n * 5. Default: allow\n \n @param url - Full URL or relative path of the request\n * @returns true if traceparent should be injected, false otherwise\n /\n shouldInjectTraceparent(url: string): boolean {\n // Check Do Not Track\n if (this.config.respectDoNotTrack && this.isDoNotTrackEnabled()) {\n return false;\n }\n\n // Check Global Privacy Control\n if (this.config.respectGPC && this.isGPCEnabled()) {\n return false;\n }\n\n // Get the origin of the target URL\n const targetOrigin = this.extractOrigin(url);\n\n // Check blocklist first (explicit deny takes precedence)\n if (\n this.config.blockedOrigins &&\n this.matchesAnyOrigin(targetOrigin, this.config.blockedOrigins)\n ) {\n return false;\n }\n\n // If allowlist exists, only allow those origins\n if (this.config.allowedOrigins && this.config.allowedOrigins.length > 0) {\n return this.matchesAnyOrigin(targetOrigin, this.config.allowedOrigins);\n }\n\n // Default: allow (backward compatible behavior)\n return true;\n }\n\n /\n Check if Do Not Track is enabled in the browser\n /\n private isDoNotTrackEnabled(): boolean {\n if (typeof navigator === 'undefined') return false;\n\n // DNT header can be \"1\" (enabled), \"0\" (disabled), or null (not set)\n return navigator.doNotTrack === '1';\n }\n\n /\n Check if Global Privacy Control is enabled in the browser\n /\n private isGPCEnabled(): boolean {\n if (typeof navigator === 'undefined') return false;\n\n // GPC is a newer spec, not all browsers support it yet\n // TypeScript doesn't have types for this yet, so we cast\n const nav = navigator as Navigator & { globalPrivacyControl?: boolean };\n return nav.globalPrivacyControl === true;\n }\n\n /\n Extract origin from a URL (handles both absolute and relative URLs)\n \n @param url - Full URL or relative path\n * @returns Origin string (e.g., \"https://api.example.com\")\n /\n private extractOrigin(url: string): string {\n try {\n // Handle absolute URLs\n if (url.startsWith('http://') \|\| url.startsWith('https://')) {\n return new URL(url).origin;\n }\n\n // Handle relative URLs - use current window location\n if (typeof window !== 'undefined') {\n return new URL(url, window.location.href).origin;\n }\n\n // Fallback for SSR or unknown cases\n return '';\n } catch {\n // Invalid URL - return empty string\n return '';\n }\n }\n\n /\n Check if a target origin matches any of the configured origins\n \n Uses substring matching for flexibility (e.g., \"example.com\" matches \"https://api.example.com\")\n \n @param targetOrigin - Origin to check\n * @param configuredOrigins - List of allowed or blocked origins\n * @returns true if any origin matches\n /\n private matchesAnyOrigin(\n targetOrigin: string,\n configuredOrigins: string[]\n ): boolean {\n return configuredOrigins.some((configuredOrigin) => {\n // Normalize both strings to lowercase for case-insensitive matching\n const normalizedTarget = targetOrigin.toLowerCase();\n const normalizedConfigured = configuredOrigin.toLowerCase();\n\n // Check if target origin contains the configured origin\n // This allows \"example.com\" to match \"https://api.example.com\"\n return normalizedTarget.includes(normalizedConfigured);\n });\n }\n}\n\n/\n Get reason why traceparent injection was denied (for debugging)\n \n Returns a human-readable reason if injection would be blocked,\n * or null if injection would be allowed.\n \n @param privacyManager - Configured PrivacyManager instance\n * @param url - URL to check\n * @returns Denial reason or null if allowed\n \n @example\n * ```typescript\n * const manager = new PrivacyManager({ respectDoNotTrack: true })\n * const reason = getDenialReason(manager, 'https://api.example.com')\n * if (reason) {\n * console.log('Traceparent blocked:', reason)\n * }\n * ```\n /\nexport function getDenialReason(\n privacyManager: PrivacyManager,\n url: string\n): string \| null {\n // This is a helper for debugging - it re-checks the conditions\n // to provide a user-friendly reason string\n const config = (privacyManager as any).config as PrivacyConfig;\n\n // Check DNT\n if (config.respectDoNotTrack && typeof navigator !== 'undefined') {\n if (navigator.doNotTrack === '1') {\n return 'Do Not Track is enabled';\n }\n }\n\n // Check GPC\n if (config.respectGPC && typeof navigator !== 'undefined') {\n const nav = navigator as Navigator & { globalPrivacyControl?: boolean };\n if (nav.globalPrivacyControl === true) {\n return 'Global Privacy Control is enabled';\n }\n }\n\n // Extract origin\n let targetOrigin = '';\n try {\n if (url.startsWith('http://') \|\| url.startsWith('https://')) {\n targetOrigin = new URL(url).origin;\n } else if (typeof window !== 'undefined') {\n targetOrigin = new URL(url, window.location.href).origin;\n }\n } catch {\n return 'Invalid URL';\n }\n\n // Check blocklist\n if (config.blockedOrigins) {\n const blocked = config.blockedOrigins.some((origin) =>\n targetOrigin.toLowerCase().includes(origin.toLowerCase())\n );\n if (blocked) {\n return `Origin ${targetOrigin} is in blockedOrigins list`;\n }\n }\n\n // Check allowlist\n if (config.allowedOrigins && config.allowedOrigins.length > 0) {\n const allowed = config.allowedOrigins.some((origin) =>\n targetOrigin.toLowerCase().includes(origin.toLowerCase())\n );\n if (!allowed) {\n return `Origin ${targetOrigin} is not in allowedOrigins list`;\n }\n }\n\n return null;\n}\n","/\n Minimal browser SDK initialization\n \n Patches fetch() and XMLHttpRequest to automatically inject W3C traceparent headers.\n * NO OpenTelemetry dependencies - just native browser APIs.\n \n Bundle size: ~2-5KB gzipped\n /\n\nimport { createTraceparent } from './traceparent';\nimport { PrivacyManager, PrivacyConfig, getDenialReason } from './privacy';\n\nexport interface AutotelWebConfig {\n /\n Service name for the browser application\n * Used only for logging/debugging - not sent in headers\n /\n service: string;\n\n /\n Enable debug logging to console\n * @default false\n /\n debug?: boolean;\n\n /\n Enable automatic traceparent injection on fetch calls\n * @default true\n /\n instrumentFetch?: boolean;\n\n /\n Enable automatic traceparent injection on XMLHttpRequest\n * @default true\n /\n instrumentXHR?: boolean;\n\n /\n Privacy controls for traceparent header injection\n \n Configure origin filtering and privacy signal respecting (DNT, GPC)\n * to ensure compliance with GDPR, CCPA, and user privacy preferences.\n \n @example Basic origin filtering\n * ```typescript\n * {\n * privacy: {\n * allowedOrigins: ['api.myapp.com'], // Only inject on API calls\n * respectDoNotTrack: true // Respect user's DNT setting\n * }\n * }\n * ```\n \n @example Block third-party analytics\n * ```typescript\n * {\n * privacy: {\n * blockedOrigins: ['analytics.google.com', 'facebook.com']\n * }\n * }\n * ```\n /\n privacy?: PrivacyConfig;\n}\n\nlet isInitialized = false;\nlet config: AutotelWebConfig \| undefined;\nlet privacyManager: PrivacyManager \| undefined;\nlet originalFetch: typeof window.fetch \| undefined;\nlet originalXHROpen: typeof XMLHttpRequest.prototype.open \| undefined;\nlet originalXHRSetRequestHeader: typeof XMLHttpRequest.prototype.setRequestHeader \| undefined;\n\n/\n Initialize autotel-web\n \n Patches fetch() and XMLHttpRequest to auto-inject traceparent headers.\n \n SSR-safe: Safe to call in SSR environments (checks for window).\n * Call once: Subsequent calls are ignored.\n \n @example\n * ```typescript\n * import { init } from 'autotel-web'\n \n init({ service: 'my-frontend-app' })\n \n // Now all fetch/XHR calls include traceparent headers!\n * fetch('/api/users') // <-- traceparent header automatically injected\n * ```\n \n @example With React (client-only)\n * ```typescript\n * import { useEffect } from 'react'\n * import { init } from 'autotel-web'\n \n function App() {\n * useEffect(() => {\n * init({ service: 'my-spa' })\n * }, [])\n \n return <div>...</div>\n * }\n * ```\n /\nexport function init(userConfig: AutotelWebConfig): void {\n // SSR-safe: do nothing on the server\n if (typeof window === 'undefined') {\n return;\n }\n\n if (isInitialized) {\n if (userConfig.debug) {\n console.warn('[autotel-web] Already initialized. Skipping.');\n }\n return;\n }\n\n // Validate configuration\n validateConfig(userConfig);\n\n config = userConfig;\n\n // Initialize privacy manager if privacy config provided\n if (config.privacy) {\n privacyManager = new PrivacyManager(config.privacy);\n }\n\n // Patch fetch\n if (config.instrumentFetch !== false) {\n patchFetch();\n }\n\n // Patch XHR\n if (config.instrumentXHR !== false) {\n patchXMLHttpRequest();\n }\n\n isInitialized = true;\n\n if (config.debug) {\n console.log('[autotel-web] Initialized successfully', {\n service: config.service,\n instrumentFetch: config.instrumentFetch !== false,\n instrumentXHR: config.instrumentXHR !== false,\n privacyEnabled: !!config.privacy,\n privacyConfig: config.privacy\n ? {\n allowedOrigins: config.privacy.allowedOrigins?.length ?? 0,\n blockedOrigins: config.privacy.blockedOrigins?.length ?? 0,\n respectDoNotTrack: config.privacy.respectDoNotTrack ?? false,\n respectGPC: config.privacy.respectGPC ?? false,\n }\n : null,\n });\n }\n}\n\n/\n Patch fetch() to auto-inject traceparent headers\n /\nfunction patchFetch(): void {\n // Always get the current window.fetch as the original\n // This allows tests to set up mocks before calling init()\n originalFetch = window.fetch.bind(window);\n\n window.fetch = function (\n input: RequestInfo \| URL,\n init?: RequestInit\n ): Promise<Response> {\n // Get URL string for logging and privacy checks\n const url =\n typeof input === 'string'\n ? input\n : input instanceof URL\n ? input.toString()\n : input.url;\n\n // Create headers object\n const headers = new Headers(init?.headers);\n\n // Only inject if traceparent doesn't already exist\n if (!headers.has('traceparent')) {\n // Check privacy controls\n if (privacyManager && !privacyManager.shouldInjectTraceparent(url)) {\n if (config?.debug) {\n const reason = getDenialReason(privacyManager, url);\n console.log(\n '[autotel-web] Skipped traceparent on fetch (privacy):',\n url,\n reason\n );\n }\n } else {\n // Inject traceparent header\n headers.set('traceparent', createTraceparent());\n\n if (config?.debug) {\n console.log(\n '[autotel-web] Injected traceparent on fetch:',\n url,\n headers.get('traceparent')\n );\n }\n }\n }\n\n // Call original fetch with updated headers\n // originalFetch is always defined here because patchFetch() sets it before patching\n return originalFetch!(input, { ...init, headers });\n };\n}\n\n/\n Patch XMLHttpRequest to auto-inject traceparent headers\n /\nfunction patchXMLHttpRequest(): void {\n // Always get the current prototypes as the originals\n // This allows tests to set up mocks before calling init()\n originalXHROpen = XMLHttpRequest.prototype.open;\n originalXHRSetRequestHeader = XMLHttpRequest.prototype.setRequestHeader;\n\n // Track which XHR instances have traceparent set\n const xhrHasTraceparent = new WeakSet<XMLHttpRequest>();\n\n // Patch setRequestHeader to track manual traceparent headers\n XMLHttpRequest.prototype.setRequestHeader = function (\n name: string,\n value: string\n ): void {\n if (name.toLowerCase() === 'traceparent') {\n xhrHasTraceparent.add(this);\n }\n // originalXHRSetRequestHeader is always defined here because patchXMLHttpRequest() sets it before patching\n return originalXHRSetRequestHeader!.call(this, name, value);\n };\n\n // Patch open to inject traceparent after headers are ready\n XMLHttpRequest.prototype.open = function (\n method: string,\n url: string \| URL,\n async: boolean = true,\n username?: string \| null,\n password?: string \| null\n ): void {\n // Call original open\n // originalXHROpen is always defined here because patchXMLHttpRequest() sets it before patching\n const result = originalXHROpen!.call(this, method, url, async, username, password);\n\n // Convert URL to string for logging and privacy checks\n const urlStr = typeof url === 'string' ? url : url.toString();\n\n // Listen for readyState change to inject header at the right time\n const xhr = this;\n const originalOnReadyStateChange = xhr.onreadystatechange;\n\n xhr.onreadystatechange = function (event: Event) {\n // OPENED state (1) - headers can now be set\n if (xhr.readyState === XMLHttpRequest.OPENED) {\n // Only inject if not already set\n if (!xhrHasTraceparent.has(xhr)) {\n // Check privacy controls\n if (privacyManager && !privacyManager.shouldInjectTraceparent(urlStr)) {\n if (config?.debug) {\n const reason = getDenialReason(privacyManager, urlStr);\n console.log(\n '[autotel-web] Skipped traceparent on XHR (privacy):',\n urlStr,\n reason\n );\n }\n } else {\n // Inject traceparent header\n try {\n const traceparent = createTraceparent();\n // originalXHRSetRequestHeader is always defined here because patchXMLHttpRequest() sets it before patching\n originalXHRSetRequestHeader!.call(xhr, 'traceparent', traceparent);\n\n if (config?.debug) {\n console.log(\n '[autotel-web] Injected traceparent on XHR:',\n urlStr,\n traceparent\n );\n }\n } catch (error) {\n // Silently ignore if setRequestHeader fails\n if (config?.debug) {\n console.warn(\n '[autotel-web] Failed to inject traceparent on XHR:',\n error\n );\n }\n }\n }\n }\n }\n\n // Call original handler if it exists\n if (originalOnReadyStateChange) {\n return originalOnReadyStateChange.call(xhr, event);\n }\n };\n\n return result;\n };\n}\n\n/\n Validate configuration at initialization time\n * Catches common misconfigurations early\n /\nfunction validateConfig(userConfig: AutotelWebConfig): void {\n // Validate service name\n if (!userConfig.service \|\| typeof userConfig.service !== 'string') {\n throw new Error('[autotel-web] service name is required and must be a string');\n }\n\n if (userConfig.service.length === 0) {\n throw new Error('[autotel-web] service name cannot be empty');\n }\n\n if (userConfig.service.length > 255) {\n console.warn(\n '[autotel-web] service name is very long (> 255 chars). Consider using a shorter name.'\n );\n }\n\n // Validate privacy config if provided\n if (userConfig.privacy) {\n const { allowedOrigins, blockedOrigins } = userConfig.privacy;\n\n // Warn if both allowlist and blocklist are empty\n if (\n (!allowedOrigins \|\| allowedOrigins.length === 0) &&\n (!blockedOrigins \|\| blockedOrigins.length === 0) &&\n !userConfig.privacy.respectDoNotTrack &&\n !userConfig.privacy.respectGPC\n ) {\n console.warn(\n '[autotel-web] privacy config provided but all options are empty/disabled. This has no effect.'\n );\n }\n\n // Warn about overlapping origins\n if (allowedOrigins && blockedOrigins) {\n const overlap = allowedOrigins.filter((allowed) =>\n blockedOrigins.some((blocked) =>\n allowed.toLowerCase().includes(blocked.toLowerCase())\n )\n );\n if (overlap.length > 0) {\n console.warn(\n '[autotel-web] Some allowedOrigins match blockedOrigins. Blocklist takes precedence:',\n overlap\n );\n }\n }\n\n // Validate origin format (warn if looks invalid)\n const allOrigins = [\n ...(allowedOrigins ?? []),\n ...(blockedOrigins ?? []),\n ];\n allOrigins.forEach((origin) => {\n if (origin.includes('://')) {\n console.warn(\n `[autotel-web] Origin \"${origin}\" includes protocol (://) - this is usually not needed. Just use the domain name.`\n );\n }\n });\n }\n}\n\n/\n Reset initialization state (for testing)\n * @internal\n /\nexport function resetForTesting(): void {\n isInitialized = false;\n config = undefined;\n privacyManager = undefined;\n\n // Restore original fetch/XHR if they were patched\n // Then clear the stored originals so next test can set up fresh mocks\n if (typeof window !== 'undefined') {\n if (originalFetch) {\n window.fetch = originalFetch;\n originalFetch = undefined;\n }\n if (originalXHROpen) {\n XMLHttpRequest.prototype.open = originalXHROpen;\n originalXHROpen = undefined;\n }\n if (originalXHRSetRequestHeader) {\n XMLHttpRequest.prototype.setRequestHeader = originalXHRSetRequestHeader;\n originalXHRSetRequestHeader = undefined;\n }\n }\n}\n\n/\n Get current configuration\n * @internal\n /\nexport function getConfig(): AutotelWebConfig \| undefined {\n return config;\n}\n\n/\n Get current privacy manager\n * @internal\n */\nexport function getPrivacyManager(): PrivacyManager \| undefined {\n return privacyManager;\n}\n"]}
1	+ {"version":3,"sources":["../src/privacy.ts","../src/span-exporter.ts","../src/init.ts"],"names":["config","privacyManager","init"],"mappings":";;;;AAiEO,IAAM,iBAAN,MAAqB;AAAA,EAC1B,YAA6BA,OAAAA,EAAuB;AAAvB,IAAA,aAAA,CAAA,IAAA,EAAA,QAAA,EAAAA,OAAAA,CAAAA;AAAA,EAAwB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAerD,wBAAwB,GAAA,EAAsB;AAE5C,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,iBAAA,IAAqB,IAAA,CAAK,qBAAoB,EAAG;AAC/D,MAAA,OAAO,KAAA;AAAA,IACT;AAGA,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,UAAA,IAAc,IAAA,CAAK,cAAa,EAAG;AACjD,MAAA,OAAO,KAAA;AAAA,IACT;AAGA,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,aAAA,CAAc,GAAG,CAAA;AAG3C,IAAA,IACE,IAAA,CAAK,OAAO,cAAA,IACZ,IAAA,CAAK,iBAAiB,YAAA,EAAc,IAAA,CAAK,MAAA,CAAO,cAAc,CAAA,EAC9D;AACA,MAAA,OAAO,KAAA;AAAA,IACT;AAGA,IAAA,IAAI,KAAK,MAAA,CAAO,cAAA,IAAkB,KAAK,MAAA,CAAO,cAAA,CAAe,SAAS,CAAA,EAAG;AACvE,MAAA,OAAO,IAAA,CAAK,gBAAA,CAAiB,YAAA,EAAc,IAAA,CAAK,OAAO,cAAc,CAAA;AAAA,IACvE;AAGA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,mBAAA,GAA+B;AACrC,IAAA,IAAI,OAAO,SAAA,KAAc,WAAA,EAAa,OAAO,KAAA;AAG7C,IAAA,OAAO,UAAU,UAAA,KAAe,GAAA;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAA,GAAwB;AAC9B,IAAA,IAAI,OAAO,SAAA,KAAc,WAAA,EAAa,OAAO,KAAA;AAI7C,IAAA,MAAM,GAAA,GAAM,SAAA;AACZ,IAAA,OAAO,IAAI,oBAAA,KAAyB,IAAA;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,cAAc,GAAA,EAAqB;AACzC,IAAA,IAAI;AAEF,MAAA,IAAI,IAAI,UAAA,CAAW,SAAS,KAAK,GAAA,CAAI,UAAA,CAAW,UAAU,CAAA,EAAG;AAC3D,QAAA,OAAO,IAAI,GAAA,CAAI,GAAG,CAAA,CAAE,MAAA;AAAA,MACtB;AAGA,MAAA,IAAI,OAAO,WAAW,WAAA,EAAa;AACjC,QAAA,OAAO,IAAI,GAAA,CAAI,GAAA,EAAK,MAAA,CAAO,QAAA,CAAS,IAAI,CAAA,CAAE,MAAA;AAAA,MAC5C;AAGA,MAAA,OAAO,EAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AAEN,MAAA,OAAO,EAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWQ,gBAAA,CACN,cACA,iBAAA,EACS;AACT,IAAA,OAAO,iBAAA,CAAkB,IAAA,CAAK,CAAC,gBAAA,KAAqB;AAElD,MAAA,MAAM,gBAAA,GAAmB,aAAa,WAAA,EAAY;AAClD,MAAA,MAAM,oBAAA,GAAuB,iBAAiB,WAAA,EAAY;AAI1D,MAAA,OAAO,gBAAA,CAAiB,SAAS,oBAAoB,CAAA;AAAA,IACvD,CAAC,CAAA;AAAA,EACH;AACF,CAAA;AAqBO,SAAS,eAAA,CACdC,iBACA,GAAA,EACe;AAGf,EAAA,MAAMD,UAAUC,eAAAA,CAAuB,MAAA;AAGvC,EAAA,IAAID,OAAAA,CAAO,iBAAA,IAAqB,OAAO,SAAA,KAAc,WAAA,EAAa;AAChE,IAAA,IAAI,SAAA,CAAU,eAAe,GAAA,EAAK;AAChC,MAAA,OAAO,yBAAA;AAAA,IACT;AAAA,EACF;AAGA,EAAA,IAAIA,OAAAA,CAAO,UAAA,IAAc,OAAO,SAAA,KAAc,WAAA,EAAa;AACzD,IAAA,MAAM,GAAA,GAAM,SAAA;AACZ,IAAA,IAAI,GAAA,CAAI,yBAAyB,IAAA,EAAM;AACrC,MAAA,OAAO,mCAAA;AAAA,IACT;AAAA,EACF;AAGA,EAAA,IAAI,YAAA,GAAe,EAAA;AACnB,EAAA,IAAI;AACF,IAAA,IAAI,IAAI,UAAA,CAAW,SAAS,KAAK,GAAA,CAAI,UAAA,CAAW,UAAU,CAAA,EAAG;AAC3D,MAAA,YAAA,GAAe,IAAI,GAAA,CAAI,GAAG,CAAA,CAAE,MAAA;AAAA,IAC9B,CAAA,MAAA,IAAW,OAAO,MAAA,KAAW,WAAA,EAAa;AACxC,MAAA,YAAA,GAAe,IAAI,GAAA,CAAI,GAAA,EAAK,MAAA,CAAO,QAAA,CAAS,IAAI,CAAA,CAAE,MAAA;AAAA,IACpD;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,aAAA;AAAA,EACT;AAGA,EAAA,IAAIA,QAAO,cAAA,EAAgB;AACzB,IAAA,MAAM,OAAA,GAAUA,QAAO,cAAA,CAAe,IAAA;AAAA,MAAK,CAAC,WAC1C,YAAA,CAAa,WAAA,GAAc,QAAA,CAAS,MAAA,CAAO,aAAa;AAAA,KAC1D;AACA,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,OAAO,UAAU,YAAY,CAAA,0BAAA,CAAA;AAAA,IAC/B;AAAA,EACF;AAGA,EAAA,IAAIA,OAAAA,CAAO,cAAA,IAAkBA,OAAAA,CAAO,cAAA,CAAe,SAAS,CAAA,EAAG;AAC7D,IAAA,MAAM,OAAA,GAAUA,QAAO,cAAA,CAAe,IAAA;AAAA,MAAK,CAAC,WAC1C,YAAA,CAAa,WAAA,GAAc,QAAA,CAAS,MAAA,CAAO,aAAa;AAAA,KAC1D;AACA,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,OAAO,UAAU,YAAY,CAAA,8BAAA,CAAA;AAAA,IAC/B;AAAA,EACF;AAEA,EAAA,OAAO,IAAA;AACT;;;AC9PA,IAAI,KAAA,GAAQ,KAAA;AACZ,IAAI,WAAA,GAAc,SAAA;AAClB,IAAI,cAAA;AACJ,IAAI,eAA0B,EAAC;AAC/B,IAAI,UAAA;AACJ,IAAI,QAAA;AAMG,SAAS,YAAY,EAAA,EAAmC;AAC7D,EAAA,QAAA,GAAW,EAAA;AACb;AAEO,SAAS,iBAAA,CAAkB,OAAA,EAAiB,QAAA,EAAkB,WAAA,GAAc,KAAA,EAAa;AAC9F,EAAA,KAAA,GAAQ,WAAA;AACR,EAAA,WAAA,GAAc,OAAA;AACd,EAAA,cAAA,GAAiB,QAAA,CAAS,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AAC3C,EAAA,IAAI,CAAC,cAAA,CAAe,QAAA,CAAS,YAAY,CAAA,EAAG;AAC1C,IAAA,cAAA,IAAkB,YAAA;AAAA,EACpB;AACA,EAAA,IAAI,CAAC,UAAA,EAAY;AACf,IAAA,UAAA,GAAa,WAAA,CAAY,YAAY,GAAI,CAAA;AAAA,EAC3C;AACF;AAEO,SAAS,WACd,OAAA,EACA,MAAA,EACA,IAAA,EACA,OAAA,EACA,OACA,KAAA,EACM;AACN,EAAA,IAAI,CAAC,cAAA,EAAgB;AACrB,EAAA,IAAI,KAAA,EAAO,OAAA,CAAQ,GAAA,CAAI,CAAA,0BAAA,EAA6B,IAAI,CAAA,EAAA,EAAK,OAAA,CAAQ,KAAA,CAAM,CAAA,EAAG,CAAC,CAAC,CAAA,OAAA,CAAI,CAAA;AACpF,EAAA,MAAM,UAAA,GAAa,KAAA,GACf,MAAA,CAAO,OAAA,CAAQ,KAAK,CAAA,CAAE,GAAA,CAAI,CAAC,CAAC,GAAA,EAAK,KAAK,CAAA,MAAO;AAAA,IAC3C,GAAA;AAAA,IACA,KAAA,EAAO,OAAO,KAAA,KAAU,QAAA,GAAW,EAAE,QAAA,EAAU,MAAA,CAAO,KAAK,CAAA,EAAE,GAAI,EAAE,WAAA,EAAa,KAAA;AAAM,IACtF,CAAA,GACF,MAAA;AACJ,EAAA,YAAA,CAAa,IAAA,CAAK;AAAA,IAChB,OAAA;AAAA,IACA,MAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA,EAAM,CAAA;AAAA;AAAA,IACN,mBAAmB,MAAA,CAAO,IAAA,CAAK,KAAA,CAAM,OAAA,GAAU,GAAS,CAAC,CAAA;AAAA,IACzD,iBAAiB,MAAA,CAAO,IAAA,CAAK,KAAA,CAAM,KAAA,GAAQ,GAAS,CAAC,CAAA;AAAA,IACrD;AAAA,GACD,CAAA;AAED,EAAA,UAAA,EAAW;AACb;AAEO,SAAS,UAAA,GAAmB;AACjC,EAAA,IAAI,CAAC,cAAA,IAAkB,YAAA,CAAa,MAAA,KAAW,CAAA,EAAG;AAClD,EAAA,IAAI,KAAA,UAAe,GAAA,CAAI,CAAA,kCAAA,EAAqC,aAAa,MAAM,CAAA,YAAA,EAAe,cAAc,CAAA,CAAE,CAAA;AAC9G,EAAA,MAAM,KAAA,GAAQ,YAAA;AACd,EAAA,YAAA,GAAe,EAAC;AAChB,EAAA,MAAM,OAAA,GAAU,KAAK,SAAA,CAAU;AAAA,IAC7B,eAAe,CAAC;AAAA,MACd,QAAA,EAAU,EAAE,UAAA,EAAY,CAAC,EAAE,GAAA,EAAK,cAAA,EAAgB,KAAA,EAAO,EAAE,WAAA,EAAa,WAAA,EAAY,EAAG,CAAA,EAAE;AAAA,MACvF,UAAA,EAAY,CAAC,EAAE,KAAA,EAAO,EAAE,IAAA,EAAM,aAAA,EAAc,EAAG,KAAA,EAAO;AAAA,KACvD;AAAA,GACF,CAAA;AACD,EAAA,MAAM,IAAA,GAAO,IAAI,IAAA,CAAK,CAAC,OAAO,CAAA,EAAG,EAAE,IAAA,EAAM,kBAAA,EAAoB,CAAA;AAC7D,EAAA,MAAM,IAAA,GAAO,OAAO,SAAA,EAAW,UAAA,KAAe,cAAc,SAAA,CAAU,UAAA,CAAW,gBAAgB,IAAI,CAAA;AACrG,EAAA,IAAI,CAAC,QAAQ,QAAA,EAAU;AACrB,IAAA,QAAA,CAAS,cAAA,EAAgB;AAAA,MACvB,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAAA,MAC9C,IAAA,EAAM,OAAA;AAAA,MACN,SAAA,EAAW;AAAA,KACZ,CAAA,CAAE,KAAA,CAAM,MAAM;AAAA,IAAC,CAAC,CAAA;AAAA,EACnB;AACF;AAEO,SAAS,YAAA,GAAwB;AACtC,EAAA,OAAO,cAAA,KAAmB,MAAA;AAC5B;;;ACbA,IAAI,aAAA,GAAgB,KAAA;AACpB,IAAI,MAAA;AACJ,IAAI,cAAA;AACJ,IAAI,aAAA;AACJ,IAAI,eAAA;AACJ,IAAI,2BAAA;AAkCG,SAAS,KAAK,UAAA,EAAoC;AAEvD,EAAA,IAAI,OAAO,WAAW,WAAA,EAAa;AACjC,IAAA;AAAA,EACF;AAEA,EAAA,IAAI,aAAA,EAAe;AACjB,IAAA,IAAI,WAAW,KAAA,EAAO;AACpB,MAAA,OAAA,CAAQ,KAAK,8CAA8C,CAAA;AAAA,IAC7D;AACA,IAAA;AAAA,EACF;AAGA,EAAA,cAAA,CAAe,UAAU,CAAA;AAEzB,EAAA,MAAA,GAAS,UAAA;AAGT,EAAA,IAAI,OAAO,OAAA,EAAS;AAClB,IAAA,cAAA,GAAiB,IAAI,cAAA,CAAe,MAAA,CAAO,OAAO,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,MAAA,CAAO,aAAa,MAAA,EAAW;AACjC,IAAA,WAAA,CAAY,MAAA,CAAO,KAAA,CAAM,IAAA,CAAK,MAAM,CAAC,CAAA;AACrC,IAAA,iBAAA,CAAkB,MAAA,CAAO,OAAA,EAAS,MAAA,CAAO,QAAA,EAAU,OAAO,KAAK,CAAA;AAAA,EACjE;AAGA,EAAA,IAAI,MAAA,CAAO,oBAAoB,KAAA,EAAO;AACpC,IAAA,UAAA,EAAW;AAAA,EACb;AAGA,EAAA,IAAI,MAAA,CAAO,kBAAkB,KAAA,EAAO;AAClC,IAAA,mBAAA,EAAoB;AAAA,EACtB;AAEA,EAAA,IAAI,MAAA,CAAO,aAAa,MAAA,EAAW;AACjC,IAAA,MAAA,CAAO,gBAAA,CAAiB,oBAAoB,MAAM;AAChD,MAAA,IAAI,QAAA,CAAS,eAAA,KAAoB,QAAA,EAAU,UAAA,EAAW;AAAA,IACxD,CAAC,CAAA;AAAA,EACH;AAEA,EAAA,aAAA,GAAgB,IAAA;AAEhB,EAAA,IAAI,OAAO,KAAA,EAAO;AAChB,IAAA,OAAA,CAAQ,IAAI,wCAAA,EAA0C;AAAA,MACpD,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,eAAA,EAAiB,OAAO,eAAA,KAAoB,KAAA;AAAA,MAC5C,aAAA,EAAe,OAAO,aAAA,KAAkB,KAAA;AAAA,MACxC,cAAA,EAAgB,CAAC,CAAC,MAAA,CAAO,OAAA;AAAA,MACzB,aAAA,EAAe,OAAO,OAAA,GAClB;AAAA,QACE,cAAA,EAAgB,MAAA,CAAO,OAAA,CAAQ,cAAA,EAAgB,MAAA,IAAU,CAAA;AAAA,QACzD,cAAA,EAAgB,MAAA,CAAO,OAAA,CAAQ,cAAA,EAAgB,MAAA,IAAU,CAAA;AAAA,QACzD,iBAAA,EAAmB,MAAA,CAAO,OAAA,CAAQ,iBAAA,IAAqB,KAAA;AAAA,QACvD,UAAA,EAAY,MAAA,CAAO,OAAA,CAAQ,UAAA,IAAc;AAAA,OAC3C,GACA;AAAA,KACL,CAAA;AAAA,EACH;AACF;AAKA,SAAS,UAAA,GAAmB;AAG1B,EAAA,aAAA,GAAgB,MAAA,CAAO,KAAA,CAAM,IAAA,CAAK,MAAM,CAAA;AAExC,EAAA,MAAA,CAAO,KAAA,GAAQ,SACb,KAAA,EACAE,KAAAA,EACmB;AAEnB,IAAA,MAAM,GAAA,GACJ,OAAO,KAAA,KAAU,QAAA,GACb,KAAA,GACA,iBAAiB,GAAA,GACf,KAAA,CAAM,QAAA,EAAS,GACf,KAAA,CAAM,GAAA;AAGd,IAAA,MAAM,OAAA,GAAU,IAAI,OAAA,CAAQA,KAAAA,EAAM,OAAO,CAAA;AAGzC,IAAA,IAAI,mBAAA;AACJ,IAAA,IAAI,CAAC,OAAA,CAAQ,GAAA,CAAI,aAAa,CAAA,EAAG;AAE/B,MAAA,IAAI,cAAA,IAAkB,CAAC,cAAA,CAAe,uBAAA,CAAwB,GAAG,CAAA,EAAG;AAClE,QAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,UAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,cAAA,EAAgB,GAAG,CAAA;AAClD,UAAA,OAAA,CAAQ,GAAA;AAAA,YACN,uDAAA;AAAA,YACA,GAAA;AAAA,YACA;AAAA,WACF;AAAA,QACF;AAAA,MACF,CAAA,MAAO;AACL,QAAA,mBAAA,GAAsB,iBAAA,EAAkB;AACxC,QAAA,OAAA,CAAQ,GAAA,CAAI,eAAe,mBAAmB,CAAA;AAE9C,QAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,UAAA,OAAA,CAAQ,GAAA;AAAA,YACN,8CAAA;AAAA,YACA,GAAA;AAAA,YACA;AAAA,WACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,MAAM,SAASA,KAAAA,EAAM,MAAA,KACf,iBAAiB,OAAA,GAAU,KAAA,CAAM,SAAS,MAAA,CAAA,IAC3C,KAAA;AAGL,IAAA,MAAM,SAAA,GAAY,WAAA,CAAY,UAAA,GAAa,WAAA,CAAY,GAAA,EAAI;AAC3D,IAAA,MAAM,eAAe,aAAA,CAAe,KAAA,EAAO,EAAE,GAAGA,KAAAA,EAAM,SAAS,CAAA;AAG/D,IAAA,IAAI,mBAAA,IAAuB,cAAa,EAAG;AACzC,MAAA,YAAA,CAAa,IAAA;AAAA,QACX,CAAC,QAAA,KAAa;AACZ,UAAA,MAAM,OAAA,GAAU,WAAA,CAAY,UAAA,GAAa,WAAA,CAAY,GAAA,EAAI;AACzD,UAAA,MAAM,MAAA,GAAS,iBAAiB,mBAAoB,CAAA;AACpD,UAAA,IAAI,MAAA,EAAQ;AACV,YAAA,IAAI,QAAA;AACJ,YAAA,IAAI;AAAE,cAAA,QAAA,GAAW,IAAI,GAAA,CAAI,GAAA,EAAK,MAAA,CAAO,QAAA,CAAS,MAAM,CAAA,CAAE,QAAA;AAAA,YAAU,CAAA,CAAA,MAAQ;AAAE,cAAA,QAAA,GAAW,GAAA;AAAA,YAAK;AAC1F,YAAA,UAAA,CAAW,MAAA,CAAO,SAAS,MAAA,CAAO,MAAA,EAAQ,WAAW,QAAQ,CAAA,CAAA,EAAI,WAAW,OAAA,EAAS;AAAA,cACnF,aAAA,EAAe,MAAA;AAAA,cACf,UAAA,EAAY,GAAA;AAAA,cACZ,oBAAoB,QAAA,CAAS;AAAA,aAC9B,CAAA;AAAA,UACH;AAAA,QACF,CAAA;AAAA,QACA,MAAM;AACJ,UAAA,MAAM,OAAA,GAAU,WAAA,CAAY,UAAA,GAAa,WAAA,CAAY,GAAA,EAAI;AACzD,UAAA,MAAM,MAAA,GAAS,iBAAiB,mBAAoB,CAAA;AACpD,UAAA,IAAI,MAAA,EAAQ;AACV,YAAA,IAAI,QAAA;AACJ,YAAA,IAAI;AAAE,cAAA,QAAA,GAAW,IAAI,GAAA,CAAI,GAAA,EAAK,MAAA,CAAO,QAAA,CAAS,MAAM,CAAA,CAAE,QAAA;AAAA,YAAU,CAAA,CAAA,MAAQ;AAAE,cAAA,QAAA,GAAW,GAAA;AAAA,YAAK;AAC1F,YAAA,UAAA,CAAW,MAAA,CAAO,SAAS,MAAA,CAAO,MAAA,EAAQ,WAAW,QAAQ,CAAA,CAAA,EAAI,WAAW,OAAA,EAAS;AAAA,cACnF,aAAA,EAAe,MAAA;AAAA,cACf,UAAA,EAAY;AAAA,aACb,CAAA;AAAA,UACH;AAAA,QACF;AAAA,OACF;AAAA,IACF;AAEA,IAAA,OAAO,YAAA;AAAA,EACT,CAAA;AACF;AAKA,SAAS,mBAAA,GAA4B;AAGnC,EAAA,eAAA,GAAkB,eAAe,SAAA,CAAU,IAAA;AAC3C,EAAA,2BAAA,GAA8B,eAAe,SAAA,CAAU,gBAAA;AAGvD,EAAA,MAAM,iBAAA,uBAAwB,OAAA,EAAwB;AAGtD,EAAA,cAAA,CAAe,SAAA,CAAU,gBAAA,GAAmB,SAC1C,IAAA,EACA,KAAA,EACM;AACN,IAAA,IAAI,IAAA,CAAK,WAAA,EAAY,KAAM,aAAA,EAAe;AACxC,MAAA,iBAAA,CAAkB,IAAI,IAAI,CAAA;AAAA,IAC5B;AAEA,IAAA,OAAO,2BAAA,CAA6B,IAAA,CAAK,IAAA,EAAM,IAAA,EAAM,KAAK,CAAA;AAAA,EAC5D,CAAA;AAGA,EAAA,cAAA,CAAe,SAAA,CAAU,OAAO,SAC9B,MAAA,EACA,KACA,KAAA,GAAiB,IAAA,EACjB,UACA,QAAA,EACM;AAGN,IAAA,MAAM,MAAA,GAAS,gBAAiB,IAAA,CAAK,IAAA,EAAM,QAAQ,GAAA,EAAK,KAAA,EAAO,UAAU,QAAQ,CAAA;AAGjF,IAAA,MAAM,SAAS,OAAO,GAAA,KAAQ,QAAA,GAAW,GAAA,GAAM,IAAI,QAAA,EAAS;AAG5D,IAAA,MAAM,GAAA,GAAM,IAAA;AACZ,IAAA,MAAM,6BAA6B,GAAA,CAAI,kBAAA;AAEvC,IAAA,GAAA,CAAI,kBAAA,GAAqB,SAAU,KAAA,EAAc;AAE/C,MAAA,IAAI,GAAA,CAAI,UAAA,KAAe,cAAA,CAAe,MAAA,EAAQ;AAE5C,QAAA,IAAI,CAAC,iBAAA,CAAkB,GAAA,CAAI,GAAG,CAAA,EAAG;AAE/B,UAAA,IAAI,cAAA,IAAkB,CAAC,cAAA,CAAe,uBAAA,CAAwB,MAAM,CAAA,EAAG;AACrE,YAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,cAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,cAAA,EAAgB,MAAM,CAAA;AACrD,cAAA,OAAA,CAAQ,GAAA;AAAA,gBACN,qDAAA;AAAA,gBACA,MAAA;AAAA,gBACA;AAAA,eACF;AAAA,YACF;AAAA,UACF,CAAA,MAAO;AAEL,YAAA,IAAI;AACF,cAAA,MAAM,cAAc,iBAAA,EAAkB;AAEtC,cAAA,2BAAA,CAA6B,IAAA,CAAK,GAAA,EAAK,aAAA,EAAe,WAAW,CAAA;AAEjE,cAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,gBAAA,OAAA,CAAQ,GAAA;AAAA,kBACN,4CAAA;AAAA,kBACA,MAAA;AAAA,kBACA;AAAA,iBACF;AAAA,cACF;AAAA,YACF,SAAS,KAAA,EAAO;AAEd,cAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,gBAAA,OAAA,CAAQ,IAAA;AAAA,kBACN,oDAAA;AAAA,kBACA;AAAA,iBACF;AAAA,cACF;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAGA,MAAA,IAAI,0BAAA,EAA4B;AAC9B,QAAA,OAAO,0BAAA,CAA2B,IAAA,CAAK,GAAA,EAAK,KAAK,CAAA;AAAA,MACnD;AAAA,IACF,CAAA;AAEA,IAAA,OAAO,MAAA;AAAA,EACT,CAAA;AACF;AAMA,SAAS,eAAe,UAAA,EAAoC;AAE1D,EAAA,IAAI,CAAC,UAAA,CAAW,OAAA,IAAW,OAAO,UAAA,CAAW,YAAY,QAAA,EAAU;AACjE,IAAA,MAAM,IAAI,MAAM,6DAA6D,CAAA;AAAA,EAC/E;AAEA,EAAA,IAAI,UAAA,CAAW,OAAA,CAAQ,MAAA,KAAW,CAAA,EAAG;AACnC,IAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,EAC9D;AAEA,EAAA,IAAI,UAAA,CAAW,OAAA,CAAQ,MAAA,GAAS,GAAA,EAAK;AACnC,IAAA,OAAA,CAAQ,IAAA;AAAA,MACN;AAAA,KACF;AAAA,EACF;AAGA,EAAA,IAAI,WAAW,OAAA,EAAS;AACtB,IAAA,MAAM,EAAE,cAAA,EAAgB,cAAA,EAAe,GAAI,UAAA,CAAW,OAAA;AAGtD,IAAA,IAAA,CACG,CAAC,cAAA,IAAkB,cAAA,CAAe,MAAA,KAAW,CAAA,MAC7C,CAAC,cAAA,IAAkB,cAAA,CAAe,MAAA,KAAW,CAAA,CAAA,IAC9C,CAAC,UAAA,CAAW,OAAA,CAAQ,qBACpB,CAAC,UAAA,CAAW,QAAQ,UAAA,EACpB;AACA,MAAA,OAAA,CAAQ,IAAA;AAAA,QACN;AAAA,OACF;AAAA,IACF;AAGA,IAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,MAAA,MAAM,UAAU,cAAA,CAAe,MAAA;AAAA,QAAO,CAAC,YACrC,cAAA,CAAe,IAAA;AAAA,UAAK,CAAC,YACnB,OAAA,CAAQ,WAAA,GAAc,QAAA,CAAS,OAAA,CAAQ,aAAa;AAAA;AACtD,OACF;AACA,MAAA,IAAI,OAAA,CAAQ,SAAS,CAAA,EAAG;AACtB,QAAA,OAAA,CAAQ,IAAA;AAAA,UACN,qFAAA;AAAA,UACA;AAAA,SACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,MAAM,UAAA,GAAa;AAAA,MACjB,GAAI,kBAAkB,EAAC;AAAA,MACvB,GAAI,kBAAkB;AAAC,KACzB;AACA,IAAA,UAAA,CAAW,OAAA,CAAQ,CAAC,MAAA,KAAW;AAC7B,MAAA,IAAI,MAAA,CAAO,QAAA,CAAS,KAAK,CAAA,EAAG;AAC1B,QAAA,OAAA,CAAQ,IAAA;AAAA,UACN,yBAAyB,MAAM,CAAA,iFAAA;AAAA,SACjC;AAAA,MACF;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AACF","file":"index.js","sourcesContent":["/*\n Privacy controls for autotel-web\n \n Provides origin filtering and privacy signal respecting (DNT, GPC)\n * to ensure compliance with GDPR, CCPA, and user privacy preferences.\n /\n\nexport interface PrivacyConfig {\n /\n Only inject traceparent headers on requests to these origins (whitelist)\n \n If specified, traceparent will ONLY be injected on matching origins.\n * Origins are matched using substring matching (e.g., \"example.com\" matches \"https://api.example.com\").\n \n @example\n * ```typescript\n * {\n * allowedOrigins: ['api.myapp.com', 'myapp.com']\n * }\n * ```\n /\n allowedOrigins?: string[];\n\n /\n Never inject traceparent headers on requests to these origins (blacklist)\n \n Takes precedence over allowedOrigins.\n * Origins are matched using substring matching.\n \n @example\n * ```typescript\n * {\n * blockedOrigins: ['analytics.google.com', 'facebook.com']\n * }\n * ```\n /\n blockedOrigins?: string[];\n\n /\n Respect the Do Not Track (DNT) browser setting\n \n If true and user has DNT enabled, no traceparent headers will be injected.\n \n @default false\n * @see https://developer.mozilla.org/en-US/docs/Web/API/Navigator/doNotTrack\n /\n respectDoNotTrack?: boolean;\n\n /\n Respect the Global Privacy Control (GPC) browser signal\n \n If true and user has GPC enabled, no traceparent headers will be injected.\n \n @default false\n * @see https://globalprivacycontrol.org/\n /\n respectGPC?: boolean;\n}\n\n/\n Manages privacy controls for traceparent header injection\n \n Checks user privacy preferences (DNT, GPC) and origin filtering rules\n * to determine if traceparent headers should be injected on a given request.\n /\nexport class PrivacyManager {\n constructor(private readonly config: PrivacyConfig) {}\n\n /\n Check if traceparent header should be injected for a given URL\n \n Decision order:\n * 1. Check Do Not Track (if enabled)\n * 2. Check Global Privacy Control (if enabled)\n * 3. Check blockedOrigins (explicit deny)\n * 4. Check allowedOrigins (explicit allow, if configured)\n * 5. Default: allow\n \n @param url - Full URL or relative path of the request\n * @returns true if traceparent should be injected, false otherwise\n /\n shouldInjectTraceparent(url: string): boolean {\n // Check Do Not Track\n if (this.config.respectDoNotTrack && this.isDoNotTrackEnabled()) {\n return false;\n }\n\n // Check Global Privacy Control\n if (this.config.respectGPC && this.isGPCEnabled()) {\n return false;\n }\n\n // Get the origin of the target URL\n const targetOrigin = this.extractOrigin(url);\n\n // Check blocklist first (explicit deny takes precedence)\n if (\n this.config.blockedOrigins &&\n this.matchesAnyOrigin(targetOrigin, this.config.blockedOrigins)\n ) {\n return false;\n }\n\n // If allowlist exists, only allow those origins\n if (this.config.allowedOrigins && this.config.allowedOrigins.length > 0) {\n return this.matchesAnyOrigin(targetOrigin, this.config.allowedOrigins);\n }\n\n // Default: allow (backward compatible behavior)\n return true;\n }\n\n /\n Check if Do Not Track is enabled in the browser\n /\n private isDoNotTrackEnabled(): boolean {\n if (typeof navigator === 'undefined') return false;\n\n // DNT header can be \"1\" (enabled), \"0\" (disabled), or null (not set)\n return navigator.doNotTrack === '1';\n }\n\n /\n Check if Global Privacy Control is enabled in the browser\n /\n private isGPCEnabled(): boolean {\n if (typeof navigator === 'undefined') return false;\n\n // GPC is a newer spec, not all browsers support it yet\n // TypeScript doesn't have types for this yet, so we cast\n const nav = navigator as Navigator & { globalPrivacyControl?: boolean };\n return nav.globalPrivacyControl === true;\n }\n\n /\n Extract origin from a URL (handles both absolute and relative URLs)\n \n @param url - Full URL or relative path\n * @returns Origin string (e.g., \"https://api.example.com\")\n /\n private extractOrigin(url: string): string {\n try {\n // Handle absolute URLs\n if (url.startsWith('http://') \|\| url.startsWith('https://')) {\n return new URL(url).origin;\n }\n\n // Handle relative URLs - use current window location\n if (typeof window !== 'undefined') {\n return new URL(url, window.location.href).origin;\n }\n\n // Fallback for SSR or unknown cases\n return '';\n } catch {\n // Invalid URL - return empty string\n return '';\n }\n }\n\n /\n Check if a target origin matches any of the configured origins\n \n Uses substring matching for flexibility (e.g., \"example.com\" matches \"https://api.example.com\")\n \n @param targetOrigin - Origin to check\n * @param configuredOrigins - List of allowed or blocked origins\n * @returns true if any origin matches\n /\n private matchesAnyOrigin(\n targetOrigin: string,\n configuredOrigins: string[]\n ): boolean {\n return configuredOrigins.some((configuredOrigin) => {\n // Normalize both strings to lowercase for case-insensitive matching\n const normalizedTarget = targetOrigin.toLowerCase();\n const normalizedConfigured = configuredOrigin.toLowerCase();\n\n // Check if target origin contains the configured origin\n // This allows \"example.com\" to match \"https://api.example.com\"\n return normalizedTarget.includes(normalizedConfigured);\n });\n }\n}\n\n/\n Get reason why traceparent injection was denied (for debugging)\n \n Returns a human-readable reason if injection would be blocked,\n * or null if injection would be allowed.\n \n @param privacyManager - Configured PrivacyManager instance\n * @param url - URL to check\n * @returns Denial reason or null if allowed\n \n @example\n * ```typescript\n * const manager = new PrivacyManager({ respectDoNotTrack: true })\n * const reason = getDenialReason(manager, 'https://api.example.com')\n * if (reason) {\n * console.log('Traceparent blocked:', reason)\n * }\n * ```\n /\nexport function getDenialReason(\n privacyManager: PrivacyManager,\n url: string\n): string \| null {\n // This is a helper for debugging - it re-checks the conditions\n // to provide a user-friendly reason string\n const config = (privacyManager as any).config as PrivacyConfig;\n\n // Check DNT\n if (config.respectDoNotTrack && typeof navigator !== 'undefined') {\n if (navigator.doNotTrack === '1') {\n return 'Do Not Track is enabled';\n }\n }\n\n // Check GPC\n if (config.respectGPC && typeof navigator !== 'undefined') {\n const nav = navigator as Navigator & { globalPrivacyControl?: boolean };\n if (nav.globalPrivacyControl === true) {\n return 'Global Privacy Control is enabled';\n }\n }\n\n // Extract origin\n let targetOrigin = '';\n try {\n if (url.startsWith('http://') \|\| url.startsWith('https://')) {\n targetOrigin = new URL(url).origin;\n } else if (typeof window !== 'undefined') {\n targetOrigin = new URL(url, window.location.href).origin;\n }\n } catch {\n return 'Invalid URL';\n }\n\n // Check blocklist\n if (config.blockedOrigins) {\n const blocked = config.blockedOrigins.some((origin) =>\n targetOrigin.toLowerCase().includes(origin.toLowerCase())\n );\n if (blocked) {\n return `Origin ${targetOrigin} is in blockedOrigins list`;\n }\n }\n\n // Check allowlist\n if (config.allowedOrigins && config.allowedOrigins.length > 0) {\n const allowed = config.allowedOrigins.some((origin) =>\n targetOrigin.toLowerCase().includes(origin.toLowerCase())\n );\n if (!allowed) {\n return `Origin ${targetOrigin} is not in allowedOrigins list`;\n }\n }\n\n return null;\n}\n","/\n Lightweight browser span exporter via sendBeacon/fetch.\n * Sends OTLP/JSON spans so the browser's traceparent spanId\n * exists as a real span in the collector.\n /\n\nlet debug = false;\nlet serviceName = 'browser';\nlet exportEndpoint: string \| undefined;\nlet pendingSpans: unknown[] = [];\nlet flushTimer: ReturnType<typeof setTimeout> \| undefined;\nlet rawFetch: typeof globalThis.fetch \| undefined;\n\n/\n Provide the unpatched fetch so the exporter bypasses instrumentation.\n * Must be called before init() patches window.fetch.\n /\nexport function setRawFetch(fn: typeof globalThis.fetch): void {\n rawFetch = fn;\n}\n\nexport function configureExporter(service: string, endpoint: string, enableDebug = false): void {\n debug = enableDebug;\n serviceName = service;\n exportEndpoint = endpoint.replace(/\\/$/, '');\n if (!exportEndpoint.endsWith('/v1/traces')) {\n exportEndpoint += '/v1/traces';\n }\n if (!flushTimer) {\n flushTimer = setInterval(flushSpans, 2000);\n }\n}\n\nexport function recordSpan(\n traceId: string,\n spanId: string,\n name: string,\n startMs: number,\n endMs: number,\n attrs?: Record<string, string \| number>,\n): void {\n if (!exportEndpoint) return;\n if (debug) console.log(`[autotel-web] recordSpan: ${name} (${traceId.slice(0, 8)}…)`);\n const attributes = attrs\n ? Object.entries(attrs).map(([key, value]) => ({\n key,\n value: typeof value === 'number' ? { intValue: String(value) } : { stringValue: value },\n }))\n : undefined;\n pendingSpans.push({\n traceId,\n spanId,\n name,\n kind: 3, // CLIENT\n startTimeUnixNano: String(Math.round(startMs 1_000_000)),\n endTimeUnixNano: String(Math.round(endMs * 1_000_000)),\n attributes,\n });\n // Flush immediately — browser spans are infrequent\n flushSpans();\n}\n\nexport function flushSpans(): void {\n if (!exportEndpoint \|\| pendingSpans.length === 0) return;\n if (debug) console.log(`[autotel-web] flushSpans: sending ${pendingSpans.length} span(s) to ${exportEndpoint}`);\n const spans = pendingSpans;\n pendingSpans = [];\n const payload = JSON.stringify({\n resourceSpans: [{\n resource: { attributes: [{ key: 'service.name', value: { stringValue: serviceName } }] },\n scopeSpans: [{ scope: { name: 'autotel-web' }, spans }],\n }],\n });\n const blob = new Blob([payload], { type: 'application/json' });\n const sent = typeof navigator?.sendBeacon === 'function' && navigator.sendBeacon(exportEndpoint, blob);\n if (!sent && rawFetch) {\n rawFetch(exportEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: payload,\n keepalive: true,\n }).catch(() => {});\n }\n}\n\nexport function isConfigured(): boolean {\n return exportEndpoint !== undefined;\n}\n\nexport function resetForTesting(): void {\n exportEndpoint = undefined;\n pendingSpans = [];\n if (flushTimer) { clearInterval(flushTimer); flushTimer = undefined; }\n}\n","/*\n Minimal browser SDK initialization\n \n Patches fetch() and XMLHttpRequest to automatically inject W3C traceparent headers.\n * NO OpenTelemetry dependencies - just native browser APIs.\n \n Bundle size: ~2-5KB gzipped\n /\n\nimport { createTraceparent, parseTraceparent } from './traceparent';\nimport { PrivacyManager, PrivacyConfig, getDenialReason } from './privacy';\nimport { configureExporter, setRawFetch, recordSpan, flushSpans, isConfigured, resetForTesting as resetExporter } from './span-exporter';\n\nexport interface AutotelWebConfig {\n /\n Service name for the browser application\n * Used only for logging/debugging - not sent in headers\n /\n service: string;\n\n /\n Enable debug logging to console\n * @default false\n /\n debug?: boolean;\n\n /\n Enable automatic traceparent injection on fetch calls\n * @default true\n /\n instrumentFetch?: boolean;\n\n /\n Enable automatic traceparent injection on XMLHttpRequest\n * @default true\n /\n instrumentXHR?: boolean;\n\n /\n OTLP endpoint for exporting browser spans.\n * When set, browser spans are sent via sendBeacon so the traceparent\n * spanId exists as a real span in the collector.\n * Use '' (empty string) for same-origin (requires /v1/traces proxy).\n /\n endpoint?: string;\n\n /\n Privacy controls for traceparent header injection\n \n Configure origin filtering and privacy signal respecting (DNT, GPC)\n * to ensure compliance with GDPR, CCPA, and user privacy preferences.\n \n @example Basic origin filtering\n * ```typescript\n * {\n * privacy: {\n * allowedOrigins: ['api.myapp.com'], // Only inject on API calls\n * respectDoNotTrack: true // Respect user's DNT setting\n * }\n * }\n * ```\n \n @example Block third-party analytics\n * ```typescript\n * {\n * privacy: {\n * blockedOrigins: ['analytics.google.com', 'facebook.com']\n * }\n * }\n * ```\n /\n privacy?: PrivacyConfig;\n}\n\nlet isInitialized = false;\nlet config: AutotelWebConfig \| undefined;\nlet privacyManager: PrivacyManager \| undefined;\nlet originalFetch: typeof window.fetch \| undefined;\nlet originalXHROpen: typeof XMLHttpRequest.prototype.open \| undefined;\nlet originalXHRSetRequestHeader: typeof XMLHttpRequest.prototype.setRequestHeader \| undefined;\n\n/\n Initialize autotel-web\n \n Patches fetch() and XMLHttpRequest to auto-inject traceparent headers.\n \n SSR-safe: Safe to call in SSR environments (checks for window).\n * Call once: Subsequent calls are ignored.\n \n @example\n * ```typescript\n * import { init } from 'autotel-web'\n \n init({ service: 'my-frontend-app' })\n \n // Now all fetch/XHR calls include traceparent headers!\n * fetch('/api/users') // <-- traceparent header automatically injected\n * ```\n \n @example With React (client-only)\n * ```typescript\n * import { useEffect } from 'react'\n * import { init } from 'autotel-web'\n \n function App() {\n * useEffect(() => {\n * init({ service: 'my-spa' })\n * }, [])\n \n return <div>...</div>\n * }\n * ```\n /\nexport function init(userConfig: AutotelWebConfig): void {\n // SSR-safe: do nothing on the server\n if (typeof window === 'undefined') {\n return;\n }\n\n if (isInitialized) {\n if (userConfig.debug) {\n console.warn('[autotel-web] Already initialized. Skipping.');\n }\n return;\n }\n\n // Validate configuration\n validateConfig(userConfig);\n\n config = userConfig;\n\n // Initialize privacy manager if privacy config provided\n if (config.privacy) {\n privacyManager = new PrivacyManager(config.privacy);\n }\n\n // Capture unpatched fetch for the exporter before we patch it\n if (config.endpoint !== undefined) {\n setRawFetch(window.fetch.bind(window));\n configureExporter(config.service, config.endpoint, config.debug);\n }\n\n // Patch fetch\n if (config.instrumentFetch !== false) {\n patchFetch();\n }\n\n // Patch XHR\n if (config.instrumentXHR !== false) {\n patchXMLHttpRequest();\n }\n\n if (config.endpoint !== undefined) {\n window.addEventListener('visibilitychange', () => {\n if (document.visibilityState === 'hidden') flushSpans();\n });\n }\n\n isInitialized = true;\n\n if (config.debug) {\n console.log('[autotel-web] Initialized successfully', {\n service: config.service,\n instrumentFetch: config.instrumentFetch !== false,\n instrumentXHR: config.instrumentXHR !== false,\n privacyEnabled: !!config.privacy,\n privacyConfig: config.privacy\n ? {\n allowedOrigins: config.privacy.allowedOrigins?.length ?? 0,\n blockedOrigins: config.privacy.blockedOrigins?.length ?? 0,\n respectDoNotTrack: config.privacy.respectDoNotTrack ?? false,\n respectGPC: config.privacy.respectGPC ?? false,\n }\n : null,\n });\n }\n}\n\n/\n Patch fetch() to auto-inject traceparent headers\n /\nfunction patchFetch(): void {\n // Always get the current window.fetch as the original\n // This allows tests to set up mocks before calling init()\n originalFetch = window.fetch.bind(window);\n\n window.fetch = function (\n input: RequestInfo \| URL,\n init?: RequestInit\n ): Promise<Response> {\n // Get URL string for logging and privacy checks\n const url =\n typeof input === 'string'\n ? input\n : input instanceof URL\n ? input.toString()\n : input.url;\n\n // Create headers object\n const headers = new Headers(init?.headers);\n\n // Only inject if traceparent doesn't already exist\n let injectedTraceparent: string \| undefined;\n if (!headers.has('traceparent')) {\n // Check privacy controls\n if (privacyManager && !privacyManager.shouldInjectTraceparent(url)) {\n if (config?.debug) {\n const reason = getDenialReason(privacyManager, url);\n console.log(\n '[autotel-web] Skipped traceparent on fetch (privacy):',\n url,\n reason\n );\n }\n } else {\n injectedTraceparent = createTraceparent();\n headers.set('traceparent', injectedTraceparent);\n\n if (config?.debug) {\n console.log(\n '[autotel-web] Injected traceparent on fetch:',\n url,\n injectedTraceparent\n );\n }\n }\n }\n\n // Resolve HTTP method: prefer init override, then Request.method, then default GET\n const method = init?.method\n ?? (input instanceof Request ? input.method : undefined)\n ?? 'GET';\n\n // Call original fetch with updated headers\n const startTime = performance.timeOrigin + performance.now();\n const fetchPromise = originalFetch!(input, { ...init, headers });\n\n // Export browser span if exporter is configured\n if (injectedTraceparent && isConfigured()) {\n fetchPromise.then(\n (response) => {\n const endTime = performance.timeOrigin + performance.now();\n const parsed = parseTraceparent(injectedTraceparent!);\n if (parsed) {\n let pathname: string;\n try { pathname = new URL(url, window.location.origin).pathname; } catch { pathname = url; }\n recordSpan(parsed.traceId, parsed.spanId, `browser ${pathname}`, startTime, endTime, {\n 'http.method': method,\n 'http.url': url,\n 'http.status_code': response.status,\n });\n }\n },\n () => {\n const endTime = performance.timeOrigin + performance.now();\n const parsed = parseTraceparent(injectedTraceparent!);\n if (parsed) {\n let pathname: string;\n try { pathname = new URL(url, window.location.origin).pathname; } catch { pathname = url; }\n recordSpan(parsed.traceId, parsed.spanId, `browser ${pathname}`, startTime, endTime, {\n 'http.method': method,\n 'http.url': url,\n });\n }\n },\n );\n }\n\n return fetchPromise;\n };\n}\n\n/\n Patch XMLHttpRequest to auto-inject traceparent headers\n /\nfunction patchXMLHttpRequest(): void {\n // Always get the current prototypes as the originals\n // This allows tests to set up mocks before calling init()\n originalXHROpen = XMLHttpRequest.prototype.open;\n originalXHRSetRequestHeader = XMLHttpRequest.prototype.setRequestHeader;\n\n // Track which XHR instances have traceparent set\n const xhrHasTraceparent = new WeakSet<XMLHttpRequest>();\n\n // Patch setRequestHeader to track manual traceparent headers\n XMLHttpRequest.prototype.setRequestHeader = function (\n name: string,\n value: string\n ): void {\n if (name.toLowerCase() === 'traceparent') {\n xhrHasTraceparent.add(this);\n }\n // originalXHRSetRequestHeader is always defined here because patchXMLHttpRequest() sets it before patching\n return originalXHRSetRequestHeader!.call(this, name, value);\n };\n\n // Patch open to inject traceparent after headers are ready\n XMLHttpRequest.prototype.open = function (\n method: string,\n url: string \| URL,\n async: boolean = true,\n username?: string \| null,\n password?: string \| null\n ): void {\n // Call original open\n // originalXHROpen is always defined here because patchXMLHttpRequest() sets it before patching\n const result = originalXHROpen!.call(this, method, url, async, username, password);\n\n // Convert URL to string for logging and privacy checks\n const urlStr = typeof url === 'string' ? url : url.toString();\n\n // Listen for readyState change to inject header at the right time\n const xhr = this;\n const originalOnReadyStateChange = xhr.onreadystatechange;\n\n xhr.onreadystatechange = function (event: Event) {\n // OPENED state (1) - headers can now be set\n if (xhr.readyState === XMLHttpRequest.OPENED) {\n // Only inject if not already set\n if (!xhrHasTraceparent.has(xhr)) {\n // Check privacy controls\n if (privacyManager && !privacyManager.shouldInjectTraceparent(urlStr)) {\n if (config?.debug) {\n const reason = getDenialReason(privacyManager, urlStr);\n console.log(\n '[autotel-web] Skipped traceparent on XHR (privacy):',\n urlStr,\n reason\n );\n }\n } else {\n // Inject traceparent header\n try {\n const traceparent = createTraceparent();\n // originalXHRSetRequestHeader is always defined here because patchXMLHttpRequest() sets it before patching\n originalXHRSetRequestHeader!.call(xhr, 'traceparent', traceparent);\n\n if (config?.debug) {\n console.log(\n '[autotel-web] Injected traceparent on XHR:',\n urlStr,\n traceparent\n );\n }\n } catch (error) {\n // Silently ignore if setRequestHeader fails\n if (config?.debug) {\n console.warn(\n '[autotel-web] Failed to inject traceparent on XHR:',\n error\n );\n }\n }\n }\n }\n }\n\n // Call original handler if it exists\n if (originalOnReadyStateChange) {\n return originalOnReadyStateChange.call(xhr, event);\n }\n };\n\n return result;\n };\n}\n\n/\n Validate configuration at initialization time\n * Catches common misconfigurations early\n /\nfunction validateConfig(userConfig: AutotelWebConfig): void {\n // Validate service name\n if (!userConfig.service \|\| typeof userConfig.service !== 'string') {\n throw new Error('[autotel-web] service name is required and must be a string');\n }\n\n if (userConfig.service.length === 0) {\n throw new Error('[autotel-web] service name cannot be empty');\n }\n\n if (userConfig.service.length > 255) {\n console.warn(\n '[autotel-web] service name is very long (> 255 chars). Consider using a shorter name.'\n );\n }\n\n // Validate privacy config if provided\n if (userConfig.privacy) {\n const { allowedOrigins, blockedOrigins } = userConfig.privacy;\n\n // Warn if both allowlist and blocklist are empty\n if (\n (!allowedOrigins \|\| allowedOrigins.length === 0) &&\n (!blockedOrigins \|\| blockedOrigins.length === 0) &&\n !userConfig.privacy.respectDoNotTrack &&\n !userConfig.privacy.respectGPC\n ) {\n console.warn(\n '[autotel-web] privacy config provided but all options are empty/disabled. This has no effect.'\n );\n }\n\n // Warn about overlapping origins\n if (allowedOrigins && blockedOrigins) {\n const overlap = allowedOrigins.filter((allowed) =>\n blockedOrigins.some((blocked) =>\n allowed.toLowerCase().includes(blocked.toLowerCase())\n )\n );\n if (overlap.length > 0) {\n console.warn(\n '[autotel-web] Some allowedOrigins match blockedOrigins. Blocklist takes precedence:',\n overlap\n );\n }\n }\n\n // Validate origin format (warn if looks invalid)\n const allOrigins = [\n ...(allowedOrigins ?? []),\n ...(blockedOrigins ?? []),\n ];\n allOrigins.forEach((origin) => {\n if (origin.includes('://')) {\n console.warn(\n `[autotel-web] Origin \"${origin}\" includes protocol (://) - this is usually not needed. Just use the domain name.`\n );\n }\n });\n }\n}\n\n/\n Reset initialization state (for testing)\n * @internal\n /\nexport function resetForTesting(): void {\n isInitialized = false;\n config = undefined;\n privacyManager = undefined;\n resetExporter();\n\n // Restore original fetch/XHR if they were patched\n // Then clear the stored originals so next test can set up fresh mocks\n if (typeof window !== 'undefined') {\n if (originalFetch) {\n window.fetch = originalFetch;\n originalFetch = undefined;\n }\n if (originalXHROpen) {\n XMLHttpRequest.prototype.open = originalXHROpen;\n originalXHROpen = undefined;\n }\n if (originalXHRSetRequestHeader) {\n XMLHttpRequest.prototype.setRequestHeader = originalXHRSetRequestHeader;\n originalXHRSetRequestHeader = undefined;\n }\n }\n}\n\n/\n Get current configuration\n * @internal\n /\nexport function getConfig(): AutotelWebConfig \| undefined {\n return config;\n}\n\n/\n Get current privacy manager\n * @internal\n */\nexport function getPrivacyManager(): PrivacyManager \| undefined {\n return privacyManager;\n}\n"]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "autotel-web",
-  "version": "1.11.0",
+  "version": "1.11.2",
   "description": "Ultra-lightweight browser SDK for distributed tracing - propagates W3C traceparent headers to backends using Autotel (~2-5KB gzipped)",
   "type": "module",
   "main": "./dist/index.js",
@@ -43,25 +43,25 @@
   "author": "Jag Reehal <jag@jagreehal.com> (https://jagreehal.com)",
   "license": "MIT",
   "dependencies": {
-    "@opentelemetry/api": "^1.9.0",
-    "@opentelemetry/core": "^2.6.0",
-    "@opentelemetry/exporter-trace-otlp-http": "^0.213.0",
-    "@opentelemetry/instrumentation": "^0.213.0",
-    "@opentelemetry/instrumentation-document-load": "^0.58.0",
-    "@opentelemetry/instrumentation-fetch": "^0.213.0",
-    "@opentelemetry/instrumentation-xml-http-request": "^0.213.0",
-    "@opentelemetry/resources": "^2.6.0",
-    "@opentelemetry/sdk-trace-base": "^2.6.0",
-    "@opentelemetry/sdk-trace-web": "^2.6.0",
-    "web-vitals": "^5.1.0"
+    "@opentelemetry/api": "^1.9.1",
+    "@opentelemetry/core": "^2.7.0",
+    "@opentelemetry/exporter-trace-otlp-http": "^0.215.0",
+    "@opentelemetry/instrumentation": "^0.215.0",
+    "@opentelemetry/instrumentation-document-load": "^0.60.0",
+    "@opentelemetry/instrumentation-fetch": "^0.215.0",
+    "@opentelemetry/instrumentation-xml-http-request": "^0.215.0",
+    "@opentelemetry/resources": "^2.7.0",
+    "@opentelemetry/sdk-trace-base": "^2.7.0",
+    "@opentelemetry/sdk-trace-web": "^2.7.0",
+    "web-vitals": "^5.2.0"
   },
   "devDependencies": {
-    "@types/node": "^25.3.5",
+    "@types/node": "^25.6.0",
     "rimraf": "^6.1.3",
     "tsup": "^8.5.1",
-    "typescript": "^5.9.3",
-    "vitest": "^4.0.18",
-    "vitest-mock-extended": "^3.1.0"
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.5",
+    "vitest-mock-extended": "^4.0.0"
   },
   "repository": {
     "type": "git",

package/src/index.ts CHANGED Viewed

@@ -49,6 +49,9 @@
 // Core initialization
 export { init, type AutotelWebConfig } from './init';
+// Span exporter
+export { flushSpans } from './span-exporter';
 // Privacy types (re-exported from init.ts which imports from privacy.ts)
 export type { PrivacyConfig } from './privacy';

package/src/init.ts CHANGED Viewed

@@ -7,8 +7,9 @@
  * Bundle size: ~2-5KB gzipped
  */
-import { createTraceparent } from './traceparent';
+import { createTraceparent, parseTraceparent } from './traceparent';
 import { PrivacyManager, PrivacyConfig, getDenialReason } from './privacy';
+import { configureExporter, setRawFetch, recordSpan, flushSpans, isConfigured, resetForTesting as resetExporter } from './span-exporter';
 export interface AutotelWebConfig {
   /**
@@ -35,6 +36,14 @@ export interface AutotelWebConfig {
    */
   instrumentXHR?: boolean;
+  /**
+   * OTLP endpoint for exporting browser spans.
+   * When set, browser spans are sent via sendBeacon so the traceparent
+   * spanId exists as a real span in the collector.
+   * Use '' (empty string) for same-origin (requires /v1/traces proxy).
+   */
+  endpoint?: string;
   /**
    * Privacy controls for traceparent header injection
    *
@@ -125,6 +134,12 @@ export function init(userConfig: AutotelWebConfig): void {
     privacyManager = new PrivacyManager(config.privacy);
   }
+  // Capture unpatched fetch for the exporter before we patch it
+  if (config.endpoint !== undefined) {
+    setRawFetch(window.fetch.bind(window));
+    configureExporter(config.service, config.endpoint, config.debug);
+  }
   // Patch fetch
   if (config.instrumentFetch !== false) {
     patchFetch();
@@ -135,6 +150,12 @@ export function init(userConfig: AutotelWebConfig): void {
     patchXMLHttpRequest();
   }
+  if (config.endpoint !== undefined) {
+    window.addEventListener('visibilitychange', () => {
+      if (document.visibilityState === 'hidden') flushSpans();
+    });
+  }
   isInitialized = true;
   if (config.debug) {
@@ -179,6 +200,7 @@ function patchFetch(): void {
     const headers = new Headers(init?.headers);
     // Only inject if traceparent doesn't already exist
+    let injectedTraceparent: string | undefined;
     if (!headers.has('traceparent')) {
       // Check privacy controls
       if (privacyManager && !privacyManager.shouldInjectTraceparent(url)) {
@@ -191,22 +213,60 @@ function patchFetch(): void {
           );
         }
       } else {
-        // Inject traceparent header
-        headers.set('traceparent', createTraceparent());
+        injectedTraceparent = createTraceparent();
+        headers.set('traceparent', injectedTraceparent);
         if (config?.debug) {
           console.log(
             '[autotel-web] Injected traceparent on fetch:',
             url,
-            headers.get('traceparent')
+            injectedTraceparent
           );
         }
       }
     }
+    // Resolve HTTP method: prefer init override, then Request.method, then default GET
+    const method = init?.method
+      ?? (input instanceof Request ? input.method : undefined)
+      ?? 'GET';
     // Call original fetch with updated headers
-    // originalFetch is always defined here because patchFetch() sets it before patching
-    return originalFetch!(input, { ...init, headers });
+    const startTime = performance.timeOrigin + performance.now();
+    const fetchPromise = originalFetch!(input, { ...init, headers });
+    // Export browser span if exporter is configured
+    if (injectedTraceparent && isConfigured()) {
+      fetchPromise.then(
+        (response) => {
+          const endTime = performance.timeOrigin + performance.now();
+          const parsed = parseTraceparent(injectedTraceparent!);
+          if (parsed) {
+            let pathname: string;
+            try { pathname = new URL(url, window.location.origin).pathname; } catch { pathname = url; }
+            recordSpan(parsed.traceId, parsed.spanId, `browser ${pathname}`, startTime, endTime, {
+              'http.method': method,
+              'http.url': url,
+              'http.status_code': response.status,
+            });
+          }
+        },
+        () => {
+          const endTime = performance.timeOrigin + performance.now();
+          const parsed = parseTraceparent(injectedTraceparent!);
+          if (parsed) {
+            let pathname: string;
+            try { pathname = new URL(url, window.location.origin).pathname; } catch { pathname = url; }
+            recordSpan(parsed.traceId, parsed.spanId, `browser ${pathname}`, startTime, endTime, {
+              'http.method': method,
+              'http.url': url,
+            });
+          }
+        },
+      );
+    }
+    return fetchPromise;
   };
 }
@@ -379,6 +439,7 @@ export function resetForTesting(): void {
   isInitialized = false;
   config = undefined;
   privacyManager = undefined;
+  resetExporter();
   // Restore original fetch/XHR if they were patched
   // Then clear the stored originals so next test can set up fresh mocks

package/src/span-exporter.ts ADDED Viewed

@@ -0,0 +1,94 @@
+/**
+ * Lightweight browser span exporter via sendBeacon/fetch.
+ * Sends OTLP/JSON spans so the browser's traceparent spanId
+ * exists as a real span in the collector.
+ */
+let debug = false;
+let serviceName = 'browser';
+let exportEndpoint: string | undefined;
+let pendingSpans: unknown[] = [];
+let flushTimer: ReturnType<typeof setTimeout> | undefined;
+let rawFetch: typeof globalThis.fetch | undefined;
+/**
+ * Provide the unpatched fetch so the exporter bypasses instrumentation.
+ * Must be called before init() patches window.fetch.
+ */
+export function setRawFetch(fn: typeof globalThis.fetch): void {
+  rawFetch = fn;
+}
+export function configureExporter(service: string, endpoint: string, enableDebug = false): void {
+  debug = enableDebug;
+  serviceName = service;
+  exportEndpoint = endpoint.replace(/\/$/, '');
+  if (!exportEndpoint.endsWith('/v1/traces')) {
+    exportEndpoint += '/v1/traces';
+  }
+  if (!flushTimer) {
+    flushTimer = setInterval(flushSpans, 2000);
+  }
+}
+export function recordSpan(
+  traceId: string,
+  spanId: string,
+  name: string,
+  startMs: number,
+  endMs: number,
+  attrs?: Record<string, string | number>,
+): void {
+  if (!exportEndpoint) return;
+  if (debug) console.log(`[autotel-web] recordSpan: ${name} (${traceId.slice(0, 8)}…)`);
+  const attributes = attrs
+    ? Object.entries(attrs).map(([key, value]) => ({
+        key,
+        value: typeof value === 'number' ? { intValue: String(value) } : { stringValue: value },
+      }))
+    : undefined;
+  pendingSpans.push({
+    traceId,
+    spanId,
+    name,
+    kind: 3, // CLIENT
+    startTimeUnixNano: String(Math.round(startMs * 1_000_000)),
+    endTimeUnixNano: String(Math.round(endMs * 1_000_000)),
+    attributes,
+  });
+  // Flush immediately — browser spans are infrequent
+  flushSpans();
+}
+export function flushSpans(): void {
+  if (!exportEndpoint || pendingSpans.length === 0) return;
+  if (debug) console.log(`[autotel-web] flushSpans: sending ${pendingSpans.length} span(s) to ${exportEndpoint}`);
+  const spans = pendingSpans;
+  pendingSpans = [];
+  const payload = JSON.stringify({
+    resourceSpans: [{
+      resource: { attributes: [{ key: 'service.name', value: { stringValue: serviceName } }] },
+      scopeSpans: [{ scope: { name: 'autotel-web' }, spans }],
+    }],
+  });
+  const blob = new Blob([payload], { type: 'application/json' });
+  const sent = typeof navigator?.sendBeacon === 'function' && navigator.sendBeacon(exportEndpoint, blob);
+  if (!sent && rawFetch) {
+    rawFetch(exportEndpoint, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: payload,
+      keepalive: true,
+    }).catch(() => {});
+  }
+}
+export function isConfigured(): boolean {
+  return exportEndpoint !== undefined;
+}
+export function resetForTesting(): void {
+  exportEndpoint = undefined;
+  pendingSpans = [];
+  if (flushTimer) { clearInterval(flushTimer); flushTimer = undefined; }
+}