silgi 0.1.0-beta.13 → 0.1.0-beta.15

package/dist/plugins/analytics.mjs

@@ -1,5 +1,10 @@
 import { ValidationError } from "../core/schema.mjs";
 import { SilgiError, toSilgiError } from "../core/error.mjs";
+import { AlertEngine } from "./analytics-alerts.mjs";
+import { CostTracker } from "./analytics-cost.mjs";
+import { parseQueryParams, queryErrors, queryRequests, queryTasks } from "./analytics-query.mjs";
+import { AnalyticsSSEHub } from "./analytics-sse.mjs";
+import { TimeSeriesAggregator } from "./analytics-timeseries.mjs";
 import { useStorage } from "../core/storage.mjs";
 import { readFileSync } from "node:fs";
 import { dirname, resolve } from "node:path";
@@ -52,6 +57,158 @@ var RingBuffer = class {
 		return this.#count;
 	}
 };
+const REDACTED = "[REDACTED]";
+const SENSITIVE_HEADER_KEYS = new Set([
+	"authorization",
+	"cookie",
+	"set-cookie",
+	"x-api-key",
+	"x-auth-token",
+	"proxy-authorization"
+]);
+function shouldRedactSensitiveData() {
+	return process.env.NODE_ENV === "production";
+}
+function redactHeaderValue(key, value) {
+	return shouldRedactSensitiveData() && SENSITIVE_HEADER_KEYS.has(key.toLowerCase()) ? REDACTED : value;
+}
+function asRecord(value) {
+	return value && typeof value === "object" ? value : null;
+}
+function normalizeString(value, fallback = "") {
+	return typeof value === "string" ? value : fallback;
+}
+function normalizeNumber(value, fallback = 0) {
+	return typeof value === "number" && Number.isFinite(value) ? value : fallback;
+}
+function normalizeBoolean(value, fallback = false) {
+	return typeof value === "boolean" ? value : fallback;
+}
+function normalizeStringMap(value) {
+	const record = asRecord(value);
+	if (!record) return {};
+	const result = {};
+	for (const [key, raw] of Object.entries(record)) if (typeof raw === "string") result[key] = raw;
+	return result;
+}
+function normalizeSpanKind(value) {
+	switch (value) {
+		case "db":
+		case "http":
+		case "cache":
+		case "queue":
+		case "email":
+		case "ai":
+		case "custom": return value;
+		default: return "custom";
+	}
+}
+function normalizeTraceSpans(value) {
+	if (!Array.isArray(value)) return [];
+	const spans = [];
+	for (const entry of value) {
+		const span = asRecord(entry);
+		if (!span) continue;
+		const attributes = asRecord(span.attributes);
+		const normalizedAttributes = {};
+		if (attributes) {
+			for (const [key, raw] of Object.entries(attributes)) if (typeof raw === "string" || typeof raw === "number" || typeof raw === "boolean") normalizedAttributes[key] = raw;
+		}
+		spans.push({
+			name: normalizeString(span.name, "unknown"),
+			kind: normalizeSpanKind(span.kind),
+			durationMs: normalizeNumber(span.durationMs),
+			startOffsetMs: typeof span.startOffsetMs === "number" ? span.startOffsetMs : void 0,
+			detail: typeof span.detail === "string" ? span.detail : void 0,
+			input: span.input,
+			output: span.output,
+			error: typeof span.error === "string" ? span.error : void 0,
+			attributes: Object.keys(normalizedAttributes).length > 0 ? normalizedAttributes : void 0
+		});
+	}
+	return spans;
+}
+function inferPathFromUrl(url) {
+	if (!url) return "";
+	try {
+		return new URL(url).pathname || "";
+	} catch {
+		return "";
+	}
+}
+function normalizeProcedureCall(value, fallback) {
+	const record = asRecord(value);
+	return {
+		procedure: normalizeString(record?.procedure, fallback.path.replace(/^\//, "") || fallback.path || "request"),
+		durationMs: normalizeNumber(record?.durationMs, fallback.durationMs),
+		status: normalizeNumber(record?.status, fallback.status),
+		input: record?.input ?? null,
+		output: record?.output ?? null,
+		spans: normalizeTraceSpans(record?.spans),
+		error: typeof record?.error === "string" ? record.error : void 0
+	};
+}
+function normalizeRequestEntry(value, fallbackId) {
+	const record = asRecord(value);
+	if (!record) return null;
+	const url = normalizeString(record.url);
+	const path = normalizeString(record.path, inferPathFromUrl(url));
+	const method = normalizeString(record.method, "GET");
+	const status = normalizeNumber(record.status, 200);
+	const durationMs = normalizeNumber(record.durationMs);
+	const procedureFallback = {
+		path: path || "/",
+		durationMs,
+		status
+	};
+	const proceduresRaw = Array.isArray(record.procedures) ? record.procedures : [];
+	const procedures = proceduresRaw.length > 0 ? proceduresRaw.map((entry) => normalizeProcedureCall(entry, procedureFallback)) : [normalizeProcedureCall(null, procedureFallback)];
+	return {
+		id: normalizeNumber(record.id, fallbackId),
+		requestId: normalizeString(record.requestId, String(normalizeNumber(record.id, fallbackId))),
+		sessionId: normalizeString(record.sessionId),
+		timestamp: normalizeNumber(record.timestamp),
+		durationMs,
+		method,
+		url: url || path,
+		path,
+		ip: normalizeString(record.ip),
+		headers: normalizeStringMap(record.headers),
+		responseHeaders: normalizeStringMap(record.responseHeaders),
+		userAgent: normalizeString(record.userAgent),
+		status,
+		procedures,
+		isBatch: normalizeBoolean(record.isBatch, procedures.length > 1),
+		traceId: normalizeString(record.traceId) || void 0,
+		parentRequestId: normalizeString(record.parentRequestId) || void 0
+	};
+}
+function normalizeErrorEntry(value, fallbackId) {
+	const record = asRecord(value);
+	if (!record) return null;
+	return {
+		id: normalizeNumber(record.id, fallbackId),
+		requestId: normalizeString(record.requestId),
+		timestamp: normalizeNumber(record.timestamp),
+		procedure: normalizeString(record.procedure, "request"),
+		error: normalizeString(record.error, "Unknown error"),
+		code: normalizeString(record.code, "INTERNAL_SERVER_ERROR"),
+		status: normalizeNumber(record.status, 500),
+		stack: normalizeString(record.stack),
+		input: record.input ?? null,
+		headers: normalizeStringMap(record.headers),
+		durationMs: normalizeNumber(record.durationMs),
+		spans: normalizeTraceSpans(record.spans)
+	};
+}
+function normalizeRequestEntries(value) {
+	if (!Array.isArray(value)) return [];
+	return value.map((entry, index) => normalizeRequestEntry(entry, index + 1)).filter((entry) => entry !== null);
+}
+function normalizeErrorEntries(value) {
+	if (!Array.isArray(value)) return [];
+	return value.map((entry, index) => normalizeErrorEntry(entry, index + 1)).filter((entry) => entry !== null);
+}
 let _lastTime = 0;
 let _counter = 0;
 function generateRequestId() {
@@ -147,14 +304,12 @@ var AnalyticsStore = class {
 	#storage;
 	#pendingRequests = [];
 	#pendingErrors = [];
-	#maxRequests;
-	#maxErrors;
+	#retentionMs;
 	#timer = null;
 	#flushing = false;
-	constructor(maxRequests, maxErrors, flushInterval) {
+	constructor(flushInterval, retentionDays) {
 		this.#storage = useStorage("data");
-		this.#maxRequests = maxRequests;
-		this.#maxErrors = maxErrors;
+		this.#retentionMs = retentionDays * 864e5;
 		this.#timer = setInterval(() => this.flush(), flushInterval);
 		if (typeof this.#timer === "object" && "unref" in this.#timer) this.#timer.unref();
 	}
@@ -171,12 +326,13 @@ var AnalyticsStore = class {
 		if (requests.length === 0 && errors.length === 0) return;
 		this.#flushing = true;
 		try {
+			const cutoff = Date.now() - this.#retentionMs;
 			if (requests.length > 0) {
-				const merged = [...await this.#storage.getItem("analytics:requests") ?? [], ...requests].slice(-this.#maxRequests);
+				const merged = [...normalizeRequestEntries(await this.#storage.getItem("analytics:requests")).filter((entry) => isTrackedRequestPath(entry.path)), ...requests].filter((e) => e.timestamp >= cutoff);
 				await this.#storage.setItem("analytics:requests", merged);
 			}
 			if (errors.length > 0) {
-				const merged = [...await this.#storage.getItem("analytics:errors") ?? [], ...errors].slice(-this.#maxErrors);
+				const merged = [...normalizeErrorEntries(await this.#storage.getItem("analytics:errors")).filter((entry) => isTrackedRequestPath(entry.procedure)), ...errors].filter((e) => e.timestamp >= cutoff);
 				await this.#storage.setItem("analytics:errors", merged);
 			}
 		} catch {
@@ -187,14 +343,18 @@ var AnalyticsStore = class {
 		}
 	}
 	async getRequests() {
-		const stored = await this.#storage.getItem("analytics:requests") ?? [];
-		if (this.#pendingRequests.length === 0) return stored;
-		return [...stored, ...this.#pendingRequests].slice(-this.#maxRequests);
+		const cutoff = Date.now() - this.#retentionMs;
+		const stored = normalizeRequestEntries(await this.#storage.getItem("analytics:requests")).filter((entry) => isTrackedRequestPath(entry.path) && entry.timestamp >= cutoff);
+		const pending = this.#pendingRequests.filter((entry) => isTrackedRequestPath(entry.path) && entry.timestamp >= cutoff);
+		if (pending.length === 0) return stored;
+		return [...stored, ...pending];
 	}
 	async getErrors() {
-		const stored = await this.#storage.getItem("analytics:errors") ?? [];
-		if (this.#pendingErrors.length === 0) return stored;
-		return [...stored, ...this.#pendingErrors].slice(-this.#maxErrors);
+		const cutoff = Date.now() - this.#retentionMs;
+		const stored = normalizeErrorEntries(await this.#storage.getItem("analytics:errors")).filter((entry) => isTrackedRequestPath(entry.procedure) && entry.timestamp >= cutoff);
+		const pending = this.#pendingErrors.filter((entry) => isTrackedRequestPath(entry.procedure) && entry.timestamp >= cutoff);
+		if (pending.length === 0) return stored;
+		return [...stored, ...pending];
 	}
 	async hydrate() {
 		try {
@@ -217,12 +377,27 @@ var AnalyticsStore = class {
 			});
 		} catch {}
 	}
+	async loadHiddenPaths() {
+		try {
+			const paths = await this.#storage.getItem("analytics:hiddenPaths");
+			return Array.isArray(paths) ? paths : [];
+		} catch {
+			return [];
+		}
+	}
+	saveHiddenPaths(paths) {
+		this.#storage.setItem("analytics:hiddenPaths", paths).catch(() => {});
+	}
 	async dispose() {
 		if (this.#timer) clearInterval(this.#timer);
 		this.#timer = null;
 		await this.flush();
 	}
 };
+/** Internal in-memory buffer caps — not user-configurable */
+const MEM_MAX_REQUESTS = 1e4;
+const MEM_MAX_ERRORS = 1e4;
+const MEM_MAX_TASKS = 1e4;
 var AnalyticsCollector = class {
 	#procedures = /* @__PURE__ */ new Map();
 	#startTime = Date.now();
@@ -230,9 +405,6 @@ var AnalyticsCollector = class {
 	#totalErrors = 0;
 	#bufferSize;
 	#historySeconds;
-	#maxErrors;
-	#maxRequests;
-	#maxTasks;
 	#timeSeries = [];
 	#currentWindow;
 	#errors = [];
@@ -244,22 +416,65 @@ var AnalyticsCollector = class {
 	#taskStats = /* @__PURE__ */ new Map();
 	#store;
 	#counterFlushCounter = 0;
+	/** Server-side ignore — from config, prevents recording entirely */
+	#ignorePaths;
+	/** Client-side hide — from dashboard, filters display only */
+	#hiddenPaths = /* @__PURE__ */ new Set();
+	/** SSE hub for real-time streaming */
+	sseHub;
+	/** Multi-tier time-series aggregation */
+	timeseries;
+	/** Alert engine */
+	alertEngine = null;
+	/** Cost tracker */
+	costTracker;
 	constructor(options = {}) {
 		this.#bufferSize = options.bufferSize ?? 1024;
 		this.#historySeconds = options.historySeconds ?? 120;
-		this.#maxErrors = options.maxErrors ?? 100;
-		this.#maxRequests = options.maxRequests ?? 200;
-		this.#maxTasks = options.maxTasks ?? 200;
+		this.#ignorePaths = new Set((options.ignorePaths ?? []).map((p) => p.startsWith("/") ? p.slice(1) : p));
 		this.#currentWindow = {
 			time: Math.floor(Date.now() / 1e3),
 			count: 0,
 			errors: 0
 		};
-		this.#store = new AnalyticsStore(this.#maxRequests, this.#maxErrors, options.flushInterval ?? 5e3);
+		this.sseHub = new AnalyticsSSEHub();
+		this.sseHub.startStatsBroadcast(() => this.toJSON());
+		this.timeseries = new TimeSeriesAggregator();
+		this.costTracker = new CostTracker(options.budgets, (rule, current) => {
+			if (this.alertEngine) console.warn(`[silgi:budget] "${rule.name}" exceeded: $${current.toFixed(2)} / $${rule.limit}`);
+		});
+		if (options.alerts && options.alerts.length > 0) this.alertEngine = new AlertEngine(options.alerts);
+		this.#store = new AnalyticsStore(options.flushInterval ?? 5e3, options.retentionDays ?? 30);
 		this.#store.hydrate().then((c) => {
 			this.#totalRequests += c.totalRequests;
 			this.#totalErrors += c.totalErrors;
 		});
+		this.#store.loadHiddenPaths().then((paths) => {
+			for (const p of paths) this.#hiddenPaths.add(p);
+		});
+	}
+	/** Check if a path is server-side ignored (from config). */
+	isIgnored(pathname) {
+		if (this.#ignorePaths.size === 0) return false;
+		return matchesPathPrefix(pathname, this.#ignorePaths);
+	}
+	/** Check if a path is hidden in the dashboard (from runtime API). */
+	isHidden(pathname) {
+		if (this.#hiddenPaths.size === 0) return false;
+		return matchesPathPrefix(pathname, this.#hiddenPaths);
+	}
+	addHiddenPath(path) {
+		const normalized = path.startsWith("/") ? path.slice(1) : path;
+		this.#hiddenPaths.add(normalized);
+		this.#store.saveHiddenPaths([...this.#hiddenPaths]);
+	}
+	removeHiddenPath(path) {
+		const normalized = path.startsWith("/") ? path.slice(1) : path;
+		this.#hiddenPaths.delete(normalized);
+		this.#store.saveHiddenPaths([...this.#hiddenPaths]);
+	}
+	getHiddenPaths() {
+		return [...this.#hiddenPaths];
 	}
 	record(path, durationMs) {
 		this.#totalRequests++;
@@ -267,6 +482,8 @@ var AnalyticsCollector = class {
 		entry.count++;
 		entry.latencies.push(durationMs);
 		this.#tick(false);
+		this.timeseries.record(durationMs, false);
+		this.alertEngine?.record(durationMs, false, path);
 	}
 	recordError(path, durationMs, errorMsg) {
 		this.#totalRequests++;
@@ -278,6 +495,8 @@ var AnalyticsCollector = class {
 		entry.lastError = errorMsg;
 		entry.lastErrorTime = Date.now();
 		this.#tick(true);
+		this.timeseries.record(durationMs, true);
+		this.alertEngine?.record(durationMs, true, path);
 	}
 	recordDetailedError(entry) {
 		const full = {
@@ -285,8 +504,12 @@ var AnalyticsCollector = class {
 			id: this.#nextErrorId++
 		};
 		this.#errors.push(full);
-		if (this.#errors.length > this.#maxErrors) this.#errors.shift();
+		if (this.#errors.length > MEM_MAX_ERRORS) this.#errors.shift();
 		this.#store.enqueueError(full);
+		this.sseHub.broadcast({
+			type: "error",
+			data: full
+		});
 	}
 	recordDetailedRequest(entry) {
 		const full = {
@@ -294,8 +517,12 @@ var AnalyticsCollector = class {
 			id: this.#nextRequestId++
 		};
 		this.#requests.push(full);
-		if (this.#requests.length > this.#maxRequests) this.#requests.shift();
+		if (this.#requests.length > MEM_MAX_REQUESTS) this.#requests.shift();
 		this.#store.enqueueRequest(full);
+		this.sseHub.broadcast({
+			type: "request",
+			data: full
+		});
 		this.#flushCountersIfNeeded();
 	}
 	recordTask(entry) {
@@ -304,7 +531,11 @@ var AnalyticsCollector = class {
 			id: this.#nextTaskId++
 		};
 		this.#taskExecutions.push(full);
-		if (this.#taskExecutions.length > this.#maxTasks) this.#taskExecutions.shift();
+		if (this.#taskExecutions.length > MEM_MAX_TASKS) this.#taskExecutions.shift();
+		this.sseHub.broadcast({
+			type: "task",
+			data: full
+		});
 		let stats = this.#taskStats.get(entry.taskName);
 		if (!stats) {
 			stats = {
@@ -437,14 +668,18 @@ const SESSION_MAX_AGE = 365 * 24 * 60 * 60;
 var RequestAccumulator = class {
 	requestId;
 	sessionId;
+	traceId;
+	parentRequestId;
 	/** True if a new session cookie needs to be set. */
 	isNewSession;
 	t0;
 	#request;
 	#procedures = [];
 	#collector;
-	constructor(request, collector) {
+	constructor(request, collector, traceId, parentRequestId) {
 		this.requestId = generateRequestId();
+		this.traceId = traceId ?? this.requestId;
+		this.parentRequestId = parentRequestId;
 		this.t0 = performance.now();
 		this.#request = request;
 		this.#collector = collector;
@@ -472,11 +707,11 @@ var RequestAccumulator = class {
 		const durationMs = round(performance.now() - this.t0);
 		const headers = {};
 		this.#request.headers.forEach((v, k) => {
-			headers[k] = k === "authorization" || k === "cookie" ? "[REDACTED]" : v;
+			headers[k] = redactHeaderValue(k, v);
 		});
 		const responseHeaders = {};
 		res.headers.forEach((v, k) => {
-			responseHeaders[k] = k === "set-cookie" ? "[REDACTED]" : v;
+			responseHeaders[k] = redactHeaderValue(k, v);
 		});
 		let worstStatus = 200;
 		for (const p of this.#procedures) if (p.status > worstStatus) worstStatus = p.status;
@@ -490,6 +725,7 @@ var RequestAccumulator = class {
 			timestamp: Date.now(),
 			durationMs,
 			method: this.#request.method,
+			url: this.#request.url,
 			path,
 			ip: headers["x-forwarded-for"] || headers["x-real-ip"] || "",
 			headers,
@@ -497,7 +733,9 @@ var RequestAccumulator = class {
 			userAgent: this.#request.headers.get("user-agent") ?? "",
 			status: worstStatus,
 			procedures: this.#procedures,
-			isBatch: this.#procedures.length > 1
+			isBatch: this.#procedures.length > 1,
+			traceId: this.traceId,
+			parentRequestId: this.parentRequestId
 		});
 	}
 	/** Whether any procedures have been recorded. */
@@ -517,8 +755,7 @@ function errorToMarkdown(e) {
 	if (e.stack) md += `### Stack Trace\n\n\`\`\`\n${e.stack}\n\`\`\`\n\n`;
 	if (Object.keys(e.headers).length > 0) {
 		md += `### Request Headers\n\n`;
-		for (const [k, v] of Object.entries(e.headers)) if (k === "authorization") md += `- \`${k}\`: \`[REDACTED]\`\n`;
-		else md += `- \`${k}\`: \`${v}\`\n`;
+		for (const [k, v] of Object.entries(e.headers)) md += `- \`${k}\`: \`${redactHeaderValue(k, v)}\`\n`;
 		md += "\n";
 	}
 	if (e.spans.length > 0) {
@@ -541,6 +778,7 @@ function requestToMarkdown(r) {
 	md += `| Request ID | \`${r.requestId}\` |\n`;
 	md += `| Session ID | \`${r.sessionId}\` |\n`;
 	md += `| Method | ${r.method} |\n`;
+	md += `| URL | \`${r.url}\` |\n`;
 	md += `| Path | \`${r.path}\` |\n`;
 	md += `| Status | ${r.status} |\n`;
 	md += `| Duration | ${r.durationMs}ms |\n`;
@@ -554,6 +792,7 @@ function requestToMarkdown(r) {
 		const pEmoji = p.status >= 400 ? "⚠️" : "✅";
 		md += `### ${pEmoji} ${i + 1}. \`${p.procedure}\` → ${p.status} (${p.durationMs}ms)\n\n`;
 		if (p.input !== void 0 && p.input !== null) md += `#### Input\n\n\`\`\`json\n${safeStringify(p.input)}\n\`\`\`\n\n`;
+		if (p.output !== void 0 && p.output !== null) md += `#### Output\n\n\`\`\`json\n${safeStringify(p.output)}\n\`\`\`\n\n`;
 		if (p.spans.length > 0) {
 			const byKind = /* @__PURE__ */ new Map();
 			for (const s of p.spans) byKind.set(s.kind, (byKind.get(s.kind) ?? 0) + s.durationMs);
@@ -583,6 +822,63 @@ function requestToMarkdown(r) {
 	if (r.durationMs > 100) md += `- ⚠️ This request took ${r.durationMs}ms — what is the bottleneck?\n`;
 	return md;
 }
+async function captureResponseBody(response) {
+	const lowered = (response.headers.get("content-type") ?? "").toLowerCase();
+	if (!response.body || lowered.includes("text/event-stream") || lowered.includes("application/octet-stream")) return { output: null };
+	try {
+		const text = await response.clone().text();
+		if (!text) return { output: null };
+		let output = text;
+		if (lowered.includes("application/json") || lowered.includes("+json")) try {
+			output = JSON.parse(text);
+		} catch {
+			output = text;
+		}
+		if (response.status < 400) return { output };
+		if (output && typeof output === "object") {
+			const record = output;
+			const message = typeof record.message === "string" ? record.message : null;
+			const code = typeof record.code === "string" ? record.code : null;
+			if (message && code) return {
+				output,
+				error: `${code}: ${message}`
+			};
+			if (message) return {
+				output,
+				error: message
+			};
+		}
+		return {
+			output,
+			error: typeof output === "string" ? output : safeStringify(output)
+		};
+	} catch {
+		return { output: null };
+	}
+}
+function extractResponseError(output, status, fallback) {
+	if (output && typeof output === "object") {
+		const record = output;
+		const code = typeof record.code === "string" ? record.code : null;
+		const message = typeof record.message === "string" ? record.message : null;
+		if (code && message) return {
+			code,
+			message
+		};
+		if (message) return {
+			code: `HTTP_${status}`,
+			message
+		};
+	}
+	if (fallback) return {
+		code: `HTTP_${status}`,
+		message: fallback
+	};
+	return {
+		code: `HTTP_${status}`,
+		message: `Request failed with status ${status}`
+	};
+}
 function safeStringify(v) {
 	try {
 		return JSON.stringify(v, null, 2);
@@ -590,6 +886,28 @@ function safeStringify(v) {
 		return String(v);
 	}
 }
+function matchesPathPrefix(pathname, prefixes) {
+	const normalized = pathname.startsWith("/") ? pathname.slice(1) : pathname;
+	for (const prefix of prefixes) if (normalized === prefix || normalized.startsWith(prefix + "/")) return true;
+	return false;
+}
+function isTrackedRequestPath(pathname) {
+	const normalized = pathname.startsWith("/") ? pathname.slice(1) : pathname;
+	return normalized === "api" || normalized.startsWith("api/") || normalized === "graphql" || normalized.startsWith("graphql/");
+}
+function isAnalyticsPath(pathname) {
+	return pathname === "api/analytics" || pathname.startsWith("api/analytics/");
+}
+function parseAnalyticsDetailPath(pathname, prefix) {
+	if (!pathname.startsWith(prefix)) return null;
+	const rawId = pathname.slice(prefix.length);
+	if (!rawId || rawId.includes("/")) return null;
+	const id = Number(rawId);
+	return {
+		id: Number.isFinite(id) ? id : null,
+		rawId: decodeURIComponent(rawId)
+	};
+}
 const __analytics_dirname = dirname(fileURLToPath(import.meta.url));
 let _dashboardCache;
 function analyticsHTML() {
@@ -621,15 +939,8 @@ function checkAnalyticsAuth(request, auth) {
 }
 function sanitizeHeaders(headers) {
 	const result = {};
-	const sensitiveKeys = new Set([
-		"authorization",
-		"cookie",
-		"x-api-key",
-		"x-auth-token",
-		"proxy-authorization"
-	]);
 	headers.forEach((value, key) => {
-		result[key] = sensitiveKeys.has(key.toLowerCase()) ? "[REDACTED]" : value;
+		result[key] = redactHeaderValue(key, value);
 	});
 	return result;
 }
@@ -676,7 +987,7 @@ location.reload();
 /** Return auth-failure response for analytics routes. */
 function analyticsAuthResponse(pathname) {
 	const jsonHeaders = { "content-type": "application/json" };
-	if (pathname !== "api/analytics") return new Response(JSON.stringify({
+	if (pathname !== "api/analytics" && pathname !== "api/analytics/") return new Response(JSON.stringify({
 		code: "UNAUTHORIZED",
 		status: 401,
 		message: "Invalid token"
@@ -693,7 +1004,7 @@ function jsonResponse(data, headers) {
 	return new Response(JSON.stringify(data), { headers });
 }
 /** Serve analytics dashboard and API routes. */
-async function serveAnalyticsRoute(pathname, collector, dashboardHtml) {
+async function serveAnalyticsRoute(pathname, request, collector, dashboardHtml) {
 	const jsonCacheHeaders = {
 		"content-type": "application/json",
 		"cache-control": "no-cache"
@@ -702,32 +1013,96 @@ async function serveAnalyticsRoute(pathname, collector, dashboardHtml) {
 		"content-type": "text/markdown; charset=utf-8",
 		"cache-control": "no-cache"
 	};
+	const url = new URL(request.url);
+	if (pathname === "api/analytics" || pathname === "api/analytics/") return new Response(dashboardHtml, { headers: { "content-type": "text/html" } });
 	if (pathname === "api/analytics/stats") return jsonResponse(collector.toJSON(), jsonCacheHeaders);
-	if (pathname === "api/analytics/errors") return jsonResponse(await collector.getErrors(), jsonCacheHeaders);
-	if (pathname === "api/analytics/requests") return jsonResponse(await collector.getRequests(), jsonCacheHeaders);
-	if (pathname === "api/analytics/tasks") return jsonResponse(await collector.getTaskExecutions(), jsonCacheHeaders);
+	if (pathname === "api/analytics/hidden") {
+		if (request.method === "GET") return jsonResponse(collector.getHiddenPaths(), jsonCacheHeaders);
+		if (request.method === "POST") {
+			const body = await request.json();
+			if (typeof body.path !== "string") return new Response("{\"error\":\"path required\"}", {
+				status: 400,
+				headers: jsonCacheHeaders
+			});
+			collector.addHiddenPath(body.path);
+			return jsonResponse(collector.getHiddenPaths(), jsonCacheHeaders);
+		}
+		if (request.method === "DELETE") {
+			const body = await request.json();
+			if (typeof body.path !== "string") return new Response("{\"error\":\"path required\"}", {
+				status: 400,
+				headers: jsonCacheHeaders
+			});
+			collector.removeHiddenPath(body.path);
+			return jsonResponse(collector.getHiddenPaths(), jsonCacheHeaders);
+		}
+	}
+	if (pathname === "api/analytics/errors") return jsonResponse(queryErrors((await collector.getErrors()).filter((e) => !collector.isHidden(e.procedure)), parseQueryParams(url.searchParams)), jsonCacheHeaders);
+	if (pathname === "api/analytics/requests") return jsonResponse(queryRequests((await collector.getRequests()).filter((r) => !collector.isHidden(r.path)), parseQueryParams(url.searchParams)), jsonCacheHeaders);
+	if (pathname === "api/analytics/tasks") return jsonResponse(queryTasks(await collector.getTaskExecutions(), parseQueryParams(url.searchParams)), jsonCacheHeaders);
 	if (pathname === "api/analytics/scheduled") {
 		const { getScheduledTasks } = await import("../core/task.mjs");
 		return jsonResponse(getScheduledTasks(), jsonCacheHeaders);
 	}
+	if (pathname === "api/analytics/stream") {
+		const stream = collector.sseHub.createStream();
+		return new Response(stream, { headers: {
+			"content-type": "text/event-stream",
+			"cache-control": "no-cache",
+			"connection": "keep-alive"
+		} });
+	}
+	if (pathname === "api/analytics/timeseries") {
+		const range = url.searchParams.get("range") || "1h";
+		return jsonResponse(collector.timeseries.query(range), jsonCacheHeaders);
+	}
+	if (pathname === "api/analytics/alerts") return jsonResponse({
+		history: collector.alertEngine?.getHistory() ?? [],
+		states: collector.alertEngine?.getStates() ?? {}
+	}, jsonCacheHeaders);
+	if (pathname === "api/analytics/cost") return jsonResponse(collector.costTracker.getSummary(), jsonCacheHeaders);
+	if (pathname.startsWith("api/analytics/traces/")) {
+		const traceId = decodeURIComponent(pathname.slice(21));
+		if (traceId) return jsonResponse((await collector.getRequests()).filter((r) => r.traceId === traceId), jsonCacheHeaders);
+	}
 	if (pathname.startsWith("api/analytics/requests/") && pathname.endsWith("/md")) {
-		const id = Number(pathname.slice(23, -3));
-		const entry = (await collector.getRequests()).find((r) => r.id === id);
+		const rawId = pathname.slice(23, -3);
+		const parsedId = Number(rawId);
+		const requestId = decodeURIComponent(rawId);
+		const entry = (await collector.getRequests()).find((r) => r.id === parsedId || r.requestId === requestId);
 		if (entry) return new Response(requestToMarkdown(entry), { headers: mdHeaders });
 		return new Response("not found", { status: 404 });
 	}
+	const requestDetail = parseAnalyticsDetailPath(pathname, "api/analytics/requests/");
+	if (requestDetail) {
+		const entry = (await collector.getRequests()).find((r) => r.id === requestDetail.id || r.requestId === requestDetail.rawId);
+		return entry ? jsonResponse(entry, jsonCacheHeaders) : new Response("not found", { status: 404 });
+	}
 	if (pathname.startsWith("api/analytics/errors/") && pathname.endsWith("/md")) {
-		const id = Number(pathname.slice(21, -3));
+		const rawId = pathname.slice(21, -3);
+		const id = Number(rawId);
 		const entry = (await collector.getErrors()).find((e) => e.id === id);
 		if (entry) return new Response(errorToMarkdown(entry), { headers: mdHeaders });
 		return new Response("not found", { status: 404 });
 	}
+	const errorDetail = parseAnalyticsDetailPath(pathname, "api/analytics/errors/");
+	if (errorDetail) {
+		const entry = (await collector.getErrors()).find((e) => e.id === errorDetail.id);
+		return entry ? jsonResponse(entry, jsonCacheHeaders) : new Response("not found", { status: 404 });
+	}
 	if (pathname === "api/analytics/errors/md") {
 		const errors = await collector.getErrors();
 		const md = errors.length === 0 ? "No errors.\n" : `# Errors (${errors.length})\n\n` + errors.map((e) => errorToMarkdown(e)).join("\n\n---\n\n");
 		return new Response(md, { headers: mdHeaders });
 	}
-	return new Response(dashboardHtml, { headers: { "content-type": "text/html" } });
+	return new Response(JSON.stringify({
+		code: "NOT_FOUND",
+		status: 404,
+		message: "Analytics route not found"
+	}), {
+		status: 404,
+		headers: jsonCacheHeaders
+	});
 }
 /**
 * Wrap a fetch handler with analytics collection.
@@ -749,14 +1124,18 @@ function wrapWithAnalytics(handler, options = {}) {
 		const qMark = url.indexOf("?", pathStart);
 		const fullPath = qMark === -1 ? url.slice(pathStart) : url.slice(pathStart, qMark);
 		const pathname = fullPath.length > 1 ? fullPath.slice(1) : "";
-		if (pathname.startsWith("api/analytics")) {
+		if (isAnalyticsPath(pathname)) {
 			if (auth) {
 				const authResult = checkAnalyticsAuth(request, auth);
 				if (!(authResult instanceof Promise ? await authResult : authResult)) return analyticsAuthResponse(pathname);
 			}
-			return serveAnalyticsRoute(pathname, collector, dashboardHtml);
+			return serveAnalyticsRoute(pathname, request, collector, dashboardHtml);
 		}
-		const acc = new RequestAccumulator(request, collector);
+		if (!isTrackedRequestPath(pathname) || collector.isIgnored(pathname)) return handler(request);
+		const incomingTraceId = request.headers.get("x-trace-id");
+		const parentRequestId = request.headers.get("x-parent-request-id");
+		const traceId = incomingTraceId || generateRequestId();
+		const acc = new RequestAccumulator(request, collector, traceId, parentRequestId ?? void 0);
 		const reqTrace = new RequestTrace();
 		const t0 = performance.now();
 		analyticsTraceMap.set(request, reqTrace);
@@ -764,15 +1143,37 @@ function wrapWithAnalytics(handler, options = {}) {
 		try {
 			response = await handler(request);
 			const durationMs = round(performance.now() - t0);
+			const captured = await captureResponseBody(response);
+			const procedureInput = reqTrace.procedureInput ?? null;
+			const procedureOutput = reqTrace.procedureOutput ?? captured.output;
+			const procedureSpans = reqTrace.spans ?? [];
 			collector.record(pathname, durationMs);
 			acc.addProcedure({
 				procedure: pathname,
 				durationMs,
 				status: response.status,
-				input: null,
-				output: null,
-				spans: reqTrace.spans ?? []
+				input: procedureInput,
+				output: procedureOutput,
+				spans: procedureSpans,
+				error: captured.error
 			});
+			if (response.status >= 400) {
+				const { code, message } = extractResponseError(procedureOutput, response.status, captured.error);
+				collector.recordError(pathname, durationMs, message);
+				collector.recordDetailedError({
+					requestId: acc.requestId,
+					timestamp: Date.now(),
+					procedure: pathname,
+					error: message,
+					code,
+					status: response.status,
+					stack: "",
+					input: procedureInput,
+					headers: sanitizeHeaders(request.headers),
+					durationMs,
+					spans: procedureSpans
+				});
+			}
 		} catch (error) {
 			const durationMs = round(performance.now() - t0);
 			const errorMsg = error instanceof Error ? error.message : String(error);
@@ -799,6 +1200,7 @@ function wrapWithAnalytics(handler, options = {}) {
 		}
 		const headers = new Headers(response.headers);
 		headers.set("x-request-id", acc.requestId);
+		headers.set("x-trace-id", traceId);
 		const cookie = acc.getSessionCookie();
 		if (cookie) headers.append("set-cookie", cookie);
 		const injected = new Response(response.body, {