webspresso 0.0.51 → 0.0.53

package/README.md

@@ -1164,9 +1164,13 @@ const User = defineModel({
     timestamps: true,     // Auto-manage created_at/updated_at
     tenant: 'tenant_id',  // Multi-tenant column (optional)
   },
+
+  hidden: ['password_hash', 'api_token'],  // Never expose in API/templates (security)
 });
 ```
 
+**Hidden columns:** Add column names to `hidden` so they are never exposed in admin API responses, exports, or when passing to templates. Use for sensitive data like `password_hash`, `api_token`, `secret_key`. The admin panel will exclude these from list views and forms automatically.
+
 ### Auto-Loading Models
 
 Models are automatically loaded from the `models/` directory when you create a database instance:

package/core/orm/index.js

@@ -13,6 +13,7 @@ const { createMigrationManager } = require('./migrations');
 const { createSeeder } = require('./seeder');
 const { createScopeContext } = require('./scopes');
 const { ModelEvents, Hooks, HookCancellationError, createEventContext } = require('./events');
+const { omitHiddenColumns, sanitizeForOutput } = require('./utils');
 
 /**
  * Create a database instance
@@ -272,6 +273,9 @@ module.exports = {
   // Column utilities
   extractColumnsFromSchema,
   getColumnMeta,
+  // Output sanitization (exclude hidden columns from API/templates)
+  omitHiddenColumns,
+  sanitizeForOutput,
   // Events/Signals
   ModelEvents,
   Hooks,

package/core/orm/model.js

@@ -28,6 +28,7 @@ function defineModel(options) {
     scopes = {},
     admin = {},
     hooks = {},
+    hidden = [],
   } = options;
 
   // Validate required fields
@@ -88,6 +89,7 @@ function defineModel(options) {
       customFields: admin.customFields || {},
       queries: admin.queries || {},
     },
+    hidden: Array.isArray(hidden) ? hidden : [],
     hooks: {},
   };
 

package/core/orm/types.js

@@ -147,6 +147,7 @@
  * @property {RelationsMap} [relations={}] - Relation definitions
  * @property {ScopeOptions} [scopes={}] - Scope options
  * @property {AdminMetadata} [admin] - Admin panel metadata
+ * @property {string[]} [hidden=[]] - Column names to never expose in API/templates (e.g. password_hash, api_token)
  */
 
 /**
@@ -159,6 +160,7 @@
  * @property {ScopeOptions} scopes - Scope options
  * @property {Map<string, ColumnMeta>} columns - Parsed column metadata
  * @property {AdminMetadata} [admin] - Admin panel metadata
+ * @property {string[]} hidden - Column names never exposed in API/templates
  */
 
 // ============================================================================

package/core/orm/utils.js

@@ -114,9 +114,37 @@ function deepClone(obj) {
   return cloned;
 }
 
+/**
+ * Remove hidden columns from a record for safe API/template output
+ * @param {Object} record - Record from database
+ * @param {import('./types').ModelDefinition} model - Model definition with hidden columns
+ * @returns {Object} Record without hidden columns
+ */
+function omitHiddenColumns(record, model) {
+  if (!record) return record;
+  if (!model?.hidden?.length) return record;
+  return omit(record, model.hidden);
+}
+
+/**
+ * Remove hidden columns from records (array or single) for safe output
+ * @param {Object|Object[]} records - Record(s) from database
+ * @param {import('./types').ModelDefinition} model - Model definition
+ * @returns {Object|Object[]} Sanitized record(s)
+ */
+function sanitizeForOutput(records, model) {
+  if (!model?.hidden?.length) return records;
+  if (Array.isArray(records)) {
+    return records.map((r) => omit(r, model.hidden));
+  }
+  return omit(records, model.hidden);
+}
+
 module.exports = {
   pick,
   omit,
+  omitHiddenColumns,
+  sanitizeForOutput,
   formatDateForDb,
   generateMigrationTimestamp,
   snakeToCamel,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "webspresso",
-  "version": "0.0.51",
+  "version": "0.0.53",
   "description": "Minimal, production-ready SSR framework for Node.js with file-based routing, Nunjucks templating, built-in i18n, and CLI tooling",
   "main": "index.js",
   "bin": {

package/plugins/admin-panel/admin-user-model.js

@@ -33,6 +33,7 @@ function createAdminUserModel() {
     scopes: {
       timestamps: true,
     },
+    hidden: ['password'], // Never expose in API/templates
   });
 }
 

package/plugins/admin-panel/api.js

@@ -5,6 +5,7 @@
  */
 
 const { getAllModels, getModel } = require('../../core/orm/model');
+const { sanitizeForOutput } = require('../../core/orm/utils');
 const { checkAdminExists, setupAdmin, login, logout, requireAuth } = require('./auth');
 
 /**
@@ -198,9 +199,11 @@ function createApiHandlers(options) {
         return res.status(403).json({ error: 'Model not enabled in admin panel' });
       }
 
-      // Build column metadata
+      // Build column metadata (hidden columns excluded from list/forms for security)
+      const hiddenSet = new Set(model.hidden || []);
       const columns = [];
       for (const [name, meta] of model.columns) {
+        const isHidden = hiddenSet.has(name);
         columns.push({
           name,
           type: meta.type,
@@ -214,7 +217,8 @@ function createApiHandlers(options) {
           autoIncrement: meta.autoIncrement || false,
           customField: model.admin.customFields?.[name] || null,
           validations: meta.validations || null,
-          ui: meta.ui || null,
+          ui: meta.ui ? { ...meta.ui, hidden: isHidden || meta.ui.hidden } : (isHidden ? { hidden: true } : null),
+          hidden: isHidden, // Excluded from list display and API responses
         });
       }
 
@@ -394,7 +398,7 @@ function createApiHandlers(options) {
       const records = await query.list();
 
       res.json({
-        data: records,
+        data: sanitizeForOutput(records, model),
         pagination: {
           page,
           perPage,
@@ -426,7 +430,7 @@ function createApiHandlers(options) {
         return res.status(404).json({ error: 'Record not found' });
       }
 
-      res.json({ data: record });
+      res.json({ data: sanitizeForOutput(record, model) });
     } catch (error) {
       res.status(500).json({ error: error.message });
     }
@@ -459,7 +463,7 @@ function createApiHandlers(options) {
       const repo = db.getRepository(model.name);
       const record = await repo.create(req.body);
 
-      res.status(201).json({ data: record });
+      res.status(201).json({ data: sanitizeForOutput(record, model) });
     } catch (error) {
       res.status(400).json({ error: error.message });
     }
@@ -496,7 +500,7 @@ function createApiHandlers(options) {
         return res.status(404).json({ error: 'Record not found' });
       }
 
-      res.json({ data: record });
+      res.json({ data: sanitizeForOutput(record, model) });
     } catch (error) {
       res.status(400).json({ error: error.message });
     }
@@ -550,7 +554,7 @@ function createApiHandlers(options) {
         return res.status(404).json({ error: 'Record not found in trash' });
       }
 
-      res.json({ success: true, data: record });
+      res.json({ success: true, data: sanitizeForOutput(record, model) });
     } catch (error) {
       res.status(500).json({ error: error.message });
     }
@@ -579,7 +583,7 @@ function createApiHandlers(options) {
       // Get all related records (for dropdown/select)
       const records = await relatedRepo.findAll();
 
-      res.json({ data: records });
+      res.json({ data: sanitizeForOutput(records, relatedModel) });
     } catch (error) {
       res.status(500).json({ error: error.message });
     }

package/plugins/admin-panel/components.js

@@ -1484,12 +1484,15 @@ const BulkFieldUpdateDropdown = {
 // Get columns to display in table (limit to reasonable number)
 function getDisplayColumns(columns) {
   if (!columns || columns.length === 0) return [];
-  
+
+  // Filter out hidden columns (password_hash, api_token, etc.)
+  const visible = [...columns].filter((col) => !col.hidden);
+
   // Prioritize: id, name/title, then others (excluding long text/json fields)
   const priority = ['id', 'name', 'title', 'email', 'slug', 'status', 'published', 'created_at'];
   const exclude = ['password', 'content', 'body', 'description']; // Usually too long
-  
-  const sorted = [...columns].sort((a, b) => {
+
+  const sorted = visible.sort((a, b) => {
     const aIdx = priority.indexOf(a.name);
     const bIdx = priority.indexOf(b.name);
     if (aIdx !== -1 && bIdx !== -1) return aIdx - bIdx;

package/plugins/admin-panel/core/api-extensions.js

@@ -4,6 +4,8 @@
  * @module plugins/admin-panel/core/api-extensions
  */
 
+const { sanitizeForOutput } = require('../../../core/orm/utils');
+
 /**
  * Build query with filters applied
  * @param {Object} repo - Repository instance
@@ -573,8 +575,9 @@ function createExtensionApiHandlers(options) {
       }
 
       if (format === 'csv') {
-        // CSV export
-        const columns = Array.from(model.columns.keys());
+        // CSV export (exclude hidden columns)
+        const hiddenSet = new Set(model.hidden || []);
+        const columns = Array.from(model.columns.keys()).filter((c) => !hiddenSet.has(c));
         const header = columns.join(',');
         const rows = records.map(record => {
           return columns.map(col => {
@@ -595,8 +598,8 @@ function createExtensionApiHandlers(options) {
         res.setHeader('Content-Disposition', `attachment; filename="${modelName}_export.csv"`);
         res.json({ data: csvContent, format: 'csv' });
       } else {
-        // JSON export
-        res.json({ data: records, model: modelName, exportedAt: new Date().toISOString() });
+        // JSON export (exclude hidden columns)
+        res.json({ data: sanitizeForOutput(records, model), model: modelName, exportedAt: new Date().toISOString() });
       }
     } catch (error) {
       console.error('Export error:', error);

package/plugins/site-analytics/admin-component.js

@@ -218,6 +218,7 @@ var AnalyticsPage = {
       analyticsApi('top-pages', days),
       analyticsApi('bot-activity', days),
       analyticsApi('countries', days),
+      analyticsApi('client-errors', days),
       analyticsApi('recent', days),
     ]).then(function(results) {
       vnode.state.stats = results[0];
@@ -225,7 +226,8 @@ var AnalyticsPage = {
       vnode.state.topPages = results[2];
       vnode.state.botActivity = results[3];
       vnode.state.countries = results[4];
-      vnode.state.recent = results[5];
+      vnode.state.clientErrors = results[5];
+      vnode.state.recent = results[6];
       vnode.state.loading = false;
 
       if (chartInstance) {
@@ -384,6 +386,33 @@ var AnalyticsPage = {
             ]),
           ]),
 
+          // Client Errors
+          m('div.bg-white.rounded-lg.shadow.mb-6', [
+            m('div.px-5.py-4.border-b.border-gray-100.flex.items-center.justify-between', [
+              m('h3.text-sm.font-semibold.text-gray-900.flex.items-center.gap-2', [
+                m('span', '⚠️'),
+                'Client Errors',
+              ]),
+              m('span.text-xs.text-gray-400', 'Last ' + s.days + ' days'),
+            ]),
+            m('div.p-4.max-h-64.overflow-y-auto', [
+              !s.clientErrors || s.clientErrors.length === 0
+                ? m('p.text-gray-400.text-sm.text-center.py-6', 'No client errors')
+                : s.clientErrors.slice(0, 15).map(function(err) {
+                    return m('div.border-b.border-gray-50.pb-3.mb-3.last:border-0.last:mb-0.last:pb-0', [
+                      m('div.flex.items-start.gap-2', [
+                        m('span.text-xs.px-1.5.py-0.5.rounded.bg-red-100.text-red-700', err.error_type || 'error'),
+                        m('span.text-xs.text-gray-500', relativeTime(err.created_at)),
+                      ]),
+                      m('p.text-sm.text-gray-800.font-mono.break-all.mt-1', {
+                        title: err.stack || err.message,
+                      }, (err.message || '').slice(0, 120) + (err.message && err.message.length > 120 ? '…' : '')),
+                      err.path && m('p.text-xs.text-gray-500.mt-0.5', err.path),
+                    ]);
+                  }),
+            ]),
+          ]),
+
           // Country Stats
           m('div.bg-white.rounded-lg.shadow.mb-6', [
             m('div.px-5.py-4.border-b.border-gray-100.flex.items-center.justify-between', [

package/plugins/site-analytics/api-handlers.js

@@ -11,7 +11,11 @@
  * @param {string} [options.tableName='analytics_page_views']
  */
 function createAnalyticsApiHandlers(options) {
-  const { knex, tableName = 'analytics_page_views' } = options;
+  const {
+    knex,
+    tableName = 'analytics_page_views',
+    errorsTableName = 'analytics_client_errors',
+  } = options;
 
   function parseDays(req) {
     const days = parseInt(req.query.days) || 30;
@@ -208,6 +212,32 @@ function createAnalyticsApiHandlers(options) {
     }
   }
 
+  /**
+   * GET /client-errors - Recent client-side JS errors
+   */
+  async function getClientErrors(req, res) {
+    try {
+      const days = parseDays(req);
+      const since = sinceDate(days);
+      const limit = Math.min(parseInt(req.query.limit) || 50, 200);
+
+      const hasTable = await knex.schema.hasTable(errorsTableName);
+      if (!hasTable) {
+        return res.json([]);
+      }
+
+      const rows = await knex(errorsTableName)
+        .select('id', 'error_type', 'message', 'stack', 'path', 'created_at')
+        .where('created_at', '>=', since)
+        .orderBy('created_at', 'desc')
+        .limit(limit);
+
+      res.json(rows);
+    } catch (e) {
+      res.status(500).json({ error: e.message });
+    }
+  }
+
   /**
    * GET /recent - Recent page views
    */
@@ -233,6 +263,7 @@ function createAnalyticsApiHandlers(options) {
     getTopPages,
     getBotActivity,
     getCountries,
+    getClientErrors,
     getRecent,
   };
 }

package/plugins/site-analytics/client-error-handler.js

@@ -0,0 +1,84 @@
+/**
+ * Client Error Report Handler
+ * Receives error reports from browser and stores in DB
+ * @module plugins/site-analytics/client-error-handler
+ */
+
+const DEFAULT_TABLE = 'analytics_client_errors';
+
+/**
+ * Create the client errors table
+ */
+async function ensureErrorsTable(knex, tableName = DEFAULT_TABLE) {
+  const exists = await knex.schema.hasTable(tableName);
+  if (!exists) {
+    await knex.schema.createTable(tableName, (table) => {
+      table.bigIncrements('id').primary();
+      table.string('error_type', 50).index(); // 'error' | 'unhandledrejection'
+      table.string('message', 500).index();
+      table.text('stack');
+      table.string('path', 500).index();
+      table.string('referrer', 500);
+      table.text('user_agent');
+      table.string('source', 500); // script url
+      table.integer('line');
+      table.integer('column');
+      table.timestamp('created_at').defaultTo(knex.fn.now()).index();
+    });
+  }
+}
+
+/**
+ * Create error report handler
+ * @param {Object} options
+ * @param {Object} options.knex - Knex instance
+ * @param {string} [options.tableName='analytics_client_errors']
+ */
+function createErrorReportHandler(options) {
+  const { knex, tableName = DEFAULT_TABLE } = options;
+  let tableReady = false;
+
+  return async function errorReportHandler(req, res) {
+    if (req.method !== 'POST') {
+      return res.status(405).json({ error: 'Method not allowed' });
+    }
+
+    try {
+      if (!tableReady) {
+        await ensureErrorsTable(knex, tableName);
+        tableReady = true;
+      }
+
+      const body = req.body || {};
+      const { type, message, stack, path, referrer, userAgent, source, line, column } = body;
+
+      if (!message && !stack) {
+        return res.status(400).json({ error: 'message or stack required' });
+      }
+
+      await knex(tableName).insert({
+        error_type: type || 'error',
+        message: String(message || '').slice(0, 500),
+        stack: stack ? String(stack).slice(0, 5000) : null,
+        path: path ? String(path).slice(0, 500) : null,
+        referrer: referrer ? String(referrer).slice(0, 500) : null,
+        user_agent: userAgent ? String(userAgent).slice(0, 1000) : null,
+        source: source ? String(source).slice(0, 500) : null,
+        line: line != null ? parseInt(line) : null,
+        column: column != null ? parseInt(column) : null,
+        created_at: knex.fn.now(),
+      });
+
+      res.status(202).json({ ok: true });
+    } catch (e) {
+      console.error('[site-analytics] Client error report failed:', e.message);
+      res.status(500).json({ error: 'Report failed' });
+    }
+  };
+}
+
+module.exports = {
+  createErrorReportHandler,
+  ensureErrorsTable,
+  DEFAULT_TABLE,
+};

package/plugins/site-analytics/client-error-tracker.js

@@ -0,0 +1,69 @@
+/**
+ * Client Error Tracker
+ * Generates inline script to catch JS errors and unhandled rejections, reports to backend
+ * @module plugins/site-analytics/client-error-tracker
+ */
+
+/**
+ * Generate client-side error tracking script
+ * @param {Object} options
+ * @param {string} [options.endpoint='/_analytics/report-error'] - POST endpoint for error reports
+ * @returns {string} Inline script content
+ */
+function generateErrorTrackerScript(options = {}) {
+  const endpoint = options.endpoint || '/_analytics/report-error';
+
+  return `
+(function() {
+  var endpoint = ${JSON.stringify(endpoint)};
+  var reported = {};
+  var MAX_STACK = 2000;
+
+  function report(type, message, stack, extra) {
+    var key = type + ':' + (message || '').slice(0, 100);
+    if (reported[key]) return;
+    reported[key] = true;
+
+    var payload = {
+      type: type,
+      message: String(message || 'Unknown error').slice(0, 500),
+      stack: stack ? String(stack).slice(0, MAX_STACK) : null,
+      path: window.location.pathname || '/',
+      referrer: document.referrer || null,
+      userAgent: navigator.userAgent || null
+    };
+    if (extra) {
+      for (var k in extra) payload[k] = extra[k];
+    }
+
+    try {
+      fetch(endpoint, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(payload),
+        keepalive: true
+      }).catch(function(){});
+    } catch (e) {}
+  }
+
+  window.onerror = function(msg, url, line, col, err) {
+    report('error', err ? err.message : msg, err ? err.stack : null, { line: line, column: col, source: url });
+    return false;
+  };
+
+  window.addEventListener('unhandledrejection', function(e) {
+    var msg = e.reason;
+    var stack = null;
+    if (msg && typeof msg === 'object') {
+      stack = msg.stack;
+      msg = msg.message || String(msg);
+    } else {
+      msg = String(msg);
+    }
+    report('unhandledrejection', msg, stack);
+  });
+})();
+`.trim();
+}
+
+module.exports = { generateErrorTrackerScript };

package/plugins/site-analytics/index.js

@@ -7,6 +7,8 @@
 const { createTrackingMiddleware } = require('./tracking');
 const { createAnalyticsApiHandlers } = require('./api-handlers');
 const { generateAnalyticsComponent } = require('./admin-component');
+const { generateErrorTrackerScript } = require('./client-error-tracker');
+const { createErrorReportHandler } = require('./client-error-handler');
 
 /**
  * Site Analytics Plugin Factory
@@ -15,6 +17,10 @@ const { generateAnalyticsComponent } = require('./admin-component');
  * @param {string[]} [options.excludePaths=[]] - Extra paths to exclude from tracking
  * @param {boolean} [options.trackBots=true] - Record bot visits (still counted separately)
  * @param {string} [options.tableName='analytics_page_views'] - DB table name
+ * @param {number} [options.batchSize=20] - Flush page view queue when it reaches this size
+ * @param {number} [options.flushIntervalMs=3000] - Flush interval for low traffic
+ * @param {boolean} [options.trackClientErrors=true] - Capture and report client-side JS errors
+ * @param {string} [options.errorsTableName='analytics_client_errors'] - Client errors table
  * @returns {Object} Plugin definition
  */
 function siteAnalyticsPlugin(options = {}) {
@@ -23,6 +29,8 @@ function siteAnalyticsPlugin(options = {}) {
     excludePaths = [],
     trackBots = true,
     tableName = 'analytics_page_views',
+    trackClientErrors = true,
+    errorsTableName = 'analytics_client_errors',
   } = options;
 
   if (!db) {
@@ -48,9 +56,20 @@ function siteAnalyticsPlugin(options = {}) {
         excludePaths,
         trackBots,
         tableName,
+        batchSize: options.batchSize ?? 20,
+        flushIntervalMs: options.flushIntervalMs ?? 3000,
       });
 
       ctx.app.use(trackingMiddleware);
+
+      // Client error tracking: public POST endpoint + inject script
+      if (trackClientErrors) {
+        const errorHandler = createErrorReportHandler({ knex, tableName: errorsTableName });
+        ctx.addRoute('post', '/_analytics/report-error', errorHandler);
+
+        const script = generateErrorTrackerScript({ endpoint: '/_analytics/report-error' });
+        ctx.injectBody(`<script>${script}</script>`, { id: 'site-analytics-error-tracker', priority: 5 });
+      }
     },
 
     onRoutesReady(ctx) {
@@ -61,7 +80,11 @@ function siteAnalyticsPlugin(options = {}) {
       }
 
       const knex = db.knex || db;
-      const handlers = createAnalyticsApiHandlers({ knex, tableName });
+      const handlers = createAnalyticsApiHandlers({
+        knex,
+        tableName,
+        errorsTableName,
+      });
 
       adminApi.registerModule({
         id: 'analytics',
@@ -90,6 +113,7 @@ function siteAnalyticsPlugin(options = {}) {
             { method: 'get', path: '/top-pages', handler: handlers.getTopPages },
             { method: 'get', path: '/bot-activity', handler: handlers.getBotActivity },
             { method: 'get', path: '/countries', handler: handlers.getCountries },
+            { method: 'get', path: '/client-errors', handler: handlers.getClientErrors },
             { method: 'get', path: '/recent', handler: handlers.getRecent },
           ],
         },

package/plugins/site-analytics/tracking.js

@@ -36,6 +36,8 @@ function getClientIp(req) {
  * @param {string[]} [options.excludePaths] - Paths to exclude from tracking
  * @param {boolean} [options.trackBots=true] - Whether to record bot visits
  * @param {string} [options.tableName='analytics_page_views'] - DB table name
+ * @param {number} [options.batchSize=20] - Flush when queue reaches this size
+ * @param {number} [options.flushIntervalMs=3000] - Flush interval for low traffic
  */
 function createTrackingMiddleware(options) {
   const {
@@ -43,10 +45,14 @@ function createTrackingMiddleware(options) {
     excludePaths = [],
     trackBots = true,
     tableName = 'analytics_page_views',
+    batchSize = 20,
+    flushIntervalMs = 3000,
   } = options;
 
   const allExcludes = [...DEFAULT_EXCLUDE, ...excludePaths];
   let tableReady = false;
+  const queue = [];
+  let flushScheduled = false;
 
   async function ensureTable() {
     if (tableReady) return;
@@ -101,6 +107,37 @@ function createTrackingMiddleware(options) {
     return sessionId;
   }
 
+  async function flushQueue() {
+    if (queue.length === 0) return;
+    const batch = queue.splice(0, queue.length);
+
+    try {
+      await ensureTable();
+      for (const row of batch) {
+        row.created_at = knex.fn.now();
+      }
+      await knex(tableName).insert(batch);
+    } catch (e) {
+      console.error('[site-analytics] Batch insert failed:', e.message);
+      // Re-queue failed items (optional - could drop to avoid loops)
+      queue.unshift(...batch);
+    }
+  }
+
+  function scheduleFlush() {
+    if (flushScheduled || queue.length === 0) return;
+    flushScheduled = true;
+    setTimeout(() => {
+      flushScheduled = false;
+      flushQueue().catch(() => {});
+    }, flushIntervalMs);
+  }
+
+  // Periodic flush (catches low-traffic case)
+  setInterval(() => {
+    if (queue.length > 0) flushQueue().catch(() => {});
+  }, flushIntervalMs).unref();
+
   return async function trackingMiddleware(req, res, next) {
     next();
 
@@ -111,8 +148,6 @@ function createTrackingMiddleware(options) {
     if (allExcludes.some(prefix => path.startsWith(prefix))) return;
 
     try {
-      await ensureTable();
-
       const userAgent = req.headers['user-agent'] || '';
       const ip = getClientIp(req);
       const { isBot, botName } = detectBot(userAgent);
@@ -125,7 +160,7 @@ function createTrackingMiddleware(options) {
       const country = detectCountry(req);
       const referrer = req.headers['referer'] || req.headers['referrer'] || null;
 
-      await knex(tableName).insert({
+      queue.push({
         session_id: sessionId,
         visitor_id: visitorId,
         path,
@@ -135,8 +170,13 @@ function createTrackingMiddleware(options) {
         country,
         is_bot: isBot,
         bot_name: botName,
-        created_at: knex.fn.now(),
       });
+
+      if (queue.length >= batchSize) {
+        flushQueue().catch(() => {});
+      } else {
+        scheduleFlush();
+      }
     } catch (e) {
       // Non-blocking: don't let tracking errors affect the app
     }