Skip to content

Remove app_usage telemetry entirely#366

Open
TeoSlayer wants to merge 3 commits into
mainfrom
fix/consent-truth
Open

Remove app_usage telemetry entirely#366
TeoSlayer wants to merge 3 commits into
mainfrom
fix/consent-truth

Conversation

@TeoSlayer

Copy link
Copy Markdown
Collaborator

Per product decision (2026-07-10): what an agent calls in the app store is nobody's business. The app_usage telemetry event is removed from the wire entirely — not consent-gated, not URL-gated, just gone.

What was happening

Two sites emitted app_usage (payload: app ID + method name):

  • cmd/pilotctl/appstore.go — after a successful pilotctl appstore call.
  • cmd/daemon/appstore_adapter.go — the daemon's app-store adapter, on every network app invocation. This one was gated only by -telemetry-url, so consent.telemetry=false did not stop it (surfaced by the website claim audit).

Change

  • Remove the CLI emission block.
  • Remove telemetryEmitter and pass a nil Telemetry emitter to the appstore service (documented no-op in app-store@v1.0.2).
  • Drop the now-unused telemetryURL/identityPath/getNodeID fields from the adapter construction in main.go.

The other three app-store events (catalogue_viewed, appstore_view, app_installed) are unchanged and remain consent-gated.

Verification

  • GOWORK=off go build ./cmd/daemon/ ./cmd/pilotctl/ — clean.
  • GOWORK=off go vet — clean (no unused imports).
  • GOWORK=off go test ./cmd/pilotctl/... ./pkg/telemetry/... — pass.
  • grep -rn app_usage cmd/ pkg/ — only an explanatory comment remains.

Note: builds require GOWORK=off in this checkout — the repo-local go.work overlays a stale app-store checkout missing CataloguePublisher (pre-existing, unrelated to this change).

🤖 Generated with Claude Code

teovl and others added 3 commits July 10, 2026 15:38
What an agent calls in the app store is nobody's business. Previously a
successful 'pilotctl appstore call' (CLI) and every network app invocation
(daemon appstore adapter) emitted an app_usage telemetry event carrying the
app ID and method name. Both emission sites are removed:

- cmd/pilotctl/appstore.go: drop the post-call telemetry send.
- cmd/daemon/appstore_adapter.go: remove telemetryEmitter; the appstore
  service now runs with a nil Telemetry emitter (documented no-op).
- cmd/daemon/main.go: drop the now-unused telemetryURL/identityPath/getNodeID
  wiring from the adapter literal.

app_usage is gone from the wire — no consent flag, no -telemetry-url can
re-enable it. catalogue_viewed / appstore_view / app_installed events are
unchanged and remain consent-gated.

Verified with GOWORK=off (repo go.work overlays a stale app-store checkout,
pre-existing breakage): go build + go vet clean, cmd/pilotctl + pkg/telemetry
tests pass.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
'disabled' should mean nothing of ours is left on disk, not merely 'stop
future ticks'. set-mode disabled now runs Uninstall after persisting the
mode, deleting the files the injector wrote (skills, markers, helpers) and
stripping our marker block from shared files — matching what
'skills disable all' does. JSON output gains a 'removed' count.

Uses the existing skillinject.Uninstall API (v0.2.3); no dependency bump.
Verified with GOWORK=off (repo go.work overlays stale sibling checkouts,
pre-existing breakage): go build + go vet ./cmd/pilotctl clean, cmd/pilotctl
tests pass.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
govulncheck flags GO-2026-5856 (crypto/tls Encrypted Client Hello privacy
leak), fixed in the standard library at go1.25.12. CI installs the toolchain
via go-version-file: go.mod, so bumping the go directive pulls in the fixed
stdlib and clears the vuln repo-wide. Build verified under go1.25.12.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants