Some checks are pending
Auto-update PR branches / Update open PR branches (push) Waiting to run
CI / Frontend Static Quality Checks (push) Waiting to run
CI / Frontend Tests & Coverage (push) Waiting to run
CI / Rust Tests & Quality Checks (push) Waiting to run
CI / Linux build verification (push) Waiting to run
Deploy docs / Build VitePress site (push) Waiting to run
Deploy docs / Deploy to GitHub Pages (push) Blocked by required conditions
Release (Alpha) / Compute alpha version (push) Waiting to run
Release (Alpha) / Build release artifacts (push) Blocked by required conditions
Release (Alpha) / GitHub Release (alpha) (push) Blocked by required conditions
Release (Alpha) / Update docs and release pages (push) Blocked by required conditions
Source snapshot: 514ab1975951d94342ea38e64101d5a0f1c51c77
1.8 KiB
1.8 KiB
type, id, title, status, date
| type | id | title | status | date |
|---|---|---|---|---|
| ADR | 0016 | Sentry crash reporting + PostHog analytics with consent | active | 2026-03-25 |
Context
As Laputa approaches public release, crash reports and usage analytics are needed to identify bugs and understand feature adoption. However, as a personal knowledge management app that handles sensitive data, user privacy is paramount. Any telemetry must be opt-in with clear consent.
Decision
Integrate Sentry for crash reporting and PostHog for product analytics, both gated behind an explicit consent dialog on first launch. Users can toggle each independently in Settings. No telemetry is sent without affirmative consent.
Options considered
- Option A (chosen): Sentry + PostHog with consent dialog — industry-standard tools, separate crash/analytics toggles, privacy-respecting opt-in. Downside: two external dependencies, two services to manage.
- Option B: Self-hosted error tracking — full data control. Downside: operational burden, limited analytics features.
- Option C: No telemetry — simplest, most private. Downside: blind to crashes and usage patterns, harder to prioritize features.
Consequences
TelemetryConsentDialogshows on first launch with accept/decline buttons.- Accepting generates an
anonymous_id(no PII) and setstelemetry_consent: truein settings. useTelemetryhook reactively initializes/tears down Sentry and PostHog based on settings.- Both frontend (
src/lib/telemetry.ts) and Rust backend (src-tauri/src/telemetry.rs) have path scrubbers inbeforeSendhooks to strip vault paths. - DSN/keys come from
VITE_SENTRY_DSN/VITE_POSTHOG_KEYenv vars. reinit_telemetryTauri command toggles Rust-side Sentry at runtime.- Re-evaluation trigger: if a unified telemetry platform (e.g., OpenTelemetry) could replace both services.