guanghu/docs/adr/0016-sentry-posthog-telemetry.md
Guanghu Domestic Migration 9b41d51231
Some checks are pending
Auto-update PR branches / Update open PR branches (push) Waiting to run
CI / Frontend Static Quality Checks (push) Waiting to run
CI / Frontend Tests & Coverage (push) Waiting to run
CI / Rust Tests & Quality Checks (push) Waiting to run
CI / Linux build verification (push) Waiting to run
Deploy docs / Build VitePress site (push) Waiting to run
Deploy docs / Deploy to GitHub Pages (push) Blocked by required conditions
Release (Alpha) / Compute alpha version (push) Waiting to run
Release (Alpha) / Build release artifacts (push) Blocked by required conditions
Release (Alpha) / GitHub Release (alpha) (push) Blocked by required conditions
Release (Alpha) / Update docs and release pages (push) Blocked by required conditions
chore: import sanitized domestic snapshot for REPO-004
Source snapshot: 514ab1975951d94342ea38e64101d5a0f1c51c77
2026-07-17 15:55:28 +08:00

1.8 KiB

type, id, title, status, date
type id title status date
ADR 0016 Sentry crash reporting + PostHog analytics with consent active 2026-03-25

Context

As Laputa approaches public release, crash reports and usage analytics are needed to identify bugs and understand feature adoption. However, as a personal knowledge management app that handles sensitive data, user privacy is paramount. Any telemetry must be opt-in with clear consent.

Decision

Integrate Sentry for crash reporting and PostHog for product analytics, both gated behind an explicit consent dialog on first launch. Users can toggle each independently in Settings. No telemetry is sent without affirmative consent.

Options considered

  • Option A (chosen): Sentry + PostHog with consent dialog — industry-standard tools, separate crash/analytics toggles, privacy-respecting opt-in. Downside: two external dependencies, two services to manage.
  • Option B: Self-hosted error tracking — full data control. Downside: operational burden, limited analytics features.
  • Option C: No telemetry — simplest, most private. Downside: blind to crashes and usage patterns, harder to prioritize features.

Consequences

  • TelemetryConsentDialog shows on first launch with accept/decline buttons.
  • Accepting generates an anonymous_id (no PII) and sets telemetry_consent: true in settings.
  • useTelemetry hook reactively initializes/tears down Sentry and PostHog based on settings.
  • Both frontend (src/lib/telemetry.ts) and Rust backend (src-tauri/src/telemetry.rs) have path scrubbers in beforeSend hooks to strip vault paths.
  • DSN/keys come from VITE_SENTRY_DSN / VITE_POSTHOG_KEY env vars.
  • reinit_telemetry Tauri command toggles Rust-side Sentry at runtime.
  • Re-evaluation trigger: if a unified telemetry platform (e.g., OpenTelemetry) could replace both services.