Telemetry¶
Bullpen CLI can send two kinds of telemetry from official release builds:
- Error telemetry for crashes and command failures.
- Usage telemetry for broad command lifecycle analytics.
Error telemetry is delivered through Sentry. Usage telemetry is delivered through PostHog when an official release build includes a PostHog publishable token.
Telemetry is best-effort. It never changes a command result, never writes to stdout or stderr, and never blocks trading.
Quick Summary¶
| Question | Answer |
|---|---|
| Can I turn it off? | Yes. Run bullpen config telemetry off, set BULLPEN_DISABLE_TELEMETRY=1, or set DO_NOT_TRACK=1. |
| Does Bullpen collect wallet addresses? | No. Addresses, transaction hashes, JWTs, provider URLs, order IDs, market IDs, amounts, prices, and raw command arguments are excluded or redacted. |
| Does usage telemetry run in local builds? | No. Debug builds, CI, and builds without a release PostHog token do not emit usage telemetry. |
| Does telemetry affect trading? | No. Events are queued after command output is rendered and sent best-effort. |
What We Collect¶
Error telemetry may include:
- CLI version, OS, architecture, and release environment.
- Error type and sanitized error context.
- Panic backtrace symbols when a panic occurs.
Usage telemetry may include:
- Command path, such as
polymarket.buyorhyperliquid.copy.start. - Output mode, such as table or JSON.
- Coarse execution mode, such as read, preview, live, or interactive.
- Exit class and coarse duration bucket.
- Coarse product area, such as onboarding, funding, wallet, trading, tracker, automation, diagnostics, or system.
Usage telemetry uses either the cached Bullpen app user ID for logged-in users or a random anonymous ID for logged-out users. The anonymous ID is not derived from a wallet, email, hostname, JWT, or device identifier.
What We Do Not Collect¶
Telemetry events do not include:
- Raw command arguments.
- Wallet, EVM, Solana, or Hyperliquid addresses.
- Market slugs, market titles, condition IDs, token IDs, order IDs, or transaction hashes.
- Amounts, prices, shares, balances, fills, or PnL.
- JWTs, API keys, signatures, seed phrases, private keys, or provider URLs.
- Usernames, emails, hostnames, local usernames, IP addresses, or raw terminal environment values.
- Raw error messages in usage analytics.
send_default_pii is disabled for error telemetry.
Opting Out¶
Both error telemetry and usage telemetry share one opt-out story. Any of the following disables all telemetry:
# Persisted config opt-out:
bullpen config telemetry off
# Re-enable:
bullpen config telemetry on
# Check status:
bullpen config telemetry status
There is no separate PostHog-specific opt-out variable. The single opt-out switch governs both telemetry streams.
Disabled Automatically¶
Telemetry is disabled automatically in:
- Debug builds, such as
cargo runor debugcargo install --pathbuilds. - Continuous integration environments.
- Builds without an embedded PostHog publishable token, for usage telemetry.
Details¶
Redaction patterns
Outgoing error events are scrubbed before delivery. Bullpen redacts common sensitive patterns, including:
| Pattern | Replacement |
|---|---|
0x + 64 hex chars |
0x<REDACTED_HASH> |
0x + 40 hex chars |
0x<REDACTED_EVM_ADDR> |
Bearer <token> |
Bearer <REDACTED> |
| JWT-shaped strings | <REDACTED_JWT> |
| Token-bearing RPC/API provider URLs | path and query collapsed |
Secret-named fields such as api_key, token, secret, signature, or authorization |
<redacted> |
Provider URL scrubbing covers common RPC and API providers such as Alchemy, Infura, QuickNode, Helius, Jupiter, Tenderly, Ankr, dRPC, BlockPi, GetBlock, Polygonscan, Etherscan, and similar endpoints.
Usage event fields
Usage analytics is built from a strict allowlist. Fields are coarse and low-cardinality:
| Field | Example |
|---|---|
command_path |
polymarket.buy |
session_id |
random UUID for one CLI process |
output_mode |
json or table |
stdout_is_tty |
true or false |
non_interactive |
true or false |
parent_process |
claude, cron, shell, node, python, or other |
terminal_client |
iterm, vscode, tmux, or other |
exit_class |
success, validation, auth, network, or internal |
duration_bucket |
a coarse duration range |
cli_version, os, arch |
release and platform metadata |
product_surface, product_area, product_action |
broad workflow taxonomy |
execution_mode |
read, preview, live_or_prompt, configure, manage, or interactive |
Delivery model
Usage telemetry is queued locally under ~/.bullpen/analytics/ after command
output or error text is rendered. The queue is bounded by byte and event
count limits and flushes best-effort over HTTPS on this or a later command.
Flush attempts are cadence-limited, batch-limited, time-boxed, and backed off after HTTP failures or timeouts. A telemetry outage cannot make order submission or another CLI command unusable.
Reporting A Privacy Issue¶
If you find an unredacted secret or address in a telemetry event you forwarded to us, file a private security report through Responsible Disclosure. Do not paste the leaked content into a public issue.