Skip to content

Telemetry

Bullpen CLI can send two kinds of telemetry from official release builds:

  • Error telemetry for crashes and command failures.
  • Usage telemetry for broad command lifecycle analytics.

Error telemetry is delivered through Sentry. Usage telemetry is delivered through PostHog when an official release build includes a PostHog publishable token.

Telemetry is best-effort. It never changes a command result, never writes to stdout or stderr, and never blocks trading.

Quick Summary

Question Answer
Can I turn it off? Yes. Run bullpen config telemetry off, set BULLPEN_DISABLE_TELEMETRY=1, or set DO_NOT_TRACK=1.
Does Bullpen collect wallet addresses? No. Addresses, transaction hashes, JWTs, provider URLs, order IDs, market IDs, amounts, prices, and raw command arguments are excluded or redacted.
Does usage telemetry run in local builds? No. Debug builds, CI, and builds without a release PostHog token do not emit usage telemetry.
Does telemetry affect trading? No. Events are queued after command output is rendered and sent best-effort.

What We Collect

Error telemetry may include:

  • CLI version, OS, architecture, and release environment.
  • Error type and sanitized error context.
  • Panic backtrace symbols when a panic occurs.

Usage telemetry may include:

  • Command path, such as polymarket.buy or hyperliquid.copy.start.
  • Output mode, such as table or JSON.
  • Coarse execution mode, such as read, preview, live, or interactive.
  • Exit class and coarse duration bucket.
  • Coarse product area, such as onboarding, funding, wallet, trading, tracker, automation, diagnostics, or system.

Usage telemetry uses either the cached Bullpen app user ID for logged-in users or a random anonymous ID for logged-out users. The anonymous ID is not derived from a wallet, email, hostname, JWT, or device identifier.

What We Do Not Collect

Telemetry events do not include:

  • Raw command arguments.
  • Wallet, EVM, Solana, or Hyperliquid addresses.
  • Market slugs, market titles, condition IDs, token IDs, order IDs, or transaction hashes.
  • Amounts, prices, shares, balances, fills, or PnL.
  • JWTs, API keys, signatures, seed phrases, private keys, or provider URLs.
  • Usernames, emails, hostnames, local usernames, IP addresses, or raw terminal environment values.
  • Raw error messages in usage analytics.

send_default_pii is disabled for error telemetry.

Opting Out

Both error telemetry and usage telemetry share one opt-out story. Any of the following disables all telemetry:

# Persisted config opt-out:
bullpen config telemetry off

# Re-enable:
bullpen config telemetry on

# Check status:
bullpen config telemetry status
export BULLPEN_DISABLE_TELEMETRY=1
export DO_NOT_TRACK=1

There is no separate PostHog-specific opt-out variable. The single opt-out switch governs both telemetry streams.

Disabled Automatically

Telemetry is disabled automatically in:

  • Debug builds, such as cargo run or debug cargo install --path builds.
  • Continuous integration environments.
  • Builds without an embedded PostHog publishable token, for usage telemetry.

Details

Redaction patterns

Outgoing error events are scrubbed before delivery. Bullpen redacts common sensitive patterns, including:

Pattern Replacement
0x + 64 hex chars 0x<REDACTED_HASH>
0x + 40 hex chars 0x<REDACTED_EVM_ADDR>
Bearer <token> Bearer <REDACTED>
JWT-shaped strings <REDACTED_JWT>
Token-bearing RPC/API provider URLs path and query collapsed
Secret-named fields such as api_key, token, secret, signature, or authorization <redacted>

Provider URL scrubbing covers common RPC and API providers such as Alchemy, Infura, QuickNode, Helius, Jupiter, Tenderly, Ankr, dRPC, BlockPi, GetBlock, Polygonscan, Etherscan, and similar endpoints.

Usage event fields

Usage analytics is built from a strict allowlist. Fields are coarse and low-cardinality:

Field Example
command_path polymarket.buy
session_id random UUID for one CLI process
output_mode json or table
stdout_is_tty true or false
non_interactive true or false
parent_process claude, cron, shell, node, python, or other
terminal_client iterm, vscode, tmux, or other
exit_class success, validation, auth, network, or internal
duration_bucket a coarse duration range
cli_version, os, arch release and platform metadata
product_surface, product_area, product_action broad workflow taxonomy
execution_mode read, preview, live_or_prompt, configure, manage, or interactive
Delivery model

Usage telemetry is queued locally under ~/.bullpen/analytics/ after command output or error text is rendered. The queue is bounded by byte and event count limits and flushes best-effort over HTTPS on this or a later command.

Flush attempts are cadence-limited, batch-limited, time-boxed, and backed off after HTTP failures or timeouts. A telemetry outage cannot make order submission or another CLI command unusable.

Reporting A Privacy Issue

If you find an unredacted secret or address in a telemetry event you forwarded to us, file a private security report through Responsible Disclosure. Do not paste the leaked content into a public issue.