feat: anonymous usage analytics + fix all code scanning alerts

[WellDunDun]

Summary

• Add fire-and-forget anonymous telemetry (selftune telemetry command, opt-out via env or config)
• Fix incomplete regex sanitization in llm-call.ts (high severity CodeQL alert)
• Pin all Docker base images to SHA256 digests (9 medium severity alerts)
• Pin all curl-piped Bun installs to bun-v1.3.10 (medium severity alerts)

Telemetry endpoint (telemetry.selftune.dev) is being deployed separately via selftune-cloud-app. Until live, trackEvent silently fails (fire-and-forget design).

Test plan

• bun test tests/analytics/ — 17 tests pass (privacy, opt-out, fire-and-forget)
• CI lint + test pass
• Verify CodeQL alerts resolve on next scan after merge
• selftune telemetry status shows correct state
• selftune telemetry disable / enable toggles config

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@WellDunDun has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 49 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4ce74c41-a89e-4c89-8f90-7ef4c028bf6b

📥 Commits

Reviewing files that changed from the base of the PR and between cb3fdf8 and 60f7b3f.

📒 Files selected for processing (4)

• cli/selftune/analytics.ts
• skill/SKILL.md
• skill/Workflows/Telemetry.md
• tests/analytics/analytics.test.ts

📝 Walkthrough

Walkthrough

Adds a privacy-preserving, opt-outable analytics subsystem and CLI telemetry command, integrates disclosure notices into init flow, extends config types, strengthens markdown fence escaping, pins Node/Bun images by digest/version, and bumps package version to 0.2.3.

Changes

Cohort / File(s)	Summary
Analytics module & tests cli/selftune/analytics.ts, tests/analytics/analytics.test.ts	New analytics implementation: anonymous ID generation/storage, cached config with analytics_disabled, env/CI gating (SELFTUNE_NO_ANALYTICS), buildEvent/trackEvent (fire-and-forget POST, 3s timeout, errors swallowed), CLI subcommands (status/enable/disable). Comprehensive tests validate behavior and PII exclusion. Review for filesystem error paths and test isolation.
CLI integration cli/selftune/index.ts, cli/selftune/init.ts	Adds telemetry command and lazy-loads analytics; emits TELEMETRY_NOTICE at two init points. Check lazy-import safety and CLI help output.
Config types cli/selftune/types.ts	Adds optional analytics_disabled?: boolean to SelftuneConfig. Confirm downstream config reads/writes handle the new field.
Utility tweak cli/selftune/utils/llm-call.ts	Improves escaping when building closing-markdown-fence regex to cover more metacharacters. Verify no unintended regex behavior regressions.
Devcontainer & sandbox Dockerfiles .devcontainer/Dockerfile, tests/sandbox/docker/Dockerfile, tests/sandbox/docker/Dockerfile.openclaw	Pin Node base images by digest and pin Bun installer to bun-v1.3.10. Validate digest correctness and build reproducibility.
Docs & metadata README.md, skill/SKILL.md, skill/Workflows/Telemetry.md, package.json	Adds telemetry CLI docs and Telemetry workflow doc; bumps package version 0.2.2 → 0.2.3. Confirm documentation wording matches implementation.

Sequence Diagram(s)

sequenceDiagram
    participant CLI as CLI Command
    participant Analytics as Analytics Module
    participant FS as Local Config/FS
    participant Endpoint as Telemetry Endpoint

    CLI->>Analytics: trackEvent(eventName, props)
    Analytics->>FS: isAnalyticsEnabled() (env/config/CI)
    FS-->>Analytics: enabled / disabled

    alt enabled
        Analytics->>Analytics: buildEvent(eventName, props)<br/>(anonymous_id, os, arch, versions)
        Analytics->>Endpoint: POST /v1/events (async, 3s timeout, fire-and-forget)
        Endpoint-->>Analytics: response (ignored)
    else disabled
        Analytics-->>CLI: return immediately (no network)
    end

    Analytics-->>CLI: return void (non-blocking)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: sandbox test harness, multi-agent expansion plan, and project roadmap #17 — Changes to Dockerfiles and Bun installer flags that overlap with pinned base-image digests and explicit Bun version used in this PR.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 69.23% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title follows conventional commits format (feat:) and accurately describes the two main changes: anonymous usage analytics feature and code scanning alert fixes.
Description check	✅ Passed	Description is directly related to the changeset, detailing the telemetry feature, security fixes, and test plan that correspond to the actual changes in the PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/analytics-and-security-fixes

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.devcontainer/Dockerfile:
- Line 34: Replace the POSIX /bin/sh usage for the RUN lines that start with
"set -euo pipefail && curl -fsSL https://bun.sh/install | bash -s ..." by
executing the command under bash explicitly (e.g., invoke /bin/bash -lc 'set
-euo pipefail && curl -fsSL https://bun.sh/install | bash -s "bun-v1.3.10"' ),
and apply the same change to the second identical RUN occurrence; this ensures
pipefail is supported by running the install line under bash instead of the
default dash shell.

In `@cli/selftune/analytics.ts`:
- Around line 80-84: getAnonymousId currently derives an identifier from
hostname and username (via cachedAnonymousId), which is reversible; change it to
generate a cryptographically-random, non-PII identifier and persist it so it’s
stable across runs: update getAnonymousId to first try reading a persisted
anonymous id from the app's config/storage, return cachedAnonymousId if set,
otherwise generate a random id (e.g., crypto.randomBytes), store it in the
config and set cachedAnonymousId, and then return it; reference the existing
cachedAnonymousId and getAnonymousId symbols when making this change so you
replace the hostname/username derivation with secure random generation +
persistence.

In `@cli/selftune/index.ts`:
- Line 25: Add the new telemetry CLI command to all required docs: update
README.md Commands table to include a row "selftune telemetry | Manage anonymous
usage analytics", add a Quick Reference entry in skill/SKILL.md like "selftune
telemetry [status|enable|disable]", update the Workflow Routing section in
skill/SKILL.md to include trigger keywords (e.g., "telemetry, analytics, disable
analytics, opt out") and link those triggers to a new
skill/Workflows/Telemetry.md, and create skill/Workflows/Telemetry.md describing
when agents should invoke the telemetry command, expected inputs
(status/enable/disable), sample invocations, and any routing notes so the
implementations in analytics.ts and the wiring in index.ts are discoverable and
routable.

In `@tests/analytics/analytics.test.ts`:
- Around line 166-218: The test suite is nondeterministic because trackEvent's
enablement reads cached loadConfig() from the user's real home; to fix, isolate
config/home before importing the analytics module: in
tests/analytics/analytics.test.ts ensure you set a temporary HOME (or CI config
path env) and/or mock loadConfig() to return analytics_enabled before
requiring/importing the module that exports trackEvent, then import trackEvent
(or require the analytics module) after that setup so the module-level cache
uses the isolated config; update setup/teardown to restore original env and
clear module cache (e.g., delete require.cache for the analytics module) so
other tests remain unaffected.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: cc18a84c-6606-495d-ba51-ad657b30adaa

📥 Commits

Reviewing files that changed from the base of the PR and between eedba09 and 0b886b3.

📒 Files selected for processing (10)

• .devcontainer/Dockerfile
• cli/selftune/analytics.ts
• cli/selftune/index.ts
• cli/selftune/init.ts
• cli/selftune/types.ts
• cli/selftune/utils/llm-call.ts
• package.json
• tests/analytics/analytics.test.ts
• tests/sandbox/docker/Dockerfile
• tests/sandbox/docker/Dockerfile.openclaw

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Required command-surface docs =="
for f in "README.md" "AGENTS.md" "skill/SKILL.md"; do
  if [ -f "$f" ]; then
    echo "--- $f"
    rg -n "selftune telemetry|telemetry" "$f" || true
  else
    echo "--- MISSING: $f"
  fi
done

echo
echo "== Workflow docs mentioning telemetry (if present) =="
if [ -d "skill/Workflows" ]; then
  fd -HI '\.md$' skill/Workflows --exec rg -n "selftune telemetry|SELFTUNE_NO_ANALYTICS|analytics" {}
else
  echo "skill/Workflows directory not found"
fi

Repository: selftune-dev/selftune

Length of output: 442

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check the relevant lines in index.ts
echo "=== Lines 20-30 (around line 25) ==="
sed -n '20,30p' cli/selftune/index.ts | cat -n

echo
echo "=== Lines 52-62 (around line 57) ==="
sed -n '52,62p' cli/selftune/index.ts | cat -n

echo
echo "=== Lines 466-480 (around line 471) ==="
sed -n '466,480p' cli/selftune/index.ts | cat -n

echo
echo "=== Checking full file size ==="
wc -l cli/selftune/index.ts

Repository: selftune-dev/selftune

Length of output: 2175

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== README.md: Commands section ==="
if grep -n "^| \`selftune" README.md >/dev/null 2>&1; then
  sed -n '/^## Commands/,/^##/p' README.md | head -40
else
  echo "Looking for Commands table..."
  rg -A 30 "Commands" README.md | head -50
fi

echo
echo "=== AGENTS.md: project tree / command list ==="
rg -A 25 "project tree|selftune [a-z]" AGENTS.md | head -50

echo
echo "=== skill/SKILL.md: Quick Reference section ==="
if [ -f "skill/SKILL.md" ]; then
  rg -A 30 "Quick Reference|Commands" skill/SKILL.md | head -50
else
  echo "skill/SKILL.md not found"
fi

echo
echo "=== Check if analytics.js exists ==="
fd -t f analytics.js cli/selftune/

Repository: selftune-dev/selftune

Length of output: 6345

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking if telemetry/analytics is mentioned anywhere else ==="
rg -l "telemetry|analytics" skill/ --type md || true

echo
echo "=== Looking at existing Workflow docs as template ==="
ls -1 skill/Workflows/*.md | head -5 | xargs -I {} bash -c "echo '=== {} ===' && head -10 {}"

echo
echo "=== Check if analytics.js referenced anywhere ==="
rg "analytics\.js|analytics\.ts" cli/

Repository: selftune-dev/selftune

Length of output: 2763

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Check if analytics.ts or analytics.js exists ==="
find cli/selftune -name "*analytic*" -o -name "*telemetry*"

echo
echo "=== Check init.ts for TELEMETRY_NOTICE import ==="
rg -B 2 -A 2 "TELEMETRY_NOTICE" cli/selftune/init.ts

echo
echo "=== List all files in cli/selftune/ ==="
ls -1 cli/selftune/*.ts | head -20

Repository: selftune-dev/selftune

Length of output: 1059

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Check analytics.ts for cliMain export ==="
head -50 cli/selftune/analytics.ts

echo
echo "=== Search for status/enable/disable commands in analytics.ts ==="
rg "case|enable|disable|status" cli/selftune/analytics.ts | head -20

echo
echo "=== Check if Telemetry.md or Analytics.md workflow exists ==="
ls -1 skill/Workflows/ | grep -i "telemetry\|analytic" || echo "No Telemetry/Analytics workflow doc found"

echo
echo "=== Check Workflows.md for telemetry routing ==="
rg "telemetry|analytics" skill/Workflows/Workflows.md || echo "Not found in Workflows.md"

Repository: selftune-dev/selftune

Length of output: 3364

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Check skill/SKILL.md for any telemetry routing ==="
rg -i "telemetry|analytics" skill/SKILL.md

echo
echo "=== Check if there's a Workflow Routing table in SKILL.md ==="
rg -B 2 -A 15 "Workflow.*Routing|Routing.*[Tt]able" skill/SKILL.md | head -50

echo
echo "=== Full list of workflow docs ==="
ls -1 skill/Workflows/*.md | sed 's|.*/||' | sort

Repository: selftune-dev/selftune

Length of output: 2080

---

Add telemetry command to all required documentation.

The telemetry command (status, enable, disable) is implemented in analytics.ts and wired into index.ts, but is missing from:

• README.md Commands table — Add row for selftune telemetry | Manage anonymous usage analytics
• skill/SKILL.md Quick Reference — Add entry: selftune telemetry [status|enable|disable]
• skill/SKILL.md Workflow Routing — Add trigger keywords (e.g., "telemetry, analytics, disable analytics, opt out") and link to new Workflows/Telemetry.md
• skill/Workflows/Telemetry.md — Create workflow doc explaining when/how agents invoke this command

Per coding guidelines: CLI command additions must be reflected in these four documentation surfaces so agents can discover and route to the feature.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cli/selftune/index.ts` at line 25, Add the new telemetry CLI command to all
required docs: update README.md Commands table to include a row "selftune
telemetry | Manage anonymous usage analytics", add a Quick Reference entry in
skill/SKILL.md like "selftune telemetry [status|enable|disable]", update the
Workflow Routing section in skill/SKILL.md to include trigger keywords (e.g.,
"telemetry, analytics, disable analytics, opt out") and link those triggers to a
new skill/Workflows/Telemetry.md, and create skill/Workflows/Telemetry.md
describing when agents should invoke the telemetry command, expected inputs
(status/enable/disable), sample invocations, and any routing notes so the
implementations in analytics.ts and the wiring in index.ts are discoverable and
routable.

[coderabbitai]

Actionable comments posted: 5

♻️ Duplicate comments (1)

tests/analytics/analytics.test.ts (1)

3-10: ⚠️ Potential issue | 🟠 Major

Tests are still environment-coupled via early module import.

Because analytics is imported at Lines 3-10 before setup runs, config-path resolution can still reflect real user home/config. resetAnalyticsState() clears caches, but it does not isolate filesystem inputs, so Line 135 can fail nondeterministically on machines with analytics_disabled: true.

As per coding guidelines tests/**/*.ts: "Isolated tests with proper setup/teardown".

Also applies to: 18-24, 132-136

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/analytics/analytics.test.ts` around lines 3 - 10, The tests import
analytics at module scope which causes real-home/config resolution; to fix, stop
importing Analytics statically and instead dynamic-import it after test setup so
filesystem/env can be isolated: in your test setup (beforeEach) call
jest.resetModules(), set up a temp HOME/XDG_CONFIG_HOME or mock fs, then do
const { getAnonymousId, buildEvent, trackEvent, isAnalyticsEnabled,
resetAnalyticsState } = await import("../../cli/selftune/analytics.js"); ensure
resetAnalyticsState() is called between tests/after setting mocks so caches
clear; this removes early module-side config reads that made Line 135 flaky.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cli/selftune/analytics.ts`:
- Around line 220-227: The current fire-and-forget call in trackEvent can throw
synchronously if fetchFn throws before returning a Promise, bypassing the
.catch; wrap the invocation so synchronous throws are converted to a promise
rejection — e.g., call Promise.resolve().then(() => fetchFn(endpoint, { ... }))
and keep the existing .catch(...) handler (or perform a try/catch that then
returns a resolved Promise) to ensure trackEvent never throws; update the call
site where fetchFn is invoked in trackEvent to use this pattern and retain the
AbortSignal.timeout and JSON body logic.
- Around line 245-247: Wrap the filesystem operations that create the directory
and write the telemetry config (the block using mkdirSync(SELFTUNE_CONFIG_DIR,
...), writeFileSync(SELFTUNE_CONFIG_PATH, ...), and invalidateConfigCache()) in
a try/catch inside the enable and disable telemetry handlers; on catch log an
agent-actionable error (e.g., "Unable to save telemetry settings: check file
permissions or run with appropriate privileges") using the same CLI logger and
then call process.exit(1). Apply the same protection to the redundant write
block referenced around the other handler (the block at 273-283) so both
enable/disable flows behave consistently.

In `@skill/SKILL.md`:
- Line 106: The Resource Index is missing an entry for the new workflow file
referenced in the routing table; add a corresponding row in skill/SKILL.md’s
Resource Index table that registers Workflows/Telemetry.md (use the same
keywords/label used in the routing row: "telemetry, analytics, disable
analytics, opt out, usage data, tracking, privacy" and the display name
"Telemetry") so Workflows/Telemetry.md is discoverable and consistent with the
Workflow Routing entry.

In `@skill/Workflows/Telemetry.md`:
- Around line 38-43: The "What Is NOT Collected" section currently overstates
unlinkability; either remove linkable fields from telemetry payloads or update
the wording to accurately reflect that telemetry includes sent_at and
anonymous_id which can link events. Edit the "What Is NOT Collected" wording
(under the "What Is NOT Collected" header) to explicitly note that timestamps
(sent_at) and stable anonymous identifiers (anonymous_id) are collected and can
be used to correlate events, or implement changes to the telemetry payload to
drop those fields (sent_at / anonymous_id) if true unlinkability is required.
Ensure the change references the sent_at and anonymous_id symbols in the updated
text so consumers are aware.

In `@tests/analytics/analytics.test.ts`:
- Line 187: Replace the fragile fixed 50ms sleep and any micro-threshold
assertions in analytics.test.ts with a bounded polling helper that repeatedly
checks the expected state until success or a timeout; specifically remove uses
of await new Promise((r) => setTimeout(r, 50)) and instead call a reusable
wait/poll utility (e.g., waitFor, pollUntil, or a custom retryUntil) to assert
the immediate state and then poll until the condition is true (with a sensible
timeout and interval), and update the related assertions that relied on "<50ms"
timing to use the same polling helper; apply this change for the occurrences
around the current snippet and the other spots mentioned (lines near 212-213 and
253-255) and reference the test functions/assertions that currently use the
sleep and timing assertions when implementing the helper.

---

Duplicate comments:
In `@tests/analytics/analytics.test.ts`:
- Around line 3-10: The tests import analytics at module scope which causes
real-home/config resolution; to fix, stop importing Analytics statically and
instead dynamic-import it after test setup so filesystem/env can be isolated: in
your test setup (beforeEach) call jest.resetModules(), set up a temp
HOME/XDG_CONFIG_HOME or mock fs, then do const { getAnonymousId, buildEvent,
trackEvent, isAnalyticsEnabled, resetAnalyticsState } = await
import("../../cli/selftune/analytics.js"); ensure resetAnalyticsState() is
called between tests/after setting mocks so caches clear; this removes early
module-side config reads that made Line 135 flaky.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8a255c75-23e4-42d6-910d-579ac00286d6

📥 Commits

Reviewing files that changed from the base of the PR and between 0b886b3 and cb3fdf8.

📒 Files selected for processing (6)

• .devcontainer/Dockerfile
• README.md
• cli/selftune/analytics.ts
• skill/SKILL.md
• skill/Workflows/Telemetry.md
• tests/analytics/analytics.test.ts