Some checks failed
Auto-update PR branches / Update open PR branches (push) Has been cancelled
CI / Frontend Static Quality Checks (push) Has been cancelled
CI / Frontend Tests & Coverage (push) Has been cancelled
CI / Rust Tests & Quality Checks (push) Has been cancelled
CI / Linux build verification (push) Has been cancelled
Release (Alpha) / Compute alpha version (push) Has been cancelled
Release (Alpha) / Build release artifacts (push) Has been cancelled
Release (Alpha) / GitHub Release (alpha) (push) Has been cancelled
Release (Alpha) / Update docs and release pages (push) Has been cancelled
Deploy docs / Build VitePress site (push) Has been cancelled
Deploy docs / Deploy to GitHub Pages (push) Has been cancelled
1.8 KiB
1.8 KiB
type, id, title, status, date
| type | id | title | status | date |
|---|---|---|---|---|
| ADR | 0016 | Sentry crash reporting + PostHog analytics with consent | active | 2026-03-25 |
Context
As Laputa approaches public release, crash reports and usage analytics are needed to identify bugs and understand feature adoption. However, as a personal knowledge management app that handles sensitive data, user privacy is paramount. Any telemetry must be opt-in with clear consent.
Decision
Integrate Sentry for crash reporting and PostHog for product analytics, both gated behind an explicit consent dialog on first launch. Users can toggle each independently in Settings. No telemetry is sent without affirmative consent.
Options considered
- Option A (chosen): Sentry + PostHog with consent dialog — industry-standard tools, separate crash/analytics toggles, privacy-respecting opt-in. Downside: two external dependencies, two services to manage.
- Option B: Self-hosted error tracking — full data control. Downside: operational burden, limited analytics features.
- Option C: No telemetry — simplest, most private. Downside: blind to crashes and usage patterns, harder to prioritize features.
Consequences
TelemetryConsentDialogshows on first launch with accept/decline buttons.- Accepting generates an
anonymous_id(no PII) and setstelemetry_consent: truein settings. useTelemetryhook reactively initializes/tears down Sentry and PostHog based on settings.- Both frontend (
src/lib/telemetry.ts) and Rust backend (src-tauri/src/telemetry.rs) have path scrubbers inbeforeSendhooks to strip vault paths. - DSN/keys come from
VITE_SENTRY_DSN/VITE_POSTHOG_KEYenv vars. reinit_telemetryTauri command toggles Rust-side Sentry at runtime.- Re-evaluation trigger: if a unified telemetry platform (e.g., OpenTelemetry) could replace both services.