feat(telemetry): add build-time option to compile out telemetry #1845
Merged
TaylorMutch merged 2 commits on Jun 9, 2026
Gate anonymous telemetry emission behind a default-on `telemetry` Cargo feature in openshell-core. The data model (enums, validation, emit_*/enabled* signatures) stays always-compiled, while the endpoint, HTTP client, queue, and emission code are feature-gated. With the feature off, enabled() returns false and emit_* are no-ops, so dependent crates compile unchanged and no telemetry endpoint, HTTP client, or emission code is included in the binary.

chrono and reqwest become optional dependencies of openshell-core, dropped from its dependency graph when telemetry is disabled.

Thread the switch through the workspace: every crate depends on openshell-core with default-features = false, and the default-on `telemetry` passthrough lives on the binary crates that emit or collect telemetry (openshell-server, openshell-sandbox, openshell-driver-vm). In-process drivers inherit it via resolver v2 feature unification.

Build a telemetry-free binary with, e.g.:

    cargo build --release -p openshell-server --no-default-features

The runtime OPENSHELL_TELEMETRY_ENABLED switch is unchanged for default builds.

Signed-off-by: Russell Bryant <russell.bryant@gmail.com>

Add tasks/scripts/verify-telemetry-compiled-out.sh, which inspects a built binary for telemetry markers (the telemetry endpoint host and client ID) that exist only when emission code is compiled in.

The rust:verify:telemetry-off mise task builds the gateway with default features (positive control: markers must be present, so the absent checks can never be silently vacuous) and with --no-default-features (markers must be absent), and checks the --no-default-features sandbox binary as well.

Wire the task into the Rust branch-checks job so a regression that reintroduces telemetry code into a --no-default-features build fails CI.

Signed-off-by: Russell Bryant <russell.bryant@gmail.com>

Collaborator
/ok to test 3869cec

Summary

OpenShell collects anonymous telemetry by default and already supports turning it off at runtime via `OPENSHELL_TELEMETRY_ENABLED=false`. That runtime switch is enough for most users, but privacy-sensitive operators often need a stronger guarantee than a runtime flag they have to trust, set correctly, and keep set. For them, the goal isn't "telemetry disabled," it's "telemetry not present": no endpoint baked into the binary, no HTTP client, nothing to misconfigure, re-enable, or audit at runtime.

This PR adds a default-on `telemetry` Cargo feature so telemetry can be compiled out entirely. Building with `--no-default-features` produces binaries that contain no telemetry endpoint, no telemetry HTTP client, and no emission code — provable, build-time absence rather than runtime suppression. On-by-default behavior and the runtime switch are unchanged for everyone else.

Related Issue

None — no tracking issue exists for this. Happy to file one if preferred.

Changes

- `openshell-core`: new default-on `telemetry` feature. `chrono` and `reqwest` are now `optional` and gated behind it. In `telemetry.rs`, the data model (enums, validation, `emit_*`/`enabled*` signatures) stays always-compiled, while the endpoint, HTTP client, queue, and emission code are `#[cfg(feature = "telemetry")]`. With the feature off, `enabled()` returns `false` and `emit_*` are no-ops, so dependent crates compile unchanged.
- `openshell-core` with `default-features = false`; the default-on `telemetry` passthrough lives on the binary crates that emit/collect — `openshell-server` (gateway), `openshell-sandbox`, `openshell-driver-vm`. In-process drivers (docker/k8s/podman) inherit telemetry via resolver-v2 feature unification and carry no passthrough. The CLI calls no telemetry APIs and stays telemetry-free.
- `tasks/scripts/verify-telemetry-compiled-out.sh` + `rust:verify:telemetry-off` mise task inspect built binaries for telemetry markers (endpoint host + client ID). Wired into the `branch-checks` Rust job: the default gateway must contain the markers (positive control); `--no-default-features` gateway and sandbox must not.
- `architecture/build.md`.

Testing

- `mise run pre-commit` passes
- `disabled_tests` (telemetry-off no-op behavior) in `openshell-core`; gated the telemetry-on sandbox collection test

Additional verification:

- `cargo test -p openshell-core --no-default-features`: 156 pass; compiles both ways (gateway, sandbox, driver-vm)
- `clippy --workspace --all-targets` and `--no-default-features`: clean
- `mise run rust:verify:telemetry-off`: confirms endpoint URL + client ID present in default gateway, absent in `--no-default-features` gateway/sandbox

Checklist
architecture/build.md)
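
The positive-control marker check this PR describes, sketched as an added example (not the project's `verify-telemetry-compiled-out.sh`, which this page does not show). The marker strings and the function names `has_marker`, `check_binary` and `verify_pair` are placeholders chosen here.

```shell
#!/bin/sh
# Added illustration; not the project's verify-telemetry-compiled-out.sh.
# Marker values are placeholders: the real endpoint host and client ID are
# not shown on this page. Markers are space-separated and contain no spaces.
MARKERS="${MARKERS:-telemetry.example.invalid PLACEHOLDER-CLIENT-ID}"

# has_marker FILE STRING: true if STRING occurs anywhere in FILE's bytes.
# -a scans the binary as text, -F disables regex, -q suppresses output.
has_marker() {
    LC_ALL=C grep -a -F -q -e "$2" "$1"
}

# check_binary FILE present|absent
#   present: every marker must be found (positive control)
#   absent:  no marker may be found
# Returns 0 on success, 1 on a marker mismatch, 2 if FILE is unreadable.
check_binary() {
    file=$1 expect=$2 rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for m in $MARKERS; do
        if has_marker "$file" "$m"; then found=yes; else found=no; fi
        case "$expect:$found" in
            present:no) echo "FAIL: $file lacks marker $m" >&2; rc=1 ;;
            absent:yes) echo "FAIL: $file contains marker $m" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# verify_pair DEFAULT_BUILD NO_DEFAULT_FEATURES_BUILD
# The positive control runs first: if the markers are not even in the
# default build, the marker list is stale and an "absent" result would be
# vacuous, so that case fails with its own exit code (3).
verify_pair() {
    check_binary "$1" present || { echo "positive control failed" >&2; return 3; }
    check_binary "$2" absent
}
```

A string scan only shows that those literal bytes are missing from the file; a packed or compressed binary would have to be unpacked before the check means anything.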