Co-authored-by: Kristiyan Ivanov <k.ivanow@gmail.com>
Thank you for your contribution! Before we can merge this PR, you need to sign our Contributor License Agreement. To sign, please comment below with:
I have read the CLA Document and I hereby sign the CLA
1 out of 2 committers have signed the CLA.
| const licenseService = this.licenseService as { getLicenseKey?: () => string } | undefined; | ||
| if (typeof licenseService?.getLicenseKey !== 'function') return undefined; | ||
| try { | ||
| return licenseService.getLicenseKey(); |
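Review bot: the cast on the first line types the accessor as `() => string`, so at `return licenseService.getLicenseKey();` a `null` or other non-string value passes through unchecked, and the full key is returned as-is. Declare the return type as `string | null | undefined`, return the value only when `typeof key === 'string'`, and consider returning a truncated form if the caller only needs something to correlate events.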
It might be a good idea to send a partial license key - the first / last 10 characters, for example - if it is considered private data.
I think we are fine for now. The licenses are not identifiable information in the public sense. We can strip it when we improve the telemetry. For now I just want a more accurate tying of the license to the events. The licenses are also free, so even if PostHog has a leak, it won't compromise the user's usage. It is something to revisit once payments are set up in the future.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit aefddb5.
| } catch { | ||
| return undefined; | ||
| } | ||
| } |
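Review bot: the bare `catch {` that returns `undefined` discards the error, so an accessor that throws is indistinguishable from a missing key. Keep the best-effort return, but record the failure at debug level, without the key value, so a broken license module is visible somewhere.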
Type cast masks null return, leaking null as undefined
Low Severity
The getLicenseKeySafely method's type assertion for licenseService.getLicenseKey() doesn't account for null. This leads to null being returned by getLicenseKeySafely for community-tier users, despite its string | undefined return type. Consequently, telemetry payloads send "licenseKey": null instead of omitting the field as undefined would.


Summary
Added license key to the posthog metrics for tracking
Changes
Checklist
roborev review --branch or /roborev-review-branch in Claude Code (internal)
Note
Medium Risk
Telemetry now emits license keys, which is sensitive metadata and may have privacy/compliance implications if not properly handled downstream. Logic changes are small and guarded, but any misconfiguration could leak identifiers to analytics.
Overview
Usage telemetry now attaches a licenseKey property to PostHog identify and all captured events, using a defensive getLicenseKeySafely() helper so telemetry remains best-effort even when the license module/version doesn't expose the key. LicenseService exposes a new getLicenseKey() accessor, and the migration validation e2e tests now skip when licensing is enforced via either 402 or 403 responses.
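
The two points raised in the review thread (send only part of the key, and keep `null` out of the payload) combined in one helper. This is an added example, not code from this PR. `LicenseLike`, `telemetryLicenseId`, `withLicense` and the rule for short keys are assumptions; the 10-character window follows the reviewer's suggestion.

```typescript
// Added illustration, not the project's code. All names are hypothetical.
type LicenseLike =
  | { getLicenseKey?: () => string | null | undefined }
  | null
  | undefined;

const VISIBLE = 10; // characters kept at each end, per the review suggestion

// Returns a partial key (head + "..." + tail), or undefined when no usable
// key exists. Never returns null and never throws.
function telemetryLicenseId(service: LicenseLike): string | undefined {
  if (typeof service?.getLicenseKey !== 'function') return undefined;
  let raw: unknown;
  try {
    raw = service.getLicenseKey();
  } catch {
    return undefined; // telemetry stays best-effort
  }
  if (typeof raw !== 'string') return undefined; // covers null and undefined
  const key = raw.trim();
  // Assumption: a key too short to leave a hidden middle would be disclosed
  // in full by head + tail, so it is withheld instead.
  if (key.length <= VISIBLE * 2) return undefined;
  return `${key.slice(0, VISIBLE)}...${key.slice(-VISIBLE)}`;
}

// Builds event properties, omitting licenseKey entirely when there is none,
// so the serialized payload never carries "licenseKey": null.
function withLicense(
  props: Record<string, unknown>,
  service: LicenseLike,
): Record<string, unknown> {
  const id = telemetryLicenseId(service);
  return id === undefined ? { ...props } : { ...props, licenseKey: id };
}
```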