▲ VH-001 · FOR THE VIBE CODER · REV 0.4.0 · CHAN 25 · LAT 25.03°N · LNG 121.56°E ▲ LAUNCH 2026-05-13 ▲
▲ POLICY · LAST UPDATED 2026-05-03

Privacy

What we collect, what we don't, how to turn it off.

01 · TL;DR

vibe-hardening runs on your machine. Your code, your secrets, your file paths, your repository names — none of those ever leave your laptop.

If — and only if — you say yes to the first-run prompt, the CLI sends a small anonymous event after each scan: which rule IDs fired, how long the scan took, the AI platform fingerprint it detected, your CLI version, and a randomly generated UUID. That's it.

You can turn it off any time. Setting DO_NOT_TRACK=1, CI=1, or running inside any CI environment also disables it automatically.

02 · What the CLI sends if you opt in

Every scan ships exactly these fields and nothing else:

  • anonymous_id — a random UUID v4 generated on first run. Stored locally; lets us de-duplicate the same machine without identifying you.
  • consent_version — schema version of the consent you gave. Currently 1. If we ever widen what we collect, we bump this and re-prompt.
  • vh_version — your CLI version (e.g. 0.3.0).
  • platform_fingerprint — the AI tool we detected, e.g. cursor, lovable, claude-code. Public labels only — we never send the file paths the detector matched against.
  • files_scanned — integer count of files the scanner looked at.
  • duration_ms — how long the scan took, in milliseconds.
  • score / grade — the 0–100 score and A–F letter the report computed.
  • rules_fired — a map of ruleId → trigger count, e.g. {"vh-secret-openai": 2}. Rule IDs are public identifiers from our open-source rules — they reveal nothing about your code beyond which rules matched.
  • os — darwin / linux / win32.
  • node_version — your Node version (e.g. v20.10.0).

03 · What we never send

The wire payload is a fixed schema. The CLI does not have code paths that send any of the following — and a regression test in the public repo asserts none of these strings can ever reach the wire:

  • Source code, snippets, or any string from your files.
  • Secrets, API keys, tokens, or anything detected by the secret-scanner.
  • File names, file paths, or directory names.
  • Repository names, git remote URLs, branch names.
  • Commit messages, author names, git config.
  • Your IP address (we use Cloudflare which does see the IP at the network layer, but we do not store, log, or correlate it with the event).
  • Email, name, GitHub username, or any account identifier.
  • Any environment variable beyond the opt-out controls listed below.

04 · How to turn it off

Three ways, ranked by reach:

  • vibe-hardening config set telemetry off — persists across runs.
  • VH_TELEMETRY=off env var — one-shot override; useful for VH_TELEMETRY=off npx vibe-hardening scan.
  • DO_NOT_TRACK=1 or CI=1 — universal opt-outs respected by many tools (yarn, pnpm, Gatsby). vibe-hardening honours either, even if your local config says telemetry is on.
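Sections 02 to 04 together describe three mechanisms: a closed allow-list of event fields, a regression test that the serialised payload carries none of the scan's sensitive strings, and an opt-out order in which DO_NOT_TRACK and CI beat the local config. The TypeScript below is an added example of that shape, written for this page; it is not the project's src/core/telemetry.ts, and every name in it (ScanResult, Runtime, buildEvent, findLeaks, telemetryEnabled, SAMPLE_SCAN, SAMPLE_RUNTIME) plus the sample scan data is an assumption constructed for illustration.

```typescript
// Added example, not the vibe-hardening project's own telemetry module.
// All names below (ScanResult, Runtime, buildEvent, findLeaks,
// telemetryEnabled, SAMPLE_SCAN, SAMPLE_RUNTIME) are assumptions.

// What the scanner knows at the end of a run, including material that must
// never leave the machine.
export interface ScanResult {
  filesScanned: number;
  durationMs: number;
  score: number;
  grade: "A" | "B" | "C" | "D" | "F";
  rulesFired: Record<string, number>;
  platform: { fingerprint: string; matchedPaths: string[] }; // public label + the paths the detector matched
  findings: { ruleId: string; file: string; secret: string }[];
  repo: { remoteUrl: string; branch: string };
}

// The wire schema as a closed type: a field that is not declared here has no
// path to the network, and adding one without declaring it fails compilation.
export interface TelemetryEvent {
  anonymous_id: string;
  consent_version: 1;
  vh_version: string;
  platform_fingerprint: string;
  files_scanned: number;
  duration_ms: number;
  score: number;
  grade: string;
  rules_fired: Record<string, number>;
  os: string;
  node_version: string;
}

export interface Runtime { anonymousId: string; vhVersion: string; os: string; nodeVersion: string }

// Copy field by field. Never spread the scan result into the event: a spread
// is exactly how an unrelated field (a path, a finding) ends up on the wire.
export function buildEvent(scan: ScanResult, rt: Runtime): TelemetryEvent {
  return {
    anonymous_id: rt.anonymousId,
    consent_version: 1,
    vh_version: rt.vhVersion,
    platform_fingerprint: scan.platform.fingerprint,
    files_scanned: scan.filesScanned,
    duration_ms: scan.durationMs,
    score: scan.score,
    grade: scan.grade,
    rules_fired: { ...scan.rulesFired },
    os: rt.os,
    node_version: rt.nodeVersion,
  };
}

// Leak guard in the spirit of a "NEVER includes PII" test: serialise the event
// exactly as it would be POSTed and search it for every sensitive string the
// scan produced. Returns the strings that leaked (empty array = clean).
export function findLeaks(event: TelemetryEvent, scan: ScanResult): string[] {
  const wire = JSON.stringify(event);
  const sensitive = [
    ...scan.platform.matchedPaths,
    ...scan.findings.flatMap((f) => [f.file, f.secret]),
    scan.repo.remoteUrl,
    scan.repo.branch,
  ];
  return sensitive.filter((s) => s.length > 0 && wire.includes(s));
}

// Opt-out precedence. `env` is passed in (the CLI would hand over process.env)
// so the rule order is testable without a shell. Universal opt-outs beat the
// local config; VH_TELEMETRY=off is a one-shot override; otherwise config decides.
export function telemetryEnabled(env: Record<string, string | undefined>, configOn: boolean): boolean {
  if (env.DO_NOT_TRACK === "1") return false;
  if (env.CI === "1" || env.CI === "true") return false; // CI detection simplified here (assumption)
  if (env.VH_TELEMETRY === "off") return false;
  return configOn;
}

// Constructed sample scan: the secret, paths and remote are fake demo values.
export const SAMPLE_SCAN: ScanResult = {
  filesScanned: 412,
  durationMs: 2870,
  score: 74,
  grade: "C",
  rulesFired: { "vh-secret-openai": 2, "vh-cors-wildcard": 1 },
  platform: { fingerprint: "cursor", matchedPaths: ["/home/dev/app/.cursor/rules"] },
  findings: [{ ruleId: "vh-secret-openai", file: "/home/dev/app/.env", secret: "sk-CONSTRUCTED-NOT-A-REAL-KEY" }],
  repo: { remoteUrl: "git@github.com:example-org/app.git", branch: "feature/rotate-keys" },
};

export const SAMPLE_RUNTIME: Runtime = {
  anonymousId: "3f1c2a9e-7b4d-4c8e-9a1f-0d2e5b6c7a8b", // constructed UUID
  vhVersion: "0.3.0",
  os: "darwin",
  nodeVersion: "v20.10.0",
};
```

The point of `findLeaks` is that it checks the serialised bytes, not the object: whatever a future refactor does to `buildEvent`, a test that feeds it a scan full of known sensitive strings and asserts an empty leak list catches the regression before release. Run `telemetryEnabled(process.env, config.telemetry)` once per invocation, before any event is even built.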

05 · How it's stored

Events are POSTed to a Cloudflare Worker which writes them to a managed database (Supabase or D1). We're a one-person indie team — no Mixpanel, no Segment, no Amplitude, no Google Analytics, no marketing pixels.

We don't sell, share, or licence the data. The only people who look at it are us, when we're deciding which rules need work.

Retention: 12 months. Aggregate rule-fire counts may be kept longer for trend analysis, but rows that contain anonymous_id are dropped after 12 months.

06 · Why we do this

vibe-hardening is a free MIT CLI shipped via npm. We don't see who installs it. We don't see customer support tickets. We don't do sales calls.

Without a small amount of telemetry, the first 1,500 installs after launch are a black box. We can't tell which rules fire most (so we should deepen them) versus which ones never fire (so we should rebuild or remove them). We can't tell which AI platform users care about most. We can't tell whether scans take 3 seconds or 30.

Telemetry is the difference between "shipped a thing, hope it works" and "shipped a thing, learned what to fix in week two."

07 · Source-code receipts

Every claim above maps to code you can read:

  • Whitelist of fields: src/core/telemetry.ts → buildEvent (around line 290).
  • PII guard test: test/telemetry.test.ts → "NEVER includes PII" (asserts no file paths, snippets, secrets, or platform-detector signal sources reach the wire).
  • Opt-out env var enforcement: src/core/telemetry.ts → isUniversallyOptedOut.
  • SSRF protection on self-hosted endpoint override: src/core/telemetry.ts → getEndpoint.
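The last receipt points at SSRF protection on the self-hosted endpoint override. The project's getEndpoint is not reproduced here; the TypeScript below is an added example of how such a check is commonly written: the override is parsed with the WHATWG URL parser and refused if it is not HTTPS, carries credentials, or names a loopback, link-local or private IPv4 address (IPv6 literals are refused outright as a simplification). The default endpoint host, the names resolveEndpoint and isBlockedIPv4, and the rejection codes are all assumptions.

```typescript
// Added example, not the vibe-hardening project's own getEndpoint.
// DEFAULT_ENDPOINT is a placeholder host, not a real service.
export const DEFAULT_ENDPOINT = "https://telemetry.example.invalid/v1/events";

export type EndpointDecision = {
  url: string;                                             // endpoint the CLI will actually use
  rejected?: "parse" | "scheme" | "credentials" | "host";  // why an override was refused
};

// True for IPv4 addresses that must never be a telemetry sink: "this network",
// loopback, RFC 1918 private ranges and link-local.
export function isBlockedIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// Validate a user-supplied override; fall back to the default on any refusal
// so a bad setting degrades to the built-in endpoint rather than to silence.
export function resolveEndpoint(override?: string): EndpointDecision {
  if (!override || override.trim() === "") return { url: DEFAULT_ENDPOINT };

  let url: URL;
  try {
    url = new URL(override.trim());
  } catch {
    return { url: DEFAULT_ENDPOINT, rejected: "parse" };
  }
  // TLS only: telemetry must not be redirectable to a cleartext listener.
  if (url.protocol !== "https:") return { url: DEFAULT_ENDPOINT, rejected: "scheme" };
  // Embedded credentials have no place in an endpoint setting.
  if (url.username !== "" || url.password !== "") return { url: DEFAULT_ENDPOINT, rejected: "credentials" };

  // Check the *normalised* hostname: the URL parser has already turned
  // shorthand such as "127.1" into "127.0.0.1", which a regex on the raw
  // string would miss.
  const host = url.hostname.toLowerCase();
  const isIPv6Literal = host.startsWith("[");
  if (host === "localhost" || host.endsWith(".localhost") || isIPv6Literal || isBlockedIPv4(host)) {
    return { url: DEFAULT_ENDPOINT, rejected: "host" };
  }
  return { url: url.toString() };
}
```

A hostname check like this is only the first layer: a public-looking name can still resolve to a private address, so a complete implementation also inspects the address the socket actually connects to (or pins the resolved address) rather than trusting the name alone.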

08 · Questions

GitHub issue at the repo, or open the CLI source and read it. The whole telemetry surface is ~350 lines of TypeScript with comments.