InitRunner

Usage Telemetry

InitRunner can report anonymous usage so the maintainers can see whether it is used and which parts are used, and decide what to work on next. It is opt-in: nothing is sent until you accept (since v2026.6.3; introduced as opt-out in v2026.6.2). The CLI asks once, on the first interactive run, and the dashboard asks once with a consent banner. Until then, and in any non-interactive context, it stays off and sends nothing.

This is separate from two things it is often confused with:

  • Agent observability (OpenTelemetry) traces your agent runs to your backend. InitRunner never receives that data.
  • The audit trail is a local, HMAC-signed log of agent actions. It is never transmitted.

What Is Sent

Telemetry is built from a fixed allowlist of safe primitives, never by reflecting over arguments, prompts, or role files. Per command it sends:

PropertyExampleNotes
commandrun, new, doctorCommand name only, from a known list; anything else becomes other. Never arguments.
statusok, errorOutcome.
exit_code0, 1Process exit code.
error_kindFileNotFoundErrorException class name only, from a known list, else OtherError. Never the message or traceback.
duration_bucket<1s, 1-5s, 5-30s, 30s+Coarse bucket, never the raw time.
is_ttytrueWhether stdin is a terminal.
is_cifalseWhether a CI environment was detected.

Every event also carries os (Linux / Darwin / Windows), python_version (major.minor, e.g. 3.12), and initrunner_version, tied to a random install_id. A separate one-time cli_first_run event records a best-effort install_method (pip, pipx, uv, docker, or unknown) so distinct installs can be counted.

What Is Never Sent

Prompts, role or skill file contents, file paths, command arguments or flag values, API keys, model names or aliases, MCP server names or URLs, exception messages or tracebacks, raw durations, hostnames, and usernames. As a second layer, every string value passes through the audit secret scrubber before it leaves the process.

Events are anonymous. No PostHog person profiles are created ($process_person_profile: false), geolocation is skipped ($geoip_disable: true), and $ip is overridden to 0.0.0.0 so the real source IP is never stored.

When the CLI Prompts

On the first interactive run, a real subcommand with a terminal attached, the CLI prints a short explanation and asks once whether to enable telemetry. Answering no records the choice; answering yes sends the first event.

Non-interactive runs (pipes, scripts, daemons), --help, completion, and the telemetry subcommands never prompt and never send, so automation is never blocked and nothing leaves the machine before you choose. Telemetry is also off by default in CI (when a CI environment variable is set).

Controls

Set the choice explicitly at any time:

initrunner telemetry status      # show current state, reason, install id, and config path
initrunner telemetry enable      # opt in
initrunner telemetry disable     # opt out
initrunner telemetry reset       # rotate the anonymous install id

initrunner doctor also prints a telemetry status line.

Environment variables take precedence over the stored choice:

VariableEffect
DO_NOT_TRACK=1The cross-tool standard. Forces telemetry off; checked first, so it beats an explicit opt-in.
INITRUNNER_TELEMETRY=offProject-specific switch (on / off).
INITRUNNER_TELEMETRY_DEBUG=1Print the event JSON to stderr and send nothing.

To see exactly what an invocation would send without sending it:

INITRUNNER_TELEMETRY_DEBUG=1 initrunner doctor

The Anonymous Install ID

Telemetry is tied to a random install_id generated once and stored in ~/.initrunner/telemetry.json (mode 0600). It is not derived from your username, hostname, or home directory, so it carries no identifying information. It exists only so distinct installs can be counted. Rotate it any time with initrunner telemetry reset.

Behavior on Upgrade

The persisted state file uses schema v2, a tri-state consent value (unset, granted, or denied), and is migrated in place. When upgrading from a release that defaulted telemetry on, an explicit prior initrunner telemetry disable is preserved (you stay opted out). Any other prior state is reset to undecided, so you are asked once under the opt-in default.

The Dashboard

The web dashboard uses posthog-js with the same posture: no autocapture, no session recording, no heatmaps, no input contents, and anonymous events. It is opt-in too. PostHog is not initialized until you choose Enable on the consent banner shown on first load. It never starts when the browser sets Do Not Track, when you choose No thanks, or when no key is configured at build time. The choice is stored in the browser's local storage, and a prior opt-out is preserved.

Where the Data Goes

Events go to PostHog US Cloud. PostHog is the data processor. The shipped project key is a public, write-only ingestion key that grants capture-only access. To request deletion, run initrunner telemetry status to find your install_id and email contact@initrunner.ai with it.

On this page