feat(telemetry): add anonymous usage analytics via Aptabase

Privacy-first, opt-out telemetry using Aptabase (EU-hosted, open source).
Sends only lifecycle events (startup, heartbeat) with version, OS, and an
anonymous install UUID. No IPs, tokens, prompts, or request content.

- New command: cc-router telemetry on/off/status
- Honors DO_NOT_TRACK=1 and CC_ROUTER_TELEMETRY=0
- First-run disclosure shown once after setup wizard
- 6h heartbeat while proxy runs (.unref() — won't block shutdown)
- 13 unit tests covering state, env vars, HTTP client, and silent failure

Author: VictorMinemu

README.md

@@ -513,12 +513,47 @@ Press `q` to quit. Run with `--json` for non-interactive output.
 - The file is excluded by `.gitignore`
 - Writes are atomic (write to `.tmp`, then rename) — no corruption on crash
 - Keychain reads use `execFile` with a fixed argument array — no shell injection
-- No telemetry, no external logging
+- Anonymous opt-out telemetry via [Aptabase](https://aptabase.com) (see [Telemetry](#telemetry) below)
 
 See [docs/security.md](docs/security.md) for details.
 
 ---
 
+## Telemetry
+
+CC-Router sends a handful of anonymous lifecycle events to [Aptabase](https://aptabase.com) (privacy-first, open source, EU-hosted). The goal is simple: know how many people use the project, which versions are live, and roughly how many instances are running — so we can prioritize fixes and features.
+
+**What we send** — the entire payload lives in [`src/utils/telemetry.ts`](src/utils/telemetry.ts), audit it yourself:
+
+| Event                | When                                            | Custom props                             |
+| -------------------- | ------------------------------------------------ | ---------------------------------------- |
+| `app_started`        | First proxy start after install                 | `first_run: true`                        |
+| `setup_completed`    | Setup wizard finishes successfully               | `account_count`                          |
+| `proxy_started`      | Each `cc-router start`                           | `account_count`, `mode`                  |
+| `proxy_heartbeat`    | Every 6h while the proxy is running              | `uptime_hours`, `account_count`          |
+| `telemetry_disabled` | When you run `cc-router telemetry off`           | —                                        |
+
+Plus anonymous system props with every event: `appVersion`, `osName` (macOS/Linux/Windows), `osVersion`, `locale`, `engineVersion` (Node), and an anonymous `installId` (random UUID generated on first run, stored in `~/.cc-router/telemetry.json`).
+
+**What we never send**: IPs, OAuth tokens, account names, request content, prompts, responses, URLs, hostnames, usernames, file paths — nothing that could identify you or your usage patterns.
+
+**Disable it** — three ways, any one works:
+
+```bash
+# 1. Persistent opt-out (recommended)
+cc-router telemetry off
+
+# 2. Respect the de-facto standard (honored by many OSS tools)
+export DO_NOT_TRACK=1
+
+# 3. Project-specific override
+export CC_ROUTER_TELEMETRY=0
+```
+
+Check status anytime: `cc-router telemetry status`.
+
+---
+
 ## Disclaimer
 
 > CC-Router uses the OAuth tokens of your own Claude Max subscriptions.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-cc-router",
-  "version": "0.2.4",
+  "version": "0.2.5",
   "description": "Round-robin proxy for Claude Max OAuth tokens — use multiple Claude Max accounts with Claude Code",
   "type": "module",
   "bin": {

src/__tests__/telemetry.test.ts

@@ -0,0 +1,193 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import * as fs from "fs";
+
+// ─── Isolated temp directory for every run ───────────────────────────────────
+const MOCK_DIR = vi.hoisted(() => {
+  const tmp = process.env["TMPDIR"] ?? process.env["TEMP"] ?? "/tmp";
+  return `${tmp}/cc-router-telemetry-${Date.now()}-${Math.floor(Math.random() * 10_000)}`;
+});
+
+vi.mock("../config/paths.js", () => ({
+  CONFIG_DIR: MOCK_DIR,
+  TELEMETRY_PATH: `${MOCK_DIR}/telemetry.json`,
+  ACCOUNTS_PATH: `${MOCK_DIR}/accounts.json`,
+  CLAUDE_SETTINGS_PATH: `${MOCK_DIR}/settings.json`,
+  CONFIG_PATH: `${MOCK_DIR}/config.json`,
+  PROXY_PORT: 3456,
+  LITELLM_PORT: 4000,
+  LITELLM_URL: undefined,
+}));
+
+import {
+  loadTelemetryState,
+  writeTelemetryState,
+  isTelemetryEnabled,
+  type TelemetryState,
+} from "../config/telemetry.js";
+
+beforeEach(() => {
+  fs.mkdirSync(MOCK_DIR, { recursive: true });
+  // Reset env vars
+  delete process.env["DO_NOT_TRACK"];
+  delete process.env["CC_ROUTER_TELEMETRY"];
+});
+
+afterEach(() => {
+  fs.rmSync(MOCK_DIR, { recursive: true, force: true });
+  delete process.env["DO_NOT_TRACK"];
+  delete process.env["CC_ROUTER_TELEMETRY"];
+});
+
+// ─── TelemetryState persistence ──────────────────────────────────────────────
+
+describe("loadTelemetryState", () => {
+  it("creates fresh state with UUID and persists on first call", () => {
+    const state = loadTelemetryState();
+    expect(state.enabled).toBe(true);
+    expect(state.installId).toMatch(
+      /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i,
+    );
+    expect(state.disclosureShown).toBe(false);
+    expect(new Date(state.firstRunAt).getTime()).toBeGreaterThan(0);
+
+    // Was persisted to disk
+    const onDisk = JSON.parse(
+      fs.readFileSync(`${MOCK_DIR}/telemetry.json`, "utf-8"),
+    ) as TelemetryState;
+    expect(onDisk.installId).toBe(state.installId);
+  });
+
+  it("returns the same installId on subsequent calls", () => {
+    const first = loadTelemetryState();
+    const second = loadTelemetryState();
+    expect(second.installId).toBe(first.installId);
+  });
+
+  it("recovers from corrupted JSON", () => {
+    fs.writeFileSync(`${MOCK_DIR}/telemetry.json`, "NOT_JSON{}", "utf-8");
+    const state = loadTelemetryState();
+    expect(state.enabled).toBe(true);
+    expect(state.installId).toBeDefined();
+  });
+});
+
+describe("writeTelemetryState", () => {
+  it("atomically writes state", () => {
+    const state: TelemetryState = {
+      enabled: false,
+      installId: "test-uuid",
+      firstRunAt: "2026-01-01T00:00:00.000Z",
+      disclosureShown: true,
+    };
+    writeTelemetryState(state);
+    const raw = JSON.parse(
+      fs.readFileSync(`${MOCK_DIR}/telemetry.json`, "utf-8"),
+    ) as TelemetryState;
+    expect(raw).toEqual(state);
+    // .tmp was cleaned up (rename replaces)
+    expect(fs.existsSync(`${MOCK_DIR}/telemetry.json.tmp`)).toBe(false);
+  });
+});
+
+// ─── isTelemetryEnabled ──────────────────────────────────────────────────────
+
+describe("isTelemetryEnabled", () => {
+  it("returns true by default", () => {
+    expect(isTelemetryEnabled()).toBe(true);
+  });
+
+  it("returns false when DO_NOT_TRACK=1", () => {
+    process.env["DO_NOT_TRACK"] = "1";
+    expect(isTelemetryEnabled()).toBe(false);
+  });
+
+  it("returns false when CC_ROUTER_TELEMETRY=0", () => {
+    process.env["CC_ROUTER_TELEMETRY"] = "0";
+    expect(isTelemetryEnabled()).toBe(false);
+  });
+
+  it("returns false when state.enabled is false", () => {
+    const state = loadTelemetryState();
+    state.enabled = false;
+    writeTelemetryState(state);
+    expect(isTelemetryEnabled()).toBe(false);
+  });
+
+  it("env var takes precedence even when state.enabled is true", () => {
+    const state = loadTelemetryState();
+    state.enabled = true;
+    writeTelemetryState(state);
+    process.env["DO_NOT_TRACK"] = "1";
+    expect(isTelemetryEnabled()).toBe(false);
+  });
+});
+
+// ─── trackEvent (HTTP client) ────────────────────────────────────────────────
+
+describe("trackEvent", () => {
+  const fetchSpy = vi.spyOn(globalThis, "fetch");
+
+  beforeEach(() => {
+    fetchSpy.mockReset();
+    fetchSpy.mockResolvedValue(new Response("ok", { status: 200 }));
+  });
+
+  afterEach(() => {
+    fetchSpy.mockRestore();
+  });
+
+  // Import after mocks are in place
+  let trackEvent: typeof import("../utils/telemetry.js").trackEvent;
+
+  beforeEach(async () => {
+    // Dynamic import so the module picks up our mocked paths
+    const mod = await import("../utils/telemetry.js");
+    trackEvent = mod.trackEvent;
+  });
+
+  it("sends event to Aptabase EU endpoint", async () => {
+    // Ensure telemetry state exists (enabled by default)
+    loadTelemetryState();
+
+    await trackEvent("test_event", { key: "value" });
+
+    expect(fetchSpy).toHaveBeenCalledOnce();
+    const [url, opts] = fetchSpy.mock.calls[0];
+    expect(url).toBe("https://eu.aptabase.com/api/v0/event");
+    expect((opts as RequestInit).method).toBe("POST");
+    expect((opts as RequestInit).headers).toEqual(
+      expect.objectContaining({
+        "Content-Type": "application/json",
+        "App-Key": "A-EU-1060569594",
+      }),
+    );
+
+    const body = JSON.parse((opts as RequestInit).body as string);
+    expect(body.eventName).toBe("test_event");
+    expect(body.props.key).toBe("value");
+    expect(body.systemProps.osName).toMatch(/^(macOS|Linux|Windows)$/);
+    expect(body.systemProps.engineName).toBe("node");
+    expect(body.timestamp).toMatch(/^\d{4}-\d{2}-\d{2}T/);
+    expect(body.sessionId).toContain(loadTelemetryState().installId);
+  });
+
+  it("does not call fetch when telemetry is disabled", async () => {
+    process.env["DO_NOT_TRACK"] = "1";
+    await trackEvent("should_not_send");
+    expect(fetchSpy).not.toHaveBeenCalled();
+  });
+
+  it("never throws, even if fetch rejects", async () => {
+    loadTelemetryState();
+    fetchSpy.mockRejectedValue(new Error("network down"));
+    await expect(trackEvent("crash_test")).resolves.toBeUndefined();
+  });
+
+  it("never throws if fetch times out", async () => {
+    loadTelemetryState();
+    fetchSpy.mockImplementation(
+      () => new Promise((_, reject) => setTimeout(() => reject(new Error("timeout")), 10)),
+    );
+    await expect(trackEvent("timeout_test")).resolves.toBeUndefined();
+  });
+});

src/cli/cmd-setup.ts

@@ -28,6 +28,8 @@ import {
   openNetworkExtensionSettings,
 } from "../interceptor/mitmproxy-manager.js";
 import { printDesktopSupportExplainer, printNetworkExtensionInstructions } from "./cmd-client.js";
+import { loadTelemetryState, writeTelemetryState } from "../config/telemetry.js";
+import { trackEvent } from "../utils/telemetry.js";
 
 const execFileAsync = promisify(execFile);
 
@@ -252,10 +254,39 @@ async function runSetupWizard({ addMode }: { addMode: boolean }): Promise<void>
   saveAccounts(merged);
   console.log(chalk.green(`  ✓ ${merged.length} account(s) saved to ~/.cc-router/accounts.json`));
 
+  showTelemetryDisclosureIfNeeded();
+  void trackEvent("setup_completed", { account_count: merged.length });
+
   // ─── Post-setup interactive flow ─────────────────────────────────────────
   await runPostSetupFlow(merged.length);
 }
 
+// Anonymous telemetry disclosure, shown exactly once after a successful setup.
+// Controlled by telemetry.disclosureShown in ~/.cc-router/telemetry.json.
+function showTelemetryDisclosureIfNeeded(): void {
+  try {
+    const state = loadTelemetryState();
+    if (state.disclosureShown) return;
+    console.log();
+    console.log(chalk.dim("─".repeat(60)));
+    console.log(chalk.bold("  Anonymous usage analytics"));
+    console.log();
+    console.log("  CC-Router sends anonymous lifecycle events (version, OS,");
+    console.log("  startup, heartbeat) to help us understand usage and prioritize");
+    console.log("  improvements. No IPs, no tokens, no prompts, no request content.");
+    console.log();
+    console.log(`  Disable:    ${chalk.cyan("cc-router telemetry off")}`);
+    console.log(`  Or set:     ${chalk.cyan("DO_NOT_TRACK=1")}   |   ${chalk.cyan("CC_ROUTER_TELEMETRY=0")}`);
+    console.log(`  Source:     ${chalk.dim("src/utils/telemetry.ts")}`);
+    console.log(chalk.dim("─".repeat(60)));
+    console.log();
+    state.disclosureShown = true;
+    writeTelemetryState(state);
+  } catch {
+    // never block setup on telemetry errors
+  }
+}
+
 // ─── Post-setup interactive flow ─────────────────────────────────────────────
 
 async function runPostSetupFlow(accountCount: number): Promise<void> {

src/cli/cmd-telemetry.ts

@@ -0,0 +1,69 @@
+import type { Command } from "commander";
+import chalk from "chalk";
+import { loadTelemetryState, writeTelemetryState, isTelemetryEnabled } from "../config/telemetry.js";
+import { trackEvent } from "../utils/telemetry.js";
+
+export function registerTelemetry(program: Command): void {
+  program
+    .command("telemetry [action]")
+    .description("Manage anonymous usage analytics: on, off, status (default: status)")
+    .action(async (action?: string) => {
+      const resolved = action ?? "status";
+
+      if (resolved === "status") {
+        showStatus();
+        return;
+      }
+
+      if (resolved === "on") {
+        const state = loadTelemetryState();
+        state.enabled = true;
+        writeTelemetryState(state);
+        console.log(chalk.green("Telemetry enabled."));
+        console.log(chalk.dim(`Install ID: ${state.installId}`));
+        return;
+      }
+
+      if (resolved === "off") {
+        // Send one last event so we know about opt-out rates
+        await trackEvent("telemetry_disabled");
+        const state = loadTelemetryState();
+        state.enabled = false;
+        writeTelemetryState(state);
+        console.log(chalk.yellow("Telemetry disabled. No data will be sent."));
+        console.log(chalk.dim("Re-enable anytime with: cc-router telemetry on"));
+        return;
+      }
+
+      console.error(chalk.red(`Unknown action "${resolved}". Use: on, off, status`));
+      process.exitCode = 1;
+    });
+}
+
+function showStatus(): void {
+  const state = loadTelemetryState();
+  const envDisabled =
+    process.env["DO_NOT_TRACK"] === "1" || process.env["CC_ROUTER_TELEMETRY"] === "0";
+
+  console.log(chalk.bold("Telemetry"));
+  console.log();
+
+  if (envDisabled) {
+    console.log(`  Status:     ${chalk.yellow("disabled")} (by environment variable)`);
+  } else if (state.enabled) {
+    console.log(`  Status:     ${chalk.green("enabled")}`);
+  } else {
+    console.log(`  Status:     ${chalk.yellow("disabled")}`);
+  }
+
+  console.log(`  Active:     ${isTelemetryEnabled() ? chalk.green("yes") : chalk.yellow("no")}`);
+  console.log(`  Install ID: ${chalk.dim(state.installId)}`);
+  console.log(`  Since:      ${chalk.dim(state.firstRunAt)}`);
+  console.log();
+  console.log(chalk.dim("  What we send:  version, OS, locale, lifecycle events (start, heartbeat)"));
+  console.log(chalk.dim("  What we DON'T: IPs, tokens, prompts, request content, account names"));
+  console.log(chalk.dim("  Source code:   src/utils/telemetry.ts"));
+  console.log();
+  console.log(chalk.dim("  Disable:  cc-router telemetry off"));
+  console.log(chalk.dim("  Or set:   DO_NOT_TRACK=1  |  CC_ROUTER_TELEMETRY=0"));
+}

src/cli/index.ts

@@ -10,6 +10,7 @@ import { registerConfigure } from "./cmd-configure.js";
 import { registerDocker } from "./cmd-docker.js";
 import { registerUpdate } from "./cmd-update.js";
 import { registerClient } from "./cmd-client.js";
+import { registerTelemetry } from "./cmd-telemetry.js";
 import { getCurrentVersion, checkForUpdate, printUpdateBanner } from "../utils/self-update.js";
 
 const program = new Command();
@@ -47,6 +48,7 @@ registerConfigure(program);
 registerDocker(program);
 registerUpdate(program);
 registerClient(program);
+registerTelemetry(program);
 
 // Background update check — fires on every CLI invocation, uses 6h disk cache
 // so it's essentially free after the first check. Notify on process exit.

src/config/paths.ts

@@ -20,3 +20,8 @@ export const LITELLM_URL = process.env["LITELLM_URL"];
 export const CONFIG_PATH =
   process.env["CONFIG_PATH"] ??
   path.join(CONFIG_DIR, "config.json");
+
+// Anonymous telemetry state — install id + opt-in flag
+export const TELEMETRY_PATH =
+  process.env["TELEMETRY_PATH"] ??
+  path.join(CONFIG_DIR, "telemetry.json");