Skip to content

feat(telemetry): enable OTel Claude Code telemetry#150

Open
maxchampoux wants to merge 2 commits into
mainfrom
feat/otel-telemetry
Open

feat(telemetry): enable OTel Claude Code telemetry#150
maxchampoux wants to merge 2 commits into
mainfrom
feat/otel-telemetry

Conversation

@maxchampoux

@maxchampoux maxchampoux commented Apr 3, 2026

Copy link
Copy Markdown

Summary

  • Adds .claude/settings.json with OTel exporter config
  • All Claude Code sessions in this repo will automatically export telemetry (tool usage, metrics, events) to the observability dashboard
  • Zero setup required from team members — works out of the box

What this enables

  • Per-member tool usage tracking (including Agent dispatches)
  • Token consumption and cost metrics
  • Session and workflow type analytics

🤖 Generated with Claude Code


Note

Medium Risk
Introduces default telemetry export settings for Claude Code sessions, which can impact privacy/compliance by sending tool usage and logs to an external OTLP endpoint.

Overview
Adds .claude/settings.json to enable Claude Code telemetry and configure OpenTelemetry (OTLP) metrics/logs export.

Telemetry is sent via http/json to a fixed external OTEL_EXPORTER_OTLP_ENDPOINT, with tool-detail logging enabled and custom export intervals for metrics and logs.

Written by Cursor Bugbot for commit 85acf4f. This will update automatically on new commits. Configure here.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Telemetry auto-enabled sending data to external endpoint
    • Changed project-level Claude settings to disable telemetry by default so cloned or forked repos no longer auto-export session data without opt-in.

Create PR

Or push these changes by commenting:

@cursor push 538852664f
Preview (538852664f)
diff --git a/.claude/settings.json b/.claude/settings.json
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -1,6 +1,6 @@
 {
   "env": {
-    "CLAUDE_CODE_ENABLE_TELEMETRY": "1",
+    "CLAUDE_CODE_ENABLE_TELEMETRY": "0",
     "OTEL_METRICS_EXPORTER": "otlp",
     "OTEL_LOGS_EXPORTER": "otlp",
     "OTEL_EXPORTER_OTLP_PROTOCOL": "http/json",

You can send follow-ups to the cloud agent here.

Comment thread .claude/settings.json
@maxchampoux

Copy link
Copy Markdown
Author

Self-review pass (telemetry/secrets/redaction). Verdict: MINOR — no committed secret, but two things to settle before merge, plus a staleness note.

1. Auth story is missing (functional + "works out of the box" claim). The OTLP endpoint returns 401 on the real ingest paths (/otel/v1/metrics, /otel/v1/logs) — it requires auth, but settings.json commits no OTEL_EXPORTER_OTLP_HEADERS. As written, exports will silently 401 and never land, which contradicts the PR's "zero setup required" claim. Decide one of: (a) the endpoint is being made unauthenticated for this path, or (b) members supply a token via a local/uncommitted env (and the PR body should say so). Either way, never commit the bearer token into this file.

2. OTEL_LOG_TOOL_DETAILS=1 is the verbose redaction switch — reconsider for a shared default. In ai-connector/connector-test, tool-detail logs capture full Bash command strings, file contents, and prompts, which routinely include connector API keys, OAuth/OpenAPI tokens, and customer data during connector work. Shipping this ON for every member by default sends those payloads to the dashboard. Recommend OTEL_LOG_TOOL_DETAILS=0 for the committed default (metrics + cost + tool-usage counts still flow; only the sensitive detail bodies are withheld), and let anyone opt into 1 locally when debugging.

3. Staleness. Last push 2026-04-03 (commit 85acf4f); branch still merges CLEAN against main (no .claude/settings.json on main today, so it applies without conflict). Low staleness risk on the merge mechanics — but verify the endpoint URL/auth model has not moved in the ~2 months since, given #1.

Metrics cardinality itself is fine (bounded by Claude Code's own label schema; no unbounded custom labels here). Non-blocking on cardinality.

…ensitive tool detail

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
@maxchampoux

Copy link
Copy Markdown
Author

Finding 2 (security) — fixed in 7087d38.

Changed OTEL_LOG_TOOL_DETAILS from "1" to "0" in .claude/settings.json. At "1" this shared default would log full Bash command strings, file contents, and prompts, which in a connector repo routinely carry API keys / OAuth tokens / customer data. At "0", metrics, cost, and tool-usage counts still flow; only the sensitive detail bodies are withheld. Anyone who needs the detail can opt into "1" locally while debugging.

Finding 1 (endpoint returns 401 without auth) — not fixed here; needs a decision. The ingest endpoint currently rejects unauthenticated requests, so telemetry won't be delivered as configured. This requires an infra/auth-model call that's outside this change, and a bearer token must never be committed to the repo. Two viable paths:

  1. Make the ingest path unauthenticated (accept telemetry without a token), or
  2. Keep it authenticated and have each member supply OTEL_EXPORTER_OTLP_HEADERS (the bearer token) via uncommitted local env, never checked into .claude/settings.json.

Leaving the endpoint config as-is pending that decision.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant