Merge pull request #19 from jtrackingai/dev/zzc/v1.0.12

Add telemetry consent gate across workflows and Google site verification file

Author: jtrackingai

README.md

@@ -200,7 +200,7 @@ npm run debug:codegen -- https://www.example.com
 - OAuth credentials are cached in the artifact directory for the current site run
 - generic sites use automated preview verification
 - Shopify uses the Shopify-specific branch and manual post-install validation
-- optional anonymous telemetry is opt-in, stores consent in local user config, and can be disabled with `DO_NOT_TRACK=1` or `EVENT_TRACKING_TELEMETRY=0`
+- optional anonymous usage diagnostics are opt-in and the first explicit choice is stored in local user config; if enabled, future runs send high-level workflow data such as command name, success/failure status, rough counts, site hostname, detected platform, and broad workflow checkpoints so operators can improve the product and troubleshoot reliability; if declined, future runs continue normally without sending diagnostics until the user changes that local config choice; diagnostics do not send full URLs, page paths, query strings, file paths, GTM/GA IDs, selectors, OAuth data, raw errors, or page content; the remaining privacy risk is that the site hostname and workflow metadata still reveal which domain was worked on and broad usage patterns; if a workflow prompt asks for telemetry consent and no stored preference exists, the operator must stop and let the user choose `yes` or `no` instead of answering on the user's behalf
 - installed copy bundles can self-check GitHub for updates and reinstall the same selected bundle set
 
 ## Need A More Advanced Setup?

SKILL.md

@@ -5,7 +5,9 @@ compatibility: >
   Requires Node.js 18+, npm, and Playwright Chromium for browser-backed steps.
   Analyze, selector validation, preview, and GTM sync must run outside sandboxed
   environments. GTM sync uses interactive Google OAuth and caches credentials in
-  the artifact directory. Optional anonymous telemetry is opt-in.
+  the artifact directory. Optional anonymous telemetry is opt-in, used only to
+  improve the skill experience and workflow quality, and is not used for
+  sensitive actions or sensitive behavior tracking.
 ---
 
 # Analytics Tracking Automation
@@ -60,6 +62,10 @@ Once `site-analysis.json` indicates Shopify, keep discovery and grouping shared,
 - Use `./event-tracking status <artifact-dir-or-file>` whenever the current checkpoint or next step is unclear.
 - Use `./event-tracking runs <output-root>` when the artifact directory is unknown but the output root is known.
 - Prefer high-level entry commands for user-facing flows: `run-new-setup`, `run-tracking-update`, `run-upkeep`, `run-health-audit`.
+- Before first workflow command, honor the telemetry consent gate. Treat telemetry consent as a required user-choice checkpoint for the session. Follow [telemetry-consent.md](references/telemetry-consent.md) as the single-source interaction contract. If consent is missing or invalid, explain both outcomes before asking: `yes` stores local consent and enables high-level anonymous usage diagnostics for future runs, while `no` stores local decline and continues the workflow without sending diagnostics.
+- Never decide telemetry consent on the user's behalf. Telemetry consent is recorded only in the local telemetry config file, not through enable/disable environment-variable overrides.
+- If the user agrees, continue through the interactive prompt so it can record local consent. If the user declines, continue through the prompt so it can record the local decline. The workflow can continue either way, but the choice must come from the user.
+- If the current run surfaces a telemetry prompt and the user has not answered it yet, stop and follow [telemetry-consent.md](references/telemetry-consent.md) before asking for a choice. Explain the purpose, what `yes` does, what `no` does, and the remaining privacy tradeoff before asking the user to reply `yes` or `no`. Do not ask a bare `yes`/`no` question with no context, do not answer the prompt for them, and do not continue to the next workflow command until the user makes that choice.
 - Treat workflow mode metadata as an internal workflow-state layer, not a user-facing command surface.
 - Treat Playwright-backed and OAuth-prompting steps as non-sandbox commands by default. In practice: `analyze`, `validate-schema --check-selectors`, `preview`, and `sync`.
 - Run prompt-driven GTM sync with an interactive TTY from the start unless exact `--account-id`, `--container-id`, and `--workspace-id` values are already confirmed.
@@ -110,6 +116,7 @@ If only the root skill is available, follow the same routing logic directly and
   - GTM target selection (account/container/workspace during `sync`)
   - publish decision (before `publish`)
 - If confirmation is missing or ambiguous, stop and ask; do not auto-proceed.
+- Treat telemetry consent the same way as other explicit approval gates: if the user has not chosen `yes` or `no`, stop and ask instead of making the decision for them.
 - A broad request such as "full workflow", "全流程", "end-to-end", or "continue all the way" is scope authorization only. It does not count as checkpoint approval.
 - Never record checkpoint approval on the user's behalf with `confirm-page-groups --yes` or `confirm-schema --yes` unless the user explicitly confirms that checkpoint in the current turn.
 - When live GTM containers are detected on the site, do not bypass the live baseline review before schema generation.
@@ -139,3 +146,4 @@ When a phase or the full workflow ends, keep the closeout answer-first:
 - [architecture.md](references/architecture.md) for lifecycle, checkpoints, and resume semantics
 - [output-contract.md](references/output-contract.md) for artifact files and gate semantics
 - [shopify-workflow.md](references/shopify-workflow.md) for Shopify-specific branch expectations
+- [telemetry-consent.md](references/telemetry-consent.md) for the telemetry consent gate wording and behavior contract

docs/googlecdf2410123e7225d.html

@@ -0,0 +1 @@
+google-site-verification: googlecdf2410123e7225d.html

references/telemetry-consent.md

@@ -0,0 +1,53 @@
+# Telemetry Consent Interaction
+
+This reference defines the single-source interaction contract for the telemetry consent gate.
+
+Use it whenever the workflow reaches the diagnostics consent prompt and the user has not already made a recorded choice.
+
+## Purpose
+
+Telemetry consent is a user-choice checkpoint, not an implementation detail.
+
+The agent must explain the decision in user-facing language before asking for the choice:
+
+- what telemetry is for: improving workflow quality and product reliability
+- what `yes` does: stores local consent and enables high-level anonymous diagnostics for future runs
+- what `no` does: stores local decline and continues the workflow normally without diagnostics
+- what is not sent: full URLs, page paths, query strings, file paths, GTM or GA IDs, selectors, OAuth data, raw errors, and page content
+- remaining privacy tradeoff: the site hostname and broad workflow metadata may still reveal which domain was worked on and the rough type of work performed
+
+## Required Asking Style
+
+When the telemetry gate is reached, ask in plain language for the user's decision.
+
+Recommended shape:
+
+1. one short sentence on purpose
+2. one short sentence on what `yes` does
+3. one short sentence on what `no` does
+4. one direct choice prompt asking the user to reply `yes` or `no`
+
+Recommended wording pattern:
+
+> Before continuing, I need your choice on whether to enable anonymous diagnostics for this workflow.
+> `yes` stores consent in local config and enables high-level anonymous usage diagnostics for future runs so the workflow can be improved and kept reliable.
+> `no` also stores your choice in local config, and the workflow continues normally without sending those diagnostics.
+> These diagnostics do not include full URLs, page content, selectors, GTM or GA IDs, OAuth data, or raw errors, but they do include the site hostname and broad workflow metadata. Reply `yes` or `no`.
+
+The exact wording can vary, but all of the points above must remain present.
+
+## Required Behaviors
+
+- stop when the gate appears and wait for the user's explicit answer
+- keep the explanation concise and user-facing
+- treat `yes` and `no` as equally valid workflow outcomes
+- once the user answers, continue through the interactive CLI prompt so the local telemetry config is written by the tool itself
+
+## Prohibited Behaviors
+
+- do not paste the raw CLI prompt to the user without explanation
+- do not ask only "`yes` or `no`?" with no context
+- do not frame `yes` as the preferred or expected answer
+- do not answer the prompt on the user's behalf
+- do not suggest config-file hacks, env overrides, or pre-seeding consent outside the intended prompt
+- do not continue to the next workflow command before consent is explicitly chosen

skills/tracking-discover/SKILL.md

@@ -22,6 +22,7 @@ In this repository, use the repo-root wrapper:
 ```
 
 Run `analyze` outside sandboxed environments by default. Do not first attempt the Playwright crawl inside the sandbox and then retry after it is intercepted.
+Before `run-new-setup` or `analyze`, if the tool needs a telemetry consent answer and no prior choice is already recorded, stop and follow [../../references/telemetry-consent.md](../../references/telemetry-consent.md). Do not choose on the user's behalf, and do not continue until they answer.
 
 Partial mode:
 
@@ -55,6 +56,7 @@ Report:
 ## Stop Boundary
 
 Unless the user explicitly asks for the next phase, stop after analysis.
+If telemetry consent is still unanswered, stop before analysis starts and wait for the user's explicit choice.
 
 If the user wants to continue, the default next command is:
 
@@ -67,3 +69,4 @@ If the user wants to continue, the default next command is:
 - [../../references/crawl-guide.md](../../references/crawl-guide.md)
 - [../../references/architecture.md](../../references/architecture.md)
 - [../../references/output-contract.md](../../references/output-contract.md)
+- [../../references/telemetry-consent.md](../../references/telemetry-consent.md)