Telemetry
The Checkrd CLI does not collect telemetry. Permanent, audited in CI, no opt-out needed.
Telemetry
The Checkrd CLI does not collect telemetry. No usage analytics, no crash reports, no phone-home, no first-run prompt to disable any of that. The only network calls the binary makes are authenticated requests to api.checkrd.io in response to commands you explicitly invoke (policies publish, events tail, etc.).
This is a permanent posture, audited in CI on every release.
Why no telemetry
Checkrd's core product claim is zero data processor — by design we never see prompts, completions, or PII passing through the proxy. A CLI that phones home with command,args,version,os would undermine that promise the moment a security reviewer reads the install instructions. They will not differentiate "operational metadata about your CLI" from "operational metadata about your AI requests" — both are vendor data exfiltration in their threat model.
This matches the security-CLI cohort: 1Password, Vault, AWS CLI v2, kubectl, cosign all ship with no client-side CLI telemetry. The opt-out telemetry common to dev tools (Vercel, Wrangler, Stripe, gh) is the wrong reference cohort for what we sell.
How to verify
Three ways to confirm, ordered by paranoia:
1. Run the status command
checkrd telemetry status
# Telemetry: OFF (permanent — no opt-out needed)
#
# The checkrd CLI does not collect or transmit telemetry. ...The status text is the same long-form statement that appears here. Always the same text — there's no opt-out toggle to flip.
2. CI guard
Every PR runs tests/no_analytics.rs which parses Cargo.lock and fails if any known analytics SDK appears in the dependency tree. Banned: sentry, posthog, segment, mixpanel, amplitude, datadog, rollbar, bugsnag, honeybadger, snowplow, splunk-otel, plus their *-tracing / *-anyhow companion crates. Allowed: tracing-subscriber (local stderr/file logging only — does not phone home).
A new analytics SDK landing in the binary fails CI before merge. The test source is at tests/no_analytics.rs.
3. Block our domains
Block *.checkrd.io in your firewall and confirm the following commands continue to work without any network call:
checkrd --help
checkrd --version
checkrd keygen
checkrd telemetry status
checkrd debug bundleThese are local-only by design. Any command that needs the control plane (e.g. agents list) will fail with a network error — that's the only network surface the CLI has.
Honored conventions
DO_NOT_TRACK=1(consoledonottrack.com) — no effect on Checkrd because there is nothing to disable. Documented so the answer to your auditor's questionnaire is the same line whether they grep forDO_NOT_TRACK,CHECKRD_TELEMETRY, oranalytics.CHECKRD_NO_*family — there is no env var that disables telemetry because telemetry is already off. Documenting this saves your security team a clarifying email.
What about the update notifier?
The "newer version available" banner that may appear at the end of a command is not telemetry — it's an outbound HTTP GET to api.github.com/repos/checkrd/checkrd/releases/latest, cached for 24 hours, and skipped entirely on CI / non-TTY runs / when any of these env vars is set:
CHECKRD_NO_UPDATE_NOTIFIERNO_UPDATE_NOTIFIERDO_NOT_TRACKCI,GITHUB_ACTIONS,GITLAB_CI,BUILDKITE,TF_BUILD,JENKINS_HOME,TRAVIS,CIRCLECI
The check sends no information about you, your project, or your usage — just a vanilla unauthenticated GET to GitHub's public Releases API. No different from your browser hitting that page.
Sharing diagnostics with us
When you hit a bug and want to share details:
checkrd debug bundle --out ./bundle.jsonWrites a redacted JSON file with: CLI version, OS + architecture, target triple, the name (not value) of your active profile, the configured base URL, and a presence-only summary of well-known env vars. Critically:
- No keychain contents — credentials never enter the bundle.
- No log files — your command history doesn't enter the bundle.
- No file paths beyond the standard config dir.
- Env-var presence only — we record whether
CHECKRD_API_KEYis set, never its value.
You review the JSON before deciding whether to share it. Attach it to a GitHub issue at github.com/checkrd/checkrd/issues when you're ready.
Source
The CLI source is open: github.com/checkrd/checkrd/tree/main/crates/cli. The telemetry posture is enforced by:
commands/telemetry.rs— the status command's text.commands/debug.rs— the bundle generator (review what it captures yourself).tests/no_analytics.rs— the CI guard banning analytics SDKs.update_check.rs— the update notifier with all suppression flags.