cilock CLI telemetry & privacy

What the cilock CLI sends, when it sends it, what it will never send, and how to turn it off. This page also covers the web-analytics privacy basics for the TestifySec properties.

Telemetry flows ONLY from an authenticated platform session. cilock running standalone or offline — with no logged-in TestifySec platform session — sends nothing. The telemetry endpoint (POST /cli/t) requires a platform bearer token and rejects anonymous requests. No platform session ⇒ no telemetry.

What the CLI sends

Each completed invocation may send a single record of usage metadata only. The exact fields stored are:

Field	Type	What it is
ts	epoch ms	When the run completed.
account	string	Platform org / tenant id from the authenticated session.
user_ref	string (opt.)	Opaque platform user id — not a name or email.
run_id	string	Ephemeral, per-invocation id.
cli_version	string	cilock version, e.g. v0.4.1.
os	string	Go GOOS (linux / darwin / windows / …).
arch	string	Go GOARCH (amd64 / arm64 / …).
go_version	string	Go runtime version that built the binary.
command	string	Top-level verb only (e.g. run, sign, verify) — never arguments.
attestors	string[]	Attestor type names only (e.g. ["git","commandrun","sbom"]) — never their contents.
signer_type	enum	The kind of signer: fulcio \| kms \| file \| spiffe — never an identity, key, or subject.
ci	0/1	Whether the run happened in CI.
ci_provider	enum	github_actions \| gitlab \| jenkins \| circleci \| local \| unknown.
outcome	enum	success \| error.
error_category	enum	A fixed category (config / auth / signing / verification / policy / network / …) — never a raw error message.
duration_ms	integer	Wall-clock duration of the run.
ip	string	Edge IP, kept for abuse prevention and coarse geo only.
country	string	Coarse country derived at the edge.

The ingest endpoint enforces this list with an explicit allow-list, length clamping, and enum validation. Anything outside these fields is dropped at the edge.

What it will NEVER send or store.

Artifact digests, file hashes, or any artifact content.
File paths, directory names, or working-directory layout.
Repository, organization, project, or branch names.
Signer identities or subjects (Fulcio SAN, KMS key id, SPIFFE id, certificate subject).
Secrets, tokens, credentials, or environment-variable values.
Attestation contents, policy documents, or rego.
Raw error messages or stack traces (only a fixed category).

How to turn it off

Telemetry is off unless you are in an authenticated platform session. To disable it entirely even when signed in, use any of:

DO_NOT_TRACK=1 — honoured (the consoledonottrack.com convention).
CILOCK_TELEMETRY=0 — explicit per-environment opt-out.
Your platform account setting — an org/account-level toggle disables it for everyone under that account.

Note: the opt-out controls live in the cilock CLI itself. This page documents the contract that the CLI honours; it does not change CLI behaviour on its own.

Web-analytics privacy (TestifySec properties)

The TestifySec web properties (testifysec.com, cilock.aflock.ai) use first-party analytics to understand how the sites are used. Those properties push usage events to this hub.

What is collected

A persistent first-party visitor id (cl_vid) and a short session id (cl_sid) to distinguish new vs returning readers and group page views into sessions.
Pages viewed, referring URL, on-site search queries, link clicks, copied code snippets, and engagement signals (time on page, scroll depth).
Server-side request signals: IP address, approximate location (country / region / city), network operator / ASN, browser and device, and a derived TLS fingerprint used for bot filtering.

Consent

In regions where prior consent is legally required (EU/EEA, UK, Switzerland, Brazil, and others), none of the analytics runs until the visitor accepts via the property's cookie banner. Visitors can withdraw consent at any time by clearing the property's cookies. Raw visitor ids never leave the edge — the dashboard sees only stable pseudonyms and an opaque reader token.

Why & sharing

To measure documentation/marketing usage and improve content. TestifySec does not sell personal data and does not attempt to identify individuals. Data is processed by Cloudflare (hosting/edge) as a processor.

This notice is provided for transparency and is not legal advice; it should be reviewed by counsel before being relied upon for compliance. Questions: [email protected].