@socialneuron/mcp-server 1.3.2 → 1.4.0

package/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to `@socialneuron/mcp-server` will be documented in this file.
 
+## [1.4.0] - 2026-03-13
+
+### Changed
+- **Telemetry is now opt-IN**: No data is sent unless `SOCIALNEURON_TELEMETRY=1` is explicitly set. Previously telemetry was opt-out.
+- **PostHog moved to optionalDependencies**: `posthog-node` is no longer a required runtime dependency. The package works fully without it installed. This reduces supply chain surface and resolves socket.dev security flags.
+- **Dynamic import**: PostHog is loaded via `import()` at runtime, silently skipped if unavailable.
+- `DO_NOT_TRACK=1` continues to override and disable telemetry in all cases.
+
 ## [1.3.2] - 2026-03-13
 
 ### Fixed

package/README.md

@@ -250,17 +250,26 @@ Each iteration produces smarter content as performance data feeds back into the
 - SSRF protection on all URL parameters with DNS rebinding prevention
 - Rate limiting per user with per-tool limits for expensive operations
 - Agent loop detection prevents runaway automation
-- Set `DO_NOT_TRACK=1` to disable anonymous usage telemetry
+- Telemetry is off by default — opt in with `SOCIALNEURON_TELEMETRY=1`
 
 See [SECURITY.md](./SECURITY.md) for our vulnerability disclosure policy and credential safety details.
 
 ## Telemetry
 
-This package collects anonymous usage metrics (tool name, duration, success/failure) to improve the product. Your user ID is hashed before transmission.
+Telemetry is **off by default**. No data is collected unless you explicitly opt in.
 
-**To disable**: Set `DO_NOT_TRACK=1` or `SOCIALNEURON_NO_TELEMETRY=1` in your environment.
+**To enable**: Set `SOCIALNEURON_TELEMETRY=1` in your environment.
 
-No personal content, API keys, or request payloads are ever collected.
+**To disable**: `DO_NOT_TRACK=1` or `SOCIALNEURON_NO_TELEMETRY=1` always disables telemetry, even if `SOCIALNEURON_TELEMETRY=1` is set.
+
+When enabled, the following anonymous metrics are collected via PostHog:
+- Tool name invoked
+- Success or failure status
+- Invocation duration (ms)
+
+No personal content, API keys, or request payloads are ever collected. Your user ID is hashed (SHA-256) before transmission.
+
+`posthog-node` is an optional dependency — if it is not installed, telemetry is a silent no-op regardless of environment variables.
 
 ## Examples
 

package/dist/http.js

@@ -10,16 +10,24 @@ var __export = (target, all) => {
 
 // src/lib/posthog.ts
 import { createHash } from "node:crypto";
-import { PostHog } from "posthog-node";
 function hashUserId(userId) {
   return createHash("sha256").update(`${POSTHOG_SALT}:${userId}`).digest("hex").substring(0, 32);
 }
+function isTelemetryOptedIn() {
+  if (process.env.DO_NOT_TRACK === "1" || process.env.DO_NOT_TRACK === "true" || process.env.SOCIALNEURON_NO_TELEMETRY === "1") {
+    return false;
+  }
+  return process.env.SOCIALNEURON_TELEMETRY === "1";
+}
 function initPostHog() {
-  if (isTelemetryDisabled()) return;
+  if (!isTelemetryOptedIn()) return;
   const key = process.env.POSTHOG_KEY || process.env.VITE_POSTHOG_KEY;
   const host = process.env.POSTHOG_HOST || process.env.VITE_POSTHOG_HOST || "https://eu.i.posthog.com";
   if (!key) return;
-  client = new PostHog(key, { host, flushAt: 5, flushInterval: 1e4 });
+  import("posthog-node").then(({ PostHog }) => {
+    client = new PostHog(key, { host, flushAt: 5, flushInterval: 1e4 });
+  }).catch(() => {
+  });
 }
 async function captureToolEvent(args) {
   if (!client) return;
@@ -6215,7 +6223,7 @@ init_supabase();
 import { z as z14 } from "zod";
 
 // src/lib/version.ts
-var MCP_VERSION = "1.3.2";
+var MCP_VERSION = "1.4.0";
 
 // src/tools/usage.ts
 function asEnvelope10(data) {

package/dist/index.js

@@ -14,22 +14,30 @@ var MCP_VERSION;
 var init_version = __esm({
   "src/lib/version.ts"() {
     "use strict";
-    MCP_VERSION = "1.3.2";
+    MCP_VERSION = "1.4.0";
   }
 });
 
 // src/lib/posthog.ts
 import { createHash } from "node:crypto";
-import { PostHog } from "posthog-node";
 function hashUserId(userId) {
   return createHash("sha256").update(`${POSTHOG_SALT}:${userId}`).digest("hex").substring(0, 32);
 }
+function isTelemetryOptedIn() {
+  if (process.env.DO_NOT_TRACK === "1" || process.env.DO_NOT_TRACK === "true" || process.env.SOCIALNEURON_NO_TELEMETRY === "1") {
+    return false;
+  }
+  return process.env.SOCIALNEURON_TELEMETRY === "1";
+}
 function initPostHog() {
-  if (isTelemetryDisabled()) return;
+  if (!isTelemetryOptedIn()) return;
   const key = process.env.POSTHOG_KEY || process.env.VITE_POSTHOG_KEY;
   const host = process.env.POSTHOG_HOST || process.env.VITE_POSTHOG_HOST || "https://eu.i.posthog.com";
   if (!key) return;
-  client = new PostHog(key, { host, flushAt: 5, flushInterval: 1e4 });
+  import("posthog-node").then(({ PostHog }) => {
+    client = new PostHog(key, { host, flushAt: 5, flushInterval: 1e4 });
+  }).catch(() => {
+  });
 }
 async function captureToolEvent(args) {
   if (!client) return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socialneuron/mcp-server",
-  "version": "1.3.2",
+  "version": "1.4.0",
   "description": "MCP server for Social Neuron - AI content creation platform",
   "type": "module",
   "main": "dist/index.js",
@@ -65,9 +65,11 @@
     "express": "^5.1.0",
     "jose": "^6.2.1",
     "open": "10.0.0",
-    "posthog-node": "^5.28.0",
     "zod": "^4.0.0"
   },
+  "optionalDependencies": {
+    "posthog-node": "^5.28.0"
+  },
   "devDependencies": {
     "@types/express": "^5.0.6",
     "@types/node": "^25.3.5",