feat: telemetry instrumentation, CI/CD, docs, and CLI improvements

- Comprehensive telemetry instrumentation across session, processor, MCP, auth, and engine
- Enhanced telemetry module with event retry, buffer overflow tracking, SHA256 email hashing
- Added 15+ new telemetry event types (tool_call, agent_outcome, context_utilization, etc.)
- CI/CD pipeline optimization with caching and parallel builds
- Command loading resilience (graceful MCP/Skill failure handling)
- Postinstall welcome banner and changelog display
- TUI worker crash fix (circular dependency resolution)
- Build-time constants for engine version and changelog bundling
- CLI error handling improvements and telemetry flush on exit
- Added discover command for data stack scanning
- 15 new test files for telemetry, processor, MCP, bridge, CLI, and install
- Full documentation site with 40+ pages covering configuration, usage, and data engineering

Co-Authored-By: Kai (Claude Opus 4.6) <noreply@anthropic.com>

Author: 2 people

.github/workflows/ci.yml

@@ -11,9 +11,19 @@ jobs:
     name: TypeScript
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2
+        with:
+          bun-version: "1.3.9"
+
+      - name: Cache Bun dependencies
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: ~/.bun/install/cache
+          key: bun-${{ runner.os }}-${{ hashFiles('bun.lock') }}
+          restore-keys: |
+            bun-${{ runner.os }}-
 
       - name: Configure git for tests
         run: |
@@ -27,18 +37,37 @@ jobs:
         run: bun test
         working-directory: packages/altimate-code
 
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: "3.12"
+
+      - name: Install linter
+        run: pip install ruff==0.9.10
+
+      - name: Lint
+        run: ruff check src
+        working-directory: packages/altimate-engine
+
   python:
     name: Python ${{ matrix.python-version }}
     runs-on: ubuntu-latest
     strategy:
       matrix:
         python-version: ["3.10", "3.11", "3.12"]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+          cache-dependency-path: packages/altimate-engine/pyproject.toml
 
       - name: Install dependencies
         run: pip install -e ".[dev,warehouses]"
@@ -47,7 +76,3 @@ jobs:
       - name: Run tests
         run: pytest
         working-directory: packages/altimate-engine
-
-      - name: Lint
-        run: ruff check src
-        working-directory: packages/altimate-engine

.github/workflows/docs.yml

@@ -20,12 +20,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.12"
+          cache: "pip"
+          cache-dependency-path: docs/requirements.txt
 
       - name: Install mkdocs-material
         run: pip install mkdocs-material
@@ -34,10 +36,10 @@ jobs:
         run: mkdocs build -f docs/mkdocs.yml -d site
 
       - name: Setup Pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
         with:
           path: docs/site
 
@@ -50,4 +52,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4

.github/workflows/publish-engine.yml

@@ -13,20 +13,23 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.12"
+          cache: "pip"
+          cache-dependency-path: packages/altimate-engine/pyproject.toml
 
       - name: Install build tools
-        run: pip install build
+        run: pip install build==1.2.2
 
       - name: Build package
         run: python -m build
         working-directory: packages/altimate-engine
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
         with:
           packages-dir: packages/altimate-engine/dist/
+          skip-existing: true

.github/workflows/release.yml

@@ -5,27 +5,43 @@ on:
     tags:
       - "v*"
 
-permissions:
-  contents: write
-  id-token: write
+concurrency:
+  group: release
+  cancel-in-progress: false
 
 env:
   GH_REPO: AltimateAI/altimate-code
 
 jobs:
   build:
-    name: Build
+    name: Build (${{ matrix.os }})
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [linux, darwin, win32]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2
+        with:
+          bun-version: "1.3.9"
 
-      - uses: oven-sh/setup-bun@v2
+      - name: Cache Bun dependencies
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: ~/.bun/install/cache
+          key: bun-${{ runner.os }}-${{ hashFiles('bun.lock') }}
+          restore-keys: |
+            bun-${{ runner.os }}-
 
       - name: Install dependencies
         run: bun install
 
-      - name: Build all targets
-        run: bun run packages/altimate-code/script/build.ts
+      - name: Build ${{ matrix.os }} targets
+        run: bun run packages/altimate-code/script/build.ts --targets=${{ matrix.os }}
         env:
           OPENCODE_VERSION: ${{ github.ref_name }}
           OPENCODE_CHANNEL: latest
@@ -34,28 +50,41 @@ jobs:
           MODELS_DEV_API_JSON: test/tool/fixtures/models-api.json
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
-          name: dist
+          name: dist-${{ matrix.os }}
           path: packages/altimate-code/dist/
 
   publish-npm:
     name: Publish to npm
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2
+        with:
+          bun-version: "1.3.9"
+
+      - name: Cache Bun dependencies
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: ~/.bun/install/cache
+          key: bun-${{ runner.os }}-${{ hashFiles('bun.lock') }}
+          restore-keys: |
+            bun-${{ runner.os }}-
 
       - name: Install dependencies
         run: bun install
 
-      - name: Download build artifacts
-        uses: actions/download-artifact@v4
+      - name: Download all build artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
-          name: dist
+          pattern: dist-*
           path: packages/altimate-code/dist/
+          merge-multiple: true
 
       - name: Configure npm auth
         run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
@@ -89,30 +118,33 @@ jobs:
           GH_REPO: ${{ env.GH_REPO }}
           GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
 
+  # Engine publish runs without waiting for build — it builds from source and
+  # doesn't need CLI binary artifacts. This allows it to run in parallel.
   publish-engine:
     name: Publish engine to PyPI
-    needs: build
     runs-on: ubuntu-latest
     environment: pypi
     permissions:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.12"
+          cache: 'pip'
+          cache-dependency-path: packages/altimate-engine/pyproject.toml
 
       - name: Install build tools
-        run: pip install build
+        run: pip install build==1.2.2
 
       - name: Build package
         run: python -m build
         working-directory: packages/altimate-engine
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
         with:
           packages-dir: packages/altimate-engine/dist/
           skip-existing: true
@@ -124,7 +156,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
 
@@ -177,14 +209,15 @@ jobs:
           GH_REPO: ${{ env.GH_REPO }}
           CURRENT_TAG: ${{ github.ref_name }}
 
-      - name: Download build artifacts
-        uses: actions/download-artifact@v4
+      - name: Download all build artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
-          name: dist
+          pattern: dist-*
           path: packages/altimate-code/dist/
+          merge-multiple: true
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
         with:
           body_path: notes.md
           draft: false

CHANGELOG.md

@@ -5,6 +5,75 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.4] - 2026-03-04
+
+### Added
+
+- E2E tests for npm install pipeline: postinstall script, bin wrapper, and publish output (#50)
+
+## [0.2.3] - 2026-03-04
+
+### Added
+
+- Postinstall welcome banner and changelog display after upgrade (#48)
+
+### Fixed
+
+- Security: validate well-known auth command type before execution, add confirmation prompt (#45)
+- CI/CD: SHA-pin all GitHub Actions, per-job least-privilege permissions (#45)
+- MCP: fix copy-paste log messages, log init errors, prefix floating promises (#45)
+- Session compaction: clean up compactionAttempts on abort to prevent memory leak (#45)
+- Telemetry: retry failed flush events once with buffer-size cap (#45, #46)
+- Telemetry: flush events before process exit (#46)
+- TUI: resolve worker startup crash from circular dependency (#47)
+- CLI: define ALTIMATE_CLI build-time constants for correct version reporting (#41)
+- Address 4 issues found in post-v0.2.2 commits (#49)
+- Address remaining code review issues from PR #39 (#43)
+
+### Changed
+
+- CI/CD: optimize pipeline with caching and parallel builds (#42)
+
+### Docs
+
+- Add security FAQ (#44)
+
+## [0.2.2] - 2026-03-05
+
+### Fixed
+
+- Telemetry init: `Config.get()` failure outside Instance context no longer silently disables telemetry
+- Telemetry init: called early in CLI middleware and worker thread so MCP/engine/auth events are captured
+- Telemetry init: promise deduplication prevents concurrent init race conditions
+- Telemetry: pre-init events are now buffered and flushed (previously silently dropped)
+- Telemetry: user email is SHA-256 hashed before sending (privacy)
+- Telemetry: error message truncation standardized to 500 chars across all event types
+- Telemetry: `ALTIMATE_TELEMETRY_DISABLED` env var now actually checked in init
+- Telemetry: MCP disconnect reports correct transport type instead of hardcoded `stdio`
+- Telemetry: `agent_outcome` now correctly reports `"error"` outcome for failed sessions
+
+### Changed
+
+- Auth telemetry events use session context when available instead of hardcoded `"cli"`
+
+## [0.2.1] - 2026-03-05
+
+### Added
+
+- Comprehensive telemetry instrumentation: 25 event types across auth, MCP servers, Python engine, provider errors, permissions, upgrades, context utilization, agent outcomes, workflow sequencing, and environment census
+- Telemetry docs page with event table, privacy policy, opt-out instructions, and contributor guide
+- AppInsights endpoint added to network firewall documentation
+- `categorizeToolName()` helper for tool classification (sql, schema, dbt, finops, warehouse, lineage, file, mcp)
+- `bucketCount()` helper for privacy-safe count bucketing
+
+### Fixed
+
+- Command loading made resilient to MCP/Skill initialization failures
+
+### Changed
+
+- CLI binary renamed from `altimate-code` to `altimate`
+
 ## [0.2.0] - 2026-03-04
 
 ### Added