feat: add /codeboarding-feedback command to capture PR feedback via PostHog

On an issue_comment whose first word is /codeboarding-feedback, the guard
forwards the comment text and PR context to PostHog as an explicit
codeboarding_feedback_submitted event, reacts to the comment, and exits before
any checkout, engine setup, or LLM-key handling — so feedback never runs the
analysis path.

- scripts/submit_feedback.py: stdlib-only sender. Strips the command token
  (newlines preserved), caps at feedback_max_chars, sends one event, swallows
  all send failures, and never prints the feedback body. Mirrors Core's PostHog
  key/host defaults and DO_NOT_TRACK / CODEBOARDING_TELEMETRY opt-outs.
- action.yml: feedback_command + feedback_max_chars inputs; feedback branch and
  env in the guard; a 👍 Acknowledge feedback step gated on feedback_received.
- README: Feedback command subsection, Inputs rows, and opt-out docs that state
  plainly this is explicit user feedback (text + PR context), not anonymous
  telemetry.
- tests/test_submit_feedback.py: 26 stdlib unittest cases (extraction, multiline,
  truncation, opt-outs, host override, JSON shape, no-leak).

Author: brovatten

README.md

@@ -154,6 +154,29 @@ This table mirrors the engine and may lag it. The source of truth is the engine'
 
 The command needs the `issue_comment` trigger and runs from your default branch (a GitHub rule), so it only works once the workflow is merged there. On-demand runs on fork PRs are refused, so fork code is never analyzed with your secrets.
 
+### Feedback command
+
+In review workflows that include `issue_comment`, anyone whose comment reaches the action can send product feedback with:
+
+```text
+/codeboarding-feedback <message>
+```
+
+The action sends the message text and PR context (repository, PR number, comment URL, commenter) to CodeBoarding via PostHog, then reacts 👍 to the comment. This is **explicit, user-submitted feedback, not anonymous telemetry** — unlike [Core's telemetry](https://github.com/CodeBoarding/CodeBoarding/blob/main/TELEMETRY.md), it intentionally includes the text you wrote and who wrote it. It runs no analysis, checks out no code, and sends no source. The branch exits before engine setup, so a feedback comment is cheap and never starts an LLM job. Change the keyword via `feedback_command`, or cap the text length with `feedback_max_chars` (default `4000`).
+
+Because the feedback path runs no PR-head code, it isn't restricted to trusted collaborators the way the `/codeboarding` analysis command is — your workflow's own `if:` condition decides who can reach it. The quick-start workflow already restricts comment triggers to `OWNER`/`MEMBER`/`COLLABORATOR`; keep that condition if you only want trusted feedback. The default `startsWith(github.event.comment.body, '/codeboarding')` filter already matches `/codeboarding-feedback`, so no workflow change is needed to enable it.
+
+Opt out by setting either in your workflow `env:` (workflow- or job-level):
+
+```yaml
+env:
+  CODEBOARDING_TELEMETRY: 'false'   # CodeBoarding-specific switch
+  # or the cross-tool standard:
+  DO_NOT_TRACK: '1'
+```
+
+When disabled, the feedback comment is acknowledged but nothing is sent. Override the destination with `CODEBOARDING_POSTHOG_KEY` / `CODEBOARDING_POSTHOG_HOST` (same names Core uses).
+
 ## Keep your architecture versioned (sync mode)
 
 With `mode: sync`, the action analyzes the pushed commit and commits the results back to the branch (as `codeboarding[bot]`), so your architecture analysis stays versioned in git and tracks the code instead of drifting from it:
@@ -244,6 +267,8 @@ Be aware that `contents: write` is repo-wide — GitHub does not scope it to a b
 | `parsing_model` | both | `google/gemini-3.1-flash-lite-preview` | Parsing model. OpenRouter default shown; other providers use their own engine default. |
 | `comment_header` | review | `Architecture review` | Heading for the PR comment. |
 | `trigger_command` | review | `/codeboarding` | Slash command for trusted on-demand runs. |
+| `feedback_command` | review | `/codeboarding-feedback` | Slash command that sends a PR comment's text as [explicit product feedback](#feedback-command) to CodeBoarding via PostHog. Runs no analysis; opt out with `CODEBOARDING_TELEMETRY=false` / `DO_NOT_TRACK=1`. |
+| `feedback_max_chars` | review | `4000` | Max feedback characters sent from `feedback_command`; longer text is truncated and flagged. |
 | `cta_base_url` | review | empty | Click-proxy base URL: deep-links the editor link into VS Code/Cursor and adds a "get the extension" link (tracks owner/repo/pr). Empty links to the extension listing instead (GitHub strips `vscode:`/`cursor:` from comments). |
 | `webview_base_url` | review | `https://app.codeboarding.org` | Hosted webview base URL. The PR comment adds an "explore in browser" link to this PR's head-vs-base diff. Needs `commit_head_analysis` (same-repo PRs only); omitted on forks. Set empty to disable. |
 | `commit_head_analysis` | review | `true` | Commit the generated head `.codeboarding/analysis.json` (+ health report) to the PR branch so the webview can read it at the head SHA. Same-repo PRs only (the token is read-only on forks). |

action.yml

@@ -70,6 +70,14 @@ inputs:
     description: 'Review mode: slash-command that triggers the action from a PR comment (issue_comment event). A comment whose first word is this runs the diagram on-demand.'
     required: false
     default: '/codeboarding'
+  feedback_command:
+    description: 'Review mode: slash-command for submitting explicit feedback to CodeBoarding. The command and following text are sent to CodeBoarding via PostHog (not anonymous telemetry, and no analysis runs). Opt out with CODEBOARDING_TELEMETRY=false or DO_NOT_TRACK=1.'
+    required: false
+    default: '/codeboarding-feedback'
+  feedback_max_chars:
+    description: 'Review mode: maximum number of feedback characters sent from /codeboarding-feedback (the text is truncated past this).'
+    required: false
+    default: '4000'
   mode:
     description: 'What the action does. "review" (default): post a Mermaid architecture-diff comment on the PR (pull_request / issue_comment events). "sync": analyze on push and commit the architecture (analysis.json + rendered docs) to target_branch, keeping it versioned and current (the baseline review mode diffs against). Events: push / workflow_dispatch / schedule. Run the two modes from separate workflow files with least-privilege permissions each.'
     required: false
@@ -142,6 +150,26 @@ runs:
         COMMENT_BODY: ${{ github.event.comment.body }}
         AUTHOR_ASSOC: ${{ github.event.comment.author_association }}
         TRIGGER: ${{ inputs.trigger_command }}
+        # Feedback path (/codeboarding-feedback): a lightweight branch that sends
+        # the comment text to PostHog and exits before any checkout/engine setup.
+        # The script reads CODEBOARDING_POSTHOG_KEY/HOST and the opt-outs
+        # DO_NOT_TRACK / CODEBOARDING_TELEMETRY straight from the caller's env: a
+        # composite action inherits the calling workflow/job `env:` as real env
+        # vars, so those need no re-mapping here. POSTHOG_KEY/HOST below are a
+        # redundant alias the script only falls back to if the canonical vars are
+        # unset — kept as a hint that the destination is overridable.
+        FEEDBACK_COMMAND: ${{ inputs.feedback_command }}
+        FEEDBACK_MAX_CHARS: ${{ inputs.feedback_max_chars }}
+        POSTHOG_KEY: ${{ env.CODEBOARDING_POSTHOG_KEY }}
+        POSTHOG_HOST: ${{ env.CODEBOARDING_POSTHOG_HOST }}
+        SENDER_LOGIN: ${{ github.event.sender.login }}
+        SENDER_ID: ${{ github.event.sender.id }}
+        COMMENT_ID: ${{ github.event.comment.id }}
+        COMMENT_URL: ${{ github.event.comment.html_url }}
+        REPOSITORY_ID: ${{ github.event.repository.id }}
+        RUN_ATTEMPT: ${{ github.run_attempt }}
+        ACTION_PATH: ${{ github.action_path }}
+        ACTION_REF: ${{ github.action_ref || github.sha }}
         EVENT: ${{ github.event_name }}
         REPOSITORY: ${{ github.repository }}
         PR_NUMBER_PULL: ${{ github.event.pull_request.number }}
@@ -243,6 +271,18 @@ runs:
           # word is the trigger; the payload lacks SHAs so we query the API.
           [ -n "$ISSUE_PR_URL" ] || skip "Comment is on a plain issue, not a PR."
           FIRST_WORD="$(printf '%s' "$COMMENT_BODY" | tr -d '\r' | awk 'NR==1{print $1; exit}')"
+          # Feedback command: forward the comment text to PostHog, then stop BEFORE
+          # the trusted-association check, checkout, engine setup, and LLM key.
+          # Sending user-written feedback runs no PR code, so it doesn't need the
+          # collaborator gate the analysis path does — the workflow's own `if:`
+          # decides who can reach this step. The script swallows its own failures
+          # and the guard has no `set -e`, so feedback can never block the action.
+          if [ "$FIRST_WORD" = "$FEEDBACK_COMMAND" ]; then
+            python3 "$ACTION_PATH/scripts/submit_feedback.py"
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            echo "feedback_received=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
           [ "$FIRST_WORD" = "$TRIGGER" ] || skip "Comment does not start with '$TRIGGER'."
           # SECURITY (pwn-request guard): issue_comment runs in the base repo WITH
           # secrets for ANY commenter. Only a trusted collaborator may trigger an
@@ -281,6 +321,21 @@ runs:
         } >> "$GITHUB_OUTPUT"
         echo "Resolved PR #$PR_NUMBER (base=$BASE_REPO@$BASE_SHA head=$HEAD_REPO@$HEAD_SHA) via $EVENT"
 
+    # Feedback exits the guard with skip=true, so the analysis "Acknowledge
+    # command" step below (gated on skip != 'true') never fires for it; this one
+    # reacts instead, keyed on the feedback_received flag the guard set.
+    - name: Acknowledge feedback
+      if: steps.guard.outputs.feedback_received == 'true'
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.github_token }}
+        REPOSITORY: ${{ github.repository }}
+        COMMENT_ID: ${{ github.event.comment.id }}
+      run: |
+        # 👍 react to the feedback comment so the user knows it was received.
+        gh api -X POST "repos/${REPOSITORY}/issues/comments/${COMMENT_ID}/reactions" \
+          -f content='+1' >/dev/null 2>&1 || true
+
     - name: Acknowledge command
       if: steps.guard.outputs.skip != 'true' && github.event_name == 'issue_comment'
       shell: bash

scripts/submit_feedback.py

@@ -0,0 +1,176 @@
+"""Submit explicit user feedback (/codeboarding-feedback) to PostHog.
+
+Standard-library only, on purpose: this runs in the action's guard phase, before
+the engine checkout and any dependency install, so it must not import third-party
+packages. Unlike Core's anonymous telemetry, this event intentionally carries the
+user-written feedback text and PR context — that difference is documented in the
+README. All sending failures are swallowed; feedback must never break a PR.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import sys
+import urllib.error
+import urllib.request
+
+# Public PostHog ingest key — the same write-only project key Core ships.
+DEFAULT_POSTHOG_KEY = "phc_BQWpoXuPYQhW7mPWQcRv4yzSfuoAmh48EmXuUpeXPUB2"
+DEFAULT_POSTHOG_HOST = "https://us.i.posthog.com"
+DEFAULT_COMMAND = "/codeboarding-feedback"
+DEFAULT_MAX_CHARS = 4000
+EVENT_NAME = "codeboarding_feedback_submitted"
+SOURCE = "github_action_feedback"
+
+
+def telemetry_disabled(env: dict) -> bool:
+    """Mirror Core's opt-out: DO_NOT_TRACK or CODEBOARDING_TELEMETRY=false."""
+    if env.get("DO_NOT_TRACK", "").strip().lower() in ("1", "true", "yes"):
+        return True
+    return env.get("CODEBOARDING_TELEMETRY", "true").strip().lower() == "false"
+
+
+def resolve_key(env: dict) -> str:
+    return (env.get("CODEBOARDING_POSTHOG_KEY") or env.get("POSTHOG_KEY") or DEFAULT_POSTHOG_KEY).strip()
+
+
+def resolve_host(env: dict) -> str:
+    host = (env.get("CODEBOARDING_POSTHOG_HOST") or env.get("POSTHOG_HOST") or DEFAULT_POSTHOG_HOST).strip()
+    return host.rstrip("/") or DEFAULT_POSTHOG_HOST
+
+
+def resolve_command(env: dict) -> str:
+    return (env.get("FEEDBACK_COMMAND") or "").strip() or DEFAULT_COMMAND
+
+
+def resolve_max_chars(env: dict) -> int:
+    try:
+        n = int((env.get("FEEDBACK_MAX_CHARS") or "").strip())
+    except ValueError:
+        return DEFAULT_MAX_CHARS
+    return n if n > 0 else DEFAULT_MAX_CHARS
+
+
+def extract_feedback(comment_body: str, command: str) -> str:
+    """Return everything after the leading command token, newlines preserved.
+
+    The command is the first whitespace-delimited token of the comment. Only that
+    one token is removed; the remainder (including any later lines) is kept
+    verbatim, then outer whitespace is trimmed. Returns "" when the comment does
+    not actually start with the command, or carries no text after it.
+    """
+    body = (comment_body or "").replace("\r\n", "\n").replace("\r", "\n").lstrip()
+    if not body:
+        return ""
+    parts = body.split(None, 1)  # split once on the first run of whitespace
+    if parts[0] != command:
+        return ""
+    return parts[1].strip() if len(parts) > 1 else ""
+
+
+def cap_feedback(text: str, max_chars: int) -> tuple[str, int, bool]:
+    """Return (capped_text, original_length, truncated)."""
+    original_length = len(text)
+    truncated = original_length > max_chars
+    return (text[:max_chars] if truncated else text), original_length, truncated
+
+
+def _first(env: dict, *names: str) -> str:
+    for name in names:
+        value = (env.get(name) or "").strip()
+        if value:
+            return value
+    return ""
+
+
+def distinct_id(env: dict) -> str:
+    sender_id = _first(env, "SENDER_ID")
+    if sender_id:
+        return f"github-user:{sender_id}"
+    return f"github-run:{_first(env, 'RUN_ID', 'GITHUB_RUN_ID')}"
+
+
+def build_properties(env: dict, command: str, feedback_text: str, feedback_length: int, truncated: bool) -> dict:
+    props: dict = {
+        "source": SOURCE,
+        "command": command,
+        "feedback_text": feedback_text,
+        "feedback_length": feedback_length,
+        "feedback_truncated": truncated,
+    }
+    optional = {
+        "repository": _first(env, "REPOSITORY"),
+        "repository_id": _first(env, "REPOSITORY_ID"),
+        "pr_number": _first(env, "PR_NUMBER", "ISSUE_NUMBER"),
+        "comment_id": _first(env, "COMMENT_ID"),
+        "comment_url": _first(env, "COMMENT_URL"),
+        "author_association": _first(env, "AUTHOR_ASSOC", "AUTHOR_ASSOCIATION"),
+        "sender_login": _first(env, "SENDER_LOGIN"),
+        "sender_id": _first(env, "SENDER_ID"),
+        "run_id": _first(env, "RUN_ID", "GITHUB_RUN_ID"),
+        "run_attempt": _first(env, "RUN_ATTEMPT", "GITHUB_RUN_ATTEMPT"),
+        "action_ref": _first(env, "ACTION_REF", "GITHUB_ACTION_REF", "GITHUB_SHA"),
+    }
+    props.update({key: value for key, value in optional.items() if value})
+    return props
+
+
+def build_payload(env: dict) -> dict | None:
+    """Build the PostHog event payload, or None when there is nothing to send."""
+    command = resolve_command(env)
+    feedback_text, feedback_length, truncated = cap_feedback(
+        extract_feedback(env.get("COMMENT_BODY", ""), command), resolve_max_chars(env)
+    )
+    if not feedback_text:
+        return None
+    return {
+        "api_key": resolve_key(env),
+        "event": EVENT_NAME,
+        "distinct_id": distinct_id(env),
+        "properties": build_properties(env, command, feedback_text, feedback_length, truncated),
+    }
+
+
+def post(payload: dict, host: str, timeout: int = 10) -> int:
+    """POST one event to PostHog's ingest endpoint; return the HTTP status."""
+    request = urllib.request.Request(
+        f"{host}/i/v0/e/",
+        data=json.dumps(payload).encode("utf-8"),
+        headers={"Content-Type": "application/json"},
+        method="POST",
+    )
+    with urllib.request.urlopen(request, timeout=timeout) as response:
+        return response.status
+
+
+def main(env: dict | None = None) -> int:
+    env = os.environ if env is None else env
+
+    if telemetry_disabled(env):
+        print("Feedback disabled via DO_NOT_TRACK / CODEBOARDING_TELEMETRY; not sending.")
+        return 0
+
+    payload = build_payload(env)
+    if payload is None:
+        print("No feedback text after the command; nothing to send.")
+        return 0
+    if not payload["api_key"]:
+        print("No PostHog key configured; skipping feedback send.")
+        return 0
+
+    truncated = payload["properties"].get("feedback_truncated")
+    try:
+        status = post(payload, resolve_host(env))
+        print(f"Feedback submitted (HTTP {status}, truncated={truncated}).")
+    except urllib.error.HTTPError as exc:
+        print(f"Feedback endpoint returned HTTP {exc.code}; ignoring.")
+    except urllib.error.URLError as exc:
+        print(f"Feedback endpoint unreachable ({type(exc.reason).__name__}); ignoring.")
+    except Exception as exc:  # never let feedback break the action
+        print(f"Feedback send failed ({type(exc).__name__}); ignoring.")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())