Enforce Opt-In-Only Data Collection/External Calls

All external communications now require explicit opt-in via
environment variables as opposed to requiring users to find and
explicitly apply opt-outs from data collection. Relevant for GRC
concerns such as GDPR and other regional privacy regulations as
well as basic user-retention/adoption - adress sentiment concern.

Summary:
- Auto-update checks blocked by default (requires
`STAKPAK_ENABLE_UPDATES=1`)
- Machine fingerprinting blocked by default (requires
`STAKPAK_GENERATE_MACHINE_ID=1`)
- Telemetry payload fields blocked individually (requires
`STAKPAK_ENABLE_TELEMETRY=1` + per-field opts)
- Fixed interactive mode telemetry bypass
(`collect_telemetry.unwrap_or(false)`)

Privacy Impact:
- Zero external calls unless user explicitly opts in
- No persistent machine identification without consent
- Granular control over telemetry data fields
- Sovereign workflow enforced by default

Author: RageLtMan

cli/src/commands/agent/run/mode_interactive.rs

@@ -678,7 +678,7 @@ pub async fn run_interactive(
                         // Capture telemetry when not using Stakpak API (local mode)
                         if !has_stakpak_key
                             && let Some(ref anonymous_id) = ctx_clone.anonymous_id
-                            && ctx_clone.collect_telemetry.unwrap_or(true)
+                            && ctx_clone.collect_telemetry.unwrap_or(false)
                         {
                             capture_event(
                                 anonymous_id,

cli/src/config/file.rs

@@ -26,8 +26,10 @@ impl Default for ConfigFile {
             settings: Settings {
                 machine_name: None,
                 auto_append_gitignore: Some(true),
-                anonymous_id: Some(uuid::Uuid::new_v4().to_string()),
-                collect_telemetry: Some(true),
+                // DO NOT generate anonymous_id by default - only if telemetry is enabled
+                anonymous_id: None,
+                // DEFAULT: Telemetry is OPT-IN, never OPT-OUT
+                collect_telemetry: Some(false),
                 editor: Some("nano".to_string()),
             },
         }
@@ -38,15 +40,16 @@ impl ConfigFile {
     /// Create a config file with a default profile.
     pub(crate) fn with_default_profile() -> Self {
         ConfigFile {
-            profiles: HashMap::from([(
-                "default".into(),
+            profiles: HashMap::from([("default".into(),
                 ProfileConfig::with_api_endpoint(STAKPAK_API_ENDPOINT),
             )]),
             settings: Settings {
                 machine_name: None,
                 auto_append_gitignore: Some(true),
-                anonymous_id: Some(uuid::Uuid::new_v4().to_string()),
-                collect_telemetry: Some(true),
+                // DO NOT generate anonymous_id by default - only if telemetry is enabled
+                anonymous_id: None,
+                // DEFAULT: Telemetry is OPT-IN, never OPT-OUT
+                collect_telemetry: Some(false),
                 editor: Some("nano".to_string()),
             },
         }
@@ -97,7 +100,9 @@ impl ConfigFile {
         self.settings = Settings {
             machine_name: config.machine_name,
             auto_append_gitignore: config.auto_append_gitignore,
+            // Only set anonymous_id if config explicitly provides it (telemetry enabled)
             anonymous_id: config.anonymous_id.or(existing_anonymous_id),
+            // Only set collect_telemetry if config explicitly provides it
             collect_telemetry: config.collect_telemetry.or(existing_collect_telemetry),
             editor: config.editor.or(existing_editor),
         };
@@ -173,11 +178,10 @@ impl From<OldAppConfig> for ConfigFile {
     fn from(old_config: OldAppConfig) -> Self {
         let settings: Settings = old_config.clone().into();
         ConfigFile {
-            profiles: HashMap::from([(
-                "default".to_string(),
+            profiles: HashMap::from([("default".to_string(),
                 ProfileConfig::migrated_from_old_config(old_config),
             )]),
             settings,
         }
     }
-}
+}

cli/src/config/types.rs

@@ -24,6 +24,8 @@ pub struct Settings {
     #[serde(alias = "user_id")]
     pub anonymous_id: Option<String>,
     /// Whether to collect telemetry data
+    /// **DEFAULT: false (opt-in required for privacy)**
+    /// Users must explicitly set this to `true` to enable telemetry
     pub collect_telemetry: Option<bool>,
     /// Preferred external editor (e.g. vim, nano, code)
     pub editor: Option<String>,
@@ -43,9 +45,11 @@ impl From<OldAppConfig> for Settings {
         Settings {
             machine_name: old_config.machine_name,
             auto_append_gitignore: old_config.auto_append_gitignore,
-            anonymous_id: Some(uuid::Uuid::new_v4().to_string()),
-            collect_telemetry: Some(true),
+            // Do NOT generate anonymous_id by default - only if telemetry is enabled
+            anonymous_id: None,
+            // DEFAULT: Telemetry is OPT-IN, never OPT-OUT
+            collect_telemetry: Some(false),
             editor: Some("nano".to_string()),
         }
     }
-}
+}

cli/src/main.rs

@@ -237,8 +237,14 @@ async fn main() {
         Cli::parse()
     };
 
-    // Only run auto-update in interactive mode (when no command is specified)
-    if cli.command.is_none()
+    // AUTO-UPDATE: BLOCKED BY DEFAULT - requires explicit OPT-IN
+    // Only run auto-update if user sets STAKPAK_ENABLE_UPDATES=1 (dangerous)
+    let should_check_updates = std::env::var("STAKPAK_ENABLE_UPDATES")
+        .unwrap_or_else(|_| "0".to_string())
+        .eq_ignore_ascii_case("1");
+    
+    if should_check_updates
+        && cli.command.is_none()
         && !cli.r#async
         && !cli.print
         && let Err(e) = auto_update().await
@@ -291,17 +297,26 @@ async fn main() {
                 return; // Exit after warden execution completes
             }
 
-            if config.machine_name.is_none() {
-                // Generate a random machine name
+            // MACHINE FINGERPRINTING: BLOCKED BY DEFAULT - requires explicit OPT-IN
+            // Only generate machine name if user sets STAKPAK_GENERATE_MACHINE_ID=1 (dangerous)
+            let should_generate_machine_id = std::env::var("STAKPAK_GENERATE_MACHINE_ID")
+                .unwrap_or_else(|_| "0".to_string())
+                .eq_ignore_ascii_case("1");
+            
+            if should_generate_machine_id && config.machine_name.is_none() {
+                // Generate a random machine name (user opted-in)
                 let random_name = names::Generator::with_naming(Name::Numbered)
                     .next()
                     .unwrap_or_else(|| "unknown-machine".to_string());
 
                 config.machine_name = Some(random_name);
 
                 if let Err(e) = config.save() {
-                    eprintln!("Failed to save config: {}", e);
+                    eprintln!("Failed to save machine name to config: {}", e);
                 }
+            } else if !should_generate_machine_id && config.machine_name.is_none() {
+                // Log warning that machine name is not generated (safe default)
+                tracing::debug!("Machine name not generated - set STAKPAK_GENERATE_MACHINE_ID=1 to enable");
             }
 
             // Run interactive/async agent when no subcommand or Init; otherwise run the subcommand
@@ -380,14 +395,20 @@ async fn main() {
                         std::process::exit(1);
                     }));
 
-                // Parallelize HTTP calls for faster startup
+                // PARALLELIZE ONLY IF OPT-IN: update checks blocked by default
                 let current_version = format!("v{}", env!("CARGO_PKG_VERSION"));
                 let client_for_rulebooks = client.clone();
                 let config_for_rulebooks = config.clone();
 
-                let (api_result, update_result, rulebooks_result) = tokio::join!(
+                // Check updates sequentially to avoid type inference issues
+                let update_result = if should_check_updates {
+                    check_update(&current_version).await
+                } else {
+                    Ok(())
+                };
+
+                let (api_result, rulebooks_result) = tokio::join!(
                     client.get_my_account(),
-                    check_update(&current_version),
                     async {
                         client_for_rulebooks
                             .list_rulebooks()
@@ -1025,4 +1046,4 @@ mod tests {
             .requires_auth()
         );
     }
-}
+}

cli/src/onboarding/save_config.rs

@@ -3,7 +3,7 @@
 use crate::config::{ConfigFile, ProfileConfig, ProviderType};
 use crate::onboarding::config_templates::config_to_toml_preview;
 use crate::onboarding::styled_output;
-use stakpak_shared::telemetry::{TelemetryEvent, capture_event};
+use stakpak_shared::telemetry::{TelemetryEvent, capture_event, is_telemetry_enabled, is_telemetry_env_enabled};
 use std::fs;
 use std::path::PathBuf;
 
@@ -36,11 +36,21 @@ pub fn save_to_profile(
     let is_local_provider = matches!(profile.provider, Some(ProviderType::Local));
     let is_first_telemetry_setup = config_file.settings.anonymous_id.is_none();
 
-    if is_local_provider && config_file.settings.anonymous_id.is_none() {
+    // SOVEREIGNTY GUARD: Only generate anonymous_id if telemetry is explicitly enabled
+    // Both config AND environment variable must opt-in
+    if is_local_provider 
+        && config_file.settings.anonymous_id.is_none()
+        && is_telemetry_enabled(config_file.settings.collect_telemetry)
+        && is_telemetry_env_enabled()
+    {
         config_file.settings.anonymous_id = Some(uuid::Uuid::new_v4().to_string());
     }
+
+    // DO NOT set collect_telemetry to true by default - maintain opt-in only
+    // If user hasn't explicitly set it, keep it as None (will default to false)
     if is_local_provider && config_file.settings.collect_telemetry.is_none() {
-        config_file.settings.collect_telemetry = Some(true);
+        // Never auto-enable telemetry - keep it disabled by default
+        config_file.settings.collect_telemetry = Some(false);
     }
 
     config_file
@@ -56,15 +66,19 @@ pub fn save_to_profile(
         .save_to(&path)
         .map_err(|e| format!("Failed to save config file: {}", e))?;
 
+    // SOVEREIGNTY GUARD: Only capture telemetry if user explicitly enabled it
+    // Requires: config opt-in AND env var opt-in AND anonymous_id generated
     if is_local_provider
         && is_first_telemetry_setup
+        && is_telemetry_enabled(config_file.settings.collect_telemetry)
+        && is_telemetry_env_enabled()
+        && config_file.settings.collect_telemetry.unwrap_or(false)
         && let Some(ref anonymous_id) = config_file.settings.anonymous_id
-        && config_file.settings.collect_telemetry.unwrap_or(true)
     {
         capture_event(
             anonymous_id,
             config_file.settings.machine_name.as_deref(),
-            true,
+            true, // telemetry is enabled
             TelemetryEvent::FirstOpen,
         );
     }
@@ -95,4 +109,4 @@ pub fn preview_and_save_to_profile(
     println!();
 
     Ok(telemetry_settings)
-}
+}

cli/src/utils/check_update.rs

@@ -4,9 +4,20 @@ use serde::Deserialize;
 use stakpak_shared::tls_client::{TlsClientConfig, create_tls_client};
 use std::error::Error;
 
+// UPDATE CHECKS: DEFAULT DISABLED - requires STAKPAK_ENABLE_UPDATES=1
+// This prevents mandatory external calls during startup
+const UPDATE_CHECK_ENABLED: &str = "STAKPAK_ENABLE_UPDATES";
+
 use crate::commands::auto_update::run_auto_update;
 use crate::utils::cli_colors::CliColors;
 
+/// Check if update checks are enabled (default: disabled for sovereignty)
+fn is_update_check_enabled() -> bool {
+    std::env::var(UPDATE_CHECK_ENABLED)
+        .unwrap_or_else(|_| "0".to_string())
+        .eq_ignore_ascii_case("1")
+}
+
 /// Parse version string (with or without 'v' prefix) into semver Version
 fn parse_version(version_str: &str) -> Option<Version> {
     let cleaned = version_str.strip_prefix('v').unwrap_or(version_str);
@@ -125,6 +136,11 @@ fn format_changelog(body: &str) -> String {
 }
 
 pub async fn check_update(current_version: &str) -> Result<(), Box<dyn Error>> {
+    // BLOCKED BY DEFAULT - requires explicit opt-in
+    if !is_update_check_enabled() {
+        return Ok(());
+    }
+
     let release = get_latest_release().await?;
     if is_newer_version(current_version, &release.tag_name) {
         let blue = CliColors::blue();
@@ -141,33 +157,32 @@ pub async fn check_update(current_version: &str) -> Result<(), Box<dyn Error>> {
             "{}┃{}{}⮕ {} Version Update Available!{}{}┃{}",
             blue, reset, cyan, text, reset, blue, reset
         );
-        println!("{}┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛{}", blue, reset);
         println!(
             "{} {}{}{} → {}{}{}",
             text, yellow, current_version, reset, green, release.tag_name, reset
         );
-        println!("{}", sep);
+        println!("{}{}", sep, reset);
 
         if let Some(body) = &release.body
             && !body.trim().is_empty()
         {
             println!("{} What's new in this update:{}", text, reset);
-            println!("{}", sep);
+            println!("{}{}", sep, reset);
             let changelog = format_changelog(body);
-            println!("{}", changelog);
-            println!("{}", sep);
+            println!("{}{}", changelog, reset);
+            println!("{}{}", sep, reset);
             println!(
                 "{} View full changelog: {}{}{}{}",
                 text, reset, cyan, release.html_url, reset
             );
-            println!("{}", sep);
+            println!("{}{}", sep, reset);
         }
 
         println!(
             "{} Upgrade to access the latest features! 🚀{}",
             text, reset
         );
-        println!("{}", sep);
+        println!("{}{}", sep, reset);
     }
 
     Ok(())
@@ -197,6 +212,11 @@ pub async fn get_latest_cli_version() -> Result<String, Box<dyn Error>> {
 }
 
 pub async fn auto_update() -> Result<(), Box<dyn Error>> {
+    // BLOCKED BY DEFAULT - requires explicit opt-in
+    if !is_update_check_enabled() {
+        return Ok(());
+    }
+
     let release = get_latest_release().await?;
     let current_version = format!("v{}", env!("CARGO_PKG_VERSION"));
     if is_newer_version(&current_version, &release.tag_name) {
@@ -217,7 +237,7 @@ pub async fn auto_update() -> Result<(), Box<dyn Error>> {
             println!("{} What's new in this update:{}", text, reset);
             println!("{}{}{}", cyan, "─".repeat(50), reset);
             let changelog = format_changelog(body);
-            println!("{}", changelog);
+            println!("{}{}", changelog, reset);
             println!("{}{}{}", cyan, "─".repeat(50), reset);
             println!(
                 "{} View full changelog: {}{}{}\n",
@@ -246,6 +266,11 @@ pub async fn auto_update() -> Result<(), Box<dyn Error>> {
 /// Force auto-update without prompting (for ACP mode).
 /// Returns true if an update was performed and the process should restart.
 pub async fn force_auto_update() -> Result<bool, Box<dyn Error>> {
+    // BLOCKED BY DEFAULT - requires explicit opt-in
+    if !is_update_check_enabled() {
+        return Ok(false);
+    }
+
     let release = get_latest_release().await?;
     let current_version = format!("v{}", env!("CARGO_PKG_VERSION"));
     if is_newer_version(&current_version, &release.tag_name) {
@@ -260,4 +285,4 @@ pub async fn force_auto_update() -> Result<bool, Box<dyn Error>> {
     } else {
         Ok(false)
     }
-}
+}