Summary
The telemetry rollout says Framelink sends anonymous usage data and that file IDs are not sent, but the current implementation still forwards raw error_message strings after only credential redaction. In practice, those messages can contain Figma file keys and node IDs.
This seems like a real contract mismatch rather than an intentional tradeoff:
- PR #342 explicitly says "No Figma file contents, names, or IDs are sent as telemetry"
- current code still captures error.message verbatim in telemetry properties
- the recent error-message improvements in #344 make the leakage easier to hit because the messages are now more actionable and include identifiers
Current behavior
A few examples from current main / v0.10.1:
- src/services/figma.ts builds 403 messages like:
  Figma API returned 403 Forbidden for '/files/abc123'
- src/extractors/design-extractor.ts builds missing-node messages like:
  Node 1:2 was not found in the Figma file...
- src/telemetry/capture.ts forwards error.message
- src/telemetry/client.ts only redacts configured secrets (tokens), not file keys / node IDs
Reproduction
I verified this locally by forcing two error paths and inspecting the resulting error messages before telemetry capture:
{
"fileErrorMessage": "Figma API returned 403 Forbidden for '/files/abc123'. ...",
"nodeErrorMessage": "Node 1:2 was not found in the Figma file. ..."
}
Because telemetry capture uses the raw message text, those identifiers are currently eligible to leave the process.
Expected behavior
Telemetry should either:
- sanitize file keys / node IDs from error_message, or
- stop sending raw error_message entirely
Suggested fix
Add identifier redaction alongside the existing secret redaction before events are captured. A minimal version could sanitize:
- /files/<fileKey>
- /images/<fileKey>
- node-id=... / ids=...
- Node <nodeId> was not found
Why this seems worth fixing
- It restores the privacy claim from #342
- It keeps actionable error analytics without shipping identifiers
- It is especially timely now that #346 is expanding telemetry around exceptions
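
One way to implement the identifier redaction suggested above, as an added TypeScript example that is not Framelink's code. The names `redactIdentifiers` and `sanitizeProps`, the event property shape, the placeholder strings and the character classes used for file keys and node IDs are all assumptions.

```typescript
// Added example, not Framelink's code. The patterns follow the issue's list;
// the character classes for file keys and node IDs are assumptions.
type Rule = { pattern: RegExp; replacement: string };

const IDENTIFIER_RULES: Rule[] = [
  // /files/<fileKey> and /images/<fileKey> in API paths or URLs
  { pattern: /\/(files|images)\/[A-Za-z0-9_-]+/g, replacement: "/$1/<fileKey>" },
  // node-id=... and ids=... query parameters (value runs to the next delimiter)
  { pattern: /\b(node-id|ids)=[^&\s'"]+/g, replacement: "$1=<nodeId>" },
  // "Node 1:2 was not found ..." style messages
  { pattern: /\bNode\s+\S+\s+was not found/g, replacement: "Node <nodeId> was not found" },
];

// Replace Figma identifiers in one message; running it twice gives the same text.
function redactIdentifiers(message: string): string {
  return IDENTIFIER_RULES.reduce(
    (text, rule) => text.replace(rule.pattern, rule.replacement),
    message
  );
}

// Hypothetical event shape: redact every string property, so a new field that
// carries message text is covered without another code change.
type TelemetryProps = Record<string, string | number | boolean>;

function sanitizeProps(props: TelemetryProps): TelemetryProps {
  const out: TelemetryProps = {};
  for (const key of Object.keys(props)) {
    const value = props[key];
    out[key] = typeof value === "string" ? redactIdentifiers(value) : value;
  }
  return out;
}

// Constructed sample event built from the two messages quoted in the issue.
const SAMPLE_EVENT: TelemetryProps = {
  error_message: "Figma API returned 403 Forbidden for '/files/abc123'. ...",
  detail: "Node 1:2 was not found in the Figma file. ...",
  status: 403,
};
```

Running this step before the existing secret redaction hands events to the capture call keeps the message text (status, endpoint type, failure kind) while dropping the identifiers.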