feat: add telemetry tracking to npm scripts

[seanmcgary]

Send events to posthog when running npm scripts for build, dev and start

[Copilot]

Pull Request Overview

This PR adds telemetry tracking to npm scripts by introducing a bash script that sends events to PostHog when running build, dev, and start commands. The implementation checks for user consent via a config file before sending telemetry data.

Key Changes:

• Created a bash script (sendEvent.sh) that wraps npm script commands and sends telemetry events to PostHog
• Modified all npm scripts (build, start, dev) to execute through the telemetry wrapper script

Reviewed Changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 4 comments.

File	Description
templates/minimal/typescript/scripts/sendEvent.sh	New bash script that sends telemetry events to PostHog and executes the wrapped command
templates/minimal/typescript/package.json	Updated npm scripts to wrap commands with the telemetry tracking script

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The PostHog API key is hardcoded in the script. This is a security risk as the key is exposed in version control and could be misused. Consider storing the API key in an environment variable or secure configuration file.

Suggested change

	POSTHOG_API_KEY="phc_BiKfywNft5iBI8N7MxmuVCkb4GGZj4mDFXYPmOPUAI8"
	# Read PostHog API key from environment variable
	if [ -z "$POSTHOG_API_KEY" ]; then
	echo "Error: POSTHOG_API_KEY environment variable is not set."
	exit 2
	fi

[Copilot]

The command execution is not properly quoted, which will cause issues with commands containing spaces or special characters. Change to exec $@ or eval \"$COMMAND\" to properly handle arguments.

Suggested change

	exec $COMMAND
	exec "$@"

[Copilot]

The curl request runs in the foreground, which will block npm script execution until the HTTP request completes or times out. Add & at the end of the curl command to run it in the background and avoid blocking the user's command.

Suggested change

	}'
	}' &

[Copilot]

The COMMAND and EVENT_NAME variables are directly interpolated into JSON without sanitization, creating a potential injection vulnerability if these values contain special characters like quotes or backslashes. Use jq to properly escape JSON values or implement proper string escaping.

Suggested change

	curl -s -X POST "${POSTHOG_HOST}/capture/" \
	-H "Content-Type: application/json" \
	-d '{
	"api_key": "'"${POSTHOG_API_KEY}"'",
	"event": "'"${EVENT_NAME}"'",
	"distinct_id": "'"${user_uuid}"'",
	"properties": {
	"command": "'"${COMMAND}"'",
	"timestamp": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'"
	}
	}'
	if ! command -v jq >/dev/null 2>&1; then
	echo "Error: jq is required but not installed." >&2
	exit 2
	fi
	curl -s -X POST "${POSTHOG_HOST}/capture/" \
	-H "Content-Type: application/json" \
	-d "$(
	jq -n \
	--arg api_key "$POSTHOG_API_KEY" \
	--arg event "$EVENT_NAME" \
	--arg distinct_id "$user_uuid" \
	--arg command "$COMMAND" \
	--arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
	'{
	api_key: $api_key,
	event: $event,
	distinct_id: $distinct_id,
	properties: {
	command: $command,
	timestamp: $timestamp
	}
	}'
	)"