Skip to content
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
150 changes: 150 additions & 0 deletions docs/privacy-policy-update-meeting.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,150 @@
# Privacy Policy Update - Team Discussion

**Date:** December 8, 2025
**PR:** https://github.com/wonderwhy-er/DesktopCommanderMCP/pull/287
**Duration:** 15-20 minutes

---

## Context: Why This Update?

1. **Code audit revealed inconsistencies** between what the privacy policy said and what the code actually does
2. **Australian Privacy Act complaint** highlighted specific issues (APP 1, 2, 3, 5)
3. **No changes to actual data collection** — this is about making the policy accurate, not changing behavior

---

## Summary of Changes

### 1. "Anonymous" → "Pseudonymous"

**Before:** "Anonymous client ID... is not connected to any other telemetry event data"

**After:** "Pseudonymous client ID... is included with telemetry events"

**Why:** The UUID is sent with every event (we need this for retention metrics). Calling it "anonymous" and "isolated" was factually incorrect. Under GDPR, pseudonymous data is still personal data.

---

### 2. Removed "No PII" Claim

**Before:** "avoiding any personally identifiable information (PII)"

**After:** Lists specifically what we don't collect (names, emails, usernames, file paths)

**Why:**
- Under US law: UUID might not be PII
- Under GDPR: UUID IS personal data
- Safer to be specific about what we don't collect rather than make broad claims

---

### 3. Added Missing Data Fields

**Added disclosures for:**
- Client info (Claude Desktop, VS Code version)
- Container/Docker metadata
- File sizes
- Runtime source

**Why:** These were being collected but not documented. Full transparency.

---

### 4. Named Google Analytics Explicitly

**Before:** "sent securely via HTTPS to Google Analytics" (buried in text)

**After:** Dedicated "Analytics Provider" section naming GA4

**Why:** Industry standard for developer tools. Users expect to know who processes their data.

---

### 5. IP Address Clarification

**Added:** "We do not store IP addresses. However, Google Analytics receives them via HTTPS and auto-anonymizes them."

**Why:** We can't claim "we don't collect IPs" when our analytics provider sees them. This is honest about the technical reality.

---

### 6. Added "Your Rights" Section

**New section includes:**
- List of GDPR rights (access, deletion, objection, withdraw consent)
- How to find your UUID (ask AI or check config file)
- Explanation that we can only process requests with UUID
- 30-day response commitment

**Why:**
- GDPR/Australian Privacy Act require this
- Explains the privacy paradox: we're SO private we can't identify users
- This is actually a strength, not a weakness

---

### 7. Added Legal Contact Email

**Added:** legal@desktopcommander.app for privacy/legal matters

**Why:**
- GitHub issues are public — not appropriate for legal matters
- Required for compliance
- We already have this email, just wasn't in the policy

---

### 8. Simplified README Section

**Before:** ~25 lines of privacy details in README

**After:** 5 lines + link to PRIVACY.md

**Why:** Single source of truth, easier maintenance, README was already 960+ lines

---

## Discussion Points

### A. Are we comfortable with "pseudonymous" language?
- Legally accurate
- Might sound scarier than "anonymous" to some users
- But: honesty > marketing

### B. The Australian complaint
- Changes address APP 1 (clear policy), APP 5 (proper notice)
- APP 2 (anonymity option) — we can argue UUID-based system IS effectively anonymous since we can't re-identify
- APP 3 (necessity) — retention metrics are legitimate business need

### C. Should we add anything else?
- Children's data statement? ("Not directed at under-18s")
- Cross-border transfer note? (Data processed in US)
- More detailed retention explanation?

---

## Decisions Needed

1. ✅ / ❌ Approve PR as-is?
2. ✅ / ❌ Add children's data statement?
3. ✅ / ❌ Add cross-border transfer note?
4. ✅ / ❌ Update website privacy policy to match?

---

## Files Changed

| File | Changes |
|------|---------|
| `PRIVACY.md` | Major rewrite — all changes above |
| `README.md` | Simplified privacy section, links to PRIVACY.md |

---

## Post-Meeting Actions

- [ ] Merge PR
- [ ] Update https://legal.desktopcommander.app/privacy_desktop_commander_mcp
- [ ] Mention in next release notes
- [ ] Respond to Discord complaint with link to updated policy
11 changes: 10 additions & 1 deletion package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

42 changes: 22 additions & 20 deletions src/server.ts
Original file line number Diff line number Diff line change
Expand Up @@ -780,35 +780,37 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
{
name: "read_process_output",
description: `
Read output from a running process with intelligent completion detection.
Read output from a running process with file-like pagination support.

Automatically detects when process is ready for more input instead of timing out.
Supports partial output reading with offset and length parameters (like read_file):
- 'offset' (start line, default: 0)
* offset=0: Read NEW output since last read (default, like old behavior)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: The documentation for the process output tool incorrectly states that offset=0 always reads "NEW output since last read", but in the implementation this only holds for active sessions and not for completed sessions where repeated offset=0 calls re-read from the beginning, which can lead callers to misuse the API and repeatedly stream the same output. [logic error]

Severity Level: Minor ⚠️

Suggested change
* offset=0: Read NEW output since last read (default, like old behavior)
* offset=0: For running processes, read NEW output since last read (default behavior)
Why it matters? ⭐

This is a documentation correctness suggestion, not a code bug fix. The current comment in the tool description implies a guarantee that may not hold for completed sessions (many process-read implementations will return from start for finished processes or when there is no last-read cursor). Clarifying the text to "For running processes, read NEW output since last read (default behavior)" avoids misleading callers and reduces incorrect assumptions about API semantics. It's a safe, useful clarification that improves developer UX and prevents subtle misuse.

Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** src/server.ts
**Line:** 787:787
**Comment:**
	*Logic Error: The documentation for the process output tool incorrectly states that `offset=0` always reads "NEW output since last read", but in the implementation this only holds for active sessions and not for completed sessions where repeated `offset=0` calls re-read from the beginning, which can lead callers to misuse the API and repeatedly stream the same output.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.

* Positive: Read from absolute line position
* Negative: Read last N lines from end (tail behavior)
- 'length' (max lines to read, default: configurable via 'fileReadLineLimit' setting)

SMART FEATURES:
- Early exit when REPL shows prompt (>>>, >, etc.)
- Detects process completion vs still running
- Prevents hanging on interactive prompts
- Clear status messages about process state
Examples:
- offset: 0, length: 100 → First 100 NEW lines since last read
- offset: 0 → All new lines (respects config limit)
- offset: 500, length: 50 → Lines 500-549 (absolute position)
- offset: -20 → Last 20 lines (tail)
- offset: -50, length: 10 → Start 50 from end, read 10 lines

OUTPUT PROTECTION:
- Uses same fileReadLineLimit as read_file (default: 1000 lines)
- Returns status like: [Reading 100 lines from line 0 (total: 5000 lines, 4900 remaining)]
- Prevents context overflow from verbose processes

REPL USAGE:
- Stops immediately when REPL prompt detected
- Shows clear status: waiting for input vs finished
- Shorter timeouts needed due to smart detection
- Works with Python, Node.js, R, Julia, etc.
SMART FEATURES:
- For offset=0, waits up to timeout_ms for new output to arrive
- Detects REPL prompts and process completion
- Shows process state (waiting for input, finished, etc.)

DETECTION STATES:
Process waiting for input (ready for interact_with_process)
Process finished execution
Timeout reached (may still be running)

PERFORMANCE DEBUGGING (verbose_timing parameter):
Set verbose_timing: true to get detailed timing information including:
- Exit reason (early_exit_quick_pattern, early_exit_periodic_check, process_finished, timeout)
- Total duration and time to first output
- Complete timeline of all output events with timestamps
- Which detection mechanism triggered early exit
Use this to identify when timeouts could be reduced or detection patterns improved.

${CMD_PREFIX_DESCRIPTION}`,
inputSchema: zodToJsonSchema(ReadProcessOutputArgsSchema),
annotations: {
Expand Down
Loading