v3/docs/adr/ADR-309-funnel-governance-privacy-ecosystem.md
The funnel turns an open-source developer tool into an acquisition channel for a proprietary service. That carries package-ecosystem risk, privacy-regulation obligations, and a content-governance burden that no technical ADR covers. This ADR is the single place those are decided.
funding/standard incident. The funnel is materially different — runtime, first-party, in ruflo's own CLI, fully disableable — but the reputational blast radius of that precedent is the reference point for every content decision.npm install / postinstall time. The funnel exists only inside interactive ruflo commands.DELETE /v1/events/{subject_id} (ADR-308) keyed by the local funnel ID, which the CLI can print on demand (ruflo funnel id). Deletion returns a durable receipt.policyVersion).interface FunnelEvent {
schemaVersion: 1;
event:
| "disclosure_shown"
| "funnel_disabled"
| "signup_opened"
| "account_created"
| "proxy_activated";
surface: "statusline" | "init" | "credit_exhaustion";
release: string; // ruflo version, e.g. "3.8.0"
region?: string; // coarse, self-declared only
pseudonymousId?: string; // ADR-305 funnel ID; absent when attribution consent is off
timestampBucket: string; // "2026-07-10" or "2026-07-10T18" — never full timestamps
}
timestampBucket is daily by default, hourly at most. Full timestamps are never transmitted — bucket granularity is chosen per metric, and daily suffices for every ADR-305 North Star metric.MAINTAINERS/CODEOWNERS) approves every message entering the ADR-301 rotation; message changes are PRs with the owner as required reviewer.NO_COLOR modes (ADR-301).