feat(analytics): add Profound web traffic tracking

[waleedlatif1]

Summary

• Add Profound analytics custom log integration for AI agent/crawler traffic tracking
• Batches HTTP request logs in memory and flushes to Profound's API every 10s
• Gated behind isHosted — completely inert for self-hosters
• No hardcoded URLs or keys in source — both PROFOUND_API_KEY and PROFOUND_ENDPOINT are env vars

Type of Change

• New feature

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Mar 29, 2026 4:53am

[cursor]

PR Summary

Medium Risk
Adds a new fire-and-forget network export path in the request proxy that runs on every matched request in hosted environments, which could impact latency/throughput or memory usage if the batching/flush behavior misbehaves. Query-string filtering reduces but doesn’t eliminate risk of unintentionally sending sensitive data to a third-party endpoint.

Overview
Adds hosted-only Profound web-traffic logging by buffering request metadata in memory and periodically POSTing batched entries to a configurable Profound endpoint.

The proxy middleware now wraps all returns with a track() helper that calls sendToProfound() using the response status, and the env schema adds PROFOUND_API_KEY and PROFOUND_ENDPOINT to enable/configure the integration.

^{Written by Cursor Bugbot for commit 86a85a3. Configure here.}

[greptile-apps]

Greptile Summary

This PR adds Profound analytics integration for tracking AI agent/crawler web traffic at the Next.js middleware layer. Requests are buffered in-process and flushed in batches to Profound's API every 10 seconds, gated entirely behind isHosted so self-hosters see zero change.

Key changes:

• apps/sim/lib/analytics/profound.ts — new module with an in-memory ring buffer, a periodic flush timer, isProfoundEnabled() guard, and sensitive-parameter stripping (token, callbackUrl, code, state, secret)
• apps/sim/proxy.ts — all middleware return paths now call track(), which delegates to sendToProfound
• apps/sim/lib/core/config/env.ts — PROFOUND_API_KEY and PROFOUND_ENDPOINT registered as optional zod-validated env vars

All three concerns raised in earlier review rounds (missing endpoint guard, status 200 on pass-through, intentional data loss on API failure) have been addressed with code fixes or TSDoc comments. The one remaining minor point is that the referer header is forwarded verbatim and can carry sensitive query params from the source page (e.g., callbackUrl in the referer of a post-login request), bypassing the SENSITIVE_PARAMS filter applied to the current request's query string.

Confidence Score: 5/5

Safe to merge — all prior P1 concerns are resolved; the only remaining finding is a P2 referer-sanitization suggestion that does not block correctness

All three previously flagged P1 issues (missing endpoint guard, undocumented status-200 limitation, undocumented data loss on failure) are fixed or documented. The single new finding (referer leaking stripped params) is P2 and does not affect analytics correctness or introduce a security vulnerability beyond what was already accepted for query params.

apps/sim/lib/analytics/profound.ts — minor referer sanitization opportunity at line 112

Important Files Changed

Filename	Overview
apps/sim/lib/analytics/profound.ts	New Profound analytics module — buffer/flush logic is sound, sensitive param stripping applied to current-request query params, but referer forwarded verbatim can re-expose stripped values
apps/sim/proxy.ts	All proxy return paths correctly wrapped with track(); prior concern about status 200 on pass-through responses is now documented
apps/sim/lib/core/config/env.ts	Two new optional env vars added with appropriate zod validation (string min-length and URL format)

Sequence Diagram

sequenceDiagram
    participant Browser
    participant proxy as proxy.ts (middleware)
    participant track as track()
    participant profound as profound.ts
    participant Timer as setInterval (10s)
    participant API as Profound API

    Browser->>proxy: HTTP request
    proxy->>proxy: Auth/CSP/redirect logic
    proxy->>track: track(request, response)
    track->>profound: sendToProfound(request, statusCode)
    profound->>profound: isProfoundEnabled()?
    alt analytics enabled
        profound->>profound: Strip SENSITIVE_PARAMS from query
        profound->>profound: buffer.push(entry)
        profound->>profound: ensureFlushTimer()
        alt buffer.length >= MAX_BATCH_SIZE (500)
            profound->>profound: flush() — async, fire-and-forget
        end
    end
    track-->>proxy: response (unchanged)
    proxy-->>Browser: response

    loop Every 10 seconds
        Timer->>profound: flush()
        profound->>profound: entries = buffer.splice(0, 500)
        profound->>API: POST /endpoint (x-api-key)
        alt API success
            API-->>profound: 2xx
        else API failure
            profound->>profound: entries dropped (intentional, no retry)
        end
    end

Loading

_{Reviews (4): Last reviewed commit: "chore(analytics): remove unnecessary que..." | Re-trigger Greptile}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}