* docs(download): add redesign plan and copy positioning source of truth Captures motivation (Desktop is Multica's native form; CLI is a distinct scenario for servers/remote boxes, not a Desktop fallback), four-step execution plan, and every touchpoint's current-vs-new copy in EN + ZH. Subsequent UI steps read strings from the positioning doc instead of inventing them inline. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(web): /download page with OS auto-detection New landing-group route that serves as the single canonical download destination. Auto-detects OS + arch via navigator.userAgentData (Chromium) with UA-string fallback, then surfaces the matching Desktop installer as the primary CTA. All platforms stay visible below, plus a CLI section (positioned for servers / remote boxes / headless setups, not as a lightweight Desktop) and a Cloud waitlist. Version + asset URLs come from api.github.com/repos/.../releases/latest with Vercel ISR (revalidate=300) so every release automatically propagates — no manual redeploy. Optional GITHUB_TOKEN env var lifts the 60/hr unauthenticated rate limit for local dev. Failure degrades cleanly to "Version unavailable" + a link to GitHub releases. Also points landing hero + footer Download links at /download (previously pointed at the GitHub releases page directly), and re-exports CloudWaitlistExpand from @multica/views/onboarding so the new Cloud section can reuse the existing form. Intel Mac has no binary today (electron-builder targets mac arm64 only); the page is honest about it and routes Intel users to CLI. i18n copy sourced verbatim from docs/download-positioning.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(onboarding): rewrite Step 3 fork + web Welcome Desktop CTA Welcome screen now self-segments: on web (runtimeInstructions present), the primary CTA is "Download Desktop" with a benefit-led subtitle ("Desktop bundles the runtime — nothing to install. Continue on web to connect your own CLI.") that lets developers with their own CLI recognize their path while guiding everyone else toward the desktop app. Desktop branch drops the "3 minutes" estimate in favor of the aha promise. Download button is a real <a href> link so middle-click / copy-link / screen readers all behave correctly. Step 3 fork drops the stale isMac gate — Windows / Linux binaries now ship, the macOS-only muted card was a lie. The single Desktop card now routes to /download (not GitHub releases directly) so users land on the auto-detect page. CLI card is reframed around its real scenario (servers, remote dev boxes, headless) rather than posing as a lightweight Desktop, and the CLI dialog's stall tier redirects users to Desktop instead of Cloud waitlist when the daemon never registers — Desktop is the genuine retreat. cli-install-instructions gets a one-liner acknowledging the CLI's server use case, mirroring the card copy. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(web,auth): desktop promotion on login + solid landing hero download LoginPage accepts a new `extra?: ReactNode` slot rendered below the Google button. The web shell injects a hardcoded-EN "Prefer the desktop app? Download →" nudge there — catching users at their lowest-investment moment, before they've typed an email. Desktop's login wrapper omits the slot (a download prompt inside the app would be absurd), so only the web surface renders it. Copy is English-only for now because the /login route sits outside the landing group's LocaleProvider. Lifting locale detection into the root layout would force every page dynamic and kill the Router Cache — a trade-off not worth two strings. The `auth.login.extra*` i18n keys added during Step 2 are removed for the same reason: they're dead code without a LocaleProvider wrapping login. Landing hero "Download Desktop" upgrades from ghost to solid and swaps its handwritten monitor SVG for lucide-react's Download icon. Both hero CTAs are now solid-weighted — the icon + distinct label differentiates them. href already points to /download from the Step 2 landing nav pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(web/download): anchor dark LandingHeader with relative wrapper LandingHeader's dark variant uses `absolute top-0 inset-x-0`, which only reads correctly when wrapped by a positioned ancestor — see multica-landing.tsx:14 for the canonical pattern. Without the wrapper the header escaped to the initial containing block and appeared fixed as users scrolled the page. Also drops the <main> element around the body sections for consistency with the rest of the landing group (neither multica-landing nor about-page-client wraps in <main>). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(landing/hero): keep Download Desktop as ghost to preserve CTA hierarchy Upgrading to solid alongside the existing "Start free trial" CTA killed the primary / secondary distinction — both buttons were white on dark, competing for attention. Revert to ghost so the conversion CTA (trial) stays the visual primary. The lucide Download icon swap stays (cleaner than the handwritten monitor SVG). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(onboarding): update platform-fork assertions for /download route The Desktop card in Step 3 now opens the new /download page instead of GitHub releases, and the post-click feedback text changed to match ("Continuing on the download page…" in place of "Downloading Multica…"). Update the expectations and drop the isMac navigator stub that was only needed when the component had a macOS-only primary branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Merge origin/main into NevilleQingNY/download-redesign Main added onboarding funnel analytics (#1489) that captures `is_mac` as a dimension for each Step 3 path selection. This branch had removed the `isMac` state because the UI no longer branches on it (Windows / Linux desktop builds ship now). Git auto-merged the two diffs into a file that referenced a deleted variable. Reintroduce `isMac` as a lazy client-only computation scoped to analytics capture only — the UI stays platform-agnostic. Handlers fire client-side so SSR safety isn't needed; a plain const reads navigator on first render. typecheck passes across all 6 packages; all 166 views tests green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(analytics): instrument download funnel across 5 surfaces + /download Closes the gap left by PR #1489: onboarding analytics captured Step 3 path selection but missed the four surfaces that advertise the desktop app earlier in the funnel (landing hero, landing footer, login, Welcome), and the /download page itself had zero coverage — so we could see the last-mile path but not the top-of-funnel entry nor the page-to-installer conversion. Three new events, wired via `@multica/core/analytics`: 1. `download_intent_expressed` fires on any CTA pointing at /download. `source` splits the five surfaces cleanly; every authenticated emission also writes `platform_preference=desktop` on the person (same convention Step 3 already uses). 2. `download_page_viewed` fires once per /download mount after OS detect resolves. Carries `detected_os`, `detected_arch`, `detect_confident` (Chromium userAgentData vs UA fallback), and `version_available` so the Safari-on-Mac arm64-default cohort and GitHub-rate-limited degraded sessions are each isolable. Also $set_once's `first_detected_os/arch` on the person so every downstream event gains a platform dimension without re-emitting. 3. `download_initiated` fires on every installer click — Hero's primary CTA and each All Platforms matrix row. `primary_cta` splits hero-recommended from manual picks; `matched_detect` quantifies detect accuracy from the single event (no cross-join to download_page_viewed needed). Augments the existing `onboarding_runtime_path_selected` with a `source: "step3"` property — literal today, reserved for future surfaces reusing the same event name. `is_mac` kept for backward-compat with PR #1489's dashboards; the new events use `detected_os` + `detected_arch` instead. New `setPersonPropertiesOnce` wire helper in `packages/core/analytics/download.ts` for `$set_once` — mirrors the backend's `Event.SetOnce` semantics. docs/analytics.md update lands in the follow-up commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(analytics): document download_intent_expressed / page_viewed / initiated Adds the three new download-funnel events to the frontend-only section. Also notes the semantic shift on onboarding_runtime_path_selected: its `path: "download_desktop"` now signals Step 3 path choice, not actual download start — download_intent_expressed is the new canonical "user expressed intent to download desktop" signal across surfaces. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
16 KiB
Product Analytics
This document is the source of truth for the analytics events Multica ships to PostHog. Events feed the acquisition → activation → expansion funnel that drives our weekly Active Workspaces (WAW) north-star metric.
See MUL-1122 for the design context.
Configuration
All analytics shipping is toggled by environment variables (see .env.example):
| Variable | Meaning | Default |
|---|---|---|
POSTHOG_API_KEY |
PostHog project API key. Empty = no events are shipped. | "" |
POSTHOG_HOST |
PostHog host (US or EU cloud, or self-hosted URL). | https://us.i.posthog.com |
ANALYTICS_DISABLED |
Set to true/1 to force the no-op client even when POSTHOG_API_KEY is set. |
"" |
Local dev and self-hosted instances run with POSTHOG_API_KEY="", so no
events leave the process unless the operator explicitly opts in.
Self-hosted instances
Self-hosters should never inherit a Multica-issued POSTHOG_API_KEY —
that would route their users' behavior to our analytics project. The
defaults guarantee this:
.env.exampleshipsPOSTHOG_API_KEY=empty. The Docker self-host compose does not set a default either.- With the key unset,
NewFromEnvreturnsNoopClientand logsanalytics: POSTHOG_API_KEY not set, using noop clientat startup — a visible confirmation that nothing is shipped. - Operators who want their own analytics can set
POSTHOG_API_KEYandPOSTHOG_HOSTto point at their own PostHog project (Cloud or self-hosted PostHog). - The frontend receives the key via
/api/config(planned for PR 2), so self-hosts' blank server config also disables frontend event shipping automatically — no separate frontend opt-out plumbing required.
Architecture
handler → analytics.Client.Capture(Event) ← non-blocking, returns immediately
│
▼
bounded queue (1024 events)
│
▼
background worker: batch + POST /batch/
│
▼
PostHog
analytics.Captureis never allowed to block a request handler. A broken backend must not degrade the product — when the queue is full, events are dropped and counted (visible viaslog+ thedroppedcounter on shutdown).- Batches flush either when
BatchSizeis reached or everyFlushEvery(default 10 s), whichever comes first. Close()drains remaining events during graceful shutdown. Called fromserver/cmd/server/main.goviadefer.
Identity model
distinct_id— always the user's UUID for logged-in events. The frontend'sposthog.identify(user.id)merges any prior anonymous events under the same identity, so acquisition attribution (UTM / referrer) stays intact across signup.workspace_id— added to every event as a property when present. v1 uses event property filtering (free tier) rather than PostHog Groups Analytics (paid) to compute workspace-level metrics.- PII — events carry
email_domain(e.g.gmail.com), not the full email. Full email is stored once in person properties via$set_onceso it's available for individual debugging but not broadcast with every event. - Person properties (
$set) — use for mutable cohort signals (role, use_case, team_size, platform_preference) that a user can legitimately change during onboarding.Event.Seton the backend maps to$set; the frontend helper issetPersonProperties()in@multica/core/analytics. Use$set_onceonly for values that must never be overwritten (email, initial attribution, first-completion timestamp).
Event contract
signup
Fires when a new user is created. Covers both verification-code and Google
OAuth entry points (findOrCreateUser is the single emission site).
| Property | Type | Description |
|---|---|---|
email_domain |
string | Lower-cased domain portion of the user's email. |
signup_source |
string | Opaque attribution bundle from the frontend cookie multica_signup_source (UTM + referrer). Empty when the cookie is absent. |
auth_method |
string | Optional. "google" for Google OAuth signups. Absent for verification-code signups. |
Person properties set with $set_once:
| Property | Type | Description |
|---|---|---|
email |
string | Full email. Never broadcast per-event. |
signup_source |
string | Same as above; kept on the person for later segmentation. |
workspace_created
Fires after a CreateWorkspace transaction commits successfully.
| Property | Type | Description |
|---|---|---|
workspace_id |
string (UUID) | Added globally; present here for clarity. |
Note on "first workspace" segmentation — we deliberately do not stamp
an is_first_workspace boolean at emit time. Computing it correctly would
require an extra column or transaction-scoped logic that still races under
concurrent creates. Instead, PostHog answers the same question exactly by
looking at whether the user has a prior workspace_created event (use a
funnel with "first time user does X" or a cohort on
person_properties.$initial_event). No information is lost.
runtime_registered
Fires the first time a (workspace_id, daemon_id, provider) tuple is
upserted. Heartbeats and repeat registrations never re-emit. First-time
detection uses Postgres xmax = 0 on the upsert RETURNING clause — no
extra query, no race.
| Property | Type | Description |
|---|---|---|
runtime_id |
string (UUID) | The newly created agent_runtime row id. |
provider |
string | e.g. "codex", "claude". |
runtime_version |
string | Version of the agent runtime binary. |
cli_version |
string | Version of the multica CLI that registered it. |
distinct_id is the authenticated owner's user id when the daemon was
registered via a member's JWT/PAT; daemon-token registrations fall back to
workspace:<workspace_id> so PostHog doesn't bucket unrelated daemons
under a single "anonymous" person.
issue_executed
Fires at most once per issue — when the first task on that issue
reaches terminal done state. Backed by an atomic
UPDATE issue SET first_executed_at = now() WHERE id = $1 AND first_executed_at IS NULL RETURNING *;
retries, re-assignments, and comment-triggered follow-up tasks all hit the
WHERE clause and no-op, so the ≥1 / ≥2 / ≥5 / ≥10 funnel buckets count
distinct issues, not tasks.
| Property | Type | Description |
|---|---|---|
issue_id |
string (UUID) | |
task_duration_ms |
int64 | Wall-clock time between task.started_at and task.completed_at. Zero when the task was created in a completed state (rare). |
distinct_id prefers the issue's human creator so agent-executed events
flow into the issue-author's person profile (same place signup and
workspace_created land). Agent-created issues prefix with agent: to
keep PostHog from merging the agent into a user record.
Note on workspace-Nth ordinals — we deliberately do not stamp
nth_issue_for_workspace at emit time. Computing it correctly would
require either a serialised transaction or an advisory lock per workspace;
two concurrent first-completions could otherwise both read count=1 and
emit n=1. PostHog answers the same question at query time via
row_number() OVER (PARTITION BY properties.workspace_id ORDER BY timestamp),
and funnel steps of the form "workspace has had ≥2 issue_executed
events" are expressible without the property. No information is lost.
team_invite_sent
Fires from CreateInvitation after the DB row is written.
| Property | Type | Description |
|---|---|---|
invited_email_domain |
string | Lower-cased domain; full email lives in the invitation row, not the event. |
invite_method |
string | Currently always "email". Future non-email invite flows (share link, SCIM) should pass their own value. |
distinct_id is the inviter's user id.
team_invite_accepted
Fires from AcceptInvitation after both the invitation row is marked
accepted and the member row is inserted in the same transaction.
| Property | Type | Description |
|---|---|---|
days_since_invite |
int64 | Whole days from invitation creation to acceptance. Lets us segment "accepted same day" (warm) from "dug out of email weeks later" (cold). |
distinct_id is the invitee's user id — this is the event that closes the
expansion funnel.
onboarding_questionnaire_submitted
Fires on the first PatchOnboarding that transitions the user's questionnaire JSONB from "at least one slot empty" to "all three filled" (team_size, role, use_case). Revisions past that point don't re-emit — the funnel counts users, not edits.
| Property | Type | Description |
|---|---|---|
team_size |
string | solo / team / other. |
role |
string | developer / product_lead / writer / founder / other. |
use_case |
string | coding / planning / writing_research / explore / other. |
team_size_has_other |
bool | true when the user filled the Q1 free-text escape. |
role_has_other |
bool | Ditto Q2. |
use_case_has_other |
bool | Ditto Q3. |
Person properties set with $set (not once — users can go back and
change answers before submitting again):
| Property | Type | Description |
|---|---|---|
team_size |
string | Mirrors the event property for cohort queries. |
role |
string | Same. |
use_case |
string | Same. |
distinct_id is the user's id. No workspace_id — the questionnaire is
per-user, not per-workspace.
agent_created
Fires on every successful POST /api/workspaces/:id/agents. Not
onboarding-specific — the is_first_agent_in_workspace property
isolates the Step 4 signal from later agent additions.
| Property | Type | Description |
|---|---|---|
agent_id |
string (UUID) | |
provider |
string | Runtime provider the agent is bound to (claude, codex, etc). |
template |
string | Template slug used to seed the agent (coding / planning / writing / assistant). Empty when the caller didn't come from a template picker. |
is_first_agent_in_workspace |
bool | true when the workspace had zero agents before this insert. |
distinct_id is the authenticated owner's user id.
onboarding_completed
Fires from CompleteOnboarding on the first call that actually flips
user.onboarded_at from NULL. Retries are idempotent server-side but
deliberately do NOT re-emit, so the funnel counts first-completions
only. The client sends completion_path in the POST body to label
which exit the user took.
| Property | Type | Description |
|---|---|---|
completion_path |
string | One of full / runtime_skipped / cloud_waitlist / skip_existing / unknown. See below. |
joined_cloud_waitlist |
bool | Derived from user.cloud_waitlist_email. Orthogonal to completion_path — a user may submit the waitlist form and still pick CLI. |
Person properties set with $set_once:
| Property | Type | Description |
|---|---|---|
onboarded_at |
string (RFC3339) | Timestamp the first completion landed. Enables cohort queries like "users onboarded before X" directly from person_properties. |
completion_path values:
full— Reached Step 5 (first_issue) with a runtime connected.runtime_skipped— Completed without connecting a runtime (user hit Skip in Step 3).cloud_waitlist— Submitted the cloud waitlist form and skipped Step 3.skip_existing— "I've done this before" from Welcome. The user already had a workspace.unknown— Legacy fallback when the client didn't send a path. Should stay near zero after rollout.
cloud_waitlist_joined
Fires from JoinCloudWaitlist whenever a user submits the Step 3 cloud waitlist form. Not a completion signal — it's orthogonal to the main funnel and used to size hosted-runtime interest.
| Property | Type | Description |
|---|---|---|
has_reason |
bool | Presence flag for the free-text reason field. The free text stays in the DB; we don't broadcast it. |
distinct_id is the user's id.
starter_content_decided
Fires on the atomic NULL → terminal state transition in both
ImportStarterContent and DismissStarterContent. The branch property
mirrors what ImportStarterContent would emit for the same workspace,
so import-vs-dismiss rates split cleanly by branch.
| Property | Type | Description |
|---|---|---|
decision |
string | imported or dismissed. |
branch |
string | agent_guided (workspace had ≥1 agent at decision time) or self_serve (no agents). |
distinct_id is the user's id; workspace_id is attached from the
request payload.
Frontend-only events
-
$pageview— fired byapps/web/components/pageview-tracker.tsxon every Next.js App Router path or query-string change. The tracker mounts once underWebProvidersand drives the acquisition funnel's/ → signupstep. posthog-js's automatic pageview capture is disabled ininitAnalyticsso we own the event shape. -
onboarding_runtime_path_selected— fired frompackages/views/onboarding/steps/step-platform-fork.tsxwhen the web user clicks one of the three Step 3 fork cards (before any server call happens, so it's frontend-only). Properties:path(download_desktop/cli/cloud_waitlist),source(step3; literal today but reserved for future surfaces reusing this event),is_mac. Also writesplatform_preference(web/desktop) to person properties so every subsequent event on the user can be broken down by chosen platform. Note: semantic "download intent" is now better served bydownload_intent_expressedbelow —path: "download_desktop"signals Step 3 path choice specifically, not actual download start. -
download_intent_expressed— fired whenever a user clicks a CTA that points at the/downloadpage. Surfaces five sources across the funnel, letting the top-of-funnel entry be split cleanly. Wrapper lives inpackages/core/analytics/download.ts(captureDownloadIntent). Properties:source:landing_hero/landing_footer/login/welcome/step3Also writesplatform_preference: "desktop"to person properties.
-
download_page_viewed— fired once per/downloadmount after OS detect resolves (apps/web/app/(landing)/download/download-client.tsx). Properties:detected_os:mac/windows/linux/unknowndetected_arch:arm64/x64/unknowndetect_confident:truewhen detect useduserAgentData.getHighEntropyValues(Chromium);falsewhen it fell back to the UA string (Safari on Mac always lands here — lets us isolate the arm64-default-for-Intel risk cohort).version_available:falsewhen the GitHub API fetch failed and the page is in the "Version unavailable" degraded state. Also writesfirst_detected_os/first_detected_archvia$set_onceso every downstream event gains a platform dimension without re-emitting.
-
download_initiated— fired when the user clicks a specific installer link on/download. Both the hero CTA and the All Platforms matrix rows emit this; split byprimary_cta. Properties:platform:mac/windows/linuxarch:arm64/x64format:dmg/zip/exe/appimage/deb/rpmversion: release tag (e.g.v0.2.13) — correlates adoption with release cadence.primary_cta:truefor the hero-recommended installer,falsefor a manual pick from the All Platforms matrix.matched_detect:truewhen the chosen platform+arch matches what the page detected.falselets us quantify detect misses from the single event (no cross-join needed).
-
Attribution is NOT a separate event; UTM + referrer origin are written to the
multica_signup_sourcecookie on the first anonymous pageview and read by the backend'ssignupemission. The cookie carries a JSON payload URL-encoded at write time (encodeURIComponent) and URL-decoded at read time (url.QueryUnescape) — the JSON is never mid-truncated; individual values are capped at 96 chars beforeJSON.stringify, and the entire payload is dropped if it still exceeds 512 chars. That way PostHog sees either intact JSON or nothing at all.
Governance
Before adding, renaming, or removing any event:
- Update this document first.
- Update
server/internal/analytics/events.goconstants and helpers to match. - PR description must state which existing funnel / insight is affected.