fix(cli): switch identity stitch to hybrid stitch+stamp attribution#5559
Draft
seanoliver wants to merge 6 commits into
Draft
fix(cli): switch identity stitch to hybrid stitch+stamp attribution#5559seanoliver wants to merge 6 commits into
seanoliver wants to merge 6 commits into
Conversation
Two concurrent writers in the same millisecond shared a tmp path and raced the rename into ENOENT. Surfaced as a cross-file flake in the login/logout integration tests, but two real CLI processes could hit it the same way.
After the first authenticated API call, the user UUID is stashed in process memory and used as distinct_id on all subsequent capture events (stamping, zero extra PostHog events). The $create_alias merge and the telemetry.json write now only happen in persistent runtimes, and the gate lives inside the stitch owner on every surface (Go StitchLogin, legacy TS stitchLogin + platform-api layer, next TS login) so no call site can forget it. Logout clears both the in-memory and persisted identity on all surfaces, and the redundant $identify that GROWTH-890 missed in next/login is gone. This restores per-user attribution for cli_* events in CI/Docker/npx (lost to the #5366 gate) without re-introducing the identify/alias volume spike. See docs/adr/0013-hybrid-stitch-stamp-identity-attribution.md. GROWTH-891
Supabase CLI previewnpx --yes https://pkg.pr.new/supabase@5559Preview package for commit |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 57e05b28ef
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Three fixes from an independent review of the hybrid stitch+stamp change: - Stamp the in-memory identity from the first authenticated response even when a persisted distinct_id already exists (stale disk identity + a different live token previously kept attributing events to the old user). Alias only the first identity a device ever sees — re-aliasing on re-login, or on the login command's direct StitchLogin call after the response hook already stitched, would merge a second user into the device's existing person graph. - Mark the legacy TS stitch attempt before its first yield point so concurrent authenticated responses cannot double-stitch. - Clear the telemetry identity on logout even when no token exists; a stale distinct_id can outlive the token.
Second-round review findings: - Login as A, logout, login as B re-aliased the same device — a device already merged into A's person graph. Logout now resets the identity entirely (new ResetIdentity / resetIdentity): forget the user AND rotate the device id, so the next login aliases a fresh device. Transient failure paths keep ClearDistinctID and preserve the device id. - A failed alias enqueue left the in-memory identity set, so the login command's follow-up StitchLogin treated the identity as already aliased and permanently skipped the history merge. The identity is now un-stashed on enqueue failure, keeping the first-identity gate retryable.
jgoux
approved these changes
Jun 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The gate from #5366 stopped the ephemeral-env
$identifyspike (730K/day → ~15K/day) but at the cost of attribution: in CI, Docker, andnpx supabase,cli_*events stay orphaned on throwaway device IDs and never link to the authenticated user. Those populations are 31–85% of CLI volume and feed the Agent-Led Growth dashboards.Problem
$create_aliaswas doing two jobs: labeling future events with the user ID, and retroactively merging pre-login device history into the person. In ephemeral environments the persistence assumption behind stitching is false, so every run re-stitched — that was the spike. But dropping stitching entirely (the original GROWTH-891 "Option C") would also drop the history merge on developer laptops, where it has real value and was never the volume problem.There was also a quieter leak: the #5366 gate only covered the
OnGotrueIDhook. Thelogincommand callsStitchLogindirectly, sosupabase login --tokenin CI still fired an alias and wrote state to a doomed home directory on every run.Fix
Hybrid of stitching and stamping, per ADR 0013 (included in this PR):
X-Gotrue-Idis stashed in process memory and used asdistinct_idon all subsequent captures. Zero extra PostHog events; restores attribution in CI/Docker/npx.$create_alias+telemetry.jsonwrite on a laptop's first login; nothing in ephemeral environments. The branch lives inside the stitch owner on every surface — GoStitchLogin, legacy TSstitchLoginand the platform-api layer,next/login — so call sites can't forget the gate. Thelogin-in-CI leak closes as a side effect.$identifyinnext/login that fix(cli): drop redundant identify from identity stitch #5396 missed, andcli_*capture volume from CI is unchanged — only identity-linking behavior moves.The first commit fixes a separate concurrency bug this work surfaced: telemetry config writes used millisecond-timestamp temp filenames, so two same-millisecond writers raced the rename into ENOENT.
Beyond the test suites, we verified the live event streams: both binaries rebuilt against a local PostHog capture server and a stub API serving
X-Gotrue-Id, run across first-run/persistent/steady-state/CI homes — ephemeral runs fire zero alias/identify with captures stamped by the real UUID, persistent first-run fires exactly one alias and persists the UUID.GROWTH-891