Skip to content

docs(telemetry): document BAA category restrictions#446

Closed
Sayan- wants to merge 2 commits into
mainfrom
docs/telemetry-baa-restrictions
Closed

docs(telemetry): document BAA category restrictions#446
Sayan- wants to merge 2 commits into
mainfrom
docs/telemetry-baa-restrictions

Conversation

@Sayan-

@Sayan- Sayan- commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Documents that organizations with a signed BAA cannot capture the network, console, and screenshot telemetry categories.
  • Clarifies that enforcement happens on session create (POST /browsers) and update (PATCH /browsers/{id}), returning 400 telemetry_category_restricted with the config left unchanged.
  • Notes that page and interaction remain available under a BAA but can still carry personal data, closing a gap where the sensitivity table flagged them as sensitive without explaining their availability.

Context

The enforcement already exists in packages/api (enforceTelemetryBAARestrictions in telemetry.go, gated on the kernel_org_baa PostHog flag), but was previously undocumented — the categories page only had a soft advisory <Warning>. This makes the enforced behavior explicit.

Test plan

  • Verify the page renders in mintlify dev and the new H3 + updated Warning display correctly.

Made with Cursor

Document that orgs with a BAA cannot capture the network, console, and
screenshot telemetry categories, that enforcement happens on session
create/update, and that the request is rejected with a 400
telemetry_category_restricted.
@mintlify

mintlify Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
Kernel 🟢 Ready View Preview Jul 14, 2026, 7:37 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Want fixes drafted automatically? Bugbot Autofix can create code changes for findings. A team admin can enable Autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit cb9916f. Configure here.


If your organization has signed a business associate agreement (BAA) with Kernel, the `network`, `console`, and `screenshot` categories are blocked and can't be captured. These are the categories most likely to record protected health information (PHI): full request and response data, arbitrary page logs, and rendered images of the screen.

The restriction is enforced when you create a session (`POST /browsers`) or update one (`PATCH /browsers/{id}`). Enabling any blocked category returns a `400` response with the code `telemetry_category_restricted`, and the session's telemetry config is left unchanged. The remaining browser-activity categories (`page` and `interaction`) and all operational categories stay available.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dense BAA enforcement prose

Low Severity

The new BAA enforcement paragraph packs several separable facts—create/update routes, the 400 / telemetry_category_restricted response, unchanged telemetry config, and which categories stay allowed—into one dense sentence. A short lead-in plus bullets would match the guide scannability rule.

Fix in Cursor Fix in Web

Triggered by learned rule: Use bullet lists when covering multiple distinct points in guides

Reviewed by Cursor Bugbot for commit cb9916f. Configure here.

Link BAA to HIPAA for readers unfamiliar with the term, use plainer
phrasing for what console captures, and trim redundant guidance from
the compliance warning.

Co-authored-by: Cursor <cursoragent@cursor.com>

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Risk assessment: Very Low

The current diff at 44f6dd7 changes one documentation page only (browsers/telemetry/categories.mdx, +7/−1). It adds explanatory BAA telemetry guidance and adjusts adjacent warning copy; it doesn't modify application code, API behavior, configuration, infrastructure, permissions, or other production paths. The change has a narrow documentation-only blast radius. No CODEOWNERS file or outstanding code-owner review request is present, and the PR had no existing approval when assessed.

Open in Web View Automation 

Sent by Cursor Automation: Assign PR reviewers

@mintlify

mintlify Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
Kernel 🟡 Building Jul 14, 2026, 7:36 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant