docs(telemetry): document BAA category restrictions#446
Conversation
Document that orgs with a BAA cannot capture the network, console, and screenshot telemetry categories, that enforcement happens on session create/update, and that the request is rejected with a 400 telemetry_category_restricted.
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Want fixes drafted automatically? Bugbot Autofix can create code changes for findings. A team admin can enable Autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit cb9916f. Configure here.
|
|
||
| If your organization has signed a business associate agreement (BAA) with Kernel, the `network`, `console`, and `screenshot` categories are blocked and can't be captured. These are the categories most likely to record protected health information (PHI): full request and response data, arbitrary page logs, and rendered images of the screen. | ||
|
|
||
| The restriction is enforced when you create a session (`POST /browsers`) or update one (`PATCH /browsers/{id}`). Enabling any blocked category returns a `400` response with the code `telemetry_category_restricted`, and the session's telemetry config is left unchanged. The remaining browser-activity categories (`page` and `interaction`) and all operational categories stay available. |
There was a problem hiding this comment.
Dense BAA enforcement prose
Low Severity
The new BAA enforcement paragraph packs several separable facts—create/update routes, the 400 / telemetry_category_restricted response, unchanged telemetry config, and which categories stay allowed—into one dense sentence. A short lead-in plus bullets would match the guide scannability rule.
Triggered by learned rule: Use bullet lists when covering multiple distinct points in guides
Reviewed by Cursor Bugbot for commit cb9916f. Configure here.
Link BAA to HIPAA for readers unfamiliar with the term, use plainer phrasing for what console captures, and trim redundant guidance from the compliance warning. Co-authored-by: Cursor <cursoragent@cursor.com>
There was a problem hiding this comment.
Risk assessment: Very Low
The current diff at 44f6dd7 changes one documentation page only (browsers/telemetry/categories.mdx, +7/−1). It adds explanatory BAA telemetry guidance and adjusts adjacent warning copy; it doesn't modify application code, API behavior, configuration, infrastructure, permissions, or other production paths. The change has a narrow documentation-only blast radius. No CODEOWNERS file or outstanding code-owner review request is present, and the PR had no existing approval when assessed.
Sent by Cursor Automation: Assign PR reviewers
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |




Summary
network,console, andscreenshottelemetry categories.POST /browsers) and update (PATCH /browsers/{id}), returning400 telemetry_category_restrictedwith the config left unchanged.pageandinteractionremain available under a BAA but can still carry personal data, closing a gap where the sensitivity table flagged them as sensitive without explaining their availability.Context
The enforcement already exists in
packages/api(enforceTelemetryBAARestrictionsintelemetry.go, gated on thekernel_org_baaPostHog flag), but was previously undocumented — the categories page only had a soft advisory<Warning>. This makes the enforced behavior explicit.Test plan
mintlify devand the new H3 + updated Warning display correctly.Made with Cursor