fix: hash emails before sending as PostHog distinct_id (#2002)

cherkanovart · claude · web-flow · commit 8dff5c123d0a · 2026-02-23T14:46:50.000+01:00
Use SHA-256 hash of email instead of raw email for PostHog distinct_id
across cli, compiler, and new-compiler packages to avoid sending PII.

Closes ENG-378

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.changeset/fix-emails-posthog.md b/.changeset/fix-emails-posthog.md
@@ -0,0 +1,7 @@
+---
+"lingo.dev": patch
+"@lingo.dev/_compiler": patch
+"@lingo.dev/compiler": patch
+---
+
+fix: hash emails before sending as PostHog distinct_id
diff --git a/packages/cli/src/cli/utils/observability.ts b/packages/cli/src/cli/utils/observability.ts
@@ -1,6 +1,7 @@
 import pkg from "node-machine-id";
 const { machineIdSync } = pkg;
 import https from "https";
+import crypto from "crypto";
 import { getOrgId } from "./org-id";
 
 const POSTHOG_API_KEY = "phc_eR0iSoQufBxNY36k0f0T15UvHJdTfHlh8rJcxsfhfXk";
@@ -17,8 +18,9 @@ function determineDistinctId(email: string | null | undefined): {
   const orgId = getOrgId();
 
   if (email) {
+    const hashedEmail = crypto.createHash("sha256").update(email).digest("hex");
     return {
-      distinct_id: email,
+      distinct_id: hashedEmail,
       distinct_id_source: "email",
       org_id: orgId,
     };
diff --git a/packages/compiler/src/utils/observability.ts b/packages/compiler/src/utils/observability.ts
@@ -1,4 +1,5 @@
 import * as machineIdLib from "node-machine-id";
+import crypto from "crypto";
 import { getRc } from "./rc";
 import { getOrgId } from "./org-id";
 
@@ -64,8 +65,9 @@ async function getDistinctId(): Promise<{
   const email = await tryGetEmail();
 
   if (email) {
+    const hashedEmail = crypto.createHash("sha256").update(email).digest("hex");
     return {
-      distinct_id: email,
+      distinct_id: hashedEmail,
       distinct_id_source: "email",
       org_id: orgId,
     };
diff --git a/packages/new-compiler/src/utils/observability.ts b/packages/new-compiler/src/utils/observability.ts
@@ -1,4 +1,5 @@
 import * as machineIdLib from "node-machine-id";
+import crypto from "crypto";
 import { getRc } from "./rc";
 import { getOrgId } from "./org-id";
 import { TRACKING_VERSION, COMPILER_PACKAGE } from "./tracking-events";
@@ -64,8 +65,9 @@ async function getDistinctId(): Promise<{
   const email = await tryGetEmail();
 
   if (email) {
+    const hashedEmail = crypto.createHash("sha256").update(email).digest("hex");
     return {
-      distinct_id: email,
+      distinct_id: hashedEmail,
       distinct_id_source: "email",
       org_id: orgId,
     };
