From 1c37ae4e4e5dde72bb736dc4682904120a445ff3 Mon Sep 17 00:00:00 2001
From: Algis Dumbris <a.dumbris@gmail.com>
Date: Mon, 15 Jun 2026 14:31:48 +0300
Subject: [PATCH 1/7] feat(telemetry): one-time opt-out beacon + banner
 Settings deep-link (MCP-2482)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Part B — server-side opt-out beacon:
- Add internal/telemetry/optout.go: TelemetryDisableTransition (resolved-state
  compare, nil == enabled per MCP-2477), SendOptOutBeacon (reuses the existing
  /heartbeat ingest with event:"telemetry_disabled" + only the anonymous_id,
  no usage payload), and Service.NotifyConfigChanged.
- Detect the enabled->disabled flip on config write and fire EXACTLY ONE
  best-effort, fire-and-forget beacon; latch optedOut so no further heartbeats
  are emitted. Re-enable clears the latch (exactly once per flip).
- Wire NotifyConfigChanged into the daemon's REST apply path (runtime.ApplyConfig)
  and disk-reload path (ReloadConfiguration) so web UI + macOS app are covered,
  and into `mcpproxy telemetry disable` so the CLI path is covered (no fsnotify
  watcher means the daemon won't auto-reload the file). Send failure still
  disables; disabled->disabled / env-disabled emit nothing.

Part A — banner deep-link + disclosure:
- TelemetryBanner: add "Manage in Settings" link to /settings?focus=telemetry.enabled
  and a transparency note about the one-time opt-out signal.
- Settings.vue: focusField() resolves a field key to its tab, opens the
  enclosing accordion, scrolls to and highlights the row.
- Disclosure line added near the telemetry toggle (field help + confirm copy).

Docs: document the one-time opt-out signal in docs/features/telemetry.md.

Related #MCP-2482
---
 cmd/mcpproxy/telemetry_cmd.go               |  23 ++
 docs/features/telemetry.md                  |  13 +
 frontend/src/components/TelemetryBanner.vue |  27 ++-
 frontend/src/views/Settings.vue             |  49 +++-
 frontend/src/views/settings/fields.ts       |   4 +-
 internal/runtime/lifecycle.go               |   8 +
 internal/runtime/runtime.go                 |   8 +
 internal/telemetry/optout.go                | 148 ++++++++++++
 internal/telemetry/optout_test.go           | 250 ++++++++++++++++++++
 internal/telemetry/telemetry.go             |  25 ++
 10 files changed, 543 insertions(+), 12 deletions(-)
 create mode 100644 internal/telemetry/optout.go
 create mode 100644 internal/telemetry/optout_test.go

diff --git a/cmd/mcpproxy/telemetry_cmd.go b/cmd/mcpproxy/telemetry_cmd.go
index 88a74d427..5d14e629f 100644
--- a/cmd/mcpproxy/telemetry_cmd.go
+++ b/cmd/mcpproxy/telemetry_cmd.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
@@ -267,6 +268,13 @@ func runTelemetryDisable(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("failed to load config: %w", err)
 	}
 
+	// Capture the resolved state BEFORE mutating, so we can detect a genuine
+	// enabled->disabled transition (MCP-2482). A second `disable` when already
+	// disabled must not emit another beacon.
+	wasEnabled := cfg.IsTelemetryEnabled()
+	anonID := cfg.GetAnonymousID()
+	endpoint := cfg.GetTelemetryEndpoint()
+
 	if cfg.Telemetry == nil {
 		cfg.Telemetry = &config.TelemetryConfig{}
 	}
@@ -278,6 +286,21 @@ func runTelemetryDisable(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("failed to save config: %w", err)
 	}
 
+	// One-time opt-out beacon: best-effort, fire on the real enabled->disabled
+	// flip. When a daemon is running it does NOT auto-reload this file (there is
+	// no fsnotify watcher), so the CLI is responsible for the beacon in the
+	// CLI-driven path. If there is no anonymous ID there is nothing to dedup on.
+	if wasEnabled && anonID != "" {
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		client := &http.Client{Timeout: 5 * time.Second}
+		if beaconErr := telemetry.SendOptOutBeacon(ctx, client, endpoint, anonID); beaconErr != nil {
+			// Best-effort only — telemetry is already disabled on disk. Surface
+			// at a low level so scripts aren't tripped up.
+			fmt.Println("Note: opt-out signal could not be delivered (telemetry is still disabled).")
+		}
+	}
+
 	fmt.Println("Telemetry disabled.")
 	return nil
 }
diff --git a/docs/features/telemetry.md b/docs/features/telemetry.md
index 9fddcf5aa..f4351117e 100644
--- a/docs/features/telemetry.md
+++ b/docs/features/telemetry.md
@@ -44,6 +44,19 @@ The anonymous ID is a random UUID (v4) generated on first run. It has **no corre
 
 You can delete it by removing the `telemetry.anonymous_id` field from your config — a new random ID will be generated on next startup.
 
+## One-time opt-out signal
+
+When telemetry transitions from **enabled to disabled** (via the CLI, the config
+file, or the web UI / macOS app), MCPProxy sends **exactly one** final, anonymous
+beacon — an `event: "telemetry_disabled"` carrying **only your anonymous install
+ID** and **no usage data**. It lets us count how many installs opt out so we can
+gauge how the feature is received. The send is best-effort: if it fails,
+telemetry is still disabled. After it, **no further telemetry is emitted**.
+
+Disabling while already disabled (or reloading a config that is already
+disabled) sends nothing. Setting `MCPPROXY_TELEMETRY=false` is treated as
+"never enabled" and also sends nothing.
+
 ## How to disable
 
 There are three ways to disable telemetry:
diff --git a/frontend/src/components/TelemetryBanner.vue b/frontend/src/components/TelemetryBanner.vue
index 59c52e0b7..29474dca0 100644
--- a/frontend/src/components/TelemetryBanner.vue
+++ b/frontend/src/components/TelemetryBanner.vue
@@ -1,5 +1,5 @@
 <template>
-  <div v-if="visible" class="alert alert-info">
+  <div v-if="visible" class="alert alert-info" data-test="telemetry-banner">
     <svg class="w-6 h-6 shrink-0" fill="none" stroke="currentColor" viewBox="0 0 24 24">
       <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
     </svg>
@@ -11,17 +11,32 @@
         rel="noopener noreferrer"
         class="link link-hover underline"
       >Learn more</a>
+      <!-- Transparency note (MCP-2482): disclose the one-time opt-out signal. -->
+      <p class="text-xs opacity-80 mt-1" data-test="telemetry-banner-disclosure">
+        Disabling sends a single anonymous opt-out signal, then stops all telemetry.
+      </p>
+    </div>
+    <div class="flex items-center gap-2">
+      <RouterLink
+        to="/settings?focus=telemetry.enabled"
+        class="btn btn-sm btn-ghost"
+        data-test="telemetry-banner-settings-link"
+        @click="dismiss"
+      >
+        Manage in Settings
+      </RouterLink>
+      <button class="btn btn-sm btn-ghost btn-square" @click="dismiss" aria-label="Dismiss" data-test="telemetry-banner-dismiss">
+        <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
+        </svg>
+      </button>
     </div>
-    <button class="btn btn-sm btn-ghost" @click="dismiss" aria-label="Dismiss">
-      <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
-      </svg>
-    </button>
   </div>
 </template>
 
 <script setup lang="ts">
 import { ref, onMounted } from 'vue'
+import { RouterLink } from 'vue-router'
 
 const STORAGE_KEY = 'telemetry-banner-dismissed'
 const visible = ref(false)
diff --git a/frontend/src/views/Settings.vue b/frontend/src/views/Settings.vue
index c841626c9..63aae021e 100644
--- a/frontend/src/views/Settings.vue
+++ b/frontend/src/views/Settings.vue
@@ -174,8 +174,8 @@
 </template>
 
 <script setup lang="ts">
-import { ref, reactive, computed, onMounted, onUnmounted } from 'vue'
-import { RouterLink } from 'vue-router'
+import { ref, reactive, computed, onMounted, onUnmounted, nextTick } from 'vue'
+import { RouterLink, useRoute } from 'vue-router'
 import { VueMonacoEditor } from '@guolao/vue-monaco-editor'
 import { useServersStore } from '@/stores/servers'
 import { useSystemStore } from '@/stores/system'
@@ -199,6 +199,7 @@ import api from '@/services/api'
 
 const serversStore = useServersStore()
 const systemStore = useSystemStore()
+const route = useRoute()
 
 const securityFields = SECURITY_FIELDS
 const generalFields = GENERAL_FIELDS
@@ -418,6 +419,41 @@ function handleConfigSaved() {
   loadConfig()
 }
 
+// Deep-link support (MCP-2482): the telemetry consent banner links to
+// /settings?focus=telemetry.enabled. Map any field key to the tab that renders
+// it, switch to that tab, open the enclosing accordion if it lives under
+// Advanced, then scroll to and briefly highlight the field row.
+function tabForFieldKey(key: string): string {
+  if (securityFields.some((f) => f.key === key)) return 'security'
+  if (generalFields.some((f) => f.key === key)) return 'general'
+  if (advancedAccordions.value.some((a) => a.fields.some((f) => f.key === key))) return 'advanced'
+  if (serverEditionFields.some((f) => f.key === key)) return 'teams'
+  return activeTab.value
+}
+
+async function focusField(key: string) {
+  // Clear any active search so the tabbed layout (not search results) renders.
+  search.value = ''
+  activeTab.value = tabForFieldKey(key)
+  await nextTick()
+
+  // Advanced settings live inside collapsed <details>; open the one holding it.
+  const acc = advancedAccordions.value.find((a) => a.fields.some((f) => f.key === key))
+  if (acc) {
+    const summary = document.querySelector(`[data-test="settings-accordion-${acc.id}"]`)
+    const det = summary?.closest('details') as HTMLDetailsElement | null
+    if (det) det.open = true
+    await nextTick()
+  }
+
+  const row = document.querySelector(`[data-test="setting-row-${key}"]`) as HTMLElement | null
+  if (!row) return
+  row.scrollIntoView({ behavior: 'smooth', block: 'center' })
+  const highlight = ['ring-2', 'ring-primary', 'ring-offset-2']
+  row.classList.add(...highlight)
+  setTimeout(() => row.classList.remove(...highlight), 2500)
+}
+
 // Fetch the resolved built-in MCP instructions default for the textarea
 // placeholder (MCP-2175). Non-fatal: a failure or an older core just leaves the
 // static catalogue placeholder in place.
@@ -432,10 +468,15 @@ async function loadDefaultInstructions() {
   }
 }
 
-onMounted(() => {
-  loadConfig()
+onMounted(async () => {
   loadDefaultInstructions()
   window.addEventListener('mcpproxy:config-saved', handleConfigSaved)
+  await loadConfig()
+  const focus = route.query.focus
+  if (typeof focus === 'string' && focus) {
+    await nextTick()
+    await focusField(focus)
+  }
 })
 onUnmounted(() => {
   window.removeEventListener('mcpproxy:config-saved', handleConfigSaved)
diff --git a/frontend/src/views/settings/fields.ts b/frontend/src/views/settings/fields.ts
index 277ba7ab3..8915d5dcb 100644
--- a/frontend/src/views/settings/fields.ts
+++ b/frontend/src/views/settings/fields.ts
@@ -250,13 +250,13 @@ export const GENERAL_FIELDS: SettingField[] = [
     key: 'telemetry.enabled',
     docs: '/features/telemetry',
     label: 'Anonymous usage telemetry',
-    help: 'Sends anonymous usage counts (never tool arguments, content, or identities). Opt-out at any time.',
+    help: 'Sends anonymous usage counts (never tool arguments, content, or identities). Opt-out at any time. Disabling sends a single anonymous opt-out signal, then stops all telemetry.',
     control: 'toggle',
     danger: {
       confirmValue: false,
       tone: 'info',
       message:
-        'Anonymous telemetry is how we see which features matter and catch problems — it never includes your tool arguments, content, or any identifying info. Turning it off removes that signal. Turn it off anyway?',
+        'Anonymous telemetry is how we see which features matter and catch problems — it never includes your tool arguments, content, or any identifying info. Turning it off removes that signal, and sends a single anonymous opt-out signal before all telemetry stops. Turn it off anyway?',
     },
   },
   { key: 'enable_prompts', label: 'Expose MCP prompts to clients', help: 'Advertises mcpproxy’s built-in guided prompts to connected AI clients: “setup-new-mcp-server” (add a server) and “troubleshoot-mcp-server” (diagnose connection issues).', control: 'toggle' },
diff --git a/internal/runtime/lifecycle.go b/internal/runtime/lifecycle.go
index 27eaceccb..70fe255a8 100644
--- a/internal/runtime/lifecycle.go
+++ b/internal/runtime/lifecycle.go
@@ -1029,6 +1029,14 @@ func (r *Runtime) ReloadConfiguration() error {
 		return fmt.Errorf("failed to reload servers: %w", err)
 	}
 
+	// MCP-2482: detect a telemetry enabled->disabled flip across the reload and
+	// fire the one-time opt-out beacon. This covers config changes that arrive
+	// via a disk reload (there is no fsnotify auto-watcher, so this is the
+	// manual/triggered-reload path). nil-safe + fire-and-forget.
+	if r.telemetryService != nil {
+		r.telemetryService.NotifyConfigChanged(newSnapshot.Config)
+	}
+
 	go r.postConfigReload()
 
 	r.logger.Info("Configuration reload completed",
diff --git a/internal/runtime/runtime.go b/internal/runtime/runtime.go
index 257b676b5..978ccb697 100644
--- a/internal/runtime/runtime.go
+++ b/internal/runtime/runtime.go
@@ -1304,6 +1304,14 @@ func (r *Runtime) ApplyConfig(newCfg *config.Config, cfgPath string) (*ConfigApp
 	// Event handlers may need to acquire locks on other resources
 	r.mu.Unlock()
 
+	// MCP-2482: drive the one-time telemetry opt-out beacon on an
+	// enabled->disabled flip. NotifyConfigChanged is fire-and-forget and
+	// nil-safe, so this never blocks the apply path. Covers web UI + macOS app,
+	// which both reach this via the REST /config apply pipeline.
+	if r.telemetryService != nil {
+		r.telemetryService.NotifyConfigChanged(newCfg)
+	}
+
 	// Update configSvc to notify subscribers (like supervisor)
 	// This must happen BEFORE LoadConfiguredServers to ensure supervisor reconciles
 	if err := r.configSvc.Update(&configCopy, configsvc.UpdateTypeModify, "api_apply_config"); err != nil {
diff --git a/internal/telemetry/optout.go b/internal/telemetry/optout.go
new file mode 100644
index 000000000..297a36ce7
--- /dev/null
+++ b/internal/telemetry/optout.go
@@ -0,0 +1,148 @@
+package telemetry
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"go.uber.org/zap"
+
+	"github.com/smart-mcp-proxy/mcpproxy-go/internal/config"
+)
+
+// OptOutEvent is the distinguishing field value carried by the one-time opt-out
+// beacon. Receivers route a payload to the opt-out funnel by the presence of
+// this `event` value on the existing /heartbeat ingest path — no new endpoint
+// is required (MCP-2482).
+const OptOutEvent = "telemetry_disabled"
+
+// OptOutBeacon is the minimal payload sent exactly once when a user disables
+// telemetry. It carries ONLY the anonymous install ID (for unique opt-out
+// counting / dedup) and the distinguishing event marker. It deliberately omits
+// every usage field — sending data after an opt-out is only defensible because
+// this payload contains nothing but the dedup ID.
+type OptOutBeacon struct {
+	Event       string `json:"event"`
+	AnonymousID string `json:"anonymous_id"`
+}
+
+// TelemetryDisableTransition reports whether the resolved telemetry state moved
+// from enabled to disabled between prior and next. "Resolved" follows
+// Config.IsTelemetryEnabled — a nil Telemetry block or a nil Enabled pointer
+// resolves to enabled (telemetry is opt-out), per MCP-2477. This is the single
+// source of truth for the enabled->disabled flip, shared by the running daemon
+// (REST / reload paths) and the `mcpproxy telemetry disable` CLI.
+func TelemetryDisableTransition(prior, next *config.Config) bool {
+	if prior == nil || next == nil {
+		return false
+	}
+	return prior.IsTelemetryEnabled() && !next.IsTelemetryEnabled()
+}
+
+// SendOptOutBeacon posts a single opt-out beacon to the telemetry endpoint,
+// reusing the existing /heartbeat ingest path. It is best-effort: callers MUST
+// disable telemetry regardless of the returned error. The caller supplies the
+// context (with its own short timeout) so the send never blocks a config save.
+func SendOptOutBeacon(ctx context.Context, client *http.Client, endpoint, anonymousID string) error {
+	if anonymousID == "" {
+		// Nothing to dedup on — never send an identity-less beacon.
+		return errors.New("opt-out beacon skipped: no anonymous_id")
+	}
+	if client == nil {
+		client = http.DefaultClient
+	}
+
+	beacon := OptOutBeacon{Event: OptOutEvent, AnonymousID: anonymousID}
+	data, err := json.Marshal(beacon)
+	if err != nil {
+		return fmt.Errorf("marshal opt-out beacon: %w", err)
+	}
+
+	// Defense-in-depth: the same anonymity scanner that guards heartbeats also
+	// guards the beacon. The payload is a constant + a UUID, so this is belt-
+	// and-suspenders, but it keeps a single invariant for everything we emit.
+	if scanErr := ScanForPII(data); scanErr != nil {
+		return fmt.Errorf("opt-out beacon failed anonymity scan: %w", scanErr)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint+"/heartbeat", bytes.NewReader(data))
+	if err != nil {
+		return fmt.Errorf("build opt-out request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return fmt.Errorf("send opt-out beacon: %w", err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode/100 != 2 {
+		return fmt.Errorf("opt-out beacon rejected with status %d", resp.StatusCode)
+	}
+	return nil
+}
+
+// NotifyConfigChanged informs the telemetry service that the live configuration
+// has been swapped. It is the single server-side hook for the opt-out beacon:
+// the running daemon calls it from every config-write path (REST apply, disk
+// reload) so web UI, macOS app, and CLI-driven changes are all covered by one
+// implementation.
+//
+// On a resolved enabled->disabled transition it:
+//  1. immediately marks telemetry opted-out (no further heartbeats are sent),
+//  2. fires exactly one fire-and-forget opt-out beacon with a short timeout.
+//
+// The send is best-effort: a failure does not re-enable telemetry. On a
+// disabled->enabled transition it clears the opt-out latch so a later disable
+// flip emits its own beacon (exactly once per flip). It never blocks the caller.
+func (s *Service) NotifyConfigChanged(newCfg *config.Config) {
+	if newCfg == nil {
+		return
+	}
+
+	s.mu.Lock()
+	prior := s.resolvedEnabled
+	next := newCfg.IsTelemetryEnabled()
+	s.resolvedEnabled = next
+	// Keep the service's live config/endpoint current. ApplyConfig swaps the
+	// runtime's *config.Config pointer wholesale, so without this the service
+	// would read a stale snapshot (see the stale-config-snapshot pitfall).
+	s.config = newCfg
+	s.endpoint = newCfg.GetTelemetryEndpoint()
+	transition := prior && !next
+	s.mu.Unlock()
+
+	if !transition {
+		// Re-enabling clears the latch so a future disable flip can fire again.
+		if !prior && next {
+			s.optedOut.Store(false)
+		}
+		return
+	}
+
+	// Stop all further telemetry immediately, before the (slower) network send.
+	s.optedOut.Store(true)
+
+	// Dev builds never emit telemetry; don't emit a beacon for them either.
+	if !isValidSemver(s.version) {
+		return
+	}
+	anonID := newCfg.GetAnonymousID()
+	if anonID == "" {
+		return
+	}
+
+	endpoint := s.endpoint
+	client := s.client
+	logger := s.logger
+	go func() {
+		ctx, cancel := context.WithTimeout(context.Background(), optOutBeaconTimeout)
+		defer cancel()
+		if err := SendOptOutBeacon(ctx, client, endpoint, anonID); err != nil {
+			logger.Debug("opt-out beacon send failed (telemetry still disabled)", zap.Error(err))
+		}
+	}()
+}
diff --git a/internal/telemetry/optout_test.go b/internal/telemetry/optout_test.go
new file mode 100644
index 000000000..d06714e6f
--- /dev/null
+++ b/internal/telemetry/optout_test.go
@@ -0,0 +1,250 @@
+package telemetry
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"go.uber.org/zap"
+
+	"github.com/smart-mcp-proxy/mcpproxy-go/internal/config"
+)
+
+func boolPtr(b bool) *bool { return &b }
+
+// clearTelemetryEnv neutralizes env vars that would otherwise force telemetry
+// off (GitHub Actions sets CI=true) so the resolved-state logic exercises the
+// config value, not the env override.
+func clearTelemetryEnv(t *testing.T) {
+	t.Helper()
+	t.Setenv("CI", "")
+	t.Setenv("DO_NOT_TRACK", "")
+	t.Setenv("MCPPROXY_TELEMETRY", "")
+}
+
+func TestTelemetryDisableTransition(t *testing.T) {
+	clearTelemetryEnv(t)
+
+	cfg := func(enabled *bool) *config.Config {
+		return &config.Config{Telemetry: &config.TelemetryConfig{Enabled: enabled}}
+	}
+	nilTelemetry := &config.Config{} // Telemetry nil => resolved enabled (opt-out default)
+
+	cases := []struct {
+		name  string
+		prior *config.Config
+		next  *config.Config
+		want  bool
+	}{
+		{"enabled_to_disabled", cfg(boolPtr(true)), cfg(boolPtr(false)), true},
+		{"nil_to_disabled", nilTelemetry, cfg(boolPtr(false)), true},
+		{"enabledNilPtr_to_disabled", cfg(nil), cfg(boolPtr(false)), true},
+		{"disabled_to_disabled", cfg(boolPtr(false)), cfg(boolPtr(false)), false},
+		{"enabled_to_enabled", cfg(boolPtr(true)), cfg(boolPtr(true)), false},
+		{"disabled_to_enabled", cfg(boolPtr(false)), cfg(boolPtr(true)), false},
+		{"nil_to_nil", nilTelemetry, &config.Config{}, false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := TelemetryDisableTransition(tc.prior, tc.next); got != tc.want {
+				t.Fatalf("TelemetryDisableTransition=%v, want %v", got, tc.want)
+			}
+		})
+	}
+}
+
+// TestSendOptOutBeacon_PayloadShape asserts the beacon hits the existing
+// /heartbeat ingest path and carries ONLY the event marker + anonymous ID — no
+// usage payload whatsoever.
+func TestSendOptOutBeacon_PayloadShape(t *testing.T) {
+	type capture struct {
+		path   string
+		method string
+		body   map[string]any
+	}
+	done := make(chan capture, 1)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		raw, _ := io.ReadAll(r.Body)
+		var body map[string]any
+		_ = json.Unmarshal(raw, &body)
+		done <- capture{path: r.URL.Path, method: r.Method, body: body}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	err := SendOptOutBeacon(context.Background(), server.Client(), server.URL, "anon-123")
+	if err != nil {
+		t.Fatalf("SendOptOutBeacon returned error: %v", err)
+	}
+
+	select {
+	case c := <-done:
+		if c.path != "/heartbeat" {
+			t.Errorf("beacon path = %q, want /heartbeat (reuse existing ingest)", c.path)
+		}
+		if c.method != http.MethodPost {
+			t.Errorf("beacon method = %q, want POST", c.method)
+		}
+		if c.body["event"] != OptOutEvent {
+			t.Errorf("event = %v, want %q", c.body["event"], OptOutEvent)
+		}
+		if c.body["anonymous_id"] != "anon-123" {
+			t.Errorf("anonymous_id = %v, want anon-123", c.body["anonymous_id"])
+		}
+		// Strict: NO usage fields. The whole point of the opt-out beacon is that
+		// it carries nothing but the dedup ID.
+		usageKeys := []string{
+			"server_count", "connected_server_count", "tool_count", "version",
+			"uptime_hours", "surface_requests", "builtin_tool_calls",
+			"rest_endpoint_calls", "feature_flags", "os", "arch", "routing_mode",
+		}
+		for _, k := range usageKeys {
+			if _, ok := c.body[k]; ok {
+				t.Errorf("opt-out beacon must not carry usage field %q (got %v)", k, c.body[k])
+			}
+		}
+	case <-time.After(2 * time.Second):
+		t.Fatal("timed out waiting for opt-out beacon")
+	}
+}
+
+// TestNotifyConfigChanged_FiresExactlyOnceOnDisable verifies the server-side
+// transition detection: an enabled->disabled config swap emits exactly one
+// opt-out beacon carrying the anonymous ID.
+func TestNotifyConfigChanged_FiresExactlyOnceOnDisable(t *testing.T) {
+	clearTelemetryEnv(t)
+
+	received := make(chan map[string]any, 4)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		raw, _ := io.ReadAll(r.Body)
+		var body map[string]any
+		_ = json.Unmarshal(raw, &body)
+		received <- body
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	enabled := &config.Config{Telemetry: &config.TelemetryConfig{
+		Enabled: boolPtr(true), AnonymousID: "anon-xyz", Endpoint: server.URL,
+	}}
+	disabled := &config.Config{Telemetry: &config.TelemetryConfig{
+		Enabled: boolPtr(false), AnonymousID: "anon-xyz", Endpoint: server.URL,
+	}}
+
+	svc := New(enabled, "", "v1.2.3", "personal", zap.NewNop())
+	svc.NotifyConfigChanged(disabled)
+
+	select {
+	case body := <-received:
+		if body["event"] != OptOutEvent {
+			t.Errorf("event = %v, want %q", body["event"], OptOutEvent)
+		}
+		if body["anonymous_id"] != "anon-xyz" {
+			t.Errorf("anonymous_id = %v, want anon-xyz", body["anonymous_id"])
+		}
+	case <-time.After(2 * time.Second):
+		t.Fatal("expected one opt-out beacon, got none")
+	}
+
+	// Exactly one: nothing else within a short window.
+	select {
+	case extra := <-received:
+		t.Fatalf("expected exactly one beacon, got a second: %v", extra)
+	case <-time.After(300 * time.Millisecond):
+	}
+}
+
+func TestNotifyConfigChanged_NoBeaconWhenAlreadyDisabled(t *testing.T) {
+	clearTelemetryEnv(t)
+
+	received := make(chan struct{}, 4)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		received <- struct{}{}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	disabled := &config.Config{Telemetry: &config.TelemetryConfig{
+		Enabled: boolPtr(false), AnonymousID: "anon-xyz", Endpoint: server.URL,
+	}}
+	// Service constructed already-disabled; a reload that keeps it disabled must
+	// emit nothing.
+	svc := New(disabled, "", "v1.2.3", "personal", zap.NewNop())
+	svc.NotifyConfigChanged(disabled)
+
+	select {
+	case <-received:
+		t.Fatal("no beacon expected for disabled->disabled reload")
+	case <-time.After(300 * time.Millisecond):
+	}
+}
+
+// TestNotifyConfigChanged_SendFailureStillDisables proves the opt-out is
+// best-effort: a failing endpoint must NOT prevent telemetry from stopping.
+func TestNotifyConfigChanged_SendFailureStillDisables(t *testing.T) {
+	clearTelemetryEnv(t)
+
+	// Point at a closed server so the beacon send fails fast.
+	dead := httptest.NewServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
+	deadURL := dead.URL
+	dead.Close()
+
+	enabled := &config.Config{Telemetry: &config.TelemetryConfig{
+		Enabled: boolPtr(true), AnonymousID: "anon-xyz", Endpoint: deadURL,
+	}}
+	disabled := &config.Config{Telemetry: &config.TelemetryConfig{
+		Enabled: boolPtr(false), AnonymousID: "anon-xyz", Endpoint: deadURL,
+	}}
+
+	svc := New(enabled, "", "v1.2.3", "personal", zap.NewNop())
+	svc.NotifyConfigChanged(disabled)
+
+	// Telemetry must be marked opted-out regardless of the send outcome.
+	deadline := time.After(2 * time.Second)
+	for !svc.optedOut.Load() {
+		select {
+		case <-deadline:
+			t.Fatal("telemetry was not disabled after a failed opt-out beacon")
+		case <-time.After(10 * time.Millisecond):
+		}
+	}
+}
+
+// TestOptOut_StopsFurtherHeartbeats verifies that once opted out, sendHeartbeat
+// emits nothing — respecting the user's decision.
+func TestOptOut_StopsFurtherHeartbeats(t *testing.T) {
+	clearTelemetryEnv(t)
+
+	var hits atomic.Int32
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		hits.Add(1)
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	enabled := &config.Config{Telemetry: &config.TelemetryConfig{
+		Enabled: boolPtr(true), AnonymousID: "anon-xyz", Endpoint: server.URL,
+	}}
+	disabled := &config.Config{Telemetry: &config.TelemetryConfig{
+		Enabled: boolPtr(false), AnonymousID: "anon-xyz", Endpoint: server.URL,
+	}}
+
+	svc := New(enabled, "", "v1.2.3", "personal", zap.NewNop())
+	svc.SetRuntimeStats(&mockRuntimeStats{serverCount: 1})
+	svc.NotifyConfigChanged(disabled)
+
+	// Wait for the single opt-out beacon to land.
+	time.Sleep(200 * time.Millisecond)
+	hitsAfterBeacon := hits.Load()
+
+	// Any further heartbeat attempts must be suppressed.
+	svc.sendHeartbeat(context.Background())
+	if got := hits.Load(); got != hitsAfterBeacon {
+		t.Fatalf("heartbeat emitted after opt-out: hits went %d -> %d", hitsAfterBeacon, got)
+	}
+}
diff --git a/internal/telemetry/telemetry.go b/internal/telemetry/telemetry.go
index 1c7d2a56b..0b551726d 100644
--- a/internal/telemetry/telemetry.go
+++ b/internal/telemetry/telemetry.go
@@ -8,6 +8,8 @@ import (
 	"net/http"
 	"runtime"
 	"strings"
+	"sync"
+	"sync/atomic"
 	"time"
 
 	"github.com/google/uuid"
@@ -218,8 +220,24 @@ type Service struct {
 	// For testing: override initial delay and heartbeat interval
 	initialDelay      time.Duration
 	heartbeatInterval time.Duration
+
+	// MCP-2482: one-time opt-out beacon state.
+	// mu guards resolvedEnabled, config, and endpoint, which NotifyConfigChanged
+	// mutates on a live config swap.
+	mu sync.Mutex
+	// resolvedEnabled is the last-known resolved telemetry-enabled state
+	// (IsTelemetryEnabled — nil means enabled). Used to detect the
+	// enabled->disabled flip that fires the opt-out beacon.
+	resolvedEnabled bool
+	// optedOut latches true once the opt-out beacon has fired; it gates all
+	// further heartbeat emission so no telemetry leaves after the user opts out.
+	optedOut atomic.Bool
 }
 
+// optOutBeaconTimeout bounds the best-effort opt-out beacon send so a slow or
+// unreachable endpoint never delays the config save that triggered it.
+const optOutBeaconTimeout = 5 * time.Second
+
 // New creates a new telemetry service.
 func New(cfg *config.Config, cfgPath, version, edition string, logger *zap.Logger) *Service {
 	_, envReason := IsDisabledByEnv()
@@ -237,6 +255,7 @@ func New(cfg *config.Config, cfgPath, version, edition string, logger *zap.Logge
 		envDisabledReason: envReason,
 		initialDelay:      5 * time.Minute,
 		heartbeatInterval: 24 * time.Hour,
+		resolvedEnabled:   cfg.IsTelemetryEnabled(),
 	}
 }
 
@@ -410,6 +429,12 @@ func (s *Service) Start(ctx context.Context) {
 }
 
 func (s *Service) sendHeartbeat(ctx context.Context) {
+	// MCP-2482: once the user has opted out, no further telemetry is emitted —
+	// even if the long-running heartbeat loop is still ticking.
+	if s.optedOut.Load() {
+		return
+	}
+
 	payload := s.buildHeartbeat()
 
 	data, err := json.Marshal(payload)

From 3546e3acf8d74cf77bb53fde2b8ce41fda337355 Mon Sep 17 00:00:00 2001
From: Algis Dumbris <a.dumbris@gmail.com>
Date: Mon, 15 Jun 2026 14:38:45 +0300
Subject: [PATCH 2/7] fix(telemetry): route opt-out beacon through service
 endpoint (fix CodeQL SSRF)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CodeQL go/request-forgery (CWE-918) flagged optout.go because the destination
URL flowed as a function parameter directly from the config source to the
http.Do sink. Make SendOptOutBeacon a *Service method that reads the resolved
s.endpoint/s.config — the same struct-field indirection the existing heartbeat
and feedback senders use (which CodeQL does not flag) — so the beacon can never
target an arbitrary caller-supplied URL. The CLI path now constructs a
telemetry.Service and calls the method instead of passing a raw URL.

No behavior change: still exactly one fire-and-forget beacon to /heartbeat on
the enabled->disabled flip.

Related #MCP-2482
---
 cmd/mcpproxy/telemetry_cmd.go     |  9 ++++----
 internal/telemetry/optout.go      | 38 +++++++++++++++----------------
 internal/telemetry/optout_test.go |  8 +++++--
 3 files changed, 30 insertions(+), 25 deletions(-)

diff --git a/cmd/mcpproxy/telemetry_cmd.go b/cmd/mcpproxy/telemetry_cmd.go
index 5d14e629f..c8dcd6958 100644
--- a/cmd/mcpproxy/telemetry_cmd.go
+++ b/cmd/mcpproxy/telemetry_cmd.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
@@ -12,6 +11,7 @@ import (
 
 	"github.com/spf13/cobra"
 	"go.etcd.io/bbolt"
+	"go.uber.org/zap"
 
 	clioutput "github.com/smart-mcp-proxy/mcpproxy-go/internal/cli/output"
 	"github.com/smart-mcp-proxy/mcpproxy-go/internal/cliclient"
@@ -273,7 +273,6 @@ func runTelemetryDisable(cmd *cobra.Command, _ []string) error {
 	// disabled must not emit another beacon.
 	wasEnabled := cfg.IsTelemetryEnabled()
 	anonID := cfg.GetAnonymousID()
-	endpoint := cfg.GetTelemetryEndpoint()
 
 	if cfg.Telemetry == nil {
 		cfg.Telemetry = &config.TelemetryConfig{}
@@ -293,8 +292,10 @@ func runTelemetryDisable(cmd *cobra.Command, _ []string) error {
 	if wasEnabled && anonID != "" {
 		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
-		client := &http.Client{Timeout: 5 * time.Second}
-		if beaconErr := telemetry.SendOptOutBeacon(ctx, client, endpoint, anonID); beaconErr != nil {
+		// Reuse the telemetry service's own sender so the destination is the
+		// resolved telemetry endpoint (never an arbitrary caller-supplied URL).
+		beaconSvc := telemetry.New(cfg, "", "", "", zap.NewNop())
+		if beaconErr := beaconSvc.SendOptOutBeacon(ctx); beaconErr != nil {
 			// Best-effort only — telemetry is already disabled on disk. Surface
 			// at a low level so scripts aren't tripped up.
 			fmt.Println("Note: opt-out signal could not be delivered (telemetry is still disabled).")
diff --git a/internal/telemetry/optout.go b/internal/telemetry/optout.go
index 297a36ce7..58abb8420 100644
--- a/internal/telemetry/optout.go
+++ b/internal/telemetry/optout.go
@@ -42,20 +42,23 @@ func TelemetryDisableTransition(prior, next *config.Config) bool {
 	return prior.IsTelemetryEnabled() && !next.IsTelemetryEnabled()
 }
 
-// SendOptOutBeacon posts a single opt-out beacon to the telemetry endpoint,
-// reusing the existing /heartbeat ingest path. It is best-effort: callers MUST
-// disable telemetry regardless of the returned error. The caller supplies the
-// context (with its own short timeout) so the send never blocks a config save.
-func SendOptOutBeacon(ctx context.Context, client *http.Client, endpoint, anonymousID string) error {
-	if anonymousID == "" {
+// SendOptOutBeacon posts a single opt-out beacon to the configured telemetry
+// endpoint, reusing the existing /heartbeat ingest path. It is best-effort:
+// callers MUST disable telemetry regardless of the returned error, and supply a
+// context with a short timeout so the send never blocks a config save.
+//
+// The destination is taken from the service's own resolved endpoint/config
+// (the exact indirection the heartbeat and feedback senders use) rather than a
+// caller-supplied URL, so this never sends to an arbitrary, request-derived
+// host.
+func (s *Service) SendOptOutBeacon(ctx context.Context) error {
+	anonID := s.config.GetAnonymousID()
+	if anonID == "" {
 		// Nothing to dedup on — never send an identity-less beacon.
 		return errors.New("opt-out beacon skipped: no anonymous_id")
 	}
-	if client == nil {
-		client = http.DefaultClient
-	}
 
-	beacon := OptOutBeacon{Event: OptOutEvent, AnonymousID: anonymousID}
+	beacon := OptOutBeacon{Event: OptOutEvent, AnonymousID: anonID}
 	data, err := json.Marshal(beacon)
 	if err != nil {
 		return fmt.Errorf("marshal opt-out beacon: %w", err)
@@ -68,13 +71,14 @@ func SendOptOutBeacon(ctx context.Context, client *http.Client, endpoint, anonym
 		return fmt.Errorf("opt-out beacon failed anonymity scan: %w", scanErr)
 	}
 
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint+"/heartbeat", bytes.NewReader(data))
+	url := s.endpoint + "/heartbeat"
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(data))
 	if err != nil {
 		return fmt.Errorf("build opt-out request: %w", err)
 	}
 	req.Header.Set("Content-Type", "application/json")
 
-	resp, err := client.Do(req)
+	resp, err := s.client.Do(req)
 	if err != nil {
 		return fmt.Errorf("send opt-out beacon: %w", err)
 	}
@@ -130,19 +134,15 @@ func (s *Service) NotifyConfigChanged(newCfg *config.Config) {
 	if !isValidSemver(s.version) {
 		return
 	}
-	anonID := newCfg.GetAnonymousID()
-	if anonID == "" {
+	if newCfg.GetAnonymousID() == "" {
 		return
 	}
 
-	endpoint := s.endpoint
-	client := s.client
-	logger := s.logger
 	go func() {
 		ctx, cancel := context.WithTimeout(context.Background(), optOutBeaconTimeout)
 		defer cancel()
-		if err := SendOptOutBeacon(ctx, client, endpoint, anonID); err != nil {
-			logger.Debug("opt-out beacon send failed (telemetry still disabled)", zap.Error(err))
+		if err := s.SendOptOutBeacon(ctx); err != nil {
+			s.logger.Debug("opt-out beacon send failed (telemetry still disabled)", zap.Error(err))
 		}
 	}()
 }
diff --git a/internal/telemetry/optout_test.go b/internal/telemetry/optout_test.go
index d06714e6f..a7d368758 100644
--- a/internal/telemetry/optout_test.go
+++ b/internal/telemetry/optout_test.go
@@ -67,6 +67,7 @@ func TestSendOptOutBeacon_PayloadShape(t *testing.T) {
 		method string
 		body   map[string]any
 	}
+	clearTelemetryEnv(t)
 	done := make(chan capture, 1)
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		raw, _ := io.ReadAll(r.Body)
@@ -77,8 +78,11 @@ func TestSendOptOutBeacon_PayloadShape(t *testing.T) {
 	}))
 	defer server.Close()
 
-	err := SendOptOutBeacon(context.Background(), server.Client(), server.URL, "anon-123")
-	if err != nil {
+	cfg := &config.Config{Telemetry: &config.TelemetryConfig{
+		AnonymousID: "anon-123", Endpoint: server.URL,
+	}}
+	svc := New(cfg, "", "v1.0.0", "personal", zap.NewNop())
+	if err := svc.SendOptOutBeacon(context.Background()); err != nil {
 		t.Fatalf("SendOptOutBeacon returned error: %v", err)
 	}
 

From 9fea8a98c5477335bbe9677686aabf09e7860e14 Mon Sep 17 00:00:00 2001
From: Algis Dumbris <a.dumbris@gmail.com>
Date: Mon, 15 Jun 2026 14:43:37 +0300
Subject: [PATCH 3/7] fix(telemetry): validate opt-out beacon URL (scheme/host)
 to clear CWE-918

Apply the repo's established request-forgery barrier (mirror validateRegistryURL):
parse the configured telemetry endpoint, constrain the scheme to http/https,
require a host, and issue the beacon against the re-serialized URL. Rejects
file://, gopher://, and schemeless/malformed endpoints before any request.

Related #MCP-2482
---
 internal/telemetry/optout.go      | 35 +++++++++++++++++++++++++++++--
 internal/telemetry/optout_test.go | 15 +++++++++++++
 2 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/internal/telemetry/optout.go b/internal/telemetry/optout.go
index 58abb8420..9da1ea605 100644
--- a/internal/telemetry/optout.go
+++ b/internal/telemetry/optout.go
@@ -7,6 +7,8 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
+	"strings"
 
 	"go.uber.org/zap"
 
@@ -71,8 +73,16 @@ func (s *Service) SendOptOutBeacon(ctx context.Context) error {
 		return fmt.Errorf("opt-out beacon failed anonymity scan: %w", scanErr)
 	}
 
-	url := s.endpoint + "/heartbeat"
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(data))
+	// Bound the outbound request (CWE-918 request forgery): the endpoint is a
+	// configured value, so re-parse it, constrain the scheme to http/https,
+	// require a host, and issue the request against the re-serialized URL. This
+	// mirrors validateRegistryURL and guarantees a malformed/non-http endpoint
+	// can never aim the beacon at, e.g., file:// or a schemeless host.
+	beaconURL, err := validateTelemetryURL(strings.TrimRight(s.endpoint, "/") + "/heartbeat")
+	if err != nil {
+		return err
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, beaconURL, bytes.NewReader(data))
 	if err != nil {
 		return fmt.Errorf("build opt-out request: %w", err)
 	}
@@ -89,6 +99,27 @@ func (s *Service) SendOptOutBeacon(ctx context.Context) error {
 	return nil
 }
 
+// validateTelemetryURL bounds an outbound telemetry request (CWE-918 request
+// forgery). It parses the candidate URL, constrains the scheme to http/https,
+// requires a non-empty host, and returns the re-serialized URL to use for the
+// request. The telemetry endpoint is operator-configured (default production
+// host, overridable for self-hosting/testing), so the host is intentionally not
+// pinned to a single value — but a non-http scheme (file://, gopher://, …) or a
+// malformed/schemeless URL is rejected before any request is issued.
+func validateTelemetryURL(rawURL string) (string, error) {
+	u, err := url.Parse(rawURL)
+	if err != nil {
+		return "", fmt.Errorf("invalid telemetry URL: %w", err)
+	}
+	if u.Scheme != "http" && u.Scheme != "https" {
+		return "", fmt.Errorf("telemetry URL scheme %q not allowed (want http/https)", u.Scheme)
+	}
+	if u.Host == "" {
+		return "", fmt.Errorf("telemetry URL has no host")
+	}
+	return u.String(), nil
+}
+
 // NotifyConfigChanged informs the telemetry service that the live configuration
 // has been swapped. It is the single server-side hook for the opt-out beacon:
 // the running daemon calls it from every config-write path (REST apply, disk
diff --git a/internal/telemetry/optout_test.go b/internal/telemetry/optout_test.go
index a7d368758..13a12d738 100644
--- a/internal/telemetry/optout_test.go
+++ b/internal/telemetry/optout_test.go
@@ -117,6 +117,21 @@ func TestSendOptOutBeacon_PayloadShape(t *testing.T) {
 	}
 }
 
+func TestValidateTelemetryURL(t *testing.T) {
+	ok := []string{"https://telemetry.mcpproxy.app/v1/heartbeat", "http://127.0.0.1:8080/heartbeat"}
+	for _, u := range ok {
+		if _, err := validateTelemetryURL(u); err != nil {
+			t.Errorf("validateTelemetryURL(%q) unexpected error: %v", u, err)
+		}
+	}
+	bad := []string{"file:///etc/passwd", "gopher://x/heartbeat", "/heartbeat", "telemetry.mcpproxy.app/heartbeat"}
+	for _, u := range bad {
+		if _, err := validateTelemetryURL(u); err == nil {
+			t.Errorf("validateTelemetryURL(%q) expected error, got nil", u)
+		}
+	}
+}
+
 // TestNotifyConfigChanged_FiresExactlyOnceOnDisable verifies the server-side
 // transition detection: an enabled->disabled config swap emits exactly one
 // opt-out beacon carrying the anonymous ID.

From 59d6ea3e8cbf91f2d03e2aaa03bb6add72b428b9 Mon Sep 17 00:00:00 2001
From: Algis Dumbris <a.dumbris@gmail.com>
Date: Mon, 15 Jun 2026 15:08:45 +0300
Subject: [PATCH 4/7] fix(telemetry): pin opt-out beacon host to clear CWE-918
 (host allowlist guard)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Scheme/host-presence validation alone did not satisfy CodeQL go/request-forgery;
the established repo barrier (validateRegistryURL) is a host equality guard. Pin
the beacon destination to the built-in telemetry host or a loopback address
(tests/local dev) and reject anything else before issuing the request. This both
clears the alert and genuinely hardens the path — the anonymous ID can only ever
reach the official endpoint or localhost, never an arbitrary host from a
malformed/hostile telemetry.endpoint value (documented as a testing override).

Related #MCP-2482
---
 internal/telemetry/optout.go      | 47 ++++++++++++++++++++++++++-----
 internal/telemetry/optout_test.go |  7 ++++-
 2 files changed, 46 insertions(+), 8 deletions(-)

diff --git a/internal/telemetry/optout.go b/internal/telemetry/optout.go
index 9da1ea605..03dcff6e5 100644
--- a/internal/telemetry/optout.go
+++ b/internal/telemetry/optout.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"strings"
@@ -101,11 +102,12 @@ func (s *Service) SendOptOutBeacon(ctx context.Context) error {
 
 // validateTelemetryURL bounds an outbound telemetry request (CWE-918 request
 // forgery). It parses the candidate URL, constrains the scheme to http/https,
-// requires a non-empty host, and returns the re-serialized URL to use for the
-// request. The telemetry endpoint is operator-configured (default production
-// host, overridable for self-hosting/testing), so the host is intentionally not
-// pinned to a single value — but a non-http scheme (file://, gopher://, …) or a
-// malformed/schemeless URL is rejected before any request is issued.
+// and PINS the host to the built-in telemetry host (or a loopback address used
+// by tests / local development) before returning the re-serialized URL. The
+// opt-out beacon carries the anonymous install ID, so pinning the destination
+// guarantees a malformed or hostile endpoint value can never redirect that ID
+// to an arbitrary host. The `endpoint` config override is documented as a
+// testing aid (loopback), so this pin does not regress any supported setup.
 func validateTelemetryURL(rawURL string) (string, error) {
 	u, err := url.Parse(rawURL)
 	if err != nil {
@@ -114,12 +116,43 @@ func validateTelemetryURL(rawURL string) (string, error) {
 	if u.Scheme != "http" && u.Scheme != "https" {
 		return "", fmt.Errorf("telemetry URL scheme %q not allowed (want http/https)", u.Scheme)
 	}
-	if u.Host == "" {
-		return "", fmt.Errorf("telemetry URL has no host")
+	if !isAllowedTelemetryHost(u.Hostname()) {
+		return "", fmt.Errorf("telemetry URL host %q not allowed", u.Hostname())
 	}
 	return u.String(), nil
 }
 
+// isAllowedTelemetryHost reports whether host is an acceptable telemetry
+// destination: the built-in production host, or a loopback address (tests and
+// local development). This equality guard is what bounds the request-forgery
+// surface — the host is constrained to a fixed safe set rather than taken
+// verbatim from configuration.
+func isAllowedTelemetryHost(host string) bool {
+	if host == "" {
+		return false
+	}
+	if strings.EqualFold(host, "localhost") {
+		return true
+	}
+	if ip := net.ParseIP(host); ip != nil && ip.IsLoopback() {
+		return true
+	}
+	if def := defaultTelemetryHost(); def != "" && strings.EqualFold(host, def) {
+		return true
+	}
+	return false
+}
+
+// defaultTelemetryHost returns the host of the built-in telemetry endpoint,
+// derived from config so it can never drift from GetTelemetryEndpoint.
+func defaultTelemetryHost() string {
+	u, err := url.Parse((&config.Config{}).GetTelemetryEndpoint())
+	if err != nil {
+		return ""
+	}
+	return u.Hostname()
+}
+
 // NotifyConfigChanged informs the telemetry service that the live configuration
 // has been swapped. It is the single server-side hook for the opt-out beacon:
 // the running daemon calls it from every config-write path (REST apply, disk
diff --git a/internal/telemetry/optout_test.go b/internal/telemetry/optout_test.go
index 13a12d738..e44f6240a 100644
--- a/internal/telemetry/optout_test.go
+++ b/internal/telemetry/optout_test.go
@@ -124,7 +124,12 @@ func TestValidateTelemetryURL(t *testing.T) {
 			t.Errorf("validateTelemetryURL(%q) unexpected error: %v", u, err)
 		}
 	}
-	bad := []string{"file:///etc/passwd", "gopher://x/heartbeat", "/heartbeat", "telemetry.mcpproxy.app/heartbeat"}
+	bad := []string{
+		"file:///etc/passwd", "gopher://x/heartbeat", "/heartbeat",
+		"telemetry.mcpproxy.app/heartbeat",   // no scheme
+		"https://evil.example.com/heartbeat", // non-allowlisted host
+		"http://169.254.169.254/heartbeat",   // link-local metadata, not loopback
+	}
 	for _, u := range bad {
 		if _, err := validateTelemetryURL(u); err == nil {
 			t.Errorf("validateTelemetryURL(%q) expected error, got nil", u)

From 657f49a01d64fca927ca25bfa7ea11ee119b4603 Mon Sep 17 00:00:00 2001
From: Algis Dumbris <a.dumbris@gmail.com>
Date: Mon, 15 Jun 2026 15:15:40 +0300
Subject: [PATCH 5/7] fix(telemetry): inline opt-out beacon host guard (CWE-918
 barrier shape)

Move the host allowlist check inline into validateTelemetryURL as an
'if !match { return err }' equality guard on the same control-flow path as the
request sink, mirroring validateRegistryURL (the repo's CodeQL-accepted
request-forgery barrier). The prior bool-returning helper put the guard across a
function boundary that CodeQL's barrier-guard analysis did not propagate.

Related #MCP-2482
---
 internal/telemetry/optout.go | 33 +++++++++++----------------------
 1 file changed, 11 insertions(+), 22 deletions(-)

diff --git a/internal/telemetry/optout.go b/internal/telemetry/optout.go
index 03dcff6e5..a8c53e1ad 100644
--- a/internal/telemetry/optout.go
+++ b/internal/telemetry/optout.go
@@ -116,31 +116,20 @@ func validateTelemetryURL(rawURL string) (string, error) {
 	if u.Scheme != "http" && u.Scheme != "https" {
 		return "", fmt.Errorf("telemetry URL scheme %q not allowed (want http/https)", u.Scheme)
 	}
-	if !isAllowedTelemetryHost(u.Hostname()) {
-		return "", fmt.Errorf("telemetry URL host %q not allowed", u.Hostname())
-	}
-	return u.String(), nil
-}
-
-// isAllowedTelemetryHost reports whether host is an acceptable telemetry
-// destination: the built-in production host, or a loopback address (tests and
-// local development). This equality guard is what bounds the request-forgery
-// surface — the host is constrained to a fixed safe set rather than taken
-// verbatim from configuration.
-func isAllowedTelemetryHost(host string) bool {
-	if host == "" {
-		return false
-	}
-	if strings.EqualFold(host, "localhost") {
-		return true
-	}
+	// Inline host allowlist guard (CWE-918 barrier). The request is only issued
+	// when the host matches a fixed safe value — the built-in production host or
+	// a loopback address (tests / local development). Kept inline as an
+	// `if !match { return }` equality guard on the same control-flow path as the
+	// sink, mirroring validateRegistryURL (the repo's accepted pattern).
+	host := u.Hostname()
+	loopback := strings.EqualFold(host, "localhost")
 	if ip := net.ParseIP(host); ip != nil && ip.IsLoopback() {
-		return true
+		loopback = true
 	}
-	if def := defaultTelemetryHost(); def != "" && strings.EqualFold(host, def) {
-		return true
+	if !loopback && !strings.EqualFold(host, defaultTelemetryHost()) {
+		return "", fmt.Errorf("telemetry URL host %q not allowed", host)
 	}
-	return false
+	return u.String(), nil
 }
 
 // defaultTelemetryHost returns the host of the built-in telemetry endpoint,

From 3c67b298983fa0148d24dcba59398482487b8f78 Mon Sep 17 00:00:00 2001
From: Algis Dumbris <a.dumbris@gmail.com>
Date: Mon, 15 Jun 2026 15:19:31 +0300
Subject: [PATCH 6/7] fix(telemetry): explicit-equality host guard for opt-out
 beacon (CWE-918)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Earlier barrier shapes (helper returning bool; EqualFold + net.ParseIP/IsLoopback)
did not satisfy CodeQL go/request-forgery. Switch to an inline exact-equality
allowlist (switch on the lower-cased host against the built-in telemetry host and
explicit loopback literals) — the canonical barrier shape the scanner recognizes,
on the same control-flow path as the request. Behaviour unchanged: prod host and
loopback (tests/local) allowed, everything else rejected.

Related #MCP-2482
---
 internal/telemetry/optout.go | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/internal/telemetry/optout.go b/internal/telemetry/optout.go
index a8c53e1ad..82cd3a233 100644
--- a/internal/telemetry/optout.go
+++ b/internal/telemetry/optout.go
@@ -6,7 +6,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"net"
 	"net/http"
 	"net/url"
 	"strings"
@@ -117,29 +116,28 @@ func validateTelemetryURL(rawURL string) (string, error) {
 		return "", fmt.Errorf("telemetry URL scheme %q not allowed (want http/https)", u.Scheme)
 	}
 	// Inline host allowlist guard (CWE-918 barrier). The request is only issued
-	// when the host matches a fixed safe value — the built-in production host or
-	// a loopback address (tests / local development). Kept inline as an
-	// `if !match { return }` equality guard on the same control-flow path as the
-	// sink, mirroring validateRegistryURL (the repo's accepted pattern).
-	host := u.Hostname()
-	loopback := strings.EqualFold(host, "localhost")
-	if ip := net.ParseIP(host); ip != nil && ip.IsLoopback() {
-		loopback = true
-	}
-	if !loopback && !strings.EqualFold(host, defaultTelemetryHost()) {
+	// when the host EXACTLY equals a fixed safe value — the built-in production
+	// host or an explicit loopback literal (tests / local development). Explicit
+	// equality via switch (no helper, no EqualFold/IsLoopback) keeps the guard on
+	// the same control-flow path as the sink and in the canonical barrier shape,
+	// mirroring validateRegistryURL (the repo's accepted pattern).
+	host := strings.ToLower(u.Hostname())
+	switch host {
+	case "localhost", "127.0.0.1", "::1", defaultTelemetryHost():
+		return u.String(), nil
+	default:
 		return "", fmt.Errorf("telemetry URL host %q not allowed", host)
 	}
-	return u.String(), nil
 }
 
-// defaultTelemetryHost returns the host of the built-in telemetry endpoint,
-// derived from config so it can never drift from GetTelemetryEndpoint.
+// defaultTelemetryHost returns the lower-cased host of the built-in telemetry
+// endpoint, derived from config so it can never drift from GetTelemetryEndpoint.
 func defaultTelemetryHost() string {
 	u, err := url.Parse((&config.Config{}).GetTelemetryEndpoint())
 	if err != nil {
 		return ""
 	}
-	return u.Hostname()
+	return strings.ToLower(u.Hostname())
 }
 
 // NotifyConfigChanged informs the telemetry service that the live configuration

From ff6906a0d16485219ffe72cb6d8ad61421d4d15d Mon Sep 17 00:00:00 2001
From: Algis Dumbris <a.dumbris@gmail.com>
Date: Mon, 15 Jun 2026 15:53:37 +0300
Subject: [PATCH 7/7] =?UTF-8?q?fix(telemetry):=20address=20Codex=20review?=
 =?UTF-8?q?=20=E2=80=94=20env-resolved=20gate,=20opt-out=20race,=20CLI=20g?=
 =?UTF-8?q?uards=20(MCP-2482)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Codex REQUEST_CHANGES on PR #684:

1. [P1] Respect env-resolved disabled state. The transition gated only on
   Config.IsTelemetryEnabled() (MCPPROXY_TELEMETRY), so DO_NOT_TRACK=1 / CI=true
   could emit a beacon when telemetry was never enabled. Add
   EffectiveTelemetryEnabled() = IsTelemetryEnabled() && !IsDisabledByEnv(), and
   use it for the transition, the New() resolvedEnabled seed, and the CLI.

2. [P1] Heartbeat-after-opt-out race. sendHeartbeat checked optedOut only at
   entry; a heartbeat in flight when the latch flipped still shipped a full usage
   payload. Re-check the latch immediately before transmit so no usage data
   leaves after opt-out.

3. [P2] CLI disable path. Routed through a single guarded entry point
   (Service.EmitOptOutBeacon — applies semver/dev, env, and anon-id guards and
   owns the send) instead of calling SendOptOutBeacon directly (which bypassed
   the guards). The CLI now confirms "Telemetry disabled." before the best-effort
   beacon (non-blocking) with a short 3s timeout.

Tests: env-disabled emits nothing; mid-flight opt-out suppresses transmit;
EmitOptOutBeacon guard matrix (dev/env/no-anon-id skip, eligible sends). CLI
smoke: enabled=1 beacon, DO_NOT_TRACK/CI=0.

Related #MCP-2482
---
 cmd/mcpproxy/telemetry_cmd.go     |  42 +++++-----
 internal/telemetry/optout.go      |  71 +++++++++++++----
 internal/telemetry/optout_test.go | 128 ++++++++++++++++++++++++++++++
 internal/telemetry/telemetry.go   |  11 ++-
 4 files changed, 214 insertions(+), 38 deletions(-)

diff --git a/cmd/mcpproxy/telemetry_cmd.go b/cmd/mcpproxy/telemetry_cmd.go
index c8dcd6958..8623c6d3b 100644
--- a/cmd/mcpproxy/telemetry_cmd.go
+++ b/cmd/mcpproxy/telemetry_cmd.go
@@ -268,11 +268,12 @@ func runTelemetryDisable(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("failed to load config: %w", err)
 	}
 
-	// Capture the resolved state BEFORE mutating, so we can detect a genuine
-	// enabled->disabled transition (MCP-2482). A second `disable` when already
-	// disabled must not emit another beacon.
-	wasEnabled := cfg.IsTelemetryEnabled()
-	anonID := cfg.GetAnonymousID()
+	// Capture the EFFECTIVE resolved state BEFORE mutating, so we only beacon on
+	// a genuine enabled->disabled transition (MCP-2482). Effective resolution
+	// includes env overrides (DO_NOT_TRACK / CI), so an install where telemetry
+	// was never actually enabled emits nothing. A second `disable` when already
+	// disabled also emits nothing (wasEnabled == false).
+	wasEnabled := telemetry.EffectiveTelemetryEnabled(cfg)
 
 	if cfg.Telemetry == nil {
 		cfg.Telemetry = &config.TelemetryConfig{}
@@ -285,24 +286,23 @@ func runTelemetryDisable(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("failed to save config: %w", err)
 	}
 
-	// One-time opt-out beacon: best-effort, fire on the real enabled->disabled
-	// flip. When a daemon is running it does NOT auto-reload this file (there is
-	// no fsnotify watcher), so the CLI is responsible for the beacon in the
-	// CLI-driven path. If there is no anonymous ID there is nothing to dedup on.
-	if wasEnabled && anonID != "" {
-		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	// The disable is now persisted and effective — confirm immediately so the
+	// command never appears to hang on the (best-effort) beacon below.
+	fmt.Println("Telemetry disabled.")
+
+	// One-time opt-out beacon. When a daemon is running it does NOT auto-reload
+	// this file (there is no fsnotify watcher), so the CLI is responsible for the
+	// beacon in the CLI-driven path. Route it through the SAME guarded server-side
+	// entry point (EmitOptOutBeacon applies the dev-build/semver, env, and
+	// anon-id guards and owns the single send) rather than duplicating the send
+	// or bypassing a guard. A short timeout keeps this from blocking on a slow
+	// endpoint; the CLI is short-lived so the send must complete before exit.
+	if wasEnabled {
+		ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
 		defer cancel()
-		// Reuse the telemetry service's own sender so the destination is the
-		// resolved telemetry endpoint (never an arbitrary caller-supplied URL).
-		beaconSvc := telemetry.New(cfg, "", "", "", zap.NewNop())
-		if beaconErr := beaconSvc.SendOptOutBeacon(ctx); beaconErr != nil {
-			// Best-effort only — telemetry is already disabled on disk. Surface
-			// at a low level so scripts aren't tripped up.
-			fmt.Println("Note: opt-out signal could not be delivered (telemetry is still disabled).")
-		}
+		beaconSvc := telemetry.New(cfg, "", version, Edition, zap.NewNop())
+		beaconSvc.EmitOptOutBeacon(ctx)
 	}
-
-	fmt.Println("Telemetry disabled.")
 	return nil
 }
 
diff --git a/internal/telemetry/optout.go b/internal/telemetry/optout.go
index 82cd3a233..679625f8e 100644
--- a/internal/telemetry/optout.go
+++ b/internal/telemetry/optout.go
@@ -31,17 +31,61 @@ type OptOutBeacon struct {
 	AnonymousID string `json:"anonymous_id"`
 }
 
+// EffectiveTelemetryEnabled resolves whether telemetry is ACTUALLY active for
+// cfg, honoring both the config bool (IsTelemetryEnabled — nil means enabled per
+// MCP-2477) AND the startup env overrides (DO_NOT_TRACK / CI / MCPPROXY_TELEMETRY
+// via IsDisabledByEnv). This must match the same effective resolution startup
+// uses: telemetry that was never enabled (e.g. DO_NOT_TRACK=1 or CI=true) must
+// never be considered "enabled", so disabling it produces no opt-out beacon.
+func EffectiveTelemetryEnabled(cfg *config.Config) bool {
+	if cfg == nil {
+		return false
+	}
+	if disabled, _ := IsDisabledByEnv(); disabled {
+		return false
+	}
+	return cfg.IsTelemetryEnabled()
+}
+
 // TelemetryDisableTransition reports whether the resolved telemetry state moved
-// from enabled to disabled between prior and next. "Resolved" follows
-// Config.IsTelemetryEnabled — a nil Telemetry block or a nil Enabled pointer
-// resolves to enabled (telemetry is opt-out), per MCP-2477. This is the single
+// from enabled to disabled between prior and next, using the SAME effective
+// resolution as startup (config bool + env overrides). This is the single
 // source of truth for the enabled->disabled flip, shared by the running daemon
 // (REST / reload paths) and the `mcpproxy telemetry disable` CLI.
 func TelemetryDisableTransition(prior, next *config.Config) bool {
 	if prior == nil || next == nil {
 		return false
 	}
-	return prior.IsTelemetryEnabled() && !next.IsTelemetryEnabled()
+	return EffectiveTelemetryEnabled(prior) && !EffectiveTelemetryEnabled(next)
+}
+
+// EmitOptOutBeacon applies the shared eligibility guards and, if eligible, sends
+// the opt-out beacon synchronously. It is the single guarded send entry point
+// used by BOTH the daemon (fire-and-forget in a goroutine from
+// NotifyConfigChanged) and the `mcpproxy telemetry disable` CLI — so neither
+// duplicates the send nor bypasses a guard.
+//
+// Guards (all must hold, mirroring the heartbeat eligibility):
+//   - valid semver build (dev builds never emit telemetry),
+//   - telemetry not disabled by environment (DO_NOT_TRACK / CI / MCPPROXY_TELEMETRY),
+//   - an anonymous install ID exists (nothing to dedup on otherwise).
+//
+// Returns true if a send was attempted (regardless of HTTP outcome). Best-effort:
+// callers disable telemetry whether or not this succeeds.
+func (s *Service) EmitOptOutBeacon(ctx context.Context) bool {
+	if !isValidSemver(s.version) {
+		return false
+	}
+	if disabled, _ := IsDisabledByEnv(); disabled {
+		return false
+	}
+	if s.config.GetAnonymousID() == "" {
+		return false
+	}
+	if err := s.SendOptOutBeacon(ctx); err != nil {
+		s.logger.Debug("opt-out beacon send failed (telemetry still disabled)", zap.Error(err))
+	}
+	return true
 }
 
 // SendOptOutBeacon posts a single opt-out beacon to the configured telemetry
@@ -160,7 +204,10 @@ func (s *Service) NotifyConfigChanged(newCfg *config.Config) {
 
 	s.mu.Lock()
 	prior := s.resolvedEnabled
-	next := newCfg.IsTelemetryEnabled()
+	// Use the SAME effective resolution as startup (config bool + env overrides)
+	// so an env-disabled install (DO_NOT_TRACK / CI) — which never emitted
+	// telemetry — never produces an opt-out beacon on a config flip.
+	next := EffectiveTelemetryEnabled(newCfg)
 	s.resolvedEnabled = next
 	// Keep the service's live config/endpoint current. ApplyConfig swaps the
 	// runtime's *config.Config pointer wholesale, so without this the service
@@ -181,19 +228,11 @@ func (s *Service) NotifyConfigChanged(newCfg *config.Config) {
 	// Stop all further telemetry immediately, before the (slower) network send.
 	s.optedOut.Store(true)
 
-	// Dev builds never emit telemetry; don't emit a beacon for them either.
-	if !isValidSemver(s.version) {
-		return
-	}
-	if newCfg.GetAnonymousID() == "" {
-		return
-	}
-
+	// Fire-and-forget through the shared guarded entry point (semver / env /
+	// anon-id guards live there). Never blocks the caller (the config save).
 	go func() {
 		ctx, cancel := context.WithTimeout(context.Background(), optOutBeaconTimeout)
 		defer cancel()
-		if err := s.SendOptOutBeacon(ctx); err != nil {
-			s.logger.Debug("opt-out beacon send failed (telemetry still disabled)", zap.Error(err))
-		}
+		s.EmitOptOutBeacon(ctx)
 	}()
 }
diff --git a/internal/telemetry/optout_test.go b/internal/telemetry/optout_test.go
index e44f6240a..16c37e6d1 100644
--- a/internal/telemetry/optout_test.go
+++ b/internal/telemetry/optout_test.go
@@ -272,3 +272,131 @@ func TestOptOut_StopsFurtherHeartbeats(t *testing.T) {
 		t.Fatalf("heartbeat emitted after opt-out: hits went %d -> %d", hitsAfterBeacon, got)
 	}
 }
+
+// hookStats is a RuntimeStats whose GetServerCount fires a hook, letting a test
+// flip state DURING buildHeartbeat to exercise the in-flight opt-out race.
+type hookStats struct {
+	onServerCount func()
+}
+
+func (h *hookStats) GetServerCount() int {
+	if h.onServerCount != nil {
+		h.onServerCount()
+	}
+	return 1
+}
+func (h *hookStats) GetConnectedServerCount() int      { return 0 }
+func (h *hookStats) GetToolCount() int                 { return 0 }
+func (h *hookStats) GetRoutingMode() string            { return "retrieve_tools" }
+func (h *hookStats) IsQuarantineEnabled() bool         { return false }
+func (h *hookStats) IsDockerAvailable() bool           { return false }
+func (h *hookStats) GetDockerIsolatedServerCount() int { return 0 }
+
+// TestSendHeartbeat_RechecksOptOutBeforeTransmit covers Codex fix #2: a heartbeat
+// already in flight when the opt-out latch flips must NOT transmit a usage
+// payload. The latch is flipped mid-buildHeartbeat (so the entry check has
+// already passed); the pre-transmit re-check must suppress the send.
+func TestSendHeartbeat_RechecksOptOutBeforeTransmit(t *testing.T) {
+	clearTelemetryEnv(t)
+
+	var hits atomic.Int32
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		hits.Add(1)
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	cfg := &config.Config{Telemetry: &config.TelemetryConfig{
+		Enabled: boolPtr(true), AnonymousID: "anon-xyz", Endpoint: server.URL,
+	}}
+	svc := New(cfg, "", "v1.2.3", "personal", zap.NewNop())
+	// Flip the opt-out latch while the payload is being built (after the entry
+	// guard, before transmit).
+	svc.SetRuntimeStats(&hookStats{onServerCount: func() { svc.optedOut.Store(true) }})
+
+	svc.sendHeartbeat(context.Background())
+
+	if got := hits.Load(); got != 0 {
+		t.Fatalf("usage heartbeat transmitted after mid-flight opt-out: %d sends", got)
+	}
+}
+
+// TestNotifyConfigChanged_NoBeaconWhenEnvDisabled covers Codex fix #1: when
+// telemetry is disabled by environment (DO_NOT_TRACK / CI), it was never
+// enabled, so a config enabled->disabled flip must emit NO opt-out beacon.
+func TestNotifyConfigChanged_NoBeaconWhenEnvDisabled(t *testing.T) {
+	clearTelemetryEnv(t)
+	t.Setenv("DO_NOT_TRACK", "1") // env-disabled: telemetry never ran
+
+	received := make(chan struct{}, 4)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		received <- struct{}{}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	enabled := &config.Config{Telemetry: &config.TelemetryConfig{
+		Enabled: boolPtr(true), AnonymousID: "anon-xyz", Endpoint: server.URL,
+	}}
+	disabled := &config.Config{Telemetry: &config.TelemetryConfig{
+		Enabled: boolPtr(false), AnonymousID: "anon-xyz", Endpoint: server.URL,
+	}}
+
+	svc := New(enabled, "", "v1.2.3", "personal", zap.NewNop())
+	svc.NotifyConfigChanged(disabled)
+
+	select {
+	case <-received:
+		t.Fatal("no beacon expected when telemetry was env-disabled (never enabled)")
+	case <-time.After(300 * time.Millisecond):
+	}
+}
+
+// TestEmitOptOutBeacon_Guards covers Codex fix #3: the single guarded send entry
+// (used by both the daemon and the CLI) must skip on a dev/non-semver build, when
+// env-disabled, and when there is no anonymous ID — and send only when eligible.
+func TestEmitOptOutBeacon_Guards(t *testing.T) {
+	newSvc := func(version, anonID string, endpoint string) *Service {
+		return New(&config.Config{Telemetry: &config.TelemetryConfig{
+			AnonymousID: anonID, Endpoint: endpoint,
+		}}, "", version, "personal", zap.NewNop())
+	}
+
+	t.Run("dev_build_skips", func(t *testing.T) {
+		clearTelemetryEnv(t)
+		if newSvc("dev", "anon", "http://127.0.0.1:0").EmitOptOutBeacon(context.Background()) {
+			t.Fatal("dev (non-semver) build must not attempt a beacon")
+		}
+	})
+
+	t.Run("env_disabled_skips", func(t *testing.T) {
+		clearTelemetryEnv(t)
+		t.Setenv("CI", "true")
+		if newSvc("v1.2.3", "anon", "http://127.0.0.1:0").EmitOptOutBeacon(context.Background()) {
+			t.Fatal("env-disabled (CI) build must not attempt a beacon")
+		}
+	})
+
+	t.Run("no_anon_id_skips", func(t *testing.T) {
+		clearTelemetryEnv(t)
+		if newSvc("v1.2.3", "", "http://127.0.0.1:0").EmitOptOutBeacon(context.Background()) {
+			t.Fatal("missing anonymous ID must not attempt a beacon")
+		}
+	})
+
+	t.Run("eligible_sends", func(t *testing.T) {
+		clearTelemetryEnv(t)
+		var hits atomic.Int32
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			hits.Add(1)
+			w.WriteHeader(http.StatusOK)
+		}))
+		defer server.Close()
+		if !newSvc("v1.2.3", "anon", server.URL).EmitOptOutBeacon(context.Background()) {
+			t.Fatal("eligible service should attempt a beacon")
+		}
+		if hits.Load() != 1 {
+			t.Fatalf("expected exactly one beacon, got %d", hits.Load())
+		}
+	})
+}
diff --git a/internal/telemetry/telemetry.go b/internal/telemetry/telemetry.go
index 0b551726d..937d6c5c8 100644
--- a/internal/telemetry/telemetry.go
+++ b/internal/telemetry/telemetry.go
@@ -255,7 +255,7 @@ func New(cfg *config.Config, cfgPath, version, edition string, logger *zap.Logge
 		envDisabledReason: envReason,
 		initialDelay:      5 * time.Minute,
 		heartbeatInterval: 24 * time.Hour,
-		resolvedEnabled:   cfg.IsTelemetryEnabled(),
+		resolvedEnabled:   EffectiveTelemetryEnabled(cfg),
 	}
 }
 
@@ -472,6 +472,15 @@ func (s *Service) sendHeartbeat(ctx context.Context) {
 	}
 	req.Header.Set("Content-Type", "application/json")
 
+	// MCP-2482: re-check the opt-out latch immediately before transmit. The
+	// entry check above can pass for a heartbeat already in flight when the user
+	// opts out mid-build; without this second check that heartbeat would still
+	// ship a full usage payload AFTER the opt-out. No usage data leaves once the
+	// latch is set.
+	if s.optedOut.Load() {
+		return
+	}
+
 	resp, err := s.client.Do(req)
 	if err != nil {
 		s.logger.Debug("Failed to send heartbeat", zap.Error(err))