@billxinli billxinli commented Dec 1, 2025

Summary

This PR adds telemetry functionality to the Socket CLI to track usage patterns, performance metrics, and errors. The implementation includes instrumentation across CLI commands, subprocess executions, and API interactions.

Telemetry Infrastructure

  • Organization-scoped tracking: All telemetry requires org context - cannot track without organization
  • Event batching: Configurable batch sizes with periodic flushing (500ms intervals)
  • Graceful degradation: Telemetry failures never block CLI execution
  • Session tracking: Unique session IDs per CLI invocation
  • Privacy-first: Comprehensive PII sanitization (tokens, file paths, package names)
  • Queue size limiting: Max 1,000 events to prevent memory leaks during API outages
  • Timeout protection: 2-second max flush time prevents hanging on exit

Event Types Tracked

  • CLI lifecycle: cli_start, cli_complete, cli_error
  • Subprocess execution: subprocess_start, subprocess_complete, subprocess_error
  • API interactions: api_request, api_response, api_error
  • Custom events: Generic event tracking with metadata support

PII Sanitization

  • API tokens: Redacts sktsec_* tokens and hex tokens
  • File paths: Replaces home directory with ~
  • Package names: Strips package arguments after wrapper CLIs
  • Sensitive flags: Redacts values after --api-token, --token, -t

Example Sanitization

Input:  ['node', 'socket', 'npm', 'install', '@my/private-pkg', '--token', 'sktsec_abc123']
Output: ['npm', 'install']  // Package name and token removed

Telemetry Configuration

  const TELEMETRY_SERVICE_CONFIG = {
    batch_size: 10,           // Events per batch
    flush_interval: 500,      // 0.5 second periodic flush
    flush_timeout: 2_000,     // 2 second max flush duration
    max_queue_size: 1_000,    // Memory leak protection
  }

Breaking Changes

None. Telemetry is opt-in via organization configuration and fails gracefully.

"@socketsecurity/config": "3.0.1",
"@socketsecurity/registry": "1.1.17",
"@socketsecurity/sdk": "1.4.94",
"@socketsecurity/sdk": "file:///Users/billli/code/socketdev/socket-sdk-js/socketsecurity-sdk-1.4.94.tgz",
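Review bot: the dependency block declares "@socketsecurity/sdk" twice, and the second value is a `file:///Users/billli/...` tarball on the author's machine. In JSON the last duplicate key wins, so the manifest resolves to that local path and will not install for anyone else or in CI; keep a single entry pinned to the published registry version once SocketDev/socket-sdk-js#446 ships.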
billxinli (Author):

Will need to point to the newly published sdk from SocketDev/socket-sdk-js#446

Comment on lines +34 to +36
// Temporarily commented out due to dependency version mismatch.
// SDK has "alpm" but registry's EcosystemString doesn't yet.
// type MissingInEcosystemString = Exclude<PURL_Type, EcosystemString>
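Review bot: commenting out the `MissingInEcosystemString` exclusion check means the `alpm` mismatch between the SDK's `PURL_Type` and the registry's `EcosystemString` is no longer caught at compile time, and nothing will remind anyone to restore it. If the mismatch is temporary, leave a TODO pointing at the registry change that adds `alpm`, or keep the check and widen `EcosystemString` in the same PR so the two enums cannot drift silently.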
billxinli (Author):

The sdk synced the latest version of OAS spec.

@billxinli billxinli requested a review from jdalton December 1, 2025 16:59
hooks: {
onRequest: (info: RequestInfo) => {
// Skip tracking for telemetry submission endpoints to prevent infinite loop.
const isTelemetryEndpoint = info.url.includes('/telemetry')
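Review bot: `info.url.includes('/telemetry')` is a substring match on the whole URL, so any request whose path or query string happens to contain `/telemetry` is also excluded from tracking, while a telemetry submission endpoint mounted under a different prefix would still be tracked and re-enter the loop the comment is guarding against. Match on the parsed path instead, e.g. `new URL(info.url).pathname.startsWith('/telemetry')`, or have the SDK mark its own telemetry requests explicitly so the hook does not need to inspect URLs at all.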
billxinli (Author):

The sdk is calling the hooks on some endpoints and not others. I am not sure if this is the intended pattern. (Should only some endpoints and functions get hooks and not others? If so, that could simplify this awkward logic.)
