feat: Add Application Insights telemetry via OpenTelemetry (#240)

- Add OpenTelemetry + Azure Monitor for usage tracking and unhandled exceptions
- Implement SensitiveDataRedactingProcessor to protect file paths/connection strings
- Add telemetry to all 12 MCP tools via ExecuteToolAction pattern
- Support opt-out via EXCELMCP_TELEMETRY_OPTOUT environment variable
- Add debug mode via EXCELMCP_DEBUG_TELEMETRY for local testing (console output)
- Build-time connection string injection in release workflow
- Add Bicep templates for Azure Application Insights deployment
- Add 29 tests (28 unit + 1 integration) for telemetry components
- Update developer docs with telemetry setup instructions

Closes #239

Author: sbroenne

.github/workflows/release-mcp-server.yml

@@ -7,8 +7,9 @@ name: Release MCP Server & CLI
 # Unified Versioning: MCP Server and CLI always release together with the same version
 # Tag pattern: v1.2.3 (removes mcp-v prefix, CLI and MCP Server share version)
 #
-# Required GitHub Secret:
+# Required GitHub Secrets:
 # - NUGET_USER: Your NuGet.org username (profile name, NOT email)
+# - APPINSIGHTS_CONNECTION_STRING: Application Insights connection string for telemetry
 #
 # Required NuGet.org Configuration:
 # - Package: Sbroenne.ExcelMcp.McpServer
@@ -95,6 +96,22 @@ jobs:
         dotnet restore src/ExcelMcp.McpServer/ExcelMcp.McpServer.csproj
         dotnet restore src/ExcelMcp.CLI/ExcelMcp.CLI.csproj
 
+    - name: Inject Application Insights Connection String
+      run: |
+        $telemetryFile = "src/ExcelMcp.McpServer/Telemetry/ExcelMcpTelemetry.cs"
+        $connectionString = "${{ secrets.APPINSIGHTS_CONNECTION_STRING }}"
+
+        if ([string]::IsNullOrWhiteSpace($connectionString)) {
+          Write-Output "⚠️ APPINSIGHTS_CONNECTION_STRING secret not configured - telemetry will be disabled"
+        } else {
+          Write-Output "Injecting Application Insights connection string..."
+          $content = Get-Content $telemetryFile -Raw
+          $content = $content -replace '__APPINSIGHTS_CONNECTION_STRING__', $connectionString
+          Set-Content $telemetryFile $content
+          Write-Output "✅ Telemetry connection string injected"
+        }
+      shell: pwsh
+
     - name: Build MCP Server & CLI
       run: |
         dotnet build src/ExcelMcp.McpServer/ExcelMcp.McpServer.csproj --configuration Release --no-restore

.gitignore

@@ -225,3 +225,4 @@ gh-pages/vendor
 gh-pages/_site/*
 
 codeql-db/*
+infrastructure/azure/appinsights.secrets.local

Directory.Packages.props

@@ -13,6 +13,8 @@
     <PackageVersion Include="Microsoft.Extensions.Hosting" Version="9.0.10" />
     <PackageVersion Include="Microsoft.Extensions.Logging" Version="9.0.10" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
+    <!-- OpenTelemetry for Application Insights -->
+    <PackageVersion Include="Azure.Monitor.OpenTelemetry.Exporter" Version="1.3.0" />    <PackageVersion Include="OpenTelemetry.Exporter.Console" Version="1.11.2" />    <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.11.2" />
     <PackageVersion Include="Microsoft.Extensions.Resilience" Version="10.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Configuration" Version="9.0.10" />
     <PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="9.0.10" />
@@ -35,4 +37,4 @@
     <PackageVersion Include="Microsoft.CodeAnalysis.Analyzers" Version="3.3.5" />
     <PackageVersion Include="Microsoft.CodeAnalysis.NetAnalyzers" Version="10.0.100" />
   </ItemGroup>
-</Project>
+</Project>

docs/DEVELOPMENT.md

@@ -371,6 +371,157 @@ dotnet build -c Release
 .\src\ExcelMcp.CLI\bin\Release\net10.0\excelcli.exe --version
 ```
 
+## 📊 **Application Insights / Telemetry Setup**
+
+ExcelMcp uses Azure Application Insights for anonymous usage telemetry and crash reporting. Telemetry is **opt-out** (enabled by default in release builds).
+
+### **What is Tracked**
+
+- **Tool invocations**: Tool name, action, duration (ms), success/failure
+- **Unhandled exceptions**: Exception type and redacted stack trace
+- **Session ID**: Random GUID per process (no user identification)
+
+### **What is NOT Tracked**
+
+- File paths, file names, or file contents
+- User identity, machine name, or IP address
+- Excel data, formulas, or cell values
+- Connection strings, credentials, or passwords
+
+### **Sensitive Data Redaction**
+
+All telemetry passes through `SensitiveDataRedactingProcessor` which removes:
+- Windows file paths (`C:\Users\...` → `[REDACTED_PATH]`)
+- UNC paths (`\\server\share\...` → `[REDACTED_PATH]`)
+- Connection string secrets (`Password=...` → `[REDACTED_CREDENTIAL]`)
+- Email addresses → `[REDACTED_EMAIL]`
+
+### **Azure Resources Setup (Maintainers Only)**
+
+To deploy the Application Insights infrastructure:
+
+```powershell
+# 1. Login to Azure
+az login
+
+# 2. Deploy resources (creates RG, Log Analytics, App Insights)
+.\infrastructure\azure\deploy-appinsights.ps1 -SubscriptionId "<your-subscription-id>"
+
+# 3. Copy the connection string from output
+# Output: "Connection String: InstrumentationKey=xxx;IngestionEndpoint=..."
+```
+
+### **GitHub Secret Configuration (Maintainers Only)**
+
+After deploying Azure resources:
+
+1. Go to GitHub repo → **Settings** → **Secrets and variables** → **Actions**
+2. Add new secret: `APPINSIGHTS_CONNECTION_STRING`
+3. Paste the connection string from deployment output
+
+The release workflow automatically injects this at build time.
+
+### **Local Development**
+
+During local development, telemetry is **disabled by default** because the placeholder connection string is not replaced. This is intentional - no telemetry data is sent from dev builds.
+
+#### **Debug Mode: Console Output**
+
+To test telemetry locally without Azure, enable debug mode which logs to stderr:
+
+```powershell
+# Enable debug telemetry (logs to console instead of Azure)
+$env:EXCELMCP_DEBUG_TELEMETRY = "true"
+
+# Build and run the MCP server
+dotnet build src/ExcelMcp.McpServer/ExcelMcp.McpServer.csproj
+dotnet run --project src/ExcelMcp.McpServer/ExcelMcp.McpServer.csproj
+
+# You'll see telemetry output like:
+# [Telemetry] Debug mode enabled - logging to stderr
+# Activity.TraceId: abc123...
+# Activity.DisplayName: ToolInvocation
+# Activity.Tags:
+#     tool.name: excel_file
+#     tool.action: list
+#     tool.duration_ms: 42
+#     tool.success: true
+```
+
+#### **Testing with Real Azure Resources**
+
+To test with actual Application Insights:
+
+```powershell
+# 1. Deploy Azure resources
+.\infrastructure\azure\deploy-appinsights.ps1 -SubscriptionId "<your-sub-id>"
+
+# 2. Temporarily inject connection string (DON'T COMMIT!)
+$connStr = "InstrumentationKey=xxx;IngestionEndpoint=https://..."
+(Get-Content "src/ExcelMcp.McpServer/Telemetry/ExcelMcpTelemetry.cs") -replace `
+    '__APPINSIGHTS_CONNECTION_STRING__', $connStr | `
+    Set-Content "src/ExcelMcp.McpServer/Telemetry/ExcelMcpTelemetry.cs"
+
+# 3. Build and run
+dotnet build src/ExcelMcp.McpServer/ExcelMcp.McpServer.csproj
+dotnet run --project src/ExcelMcp.McpServer/ExcelMcp.McpServer.csproj
+
+# 4. Check Azure Portal → Application Insights → Transaction search
+
+# 5. IMPORTANT: Revert the file (don't commit connection string!)
+git checkout src/ExcelMcp.McpServer/Telemetry/ExcelMcpTelemetry.cs
+```
+
+To verify telemetry state:
+```csharp
+// ExcelMcpTelemetry.IsEnabled returns false when:
+// - Connection string is placeholder "__APPINSIGHTS_CONNECTION_STRING__"
+// - User has opted out via EXCELMCP_TELEMETRY_OPTOUT=true
+
+// ExcelMcpTelemetry.IsEnabled returns true when:
+// - EXCELMCP_DEBUG_TELEMETRY=true (console output mode)
+// - Connection string is real (injected at build time)
+```
+
+### **User Opt-Out**
+
+Users can disable telemetry by setting an environment variable:
+
+```powershell
+# Windows
+$env:EXCELMCP_TELEMETRY_OPTOUT = "true"
+
+# Or permanently via System Properties → Environment Variables
+```
+
+### **Telemetry Architecture**
+
+```
+MCP Tool Invocation
+    │
+    ▼
+ExcelToolsBase.ExecuteToolAction()
+    │ (tracks: tool, action, duration, success)
+    ▼
+ExcelMcpTelemetry.TrackToolInvocation()
+    │
+    ▼
+SensitiveDataRedactingProcessor
+    │ (removes: paths, credentials, emails)
+    ▼
+Azure Monitor Exporter → Application Insights
+```
+
+### **Files Overview**
+
+| File | Purpose |
+|------|---------|
+| `Telemetry/ExcelMcpTelemetry.cs` | Static helper for tracking |
+| `Telemetry/SensitiveDataRedactingProcessor.cs` | Redacts PII before transmission |
+| `Program.cs` | OpenTelemetry configuration |
+| `infrastructure/azure/appinsights.bicep` | Azure resource definitions |
+| `infrastructure/azure/deploy-appinsights.ps1` | Deployment script |
+
 ## 📞 **Need Help?**
 
 - **Read the docs**: [Contributing Guide](CONTRIBUTING.md)

infrastructure/azure/appinsights-resources.bicep

@@ -0,0 +1,51 @@
+// Application Insights resources module
+// Called by appinsights.bicep - deploys into an existing resource group
+
+param location string
+param logAnalyticsName string
+param appInsightsName string
+param retentionInDays int
+param tags object
+
+// Log Analytics Workspace (required backend for Application Insights)
+resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
+  name: logAnalyticsName
+  location: location
+  tags: tags
+  properties: {
+    sku: {
+      name: 'PerGB2018'
+    }
+    retentionInDays: retentionInDays
+    features: {
+      enableLogAccessUsingOnlyResourcePermissions: true
+    }
+    workspaceCapping: {
+      dailyQuotaGb: -1 // No cap
+    }
+    publicNetworkAccessForIngestion: 'Enabled'
+    publicNetworkAccessForQuery: 'Enabled'
+  }
+}
+
+// Application Insights (workspace-based)
+resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
+  name: appInsightsName
+  location: location
+  tags: tags
+  kind: 'other' // 'other' for non-web applications like console apps
+  properties: {
+    Application_Type: 'other'
+    WorkspaceResourceId: logAnalytics.id
+    IngestionMode: 'LogAnalytics'
+    publicNetworkAccessForIngestion: 'Enabled'
+    publicNetworkAccessForQuery: 'Enabled'
+    RetentionInDays: retentionInDays
+  }
+}
+
+// Outputs
+output logAnalyticsWorkspaceId string = logAnalytics.id
+output appInsightsName string = appInsights.name
+output appInsightsConnectionString string = appInsights.properties.ConnectionString
+output appInsightsInstrumentationKey string = appInsights.properties.InstrumentationKey

infrastructure/azure/appinsights.bicep

@@ -0,0 +1,57 @@
+// Application Insights infrastructure for ExcelMcp telemetry
+// Deploys: Resource Group, Log Analytics Workspace, Application Insights
+//
+// Deploy with: az deployment sub create --location <location> --template-file appinsights.bicep --parameters appinsights.parameters.json
+
+targetScope = 'subscription'
+
+@description('Name of the resource group to create')
+param resourceGroupName string = 'excelmcp-observability'
+
+@description('Azure region for all resources')
+param location string = 'westeurope'
+
+@description('Name of the Log Analytics workspace')
+param logAnalyticsName string = 'excelmcp-logs'
+
+@description('Name of the Application Insights resource')
+param appInsightsName string = 'excelmcp-appinsights'
+
+@description('Data retention in days (30-730)')
+@minValue(30)
+@maxValue(730)
+param retentionInDays int = 90
+
+@description('Tags to apply to all resources')
+param tags object = {
+  project: 'ExcelMcp'
+  purpose: 'Telemetry'
+  managedBy: 'Bicep'
+}
+
+// Resource Group
+resource rg 'Microsoft.Resources/resourceGroups@2024-03-01' = {
+  name: resourceGroupName
+  location: location
+  tags: tags
+}
+
+// Deploy resources into the resource group
+module observability 'appinsights-resources.bicep' = {
+  name: 'observability-deployment'
+  scope: rg
+  params: {
+    location: location
+    logAnalyticsName: logAnalyticsName
+    appInsightsName: appInsightsName
+    retentionInDays: retentionInDays
+    tags: tags
+  }
+}
+
+// Outputs
+output resourceGroupName string = rg.name
+output logAnalyticsWorkspaceId string = observability.outputs.logAnalyticsWorkspaceId
+output appInsightsName string = observability.outputs.appInsightsName
+output appInsightsConnectionString string = observability.outputs.appInsightsConnectionString
+output appInsightsInstrumentationKey string = observability.outputs.appInsightsInstrumentationKey

infrastructure/azure/appinsights.parameters.json

@@ -0,0 +1,28 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "resourceGroupName": {
+      "value": "excelmcp-observability"
+    },
+    "location": {
+      "value": "swedencentral"
+    },
+    "logAnalyticsName": {
+      "value": "excelmcp-logs"
+    },
+    "appInsightsName": {
+      "value": "excelmcp-appinsights"
+    },
+    "retentionInDays": {
+      "value": 90
+    },
+    "tags": {
+      "value": {
+        "project": "ExcelMcp",
+        "purpose": "Telemetry",
+        "managedBy": "Bicep"
+      }
+    }
+  }
+}