Release notes

Identity lookup and public API contract cleanup

This release updates the public API contract and client-facing docs for the privacy-first identity model.

Breaking changes

• Public examples no longer identify users by email address alone. Send a stable, non-email user_id to identify, and put email addresses only in top-level traits.email when the user is authenticated and you need profile stitching.
• Browser-side email hashing guidance has been removed from tracker docs. Do not compute local SHA-256 email hashes in client code as a user identifier.
• Identity portfolios are the public contract for cross-project lookup boundaries and membership. Portfolio context remains compact interpretation notes for goals, surface roles, and milestones; do not use it as an identity lookup surface.
• OpenAPI copies shipped with the docs now include the current identify, lookup, query, portfolio-context, and portfolios contracts.

Privacy-first lookup model

Agent Analytics may receive raw email during authenticated identify calls or authenticated lookup requests so the service can stitch profiles and resolve a user safely. Raw email is not stored raw in event rows or profile rows. Lookup guidance is now authenticated/server-side: send raw email only through supported authenticated flows, let Agent Analytics apply its privacy protections, and avoid publishing local-only email hashes or browser-side hash matching logic.

Migration checklist

• Replace identify-by-email snippets with a stable app user ID, and include email only as traits.email when authenticated lookup support is needed.
• Remove client-side SHA-256 email-hash helpers from browser integrations.
• Update agents and skills to use documented lookup/query/portfolio endpoints instead of guessing profile IDs from hashes.
• Regenerate clients from https://docs.agentanalytics.sh/openapi.yaml after this release.