PostHog
diff --git a/‎nodejs/src/cdp/cdp-api.ts‎
Lines changed: 1 addition & 1 deletion b/‎nodejs/src/cdp/cdp-api.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodejs/src/cdp/consumers/cdp-source-webhooks.consumer.ts‎
Lines changed: 1 addition & 1 deletion b/‎nodejs/src/cdp/consumers/cdp-source-webhooks.consumer.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎…n/cookieless/daily-salt-provider.test.ts‎ ‎…cdp/services/daily-salt-provider.test.ts‎nodejs/src/ingestion/common/cookieless/daily-salt-provider.test.ts renamed to nodejs/src/cdp/services/daily-salt-provider.test.ts b/‎…n/cookieless/daily-salt-provider.test.ts‎ ‎…cdp/services/daily-salt-provider.test.ts‎nodejs/src/ingestion/common/cookieless/daily-salt-provider.test.ts renamed to nodejs/src/cdp/services/daily-salt-provider.test.ts
diff --git a/‎nodejs/src/cdp/services/daily-salt-provider.ts‎
Lines changed: 142 additions & 0 deletions b/‎nodejs/src/cdp/services/daily-salt-provider.ts‎
Lines changed: 142 additions & 0 deletions
diff --git a/‎nodejs/src/cdp/templates/_sources/vercel/vercel_log_drain.template.test.ts‎
Lines changed: 0 additions & 45 deletions b/‎nodejs/src/cdp/templates/_sources/vercel/vercel_log_drain.template.test.ts‎
Lines changed: 0 additions & 45 deletions
diff --git a/‎nodejs/src/cdp/templates/_sources/vercel/vercel_log_drain.template.ts‎
Lines changed: 8 additions & 18 deletions b/‎nodejs/src/cdp/templates/_sources/vercel/vercel_log_drain.template.ts‎
Lines changed: 8 additions & 18 deletions
@@ -2,7 +2,6 @@ import { DateTime } from 'luxon'
 import express from 'ultimate-express'
 
 import { ModifiedRequest } from '~/api/router'
-import { DailySaltProvider } from '~/ingestion/common/cookieless/daily-salt-provider'
 import { PluginEvent } from '~/plugin-scaffold'
 
 import { createCookielessRedisConnectionConfig } from '../config/redis-pools'
@@ -31,6 +30,7 @@ import { BATCH_HOGFLOW_REQUESTS_OUTPUT } from './outputs/outputs'
 import { RerunJobManager } from './rerun/rerun-job.manager'
 import { RerunRequest } from './rerun/rerun-job.types'
 import { BatchExportHogFunctionService, NotFoundError, ParseError } from './services/batch-export-hog-function.service'
+import { DailySaltProvider } from './services/daily-salt-provider'
 import { HogExecutorExecuteAsyncOptions, HogExecutorService, MAX_ASYNC_STEPS } from './services/hog-executor.service'
 import { HogFlowExecutorService, createHogFlowInvocation } from './services/hogflows/hogflow-executor.service'
 import { HogFlowManagerService } from './services/hogflows/hogflow-manager.service'
 
@@ -3,13 +3,13 @@ import { Counter } from 'prom-client'
 
 import type { ModifiedRequest } from '~/api/router'
 import { instrumented } from '~/common/tracing/tracing-utils'
-import { DailySaltProvider, deriveTeamDailySalt } from '~/ingestion/common/cookieless/daily-salt-provider'
 import { HogFlow } from '~/schema/hogflow'
 
 import { HealthCheckResult, HealthCheckResultOk, PluginsServerConfig } from '../../types'
 import { logger } from '../../utils/logger'
 import { PromiseScheduler } from '../../utils/promise-scheduler'
 import { UUID, UUIDT } from '../../utils/utils'
+import { DailySaltProvider, deriveTeamDailySalt } from '../services/daily-salt-provider'
 import { createHogFlowInvocation } from '../services/hogflows/hogflow-executor.service'
 import { actionIdForLogging } from '../services/hogflows/hogflow-utils'
 import { JobQueue } from '../services/job-queue/job-queue.interface'
 
@@ -0,0 +1,142 @@
+import { createHash, randomBytes } from 'crypto'
+import { Pool as GenericPool } from 'generic-pool'
+import Redis from 'ioredis'
+
+import { ConcurrencyController } from '~/utils/concurrencyController'
+
+/*
+ * Daily-rotating salt for Hog-derived distinct_ids.
+ *
+ * A 128-bit random value per calendar day, stored in Redis with a TTL. Once the TTL expires the
+ * salt is gone, so any hash that mixed it in becomes irreversible. This is intentionally independent
+ * of cookieless ingestion — it manages its own salt under its own key — so the cookieless code stays
+ * untouched and the two never share state.
+ */
+
+// Redis key namespace. Deliberately separate from cookieless (`cookieless_salt:`) — own salt, own data.
+const SALT_KEY_PREFIX = 'hog_distinct_id_salt:'
+
+// Calendar-day validity window: accept any day some timezone could currently be in (UTC−12…UTC+14),
+// plus a 72h buffer. Mirrors the cookieless salt window without sharing its code.
+const MAX_NEGATIVE_TIMEZONE_HOURS = 12
+const MAX_POSITIVE_TIMEZONE_HOURS = 14
+const MAX_SUPPORTED_INGESTION_LAG_HOURS = 72
+
+export type DailySaltResult = { success: true; salt: Buffer } | { success: false; reason: 'date_out_of_range' }
+
+export interface DailySaltProviderConfig {
+    saltTtlSeconds: number
+    deleteExpiredLocalSaltsIntervalMs: number
+}
+
+export class DailySaltProvider {
+    private readonly saltTtlSeconds: number
+    private readonly localSaltMap: Record<string, Buffer> = {}
+    private readonly mutex = new ConcurrencyController(1)
+    private cleanupInterval: NodeJS.Timeout | null = null
+
+    constructor(
+        config: DailySaltProviderConfig,
+        private readonly redisPool: GenericPool<Redis.Redis>
+    ) {
+        this.saltTtlSeconds = config.saltTtlSeconds
+        // Periodically drop expired salts from the local cache; Redis TTLs handle the durable copy.
+        this.cleanupInterval = setInterval(this.deleteExpiredLocalSalts, config.deleteExpiredLocalSaltsIntervalMs)
+        // unref so the timer never keeps the process alive.
+        this.cleanupInterval.unref()
+    }
+
+    getSaltForDay(yyyymmdd: string, timestampMs: number): Promise<DailySaltResult> {
+        if (!isCalendarDateValid(yyyymmdd)) {
+            return Promise.resolve({ success: false, reason: 'date_out_of_range' })
+        }
+        if (this.localSaltMap[yyyymmdd]) {
+            return Promise.resolve({ success: true, salt: this.localSaltMap[yyyymmdd] })
+        }
+
+        // Fetch from Redis once per node process per day, behind a mutex so concurrent callers share one round-trip.
+        return this.mutex.run({
+            fn: async (): Promise<DailySaltResult> => {
+                if (this.localSaltMap[yyyymmdd]) {
+                    return { success: true, salt: this.localSaltMap[yyyymmdd] }
+                }
+
+                const key = `${SALT_KEY_PREFIX}${yyyymmdd}`
+                const client = await this.redisPool.acquire()
+                try {
+                    const existing = await client.get(key)
+                    if (existing) {
+                        const salt = Buffer.from(existing, 'base64')
+                        this.localSaltMap[yyyymmdd] = salt
+                        return { success: true, salt }
+                    }
+
+                    // Create the day's salt, but don't overwrite a racing writer (SET NX).
+                    const newSalt = randomBytes(16)
+                    const setResult = await client.set(key, newSalt.toString('base64'), 'EX', this.saltTtlSeconds, 'NX')
+                    if (setResult === 'OK') {
+                        this.localSaltMap[yyyymmdd] = newSalt
+                        return { success: true, salt: newSalt }
+                    }
+
+                    // Lost the race — read the value the winner wrote.
+                    const retry = await client.get(key)
+                    if (!retry) {
+                        throw new Error('Failed to read Hog daily salt from redis')
+                    }
+                    const salt = Buffer.from(retry, 'base64')
+                    this.localSaltMap[yyyymmdd] = salt
+                    return { success: true, salt }
+                } finally {
+                    await this.redisPool.release(client)
+                }
+            },
+            priority: timestampMs,
+        })
+    }
+
+    deleteExpiredLocalSalts = (): void => {
+        for (const key in this.localSaltMap) {
+            if (!isCalendarDateValid(key)) {
+                delete this.localSaltMap[key]
+            }
+        }
+    }
+
+    deleteAllLocalSalts(): void {
+        for (const key in this.localSaltMap) {
+            delete this.localSaltMap[key]
+        }
+    }
+
+    shutdown(): void {
+        if (this.cleanupInterval) {
+            clearInterval(this.cleanupInterval)
+            this.cleanupInterval = null
+        }
+        this.deleteAllLocalSalts()
+    }
+}
+
+/**
+ * Derive a per-team daily salt from the random daily salt. Forward-derivable from
+ * (dailySalt, teamId, yyyymmdd), but not reversible — sha256 is one-way and the daily salt is
+ * random and discarded after its TTL. Mixing in `teamId` isolates teams: leaking one team's
+ * derived salt reveals nothing about the daily salt or any other team.
+ */
+export function deriveTeamDailySalt(dailySalt: Buffer, teamId: number, yyyymmdd: string): string {
+    return createHash('sha256').update(dailySalt).update(`:${teamId}:${yyyymmdd}`).digest('base64')
+}
+
+export function isCalendarDateValid(yyyymmdd: string): boolean {
+    const utcDate = new Date(`${yyyymmdd}T00:00:00Z`)
+    const nowUTC = new Date(Date.now())
+
+    const startOfDayMinus12 = new Date(utcDate)
+    startOfDayMinus12.setUTCHours(-MAX_NEGATIVE_TIMEZONE_HOURS)
+
+    const endOfDayPlus14 = new Date(utcDate)
+    endOfDayPlus14.setUTCHours(MAX_POSITIVE_TIMEZONE_HOURS + MAX_SUPPORTED_INGESTION_LAG_HOURS)
+
+    return nowUTC >= startOfDayMinus12 && nowUTC < endOfDayPlus14
+}
@@ -617,51 +617,6 @@ describe('vercel log drain template', () => {
             expect(day1.capturedPostHogEvents[0].properties.$distinct_id_strategy).toBe('fixed_salt')
         })
 
-        it('managed_rotating_salt: rotates by day and by injected salt', async () => {
-            setMockedDay('2025-01-01T00:00:00Z')
-            const day1 = await tester.invoke(
-                { distinct_id_strategy: 'managed_rotating_salt' },
-                { request: createVercelRequest(vercelLogDrain), salt: 'team-a-2025-01-01' }
-            )
-            const day1Repeat = await tester.invoke(
-                { distinct_id_strategy: 'managed_rotating_salt' },
-                { request: createVercelRequest(vercelLogDrain), salt: 'team-a-2025-01-01' }
-            )
-            // Different injected salt (another team, or the next day's derived salt) → different id
-            const otherTeam = await tester.invoke(
-                { distinct_id_strategy: 'managed_rotating_salt' },
-                { request: createVercelRequest(vercelLogDrain), salt: 'team-b-2025-01-01' }
-            )
-            // Next calendar day → different id even with the same injected salt (the {day} component)
-            setMockedDay('2025-01-02T00:00:00Z')
-            const day2 = await tester.invoke(
-                { distinct_id_strategy: 'managed_rotating_salt' },
-                { request: createVercelRequest(vercelLogDrain), salt: 'team-a-2025-01-01' }
-            )
-
-            const id1 = day1.capturedPostHogEvents[0].distinct_id
-            expect(id1).toMatch(/^http_log_[A-Za-z0-9+/]{22}$/)
-            expect(day1Repeat.capturedPostHogEvents[0].distinct_id).toBe(id1)
-            expect(otherTeam.capturedPostHogEvents[0].distinct_id).not.toBe(id1)
-            expect(day2.capturedPostHogEvents[0].distinct_id).not.toBe(id1)
-            expect(day1.capturedPostHogEvents[0].properties.$distinct_id_strategy).toBe('managed_rotating_salt')
-        })
-
-        it('managed_rotating_salt: derived from the injected salt, not inputs.salt_secret', async () => {
-            setMockedDay('2025-01-01T00:00:00Z')
-            const base = await tester.invoke(
-                { salt_secret: 'secret-one', distinct_id_strategy: 'managed_rotating_salt' },
-                { request: createVercelRequest(vercelLogDrain), salt: 'team-a-salt' }
-            )
-            // Changing the user secret must NOT change the id — guards against the local shadowing the global.
-            const differentSecret = await tester.invoke(
-                { salt_secret: 'secret-two', distinct_id_strategy: 'managed_rotating_salt' },
-                { request: createVercelRequest(vercelLogDrain), salt: 'team-a-salt' }
-            )
-
-            expect(differentSecret.capturedPostHogEvents[0].distinct_id).toBe(base.capturedPostHogEvents[0].distinct_id)
-        })
-
         it('ip: literal client IP after the prefix; stable across days', async () => {
             setMockedDay('2025-01-01T00:00:00Z')
             const day1 = await tester.invoke(
 
@@ -165,9 +165,7 @@ let scheme := proxy.scheme ?? 'https'
 let path := proxy.path ?? log.path ?? ''
 
 let day := formatDateTime(now(), '%Y-%m-%d')
-let userSalt := inputs.salt_secret ?? ''
-// PostHog-managed per-team daily-rotating salt, injected as the 'salt' runtime global before this runs.
-let managedSalt := salt ?? ''
+let salt := inputs.salt_secret ?? ''
 let strategy := inputs.distinct_id_strategy ?? 'fixed_salt'
 let activeStrategy := strategy
 let distinctId := ''
@@ -179,21 +177,17 @@ fun shortHash(input) {
     return substring(sha256(input, 'base64'), 1, 22)
 }
 
-if (strategy == 'managed_rotating_salt') {
-    // PostHog-managed daily salt — rotates daily and is irreversible by design (the underlying daily
-    // salt is random and discarded after its TTL), so there's no secret to configure or store.
-    distinctId := f'http_log_{shortHash(f'{managedSalt}:{day}:{clientIp}:{host}:{userAgent}')}'
-} else if (strategy == 'rotating_salt') {
-    distinctId := f'http_log_{shortHash(f'{userSalt}:{day}:{clientIp}:{host}:{userAgent}')}'
+if (strategy == 'rotating_salt') {
+    distinctId := f'http_log_{shortHash(f'{salt}:{day}:{clientIp}:{host}:{userAgent}')}'
 } else if (strategy == 'fixed_salt') {
-    distinctId := f'http_log_{shortHash(f'{userSalt}:{clientIp}:{host}:{userAgent}')}'
+    distinctId := f'http_log_{shortHash(f'{salt}:{clientIp}:{host}:{userAgent}')}'
 } else if (strategy == 'ip') {
     distinctId := f'http_log_{clientIp}'
 } else if (strategy == 'custom') {
     let customTemplate := inputs.custom_template ?? ''
     if (empty(customTemplate)) {
         print('vercel log drain: custom_template empty, falling back to rotating_salt')
-        distinctId := f'http_log_{shortHash(f'{userSalt}:{day}:{clientIp}:{host}:{userAgent}')}'
+        distinctId := f'http_log_{shortHash(f'{salt}:{day}:{clientIp}:{host}:{userAgent}')}'
         activeStrategy := 'rotating_salt_fallback'
     } else {
         let result := customTemplate
@@ -209,15 +203,15 @@ if (strategy == 'managed_rotating_salt') {
         // so we don't collapse all such requests onto a single 'http_log_' id.
         if (empty(result)) {
             print('vercel log drain: custom_template substituted to empty, falling back to rotating_salt')
-            distinctId := f'http_log_{shortHash(f'{userSalt}:{day}:{clientIp}:{host}:{userAgent}')}'
+            distinctId := f'http_log_{shortHash(f'{salt}:{day}:{clientIp}:{host}:{userAgent}')}'
             activeStrategy := 'rotating_salt_fallback'
         } else {
             distinctId := f'http_log_{result}'
         }
     }
 } else {
     // Unknown strategy value — treat as rotating_salt
-    distinctId := f'http_log_{shortHash(f'{userSalt}:{day}:{clientIp}:{host}:{userAgent}')}'
+    distinctId := f'http_log_{shortHash(f'{salt}:{day}:{clientIp}:{host}:{userAgent}')}'
     activeStrategy := 'rotating_salt'
 }
 
@@ -371,7 +365,7 @@ return {
             type: 'choice',
             label: 'Distinct ID strategy',
             description:
-                'How distinct IDs are derived from the request. Because events are anonymous by default (no person profiles), this affects unique-visitor counting rather than cost. The default, fixed salt, gives one stable ID per client (IP + host + user agent) for accurate uniques. Rotating salt rotates that ID daily for extra privacy, at the cost of inflated unique counts. Managed rotating salt does the same using a PostHog-managed daily salt, so there is no secret to configure and prior days become irreversible. The active strategy is recorded on each event as $distinct_id_strategy for debugging.',
+                'How distinct IDs are derived from the request. Because events are anonymous by default (no person profiles), this affects unique-visitor counting rather than cost. The default, fixed salt, gives one stable ID per client (IP + host + user agent) for accurate uniques. Rotating salt rotates that ID daily for extra privacy, at the cost of inflated unique counts. The active strategy is recorded on each event as $distinct_id_strategy for debugging.',
             choices: [
                 {
                     value: 'fixed_salt',
@@ -381,10 +375,6 @@ return {
                     value: 'rotating_salt',
                     label: 'Rotating salt (sha256(salt:day:ip:host:ua)) — rotates daily for privacy',
                 },
-                {
-                    value: 'managed_rotating_salt',
-                    label: 'Managed rotating salt — PostHog-managed daily salt, rotates daily, no secret needed',
-                },
                 {
                     value: 'ip',
                     label: 'Raw IP — stores client IPs unhashed as queryable distinct IDs',