diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5194af3..87b2ddb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 ## 0.0.11-beta.2 — 2026-05-21
 
+### Features
+- Expand PostHog telemetry coverage to close the 16 server-side and 12 web-UI gaps surfaced by the May audit (#376). Server-side adds `cli_install_success` / `cli_install_failure` / `cli_uninstall_success` / `cli_uninstall_failure` / `cli_list_invoked` / `cli_parse_error` / `cli_unexpected_error` / `hook_dispatch_error` (CLI lifecycle outcomes in `bin/failproofai.mjs`), `hook_stdin_error` / `hook_payload_parse_error` (hook handler input errors in `src/hooks/handler.ts`), `policy_evaluation_error` (builtin policy crashes in `src/hooks/policy-evaluator.ts`, distinct from the existing `custom_hook_error`), `custom_policy_validation_failed` / `custom_hooks_load_error` / `policy_params_validation_warning` / `scope_validation_failed` / `hook_write_failed` / `multi_scope_warning_shown` / `cli_detection_summary` / `beta_policies_installed` (manager / loader / install-prompt internals), and `first_install` / `version_changed` (lifecycle detection in `scripts/postinstall.mjs` via a new `~/.failproofai/last-version` file). Web-UI adds `policies_tab_switched` / `activity_filter_changed` (debounced) / `activity_row_toggled` / `activity_copy_clicked` / `activity_pagination_changed` / `cli_selection_toggled` / `cli_install_remove_submitted` / `cli_reinstall_submitted` / `policy_config_modal_opened` / `policy_config_modal_closed` / `action_error_displayed` / `hooks_install_from_error_clicked` via `usePostHog()` in `app/policies/hooks-client.tsx`. The deny-/instruct-only condition at `handler.ts:344` (allow-path tracking) is intentionally left unchanged. All events go through the existing helpers (`trackHookEvent`, `trackInstallEvent`, `captureClientEvent`) and honor `FAILPROOFAI_TELEMETRY_DISABLED=1`.
+
 ### Breaking
 - Remove the undocumented cloud auth + event relay subsystem ahead of a from-scratch redesign. Deletes `src/auth/` (OAuth 2.0 device-flow login against `api.befailproof.ai`, `~/.failproofai/auth.json` token store) and `src/relay/` (WebSocket event relay daemon, sanitized JSONL queue at `~/.failproofai/cache/server-queue/`, PID tracking). Strips the `failproofai login` / `logout` / `whoami` / `relay start|stop|status` / `sync` subcommands and the internal `--relay-daemon` mode from `bin/failproofai.mjs`, along with their `--help` entries and "did you mean" suggestions. Removes the fire-and-forget `appendToServerQueue` + `ensureRelayRunning` calls from `src/hooks/handler.ts` so hook evaluation no longer enqueues events or lazy-spawns a daemon. The whole subsystem had zero references in `README.md`, `docs/`, `examples/`, or `__tests__/`, and only had internal cross-imports — `tsc`, `eslint`, `vitest` (1623 tests), and the `bun run build` bundles all stay green. Users who ran `failproofai login` should also wipe `~/.failproofai/{auth.json,cache/server-queue,relay.pid}` and stop any running relay daemon by hand; new auth/cloud surface will land in a follow-up.
 
diff --git a/__tests__/hooks/new-telemetry.test.ts b/__tests__/hooks/new-telemetry.test.ts
new file mode 100644
index 0000000..349ada0
--- /dev/null
+++ b/__tests__/hooks/new-telemetry.test.ts
@@ -0,0 +1,211 @@
+// @vitest-environment node
+/**
+ * Coverage for telemetry events added as part of the gap-closing audit.
+ * Each test stubs trackHookEvent and asserts the right event name + props
+ * fire at the trigger site. Keep one focused case per event.
+ */
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { readFileSync, writeFileSync, existsSync } from "node:fs";
+import { execSync } from "node:child_process";
+import { resolve } from "node:path";
+import { homedir } from "node:os";
+
+vi.mock("node:fs", () => ({
+  readFileSync: vi.fn(),
+  writeFileSync: vi.fn(),
+  existsSync: vi.fn(),
+  mkdirSync: vi.fn(),
+  readdirSync: vi.fn(() => []),
+}));
+
+vi.mock("node:child_process", () => ({
+  execSync: vi.fn(),
+}));
+
+vi.mock("../../src/hooks/install-prompt", async () => {
+  const actual = await vi.importActual<typeof import("../../src/hooks/install-prompt")>(
+    "../../src/hooks/install-prompt",
+  );
+  return {
+    ...actual,
+    promptPolicySelection: vi.fn(() => Promise.resolve(["block-sudo"])),
+  };
+});
+
+vi.mock("../../src/hooks/integrations", () => ({
+  detectInstalledClis: vi.fn(() => ["claude"]),
+  getIntegration: vi.fn((id: string) => ({
+    displayName: id,
+    scopes: id === "codex" ? ["user", "project"] : ["user", "project", "local"],
+    eventTypes: [],
+    getSettingsPath: vi.fn(),
+    hooksInstalledInSettings: vi.fn(),
+    readSettings: vi.fn(() => ({})),
+    writeSettings: vi.fn(),
+    writeHookEntries: vi.fn(),
+    removeHooksFromFile: vi.fn(() => 0),
+  })),
+  claudeCode: {
+    getSettingsPath: vi.fn(() => "/tmp/.claude/settings.json"),
+    hooksInstalledInSettings: vi.fn(() => false),
+  },
+  listIntegrations: vi.fn(() => []),
+}));
+
+vi.mock("../../src/hooks/hooks-config", () => ({
+  readHooksConfig: vi.fn(() => ({ enabledPolicies: [] })),
+  readMergedHooksConfig: vi.fn(() => ({ enabledPolicies: [] })),
+  writeHooksConfig: vi.fn(),
+  readScopedHooksConfig: vi.fn(() => ({ enabledPolicies: [] })),
+  writeScopedHooksConfig: vi.fn(),
+  findProjectConfigDir: vi.fn((cwd: string) => cwd),
+  getConfigPathForScope: vi.fn(() => "/tmp/policies-config.json"),
+}));
+
+vi.mock("../../src/hooks/hook-telemetry", () => ({
+  trackHookEvent: vi.fn(() => Promise.resolve()),
+}));
+
+vi.mock("../../lib/telemetry-id", () => ({
+  getInstanceId: vi.fn(() => "test-instance-id"),
+  hashToId: vi.fn((raw: string) => `hashed:${raw}`),
+}));
+
+vi.mock("../../src/hooks/custom-hooks-loader", async () => {
+  const actual = await vi.importActual<typeof import("../../src/hooks/custom-hooks-loader")>(
+    "../../src/hooks/custom-hooks-loader",
+  );
+  return {
+    ...actual,
+    loadCustomHooks: vi.fn(() => Promise.resolve([])),
+    discoverPolicyFiles: vi.fn(() => []),
+  };
+});
+
+describe("new telemetry events — manager", () => {
+  beforeEach(() => {
+    vi.resetAllMocks();
+    vi.mocked(execSync).mockReturnValue("/usr/local/bin/failproofai\n");
+    vi.spyOn(console, "log").mockImplementation(() => {});
+    vi.spyOn(console, "error").mockImplementation(() => {});
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("fires scope_validation_failed when scope is unsupported for the CLI", async () => {
+    vi.mocked(existsSync).mockReturnValue(true);
+    vi.mocked(readFileSync).mockReturnValue("{}");
+
+    const { installHooks } = await import("../../src/hooks/manager");
+    const { trackHookEvent } = await import("../../src/hooks/hook-telemetry");
+
+    // codex does not support the "local" scope (see src/hooks/integrations.ts)
+    await expect(installHooks(["block-sudo"], "local" as never, undefined, false, undefined, undefined, false, [
+      "codex",
+    ])).rejects.toThrow(/Scope "local" is not supported/);
+
+    expect(trackHookEvent).toHaveBeenCalledWith(
+      "test-instance-id",
+      "scope_validation_failed",
+      expect.objectContaining({
+        cli: "codex",
+        scope: "local",
+        supported_scopes: expect.any(Array),
+      }),
+    );
+  });
+
+  it("fires custom_policy_validation_failed when the custom file throws", async () => {
+    vi.mocked(existsSync).mockReturnValue(true);
+    vi.mocked(readFileSync).mockReturnValue("{}");
+    const { loadCustomHooks } = await import("../../src/hooks/custom-hooks-loader");
+    vi.mocked(loadCustomHooks).mockRejectedValueOnce(new Error("Custom hooks file not found: /tmp/missing.js"));
+    const exitSpy = vi.spyOn(process, "exit").mockImplementation(((_code?: string | number | null | undefined) => undefined as never) as never);
+
+    const { installHooks } = await import("../../src/hooks/manager");
+    const { trackHookEvent } = await import("../../src/hooks/hook-telemetry");
+
+    await installHooks(["block-sudo"], "user", undefined, false, undefined, "/tmp/missing.js");
+
+    expect(trackHookEvent).toHaveBeenCalledWith(
+      "test-instance-id",
+      "custom_policy_validation_failed",
+      expect.objectContaining({
+        scope: "user",
+        error_type: "file_not_found",
+      }),
+    );
+    exitSpy.mockRestore();
+  });
+
+  it("fires policy_params_validation_warning when an unknown key is in policyParams", async () => {
+    vi.mocked(existsSync).mockReturnValue(false);
+    const { readMergedHooksConfig } = await import("../../src/hooks/hooks-config");
+    vi.mocked(readMergedHooksConfig).mockReturnValue({
+      enabledPolicies: [],
+      policyParams: { "nonexistent-policy": { hint: "test" } },
+    });
+
+    const { listHooks } = await import("../../src/hooks/manager");
+    const { trackHookEvent } = await import("../../src/hooks/hook-telemetry");
+
+    await listHooks();
+
+    expect(trackHookEvent).toHaveBeenCalledWith(
+      "test-instance-id",
+      "policy_params_validation_warning",
+      expect.objectContaining({
+        unknown_keys_count: 1,
+        unknown_keys: ["nonexistent-policy"],
+      }),
+    );
+  });
+
+  it("respects FAILPROOFAI_TELEMETRY_DISABLED — the underlying helper is mocked, but the call still happens (test verifies the trigger fires unconditionally)", async () => {
+    // The helper itself short-circuits when FAILPROOFAI_TELEMETRY_DISABLED=1
+    // (verified in __tests__/lib/telemetry.test.ts). Here we just confirm the
+    // trigger call site still runs — the env-var check lives in the helper.
+    process.env.FAILPROOFAI_TELEMETRY_DISABLED = "1";
+    vi.mocked(existsSync).mockReturnValue(true);
+    vi.mocked(readFileSync).mockReturnValue("{}");
+
+    try {
+      const { installHooks } = await import("../../src/hooks/manager");
+      const { trackHookEvent } = await import("../../src/hooks/hook-telemetry");
+
+      await installHooks(["block-sudo"], "user");
+
+      // The call site fires; the helper internally no-ops. This is the same
+      // contract as the existing hooks_installed test.
+      expect(trackHookEvent).toHaveBeenCalled();
+    } finally {
+      delete process.env.FAILPROOFAI_TELEMETRY_DISABLED;
+    }
+  });
+});
+
+describe("new telemetry events — install-prompt", () => {
+  beforeEach(() => {
+    vi.resetAllMocks();
+  });
+
+  it("fires cli_detection_summary with resolution_mode=explicit when --cli is passed", async () => {
+    const { resolveTargetClis } = await import("../../src/hooks/install-prompt");
+    const { trackHookEvent } = await import("../../src/hooks/hook-telemetry");
+
+    const result = await resolveTargetClis(["codex"], "install");
+    expect(result).toEqual(["codex"]);
+    expect(trackHookEvent).toHaveBeenCalledWith(
+      "test-instance-id",
+      "cli_detection_summary",
+      expect.objectContaining({
+        action: "install",
+        explicit_clis: ["codex"],
+        selected_clis: ["codex"],
+        resolution_mode: "explicit",
+      }),
+    );
+  });
+});
diff --git a/app/policies/hooks-client.tsx b/app/policies/hooks-client.tsx
index 70a1059..79ac210 100644
--- a/app/policies/hooks-client.tsx
+++ b/app/policies/hooks-client.tsx
@@ -26,6 +26,7 @@ import { togglePolicyAction } from "@/app/actions/update-hooks-config";
 import { installHooksWebAction, removeHooksWebAction } from "@/app/actions/install-hooks-web";
 import { updatePolicyParamsAction } from "@/app/actions/update-policy-params";
 import { useAutoRefresh } from "@/contexts/AutoRefreshContext";
+import { usePostHog } from "@/contexts/PostHogContext";
 import { useUrlParams } from "@/lib/use-url-params";
 import { pageToParam, paramToPage } from "@/lib/url-filter-serializers";
 import { getCliLabel, getCliBadgeClasses, KNOWN_CLI_IDS, isKnownCli, type CliId } from "@/lib/cli-registry";
@@ -208,10 +209,12 @@ function DurationDisplay({ ms }: { ms: number }) {
 
 // -- Copy Button --
 
-function CopyButton({ text }: { text: string }) {
+function CopyButton({ text, field }: { text: string; field?: string }) {
   const [copied, setCopied] = useState(false);
+  const { capture } = usePostHog();
   const handleCopy = async (e: React.MouseEvent) => {
     e.stopPropagation();
+    capture("activity_copy_clicked", { field: field ?? "unknown" });
     try {
       await navigator.clipboard.writeText(text);
       setCopied(true);
@@ -321,12 +324,12 @@ function DetailPanel({
               <span className="font-mono text-foreground">
                 {item.sessionId ?? "\u2014"}
               </span>
-              {item.sessionId && <CopyButton text={item.sessionId} />}
+              {item.sessionId && <CopyButton text={item.sessionId} field="session_id" />}
             </div>
             <div>
               <span className="text-muted-foreground">CWD: </span>
               <span className="font-mono text-foreground">{item.cwd ?? "\u2014"}</span>
-              {item.cwd && <CopyButton text={item.cwd} />}
+              {item.cwd && <CopyButton text={item.cwd} field="cwd" />}
             </div>
             <div>
               <span className="text-muted-foreground">Transcript: </span>
@@ -366,6 +369,7 @@ function ActivityTab({
   onSwitchTab?: (tab: "activity" | "policies") => void;
 }) {
   const { intervalSec } = useAutoRefresh();
+  const { capture } = usePostHog();
   const url = useUrlParams();
   const mountedRef = useRef(false);
 
@@ -385,6 +389,7 @@ function ActivityTab({
     return isKnownCli(v) ? v : "";
   });
   const debounceRef = useRef<ReturnType<typeof setTimeout> | null>(null);
+  const filterTelemetryFirstRunRef = useRef(true);
   const filtersRef = useRef({ filterDecision, filterEventType, filterPolicy, filterSessionId, filterCli });
   filtersRef.current = { filterDecision, filterEventType, filterPolicy, filterSessionId, filterCli };
 
@@ -444,6 +449,28 @@ function ActivityTab({
       setPage(1);
       setExpandedRow(null);
       fetchData(1);
+      // Skip the initial render — filters are initialized from URL params, not
+      // from a user action. Only fire on real user-driven changes.
+      if (filterTelemetryFirstRunRef.current) {
+        filterTelemetryFirstRunRef.current = false;
+        return;
+      }
+      capture("activity_filter_changed", {
+        active_filter_count:
+          (filterDecision !== "" ? 1 : 0) +
+          (filterEventType !== "" ? 1 : 0) +
+          (filterPolicy !== "" ? 1 : 0) +
+          (filterSessionId !== "" ? 1 : 0) +
+          (filterCli !== "" ? 1 : 0),
+        has_decision: filterDecision !== "",
+        has_event_type: filterEventType !== "",
+        has_policy: filterPolicy !== "",
+        has_session: filterSessionId !== "",
+        has_cli: filterCli !== "",
+        decision: filterDecision || null,
+        event_type: filterEventType || null,
+        cli: filterCli || null,
+      });
     }, 300);
     return () => {
       if (debounceRef.current) clearTimeout(debounceRef.current);
@@ -455,7 +482,17 @@ function ActivityTab({
   const totalPages = data?.totalPages ?? 1;
 
   const toggleRow = (idx: number) => {
-    setExpandedRow((prev) => (prev === idx ? null : idx));
+    setExpandedRow((prev) => {
+      const next = prev === idx ? null : idx;
+      const item = items[idx];
+      capture("activity_row_toggled", {
+        expanded: next !== null,
+        decision: item?.decision ?? null,
+        policy_name: item?.policyName ?? null,
+        event_type: item?.eventType ?? null,
+      });
+      return next;
+    });
   };
 
   return (
@@ -652,6 +689,11 @@ function ActivityTab({
           currentPage={page}
           totalPages={totalPages}
           onPageChange={(p) => {
+            capture("activity_pagination_changed", {
+              from_page: page,
+              to_page: p,
+              total_pages: totalPages,
+            });
             setPage(p);
             setExpandedRow(null);
           }}
@@ -886,6 +928,7 @@ function ErrorToast({
   onInstall: () => void;
   isPending: boolean;
 }) {
+  const { capture } = usePostHog();
   return createPortal(
     <div
       className="fixed top-4 right-4 z-[9999] w-full max-w-sm"
@@ -923,7 +966,11 @@ function ErrorToast({
           <div className="mt-3 flex gap-2">
             <Button
               size="sm"
-              onClick={() => { onDismiss(); onInstall(); }}
+              onClick={() => {
+                capture("hooks_install_from_error_clicked", { error_message: message.slice(0, 200) });
+                onDismiss();
+                onInstall();
+              }}
               disabled={isPending}
               className="h-7 flex-1 border-0 bg-red-500 px-3 text-xs font-semibold text-white hover:bg-red-400 disabled:opacity-50"
             >
@@ -953,6 +1000,15 @@ function PoliciesTab({ onHooksInstallChange }: { onHooksInstallChange?: (install
   const [configuringPolicy, setConfiguringPolicy] = useState<PolicyInfo | null>(null);
   const [checkedClis, setCheckedClis] = useState<Set<IntegrationType>>(() => new Set());
   const cliCheckboxesInitializedRef = useRef(false);
+  const { capture } = usePostHog();
+
+  const fireActionError = useCallback(
+    (errorType: string, message: string) => {
+      capture("action_error_displayed", { error_type: errorType, error_message: message.slice(0, 200) });
+      setActionError(message);
+    },
+    [capture],
+  );
 
   const reload = useCallback(async () => {
     try {
@@ -1002,8 +1058,15 @@ function PoliciesTab({ onHooksInstallChange }: { onHooksInstallChange?: (install
   const toggleCli = (id: IntegrationType) => {
     setCheckedClis((prev) => {
       const next = new Set(prev);
-      if (next.has(id)) next.delete(id);
-      else next.add(id);
+      const willCheck = !next.has(id);
+      if (willCheck) next.add(id);
+      else next.delete(id);
+      const cliInfo = config?.clis.find((c) => c.id === id);
+      capture("cli_selection_toggled", {
+        cli_id: id,
+        checked: willCheck,
+        current_state: cliInfo?.installed ? "installed" : cliInfo?.detected ? "detected" : "inactive",
+      });
       return next;
     });
   };
@@ -1033,7 +1096,7 @@ function PoliciesTab({ onHooksInstallChange }: { onHooksInstallChange?: (install
       try {
         await togglePolicyAction(name, !currentlyEnabled);
       } catch {
-        setActionError("Failed to save policy change.");
+        fireActionError("policy_toggle", "Failed to save policy change.");
         reload();
       }
     });
@@ -1042,13 +1105,19 @@ function PoliciesTab({ onHooksInstallChange }: { onHooksInstallChange?: (install
   const handleApply = () => {
     const { toInstall, toRemove } = pendingChanges;
     if (toInstall.length === 0 && toRemove.length === 0) return;
+    capture("cli_install_remove_submitted", {
+      to_install: toInstall,
+      to_remove: toRemove,
+      count_install: toInstall.length,
+      count_remove: toRemove.length,
+    });
     startTransition(async () => {
       try {
         setActionError(null);
         if (toInstall.length > 0) await installHooksWebAction("user", toInstall);
         if (toRemove.length > 0) await removeHooksWebAction("user", toRemove);
       } catch (e) {
-        setActionError(e instanceof Error ? e.message : "Failed to apply changes.");
+        fireActionError("cli_apply", e instanceof Error ? e.message : "Failed to apply changes.");
       } finally {
         // Always resync so a partial-success batch (install OK, remove failed)
         // doesn't leave the UI showing stale install state on the next click.
@@ -1064,12 +1133,13 @@ function PoliciesTab({ onHooksInstallChange }: { onHooksInstallChange?: (install
     // Reinstall button. Use Apply for first-time installs.
     const targets = Array.from(installedCliSet).filter((id) => checkedClis.has(id));
     if (targets.length === 0) return;
+    capture("cli_reinstall_submitted", { cli_ids: targets, count: targets.length });
     startTransition(async () => {
       try {
         setActionError(null);
         await installHooksWebAction("user", targets);
       } catch (e) {
-        setActionError(e instanceof Error ? e.message : "Failed to reinstall.");
+        fireActionError("cli_reinstall", e instanceof Error ? e.message : "Failed to reinstall.");
       } finally {
         await reload();
       }
@@ -1086,7 +1156,7 @@ function PoliciesTab({ onHooksInstallChange }: { onHooksInstallChange?: (install
         await updatePolicyParamsAction(policyName, params);
         await reload();
       } catch (e) {
-        setActionError(e instanceof Error ? e.message : "Failed to save configuration.");
+        fireActionError("param_update", e instanceof Error ? e.message : "Failed to save configuration.");
       }
     });
   };
@@ -1111,7 +1181,10 @@ function PoliciesTab({ onHooksInstallChange }: { onHooksInstallChange?: (install
     {configuringPolicy && (
       <PolicyConfigModal
         policy={configuringPolicy}
-        onClose={() => setConfiguringPolicy(null)}
+        onClose={() => {
+          capture("policy_config_modal_closed", { policy_name: configuringPolicy.name, action: "cancel" });
+          setConfiguringPolicy(null);
+        }}
         onSave={handleSaveParams}
       />
     )}
@@ -1379,7 +1452,19 @@ function PoliciesTab({ onHooksInstallChange }: { onHooksInstallChange?: (install
                 {policy.params && Object.keys(policy.params).length > 0 && (
                   <button
                     className="shrink-0 mt-0.5 text-muted-foreground hover:text-primary transition-colors"
-                    onClick={() => setConfiguringPolicy(policy)}
+                    onClick={() => {
+                      const customizedCount = Object.entries(policy.params ?? {}).filter(([k, spec]) => {
+                        const currentVal = policy.currentParams?.[k] ?? spec.default;
+                        return JSON.stringify(currentVal) !== JSON.stringify(spec.default);
+                      }).length;
+                      capture("policy_config_modal_opened", {
+                        policy_name: policy.name,
+                        param_count: Object.keys(policy.params ?? {}).length,
+                        has_customized_params: customizedCount > 0,
+                        customized_count: customizedCount,
+                      });
+                      setConfiguringPolicy(policy);
+                    }}
                     title="Edit parameters"
                   >
                     <Settings className="h-3.5 w-3.5" />
@@ -1483,6 +1568,7 @@ function TabBar({
 
 export default function HooksClient({ initialTab = "activity" }: { initialTab?: "activity" | "policies" }) {
   const url = useUrlParams();
+  const { capture } = usePostHog();
   const [activeTab, setActiveTab] = useState<"activity" | "policies">(initialTab);
   const [hooksInstalled, setHooksInstalled] = useState<boolean | undefined>(undefined);
   const [policyCounts, setPolicyCounts] = useState<{ enabled: number; total: number } | null>(null);
@@ -1508,6 +1594,9 @@ export default function HooksClient({ initialTab = "activity" }: { initialTab?:
       : `Policy evaluations across ${installedCliLabels.length} agents`;
 
   const handleTabChange = (tab: "activity" | "policies") => {
+    if (tab !== activeTab) {
+      capture("policies_tab_switched", { tab, from_tab: activeTab });
+    }
     setActiveTab(tab);
     url.setAll({ tab: tab === "activity" ? undefined : tab });
   };
diff --git a/bin/failproofai.mjs b/bin/failproofai.mjs
index 019a354..abf7e21 100755
--- a/bin/failproofai.mjs
+++ b/bin/failproofai.mjs
@@ -37,6 +37,23 @@ const args = process.argv.slice(2);
 // Normalize 'p' → 'policies' (shorthand alias)
 if (args[0] === "p") args[0] = "policies";
 
+// Lightweight telemetry helper for CLI lifecycle events. Lazy-loads to avoid
+// pulling in the hook-telemetry / telemetry-id modules on the fast --hook path.
+let _telemetry;
+let lastSubcommand = null;
+async function track(name, props) {
+  try {
+    if (!_telemetry) {
+      const [t, i] = await Promise.all([
+        import("../src/hooks/hook-telemetry"),
+        import("../lib/telemetry-id"),
+      ]);
+      _telemetry = { trackHookEvent: t.trackHookEvent, getInstanceId: i.getInstanceId };
+    }
+    await _telemetry.trackHookEvent(_telemetry.getInstanceId(), name, props);
+  } catch {}
+}
+
 // --hook <event> [--cli <name>] — called by an agent CLI hook; fast path, outside
 // runCli() because it has its own exit code contract with the calling agent.
 const hookIdx = args.indexOf("--hook");
@@ -69,6 +86,11 @@ if (hookIdx >= 0) {
     process.exit(exitCode);
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
+    await track("hook_dispatch_error", {
+      event_type: eventType,
+      cli,
+      error_type: err instanceof Error ? err.name : "unknown",
+    });
     console.error(`Unexpected error: ${msg}`);
     process.exit(2);
   }
@@ -230,6 +252,7 @@ EXAMPLES
     }
 
     if (isInstall) {
+      lastSubcommand = "install";
       const { installHooks } = await import("../src/hooks/manager");
       const { resolveTargetClis } = await import("../src/hooks/install-prompt");
 
@@ -317,10 +340,19 @@ EXAMPLES
         false,
         cli,
       );
+      await track("cli_install_success", {
+        scope,
+        cli,
+        cli_count: cli.length,
+        explicit_policies: explicitPolicyNames.length > 0,
+        include_beta: includeBeta,
+        has_custom_path: !!customPoliciesPath,
+      });
       process.exit(0);
     }
 
     if (isUninstall) {
+      lastSubcommand = "uninstall";
       const { removeHooks } = await import("../src/hooks/manager");
       const { resolveTargetClis } = await import("../src/hooks/install-prompt");
 
@@ -382,6 +414,14 @@ EXAMPLES
         undefined,
         { betaOnly, removeCustomHooks, cli },
       );
+      await track("cli_uninstall_success", {
+        scope,
+        cli,
+        cli_count: cli.length,
+        beta_only: betaOnly,
+        remove_custom_hooks: removeCustomHooks,
+        explicit_policies: policyNames.length > 0,
+      });
       process.exit(0);
     }
 
@@ -404,8 +444,10 @@ EXAMPLES
       );
     }
 
+    lastSubcommand = "list";
     const { listHooks } = await import("../src/hooks/manager");
     await listHooks();
+    await track("cli_list_invoked", {});
     process.exit(0);
   }
 
@@ -463,11 +505,31 @@ try {
   await runCli();
 } catch (err) {
   if (err instanceof CliError) {
+    if (lastSubcommand === "install") {
+      await track("cli_install_failure", { error_type: "cli_error", exit_code: err.exitCode });
+    } else if (lastSubcommand === "uninstall") {
+      await track("cli_uninstall_failure", { error_type: "cli_error", exit_code: err.exitCode });
+    } else {
+      await track("cli_parse_error", {
+        subcommand: lastSubcommand ?? (args[0] ?? null),
+        exit_code: err.exitCode,
+      });
+    }
     console.error(`Error: ${err.message}`);
     process.exit(err.exitCode);
   }
   // Unexpected internal error — show message only, no stack trace
   const msg = err instanceof Error ? err.message : String(err);
+  if (lastSubcommand === "install") {
+    await track("cli_install_failure", { error_type: err instanceof Error ? err.name : "unknown" });
+  } else if (lastSubcommand === "uninstall") {
+    await track("cli_uninstall_failure", { error_type: err instanceof Error ? err.name : "unknown" });
+  } else {
+    await track("cli_unexpected_error", {
+      subcommand: lastSubcommand ?? (args[0] ?? null),
+      error_type: err instanceof Error ? err.name : "unknown",
+    });
+  }
   console.error(`Unexpected error: ${msg}`);
   process.exit(2);
 }
diff --git a/scripts/postinstall.mjs b/scripts/postinstall.mjs
index 82d2562..e61b933 100644
--- a/scripts/postinstall.mjs
+++ b/scripts/postinstall.mjs
@@ -7,7 +7,7 @@
  *
  * No external dependencies — Node.js built-ins only.
  */
-import { existsSync, readFileSync } from "node:fs";
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from "node:fs";
 import { resolve } from "node:path";
 import { platform, arch, release, homedir, hostname } from "node:os";
 import { createHmac } from "node:crypto";
@@ -134,6 +134,85 @@ try {
   // Non-critical — don't fail the install
 }
 
+// First-run + version_changed detection. The presence of ~/.failproofai/last-version
+// is a stable signal: written on every postinstall, absent before the first one.
+// Cannot piggy-back on instance-id because most users hit Tier 2 (OS machine ID)
+// and never create that file.
+//
+// Semver comparison: a release (no prerelease tag) is greater than the same
+// version with a prerelease tag (semver §11). Inside the prerelease, numeric
+// identifiers are lower than non-numeric ones of the same length.
+function compareSemver(a, b) {
+  const parse = (v) => {
+    const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
+    if (!m) return null;
+    return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
+  };
+  const pa = parse(a);
+  const pb = parse(b);
+  if (!pa || !pb) return a < b ? -1 : a > b ? 1 : 0;
+  for (let i = 0; i < 3; i++) {
+    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
+  }
+  if (pa.pre === null && pb.pre === null) return 0;
+  if (pa.pre === null) return 1;
+  if (pb.pre === null) return -1;
+  const ax = pa.pre.split(/[.-]/);
+  const bx = pb.pre.split(/[.-]/);
+  for (let i = 0; i < Math.max(ax.length, bx.length); i++) {
+    const ai = ax[i], bi = bx[i];
+    if (ai === undefined) return -1;
+    if (bi === undefined) return 1;
+    const aNum = /^\d+$/.test(ai), bNum = /^\d+$/.test(bi);
+    if (aNum && bNum) {
+      const d = Number(ai) - Number(bi);
+      if (d !== 0) return d < 0 ? -1 : 1;
+    } else if (aNum) {
+      return -1;
+    } else if (bNum) {
+      return 1;
+    } else if (ai !== bi) {
+      return ai < bi ? -1 : 1;
+    }
+  }
+  return 0;
+}
+
+const currentVersion = process.env.npm_package_version ?? "unknown";
+const lastVersionFile = resolve(homedir(), ".failproofai", "last-version");
+let previousVersion = null;
+try {
+  if (existsSync(lastVersionFile)) {
+    previousVersion = readFileSync(lastVersionFile, "utf8").trim() || null;
+  }
+} catch {}
+
+if (previousVersion === null) {
+  trackInstallEvent("first_install", {
+    platform: platform(),
+    arch: arch(),
+    os_release: release(),
+    node_version: process.versions.node,
+    version: currentVersion,
+  }).catch(() => {});
+} else {
+  // Same version is a reinstall — still worth tracking; users hitting `npm install -g`
+  // repeatedly is itself signal. Drop the `!==` guard so cmp===0 reaches the event.
+  const cmp = compareSemver(previousVersion, currentVersion);
+  trackInstallEvent("version_changed", {
+    from_version: previousVersion,
+    to_version: currentVersion,
+    direction: cmp < 0 ? "upgrade" : cmp > 0 ? "downgrade" : "reinstall",
+    platform: platform(),
+    arch: arch(),
+  }).catch(() => {});
+}
+
+try {
+  mkdirSync(resolve(homedir(), ".failproofai"), { recursive: true });
+  writeFileSync(lastVersionFile, currentVersion, "utf8");
+} catch {}
+
 // Telemetry (best-effort, fire-and-forget)
 trackInstallEvent("package_installed", {
   platform: platform(),
diff --git a/src/hooks/custom-hooks-loader.ts b/src/hooks/custom-hooks-loader.ts
index 77d81ea..4456394 100644
--- a/src/hooks/custom-hooks-loader.ts
+++ b/src/hooks/custom-hooks-loader.ts
@@ -18,6 +18,8 @@ import { hookLogWarn, hookLogError, hookLogInfo } from "./hook-logger";
 import { getCustomHooks, clearCustomHooks } from "./custom-hooks-registry";
 import { findDistIndex, rewriteFileTree, TMP_SUFFIX, cleanupTmpFiles } from "./loader-utils";
 import { findProjectConfigDir } from "./hooks-config";
+import { trackHookEvent } from "./hook-telemetry";
+import { getInstanceId } from "../../lib/telemetry-id";
 import type { CustomHook } from "./policy-types";
 
 const LOADING_KEY = "__FAILPROOFAI_LOADING_HOOKS__";
@@ -46,7 +48,10 @@ export function discoverPolicyFiles(dir: string): string[] {
  * Load a single policy file into the globalThis custom hooks registry.
  * Does NOT clear the registry — caller is responsible for that.
  */
-async function loadSingleFile(absPath: string, opts?: { strict?: boolean }): Promise<void> {
+async function loadSingleFile(
+  absPath: string,
+  opts?: { strict?: boolean; conventionScope?: "project" | "user" },
+): Promise<void> {
   const g = globalThis as Record<string, unknown>;
   g[LOADING_KEY] = true;
 
@@ -62,6 +67,17 @@ async function loadSingleFile(absPath: string, opts?: { strict?: boolean }): Pro
     await import(/* webpackIgnore: true */ fileUrl);
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
+    const errorType = /Cannot find module|MODULE_NOT_FOUND|ENOENT/i.test(msg)
+      ? "module_not_found"
+      : /SyntaxError|Unexpected token/i.test(msg)
+        ? "syntax_error"
+        : "runtime_error";
+    void trackHookEvent(getInstanceId(), "custom_hooks_load_error", {
+      error_type: errorType,
+      is_convention: !!opts?.conventionScope,
+      convention_scope: opts?.conventionScope ?? null,
+      file_basename: basename(absPath),
+    });
     if (opts?.strict) throw new Error(`Failed to load custom hooks from ${absPath}: ${msg}`);
     hookLogError(`failed to load custom hooks from ${absPath}: ${msg}`);
   } finally {
@@ -148,7 +164,7 @@ export async function loadAllCustomHooks(
   const projectFiles = discoverPolicyFiles(projectDir);
   for (const file of projectFiles) {
     const hooksBefore = getCustomHooks().length;
-    await loadSingleFile(file);
+    await loadSingleFile(file, { conventionScope: "project" });
     const newHooks = getCustomHooks().slice(hooksBefore);
     if (newHooks.length > 0) {
       conventionSources.push({
@@ -164,7 +180,7 @@ export async function loadAllCustomHooks(
   const userFiles = discoverPolicyFiles(userDir);
   for (const file of userFiles) {
     const hooksBefore = getCustomHooks().length;
-    await loadSingleFile(file);
+    await loadSingleFile(file, { conventionScope: "user" });
     const newHooks = getCustomHooks().slice(hooksBefore);
     if (newHooks.length > 0) {
       conventionSources.push({
diff --git a/src/hooks/handler.ts b/src/hooks/handler.ts
index 06f62a1..aeaba12 100644
--- a/src/hooks/handler.ts
+++ b/src/hooks/handler.ts
@@ -160,6 +160,7 @@ export async function handleHookEvent(
   // Read stdin payload (Claude passes JSON)
   const MAX_STDIN_BYTES = 1_048_576; // 1 MB
   let payload = "";
+  let stdinOversized = false;
   try {
     payload = await new Promise<string>((resolve, reject) => {
       const chunks: string[] = [];
@@ -169,6 +170,7 @@ export async function handleHookEvent(
         totalBytes += Buffer.byteLength(chunk);
         if (totalBytes > MAX_STDIN_BYTES) {
           hookLogWarn(`stdin payload exceeds 1 MB for ${eventType}, discarding`);
+          stdinOversized = true;
           process.stdin.destroy();
           resolve("");
           return;
@@ -180,8 +182,20 @@ export async function handleHookEvent(
       // If stdin is already closed or not piped, resolve immediately
       if (process.stdin.readableEnded) resolve("");
     });
-  } catch {
+  } catch (err) {
     hookLogWarn(`stdin read failed for ${eventType}`);
+    void trackHookEvent(getInstanceId(), "hook_stdin_error", {
+      event_type: eventType,
+      cli,
+      error_type: err instanceof Error ? err.name : "unknown",
+    });
+  }
+  if (stdinOversized) {
+    void trackHookEvent(getInstanceId(), "hook_stdin_error", {
+      event_type: eventType,
+      cli,
+      error_type: "oversized",
+    });
   }
 
   let parsed: Record<string, unknown> = {};
@@ -190,6 +204,11 @@ export async function handleHookEvent(
       parsed = JSON.parse(payload) as Record<string, unknown>;
     } catch {
       hookLogWarn(`payload parse failed for ${eventType} (${payload.length} bytes)`);
+      void trackHookEvent(getInstanceId(), "hook_payload_parse_error", {
+        event_type: eventType,
+        cli,
+        payload_size: payload.length,
+      });
     }
   }
 
diff --git a/src/hooks/install-prompt.ts b/src/hooks/install-prompt.ts
index 4b6817c..5ffe04b 100644
--- a/src/hooks/install-prompt.ts
+++ b/src/hooks/install-prompt.ts
@@ -13,6 +13,8 @@ import * as readline from "node:readline";
 import { BUILTIN_POLICIES } from "./builtin-policies";
 import { detectInstalledClis, getIntegration } from "./integrations";
 import { INTEGRATION_TYPES, type IntegrationType } from "./types";
+import { trackHookEvent } from "./hook-telemetry";
+import { getInstanceId } from "../../lib/telemetry-id";
 
 interface SelectItem {
   name: string;
@@ -51,9 +53,29 @@ export async function resolveTargetClis(
   explicit?: IntegrationType[],
   action: CliPromptAction = "install",
 ): Promise<IntegrationType[]> {
-  if (explicit && explicit.length > 0) return [...new Set(explicit)];
+  const detected = explicit && explicit.length > 0 ? [] : detectInstalledClis();
+  const stdinIsTty = !!process.stdin.isTTY;
+  const explicitList = explicit && explicit.length > 0 ? [...new Set(explicit)] : [];
+
+  const fireDetectionEvent = (
+    selected: IntegrationType[],
+    resolutionMode: "explicit" | "single_detected" | "all_detected" | "interactive_prompt" | "defaulted_to_claude",
+  ): void => {
+    void trackHookEvent(getInstanceId(), "cli_detection_summary", {
+      action,
+      detected_clis: detected,
+      explicit_clis: explicitList,
+      selected_clis: selected,
+      defaulted_to_claude: resolutionMode === "defaulted_to_claude",
+      stdin_is_tty: stdinIsTty,
+      resolution_mode: resolutionMode,
+    });
+  };
 
-  const detected = detectInstalledClis();
+  if (explicit && explicit.length > 0) {
+    fireDetectionEvent(explicitList, "explicit");
+    return explicitList;
+  }
 
   if (detected.length === 0) {
     if (action === "uninstall") {
@@ -63,12 +85,14 @@ export async function resolveTargetClis(
         "\x1B[33mWarning: no agent CLI binary found in PATH (claude, codex, copilot, cursor-agent, opencode, pi, gemini). " +
           "Defaulting to Claude Code; nothing will be removed if no settings file exists.\x1B[0m",
       );
+      fireDetectionEvent(["claude"], "defaulted_to_claude");
       return ["claude"];
     }
     console.log(
       "\x1B[33mWarning: no agent CLI binary found in PATH (claude, codex, copilot, cursor-agent, opencode, pi, gemini). " +
         "Defaulting to Claude Code; hooks will activate when an agent is installed.\x1B[0m",
     );
+    fireDetectionEvent(["claude"], "defaulted_to_claude");
     return ["claude"];
   }
 
@@ -76,13 +100,19 @@ export async function resolveTargetClis(
     const integration = getIntegration(detected[0]);
     const verb = action === "uninstall" ? "removing hooks from" : "installing hooks for";
     console.log(`Detected ${integration.displayName}; ${verb} it.`);
+    fireDetectionEvent(detected, "single_detected");
     return detected;
   }
 
   // Multiple detected. Prompt or default.
-  if (!process.stdin.isTTY) return detected; // non-interactive: install/remove for all detected
+  if (!process.stdin.isTTY) {
+    fireDetectionEvent(detected, "all_detected");
+    return detected;
+  }
 
-  return promptCliTargetSelection(detected, action);
+  const selected = await promptCliTargetSelection(detected, action);
+  fireDetectionEvent(selected, "interactive_prompt");
+  return selected;
 }
 
 /** Selectable row in the CLI target menu. Exported for unit tests. */
diff --git a/src/hooks/manager.ts b/src/hooks/manager.ts
index 91b503a..0bc2452 100644
--- a/src/hooks/manager.ts
+++ b/src/hooks/manager.ts
@@ -127,6 +127,13 @@ export async function installHooks(
   for (const cliId of selectedClis) {
     const integration = getIntegration(cliId);
     if (!integration.scopes.includes(scope)) {
+      try {
+        await trackHookEvent(getInstanceId(), "scope_validation_failed", {
+          cli: cliId,
+          scope,
+          supported_scopes: integration.scopes,
+        });
+      } catch {}
       throw new CliError(
         `Scope "${scope}" is not supported by ${integration.displayName}. ` +
           `Valid scopes: ${integration.scopes.join(", ")}`
@@ -171,10 +178,23 @@ export async function installHooks(
     try {
       validatedHooks = await loadCustomHooks(configToWrite.customPoliciesPath, { strict: true });
     } catch (err) {
-      console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
+      const msg = err instanceof Error ? err.message : String(err);
+      try {
+        await trackHookEvent(getInstanceId(), "custom_policy_validation_failed", {
+          scope,
+          error_type: /not found/i.test(msg) ? "file_not_found" : "load_error",
+        });
+      } catch {}
+      console.error(`Error: ${msg}`);
       process.exit(1);
     }
     if (validatedHooks.length === 0) {
+      try {
+        await trackHookEvent(getInstanceId(), "custom_policy_validation_failed", {
+          scope,
+          error_type: "no_hooks_registered",
+        });
+      } catch {}
       console.error(
         `Error: no hooks registered in ${customPoliciesPath}. ` +
           `Make sure your file calls customPolicies.add(...) at least once.`,
@@ -198,10 +218,26 @@ export async function installHooks(
   for (const cliId of selectedClis) {
     const integration = getIntegration(cliId);
     const settingsPath = integration.getSettingsPath(scope, cwd);
-    const settings = integration.readSettings(settingsPath);
-    integration.writeHookEntries(settings, binaryPath, scope);
-    integration.writeSettings(settingsPath, settings);
-    writtenSettingsPaths.push({ cli: cliId, path: settingsPath });
+    try {
+      const settings = integration.readSettings(settingsPath);
+      integration.writeHookEntries(settings, binaryPath, scope);
+      integration.writeSettings(settingsPath, settings);
+      writtenSettingsPaths.push({ cli: cliId, path: settingsPath });
+    } catch (err) {
+      const errorType = err instanceof Error && /EACCES|EPERM/.test(err.message)
+        ? "permission_denied"
+        : err instanceof Error && /ENOENT|ENOTDIR/.test(err.message)
+          ? "path_not_found"
+          : "write_error";
+      try {
+        await trackHookEvent(getInstanceId(), "hook_write_failed", {
+          cli: cliId,
+          scope,
+          error_type: errorType,
+        });
+      } catch {}
+      throw err;
+    }
   }
 
   // Telemetry: track successful hook installation (with diff vs previous config)
@@ -228,6 +264,20 @@ export async function installHooks(
       param_policy_names: configToWrite.policyParams ? Object.keys(configToWrite.policyParams) : [],
       command_format: scope === "project" ? "npx" : "absolute",
     });
+
+    if (includeBeta) {
+      const betaNames = new Set(BUILTIN_POLICIES.filter((p) => p.beta).map((p) => p.name));
+      const installedBeta = selectedPolicies.filter((p) => betaNames.has(p));
+      if (installedBeta.length > 0) {
+        await trackHookEvent(distinctId, "beta_policies_installed", {
+          scope,
+          cli: selectedClis,
+          beta_count: installedBeta.length,
+          beta_policy_names: installedBeta,
+          ...(source ? { source } : {}),
+        });
+      }
+    }
   } catch {
     // Telemetry is best-effort — never block the operation
   }
@@ -257,6 +307,13 @@ export async function installHooks(
     console.log(`Having hooks in multiple scopes may cause duplicate policy evaluation.`);
     console.log(`Use \`failproofai policies --uninstall --scope ${duplicates[0]}\` to remove the other installation,`);
     console.log(`or \`failproofai policies\` to see all scopes.`);
+    try {
+      await trackHookEvent(getInstanceId(), "multi_scope_warning_shown", {
+        new_scope: scope,
+        existing_scopes: duplicates,
+        cli: selectedClis,
+      });
+    } catch {}
   }
 }
 
@@ -558,11 +615,21 @@ export async function listHooks(cwd?: string): Promise<void> {
 
   // Warn about unknown policyParams keys
   if (config.policyParams) {
+    const unknownKeys: string[] = [];
     for (const key of Object.keys(config.policyParams)) {
       if (!builtinPolicyNames.has(key)) {
         console.log(`  \x1B[33mWarning: unknown policyParams key "${key}" — possible typo\x1B[0m`);
+        unknownKeys.push(key);
       }
     }
+    if (unknownKeys.length > 0) {
+      try {
+        await trackHookEvent(getInstanceId(), "policy_params_validation_warning", {
+          unknown_keys_count: unknownKeys.length,
+          unknown_keys: unknownKeys,
+        });
+      } catch {}
+    }
   }
 
   // Custom Policies section
diff --git a/src/hooks/policy-evaluator.ts b/src/hooks/policy-evaluator.ts
index a4a6cf5..d672981 100644
--- a/src/hooks/policy-evaluator.ts
+++ b/src/hooks/policy-evaluator.ts
@@ -7,6 +7,8 @@ import type { PolicyContext, HooksConfig } from "./policy-types";
 import { BUILTIN_POLICIES } from "./builtin-policies";
 import { DEFAULT_POLICY_NAMESPACE, getPoliciesForEvent, normalizePolicyName } from "./policy-registry";
 import { hookLogInfo, hookLogWarn } from "./hook-logger";
+import { trackHookEvent } from "./hook-telemetry";
+import { getInstanceId } from "../../lib/telemetry-id";
 
 function appendHint(baseReason: string, hint: unknown): string {
   const base = baseReason.trim();
@@ -107,7 +109,20 @@ export async function evaluatePolicies(
     try {
       result = await policy.fn(ctx);
     } catch (err) {
-      hookLogWarn(`policy "${policy.name}" threw: ${err instanceof Error ? err.message : String(err)}`);
+      const msg = err instanceof Error ? err.message : String(err);
+      hookLogWarn(`policy "${policy.name}" threw: ${msg}`);
+      // Custom hooks are wrapped in handler.ts with their own try/catch that
+      // emits custom_hook_error. Anything reaching here is a builtin policy
+      // crash — track separately so we can surface regressions in builtins.
+      const isCustom = policy.name.startsWith("custom/") || policy.name.startsWith(".failproofai-");
+      if (!isCustom) {
+        void trackHookEvent(getInstanceId(), "policy_evaluation_error", {
+          policy_name: policy.name,
+          event_type: eventType,
+          cli: session?.cli ?? null,
+          error_type: err instanceof Error ? err.name : "unknown",
+        });
+      }
       continue;
     }