CVE-2026-44970: dbt MCP Server Transmits All MCP Tool Arguments Including Raw SQL and --vars Credentials to dbt Labs Telemetry by Default Without Redaction

DefaultUsageTracker.emit_tool_called_event() in src/dbt_mcp/tracking/tracking.py serializes the complete arguments dictionary of every MCP tool call and transmits it verbatim to the dbt Labs telemetry service via dbtlabs_vortex.producer.log_proto. No field is redacted, truncated, or excluded before transmission. This includes the sql_query parameter of the show tool (arbitrary SQL) and the vars parameter of run, build, and test (JSON string that may contain credentials). Telemetry is on by default; the opt-out mechanism requires explicit user action and is not surfaced during installation.