hardening: isolate third-party paths and clean external-build metadata (#311)
* hardening: isolate third-party paths and clean external-build metadata * fix: restore external feedback flow and make privacy check portable
This commit is contained in:
KRATOS
GitHub
@@ -196,6 +196,13 @@ export function classifyFetchError() { return 'disabled'; }
|
||||
|
||||
'components/FeedbackSurvey/submitTranscriptShare': `
|
||||
export async function submitTranscriptShare() { return { success: false }; }
|
||||
`,
|
||||
|
||||
// ─── Internal employee logging (not needed in the external build) ─────
|
||||
|
||||
'services/internalLogging': `
|
||||
export async function logPermissionContextForAnts() {}
|
||||
export const getContainerId = async () => null;
|
||||
`,
|
||||
}
|
||||
|
||||
|
||||
46
scripts/verify-no-phone-home.sh
Normal file
46
scripts/verify-no-phone-home.sh
Normal file
@@ -0,0 +1,46 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
DIST="dist/cli.mjs"
|
||||
|
||||
if [ ! -f "$DIST" ]; then
|
||||
echo "ERROR: $DIST not found. Run 'bun run build' first."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
EXIT=0
|
||||
|
||||
BANNED=(
|
||||
"datadoghq.com"
|
||||
"api/event_logging/batch"
|
||||
"api/claude_code/metrics"
|
||||
"getKubernetesNamespace"
|
||||
"/var/run/secrets/kubernetes"
|
||||
"/proc/self/mountinfo"
|
||||
"tengu_internal_record_permission_context"
|
||||
)
|
||||
|
||||
echo "Checking $DIST for banned patterns..."
|
||||
echo ""
|
||||
|
||||
for pattern in "${BANNED[@]}"; do
|
||||
COUNT=$(grep -F -c "$pattern" "$DIST" 2>/dev/null || true)
|
||||
COUNT=${COUNT:-0}
|
||||
if [ "$COUNT" -gt 0 ]; then
|
||||
echo " FAIL: '$pattern' found ($COUNT occurrences)"
|
||||
EXIT=1
|
||||
else
|
||||
echo " PASS: '$pattern' not found"
|
||||
fi
|
||||
done
|
||||
|
||||
echo ""
|
||||
|
||||
if [ "$EXIT" -eq 0 ]; then
|
||||
echo "✓ All checks passed — no banned patterns in build output"
|
||||
else
|
||||
echo "✗ FAILED — banned patterns found in build output"
|
||||
fi
|
||||
|
||||
exit $EXIT
|
||||
43
scripts/verify-no-phone-home.ts
Normal file
43
scripts/verify-no-phone-home.ts
Normal file
@@ -0,0 +1,43 @@
|
||||
import { existsSync, readFileSync } from 'node:fs'
|
||||
|
||||
const DIST = 'dist/cli.mjs'
|
||||
const BANNED_PATTERNS = [
|
||||
'datadoghq.com',
|
||||
'api/event_logging/batch',
|
||||
'api/claude_code/metrics',
|
||||
'getKubernetesNamespace',
|
||||
'/var/run/secrets/kubernetes',
|
||||
'/proc/self/mountinfo',
|
||||
'tengu_internal_record_permission_context',
|
||||
] as const
|
||||
|
||||
if (!existsSync(DIST)) {
|
||||
console.error(`ERROR: ${DIST} not found. Run 'bun run build' first.`)
|
||||
process.exit(1)
|
||||
}
|
||||
|
||||
const contents = readFileSync(DIST, 'utf8')
|
||||
let exitCode = 0
|
||||
|
||||
console.log(`Checking ${DIST} for banned patterns...`)
|
||||
console.log('')
|
||||
|
||||
for (const pattern of BANNED_PATTERNS) {
|
||||
const count = contents.split(pattern).length - 1
|
||||
if (count > 0) {
|
||||
console.log(` FAIL: '${pattern}' found (${count} occurrences)`)
|
||||
exitCode = 1
|
||||
} else {
|
||||
console.log(` PASS: '${pattern}' not found`)
|
||||
}
|
||||
}
|
||||
|
||||
console.log('')
|
||||
|
||||
if (exitCode === 0) {
|
||||
console.log('✓ All checks passed — no banned patterns in build output')
|
||||
} else {
|
||||
console.log('✗ FAILED — banned patterns found in build output')
|
||||
}
|
||||
|
||||
process.exit(exitCode)
|
||||
Reference in New Issue
Block a user