## Plan

### Goals

- Replace all `axios` usage with `nativeRequest` from `utils/http.js`
- Remove outbound telemetry/spying requests while keeping functional analytics (auth flows + GrowthBook feature flags)
- Do a quick security pass to remove obvious vulnerabilities and risky network behaviors

### Current Status

- Completed axios → nativeRequest conversions:
  - `services/mcp/officialRegistry.ts`
  - `services/mcp/claudeai.ts`
  - `services/oauth/getOauthProfile.ts`
- In progress:
  - `services/settingsSync/index.ts` (axios import removed; remaining axios calls + error classification need conversion)

### Next Steps (Axios Removal)

1. Fix `services/settingsSync/index.ts`
   - Replace `classifyAxiosError` import with `classifyHttpError` from `utils/errors.js`
   - Replace `axios.get(..., validateStatus: 200|404)` with `nativeRequest` + `try/catch` handling for `HttpError` 404
   - Replace `axios.put(...)` with `nativeRequest` (`method: 'PUT'`, JSON body)
2. Convert `services/oauth/client.ts`
   - Replace `axios.post/get` with `nativeRequest`
   - Replace `axios.isAxiosError` handling with `isHttpError`
   - Preserve analytics events but ensure no tokens/PII are logged
3. Convert `services/policyLimits/index.ts`
   - Replace `classifyAxiosError` with `classifyHttpError`
   - Replace `axios.get(... validateStatus: 200|304|404)` with `nativeRequest` + `try/catch` handling for `HttpError` statuses
   - Preserve existing caching semantics (304 means cache valid; 404 means empty restrictions)
4. Convert `services/remoteManagedSettings/index.ts` (same pattern as policy limits, plus 204/304/404 handling)
5. Convert remaining axios users (transports, bridge, installers, feedback, etc.)

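
A sketch of the step 3 conversion, added here as an example and not the project's own code. `HttpError`, `isHttpError` and `makeRequest` are hypothetical stand-ins for the project's HTTP utilities, assumed to reject on any non-2xx status; the `etag` field, the `If-None-Match` header and the injected transport are constructed for the example.

```javascript
// Hypothetical stand-ins: the real HttpError / isHttpError in the project may differ.
class HttpError extends Error {
  constructor(status) {
    super(`HTTP ${status}`);
    this.status = status;
  }
}
const isHttpError = (err) => err instanceof HttpError;

// Stand-in for nativeRequest. Assumption: it rejects with HttpError on any
// non-2xx status, so statuses axios accepted via validateStatus now arrive in catch.
// `transport` is an injected function so the example runs offline.
function makeRequest(transport) {
  return async (url, opts = {}) => {
    const res = await transport(url, opts);
    if (res.status < 200 || res.status >= 300) throw new HttpError(res.status);
    return res;
  };
}

// 200 -> fresh data, 304 -> cache still valid, 404 -> empty restrictions.
// Everything else is rethrown so an outage or auth failure is never
// mistaken for "no restrictions apply".
async function fetchPolicyLimits(request, url, cache) {
  const headers = cache && cache.etag ? { 'If-None-Match': cache.etag } : {};
  try {
    const res = await request(url, { method: 'GET', headers });
    return { source: 'network', etag: res.etag || null, restrictions: res.body.restrictions };
  } catch (err) {
    if (isHttpError(err) && err.status === 304 && cache) {
      return { source: 'cache', etag: cache.etag, restrictions: cache.restrictions };
    }
    if (isHttpError(err) && err.status === 404) {
      return { source: 'empty', etag: null, restrictions: {} };
    }
    throw err;
  }
}
```
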
### Telemetry / “Spying” Removal

- Search for outbound tracking endpoints and SDKs (events, crash reporting, session replay, fingerprinting)
- Remove or gate non-essential outbound calls behind “essential traffic only” where appropriate
- Keep:
  - OAuth/auth network flows required for functionality
  - GrowthBook feature flag fetches required for feature gating

### Security Pass (Quick Wins)

- Ensure no secrets/tokens are logged or included in analytics payloads
- Validate any places that build URLs/headers from user input to prevent SSRF or header injection
- Enforce timeouts on outbound requests and avoid overly permissive redirects
- Verify files written to disk use safe permissions (e.g. `0o600` for sensitive caches) and safe paths

### Verification

- Run the repo’s lint/typecheck commands
- Run test suite (or targeted tests) for settings sync / oauth client flows if present