claude-code/PLAN.md
2026-04-02 15:19:28 +03:00

Plan

Goals

  • Replace all axios usage with nativeRequest from utils/http.js
  • Remove outbound telemetry/spying requests while keeping functional analytics (auth flows + GrowthBook feature flags)
  • Do a quick security pass to remove obvious vulnerabilities and risky network behaviors

Current Status

  • Completed axios → nativeRequest conversions:
    • services/mcp/officialRegistry.ts
    • services/mcp/claudeai.ts
    • services/oauth/getOauthProfile.ts
  • In progress:
    • services/settingsSync/index.ts (axios import removed; remaining axios calls + error classification need conversion)

Next Steps (Axios Removal)

  1. Fix services/settingsSync/index.ts
    • Replace classifyAxiosError import with classifyHttpError from utils/errors.js
    • Replace axios.get(..., validateStatus: 200|404) with nativeRequest + try/catch handling for HttpError 404
    • Replace axios.put(...) with nativeRequest (method: 'PUT', JSON body)
  2. Convert services/oauth/client.ts
    • Replace axios.post/get with nativeRequest
    • Replace axios.isAxiosError handling with isHttpError
    • Preserve analytics events but ensure no tokens/PII are logged
  3. Convert services/policyLimits/index.ts
    • Replace classifyAxiosError with classifyHttpError
    • Replace axios.get(... validateStatus: 200|304|404) with nativeRequest + try/catch handling for HttpError statuses
    • Preserve existing caching semantics (304 means cache valid; 404 means empty restrictions)
  4. Convert services/remoteManagedSettings/index.ts (same pattern as policy limits, plus 204/304/404 handling)
  5. Convert remaining axios users (transports, bridge, installers, feedback, etc.)
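Steps 1, 3 and 4 all reduce to the same move: statuses that axios accepted through validateStatus (304, 404) become HttpError rejections that a catch block maps onto the existing cache semantics, while everything else propagates to classifyHttpError. The block below is an added example written for the policy-limits case and is not code from the project; HttpError, isHttpError, the Transport type, the 10-second timeout and the in-memory transport are assumptions standing in for utils/http.js and the real network.

```typescript
// Added example, not the project's own code. It shows the "nativeRequest +
// try/catch handling for HttpError" pattern from the plan for the policy-limits
// case (304 = cache still valid, 404 = empty restrictions). HttpError,
// isHttpError, the Transport shape and the in-memory transport are assumptions
// standing in for utils/http.js and the real network.

export class HttpError extends Error {
  constructor(public readonly status: number, public readonly url: string) {
    super("HTTP " + status + " for " + url);
    this.name = "HttpError";
  }
}

// Duck-typed so it works regardless of how Error subclasses are compiled.
export function isHttpError(e: unknown): e is HttpError {
  return (
    typeof e === "object" && e !== null &&
    (e as { name?: unknown }).name === "HttpError" &&
    typeof (e as { status?: unknown }).status === "number"
  );
}

export interface HttpResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

export interface RequestOptions {
  url: string;
  method: "GET" | "PUT";
  headers?: Record<string, string>;
  body?: string;
  timeoutMs?: number;
}

// Assumed contract of nativeRequest: resolves on 2xx, rejects with HttpError
// for any other status, so non-2xx handling lives in a catch block instead of
// an axios-style validateStatus callback.
export type Transport = (opts: RequestOptions) => Promise<HttpResponse>;

export interface PolicyCache {
  etag: string;
  limits: Record<string, number>;
}

// Parse a 200 body into the cache shape, keeping only finite numeric limits.
export function parsePolicyResponse(res: HttpResponse): PolicyCache {
  const parsed: unknown = JSON.parse(res.body);
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    throw new Error("policy limits body is not a JSON object");
  }
  const record = parsed as Record<string, unknown>;
  const limits: Record<string, number> = {};
  for (const key of Object.keys(record)) {
    const value = record[key];
    if (typeof value === "number" && isFinite(value)) limits[key] = value;
  }
  return { etag: res.headers["etag"] ?? "", limits };
}

// Map the statuses axios used to accept via validateStatus onto the cache
// semantics; anything else is rethrown for classifyHttpError upstream.
export function handlePolicyError(err: unknown, cached: PolicyCache | null): PolicyCache {
  if (isHttpError(err)) {
    if (err.status === 304 && cached !== null) return cached; // cache valid
    if (err.status === 404) return { etag: "", limits: {} };  // empty restrictions
  }
  throw err;
}

export async function fetchPolicyLimits(
  request: Transport,
  url: string,
  cached: PolicyCache | null,
): Promise<PolicyCache> {
  const headers: Record<string, string> = {};
  if (cached !== null && cached.etag !== "") headers["If-None-Match"] = cached.etag;
  try {
    const res = await request({ url, method: "GET", headers, timeoutMs: 10000 });
    return parsePolicyResponse(res);
  } catch (err) {
    return handlePolicyError(err, cached);
  }
}

// Constructed in-memory transport for the example: serves fixed routes and
// honours If-None-Match so the 304 path can be exercised offline.
export function makeFakeTransport(routes: Record<string, HttpResponse>): Transport {
  return async (opts) => {
    const res = routes[opts.url];
    if (res === undefined) throw new HttpError(404, opts.url);
    const ifNoneMatch = opts.headers?.["If-None-Match"];
    if (ifNoneMatch !== undefined && ifNoneMatch === res.headers["etag"]) {
      throw new HttpError(304, opts.url);
    }
    if (res.status < 200 || res.status >= 300) throw new HttpError(res.status, opts.url);
    return res;
  };
}
```

Keeping handlePolicyError pure means the 304/404 mapping can be unit-tested without a transport, and the remoteManagedSettings conversion in step 4 can reuse the same shape with a 204 branch added.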

Telemetry / “Spying” Removal

  • Search for outbound tracking endpoints and SDKs (events, crash reporting, session replay, fingerprinting)
  • Remove or gate non-essential outbound calls behind “essential traffic only” where appropriate
  • Keep:
    • OAuth/auth network flows required for functionality
    • GrowthBook feature flag fetches required for feature gating

Security Pass (Quick Wins)

  • Ensure no secrets/tokens are logged or included in analytics payloads
  • Validate any places that build URLs/headers from user input to prevent SSRF or header injection
  • Enforce timeouts on outbound requests and avoid overly permissive redirects
  • Verify files written to disk use safe permissions (e.g. 0o600 for sensitive caches) and safe paths
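The checks above are easiest to enforce once at the boundary rather than at every call site. The following block is an added example, not code from the project, showing one helper per item: an SSRF-safe URL builder over an allowlisted HTTPS base, a header-value check that rejects line breaks, a same-origin HTTPS-only redirect policy, and a redaction pass run on a payload before it reaches analytics. The allowlisted host, the secret-key patterns and the helper names are assumptions for illustration; the file-permission item is not covered here.

```typescript
// Added example, not the project's own code, for the "Security Pass" items:
// SSRF-safe URL building, header injection rejection, a restrictive redirect
// policy, and redaction of secrets before a payload reaches analytics. The
// allowlisted host, key patterns and helper names are assumptions.

const ALLOWED_HOSTS = ["api.example.invalid"]; // assumed allowlist of outbound hosts

// Build an outbound URL without letting user input change scheme, host or path
// structure: the segment is restricted to a safe character set (no "/", "?",
// "#", "@", and no dots-only segments) before being appended to the base.
export function buildOutboundUrl(base: string, userSegment: string): string {
  const baseUrl = new URL(base);
  if (baseUrl.protocol !== "https:") throw new Error("outbound base must be https");
  if (ALLOWED_HOSTS.indexOf(baseUrl.hostname) === -1) {
    throw new Error("host not allowlisted: " + baseUrl.hostname);
  }
  if (!/^[A-Za-z0-9._-]{1,128}$/.test(userSegment) || /^\.+$/.test(userSegment)) {
    throw new Error("invalid path segment");
  }
  baseUrl.pathname = baseUrl.pathname.replace(/\/?$/, "/") + encodeURIComponent(userSegment);
  return baseUrl.toString();
}

// Reject header values that could split the request or smuggle a second header.
export function safeHeaderValue(name: string, value: string): string {
  if (/[\r\n\0]/.test(value)) throw new Error("header " + name + " contains a line break or NUL");
  return value;
}

// Follow a redirect only when it stays on the same HTTPS origin, so a redirect
// cannot turn an allowlisted request into one that reaches another host.
export function redirectAllowed(from: string, to: string): boolean {
  const src = new URL(from);
  const dst = new URL(to, src); // resolves relative Location values
  return dst.protocol === "https:" && dst.origin === src.origin;
}

const SECRET_KEY = /token|secret|password|authorization|cookie|api[-_]?key/i;
const BEARER = /\bBearer\s+[A-Za-z0-9._~+/=-]+/g;

// Return a copy of an analytics payload with secret-bearing keys replaced and
// bearer tokens inside free-text values masked; nested objects are walked.
export function redactForAnalytics(payload: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(payload)) {
    const value = payload[key];
    if (SECRET_KEY.test(key)) {
      out[key] = "[REDACTED]";
    } else if (typeof value === "string") {
      out[key] = value.replace(BEARER, "Bearer [REDACTED]");
    } else if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      out[key] = redactForAnalytics(value as Record<string, unknown>);
    } else {
      out[key] = value;
    }
  }
  return out;
}
```

Routing every outbound call through a wrapper that applies these checks (plus a fixed timeout) is what makes the "essential traffic only" gating in the telemetry section auditable: any request that bypasses the wrapper stands out in review.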

Verification

  • Run the repo's lint/typecheck commands
  • Run test suite (or targeted tests) for settings sync / oauth client flows if present