claude-code/PLAN.md
2026-04-02 15:19:28 +03:00

## Plan
### Goals
- Replace all `axios` usage with `nativeRequest` from `utils/http.js`
- Remove outbound telemetry/spying requests while keeping the outbound traffic the app needs to function (auth flows and GrowthBook feature-flag fetches)
- Do a quick security pass to remove obvious vulnerabilities and risky network behaviors
### Current Status
- Completed axios → nativeRequest conversions:
  - `services/mcp/officialRegistry.ts`
  - `services/mcp/claudeai.ts`
  - `services/oauth/getOauthProfile.ts`
- In progress:
  - `services/settingsSync/index.ts` (axios import removed; remaining axios calls + error classification need conversion)
### Next Steps (Axios Removal)
1. Fix `services/settingsSync/index.ts`
   - Replace the `classifyAxiosError` import with `classifyHttpError` from `utils/errors.js`
   - Replace `axios.get(...)` with its `validateStatus` accepting 200 and 404 by `nativeRequest` plus a `try/catch` that handles the `HttpError` 404 case explicitly; any other status should keep propagating as an error rather than being silently accepted
   - Replace `axios.put(...)` with `nativeRequest` (`method: 'PUT'`, JSON-serialized body with `Content-Type: application/json`)
2. Convert `services/oauth/client.ts`
   - Replace `axios.post`/`axios.get` with `nativeRequest`
   - Replace `axios.isAxiosError` checks with `isHttpError`
   - Preserve analytics events but ensure no tokens or PII end up in the logged or reported payloads
3. Convert `services/policyLimits/index.ts`
   - Replace `classifyAxiosError` with `classifyHttpError`
   - Replace `axios.get(...)` with its `validateStatus` accepting 200, 304 and 404 by `nativeRequest` plus a `try/catch` that maps the 304 and 404 `HttpError` cases explicitly
   - Preserve the existing caching semantics (304 means the cached copy is still valid; 404 means an empty restriction set)
4. Convert `services/remoteManagedSettings/index.ts` (same pattern as policy limits, plus explicit 204/304/404 handling)
5. Convert the remaining axios users (transports, bridge, installers, feedback, etc.)
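The conversion pattern behind steps 1, 3 and 4, as an added example that is not the project's own code: an axios call with `validateStatus` accepting 200/304/404 becomes a `nativeRequest`-style call where only 2xx resolves and every other status is thrown, so the try/catch has to map 304 and 404 back to their cache meanings and rethrow the rest. The `HttpError` class, the `RequestFn` contract, the policy-limits shapes and the `If-None-Match` handling are assumptions standing in for `utils/http.js` and `services/policyLimits/index.ts`.

```typescript
// Added example (not the project's code): axios validateStatus → try/catch on HttpError.
// HttpError, RequestFn and the policy-limits shapes below are assumptions for this page.

class HttpError extends Error {
  readonly status: number;
  readonly url: string;
  constructor(status: number, url: string) {
    super(`HTTP ${status} for ${url}`);
    this.name = "HttpError";
    this.status = status;
    this.url = url;
  }
}

function isHttpError(e: unknown): e is HttpError {
  return e instanceof HttpError;
}

interface HttpResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

interface RequestOptions {
  method?: "GET" | "PUT";
  headers?: Record<string, string>;
  body?: string;
  timeoutMs?: number;
}

// Assumed contract of the native wrapper: resolves on 2xx, throws HttpError for any
// other status, and rejects with a plain Error on network or timeout failure.
type RequestFn = (url: string, opts?: RequestOptions) => Promise<HttpResponse>;

interface PolicyCache {
  etag?: string;
  restrictions: string[];
}

type PolicyResult =
  | { kind: "updated"; restrictions: string[]; etag?: string }
  | { kind: "cached"; restrictions: string[] }
  | { kind: "empty"; restrictions: string[] };

// Before: axios.get(url, { validateStatus: s => s === 200 || s === 304 || s === 404 })
// delivered all three as responses. After: only 2xx arrives as a response; 304 and 404
// arrive as HttpError and are mapped to the same outcomes. Any other status (401, 500,
// ...) is rethrown instead of being silently accepted.
function classifyPolicyResult(outcome: HttpResponse | HttpError, cache: PolicyCache): PolicyResult {
  if (isHttpError(outcome)) {
    if (outcome.status === 304) return { kind: "cached", restrictions: cache.restrictions };
    if (outcome.status === 404) return { kind: "empty", restrictions: [] };
    throw outcome;
  }
  const parsed = JSON.parse(outcome.body) as { restrictions?: unknown };
  const restrictions = Array.isArray(parsed.restrictions)
    ? parsed.restrictions.filter((r): r is string => typeof r === "string")
    : [];
  return { kind: "updated", restrictions, etag: outcome.headers["etag"] };
}

async function loadPolicyLimits(request: RequestFn, url: string, cache: PolicyCache): Promise<PolicyResult> {
  const headers: Record<string, string> = {};
  if (cache.etag) headers["If-None-Match"] = cache.etag; // lets the server answer 304
  try {
    const res = await request(url, { method: "GET", headers, timeoutMs: 10000 });
    return classifyPolicyResult(res, cache);
  } catch (e) {
    if (isHttpError(e)) return classifyPolicyResult(e, cache);
    throw e; // timeouts and connection errors are not a status we can interpret
  }
}

// Constructed demo: a fake RequestFn that answers 304 when the cached ETag is presented.
const demoRequest: RequestFn = async (url, opts) => {
  if (opts?.headers?.["If-None-Match"] === '"v1"') throw new HttpError(304, url);
  return { status: 200, headers: { etag: '"v1"' }, body: '{"restrictions":["no-web"]}' };
};

loadPolicyLimits(demoRequest, "https://example.invalid/policy", { etag: '"v1"', restrictions: ["no-web"] })
  .then((r) => console.log(r.kind, r.restrictions)); // prints: cached [ 'no-web' ]
```

The `classifyPolicyResult` split keeps the status mapping synchronous and testable on its own; the remote-managed-settings variant (step 4) would add a `204` branch next to `304` and `404` in the same place.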
### Telemetry / “Spying” Removal
- Search for outbound tracking endpoints and SDKs (events, crash reporting, session replay, fingerprinting)
- Remove or gate non-essential outbound calls behind “essential traffic only” where appropriate
- Keep:
  - OAuth/auth network flows required for functionality
  - GrowthBook feature flag fetches required for feature gating
### Security Pass (Quick Wins)
- Ensure no secrets or tokens are logged or included in analytics payloads (redact by key name and mask bearer tokens that appear inside strings)
- Audit every place that builds URLs or headers from user input: allowlist the scheme and host to prevent SSRF, and reject CR/LF in header names and values to prevent header injection
- Enforce timeouts on all outbound requests and do not follow redirects automatically (or re-validate the redirect target against the same allowlist), since a redirect can otherwise escape the URL check
- Verify files written to disk use safe permissions (e.g. `0o600` for sensitive caches) and safe paths (no traversal components); a `mode` passed at write time only applies when the file is created, so existing files need an explicit chmod
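The four security-pass items as one set of guards, added here as an example and not taken from the project: a URL check for SSRF, a header-value check for injection, `fetch` options that impose a timeout and refuse redirects, a redaction pass for analytics payloads, and a cache writer that enforces `0o600` on both new and existing files. The helper names, the host allowlist and the secret-key pattern are assumptions for this page.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Added example for the security-pass items; these helpers and the allowlist are
// assumptions for this page, not code from the project.

// SSRF guard for any URL assembled from user or config input: https only, no embedded
// credentials, and an exact hostname allowlist (so literal IPs such as 169.254.169.254
// or 127.0.0.1 are rejected unless someone deliberately allowlists them).
function assertSafeOutboundUrl(raw: string, allowedHosts: readonly string[]): URL {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`not a valid URL: ${raw}`);
  }
  if (url.protocol !== "https:") throw new Error(`refusing ${url.protocol} URL`);
  if (url.username || url.password) throw new Error("refusing URL with embedded credentials");
  if (!allowedHosts.includes(url.hostname)) throw new Error(`host not allowlisted: ${url.hostname}`);
  return url;
}

// Header-injection guard: CR, LF or NUL in a name or value built from input would let
// the caller smuggle extra headers into the request.
function assertSafeHeaderValue(name: string, value: string): string {
  if (/[\r\n\0]/.test(name) || /[\r\n\0]/.test(value)) {
    throw new Error(`header ${JSON.stringify(name)} contains CR/LF/NUL`);
  }
  return value;
}

// Options to pass to fetch(): a hard timeout and no automatic redirects, since a
// redirect to a non-allowlisted host would otherwise bypass the URL check above.
function hardenedRequestInit(timeoutMs: number): { redirect: "error"; signal: AbortSignal } {
  return { redirect: "error", signal: AbortSignal.timeout(timeoutMs) };
}

// Redaction for analytics payloads: secret-looking keys are replaced wholesale and
// bearer tokens embedded in free-text strings are masked.
const SECRET_KEY = /token|secret|password|authorization|cookie|api[-_]?key/i;
const BEARER_TOKEN = /Bearer\s+[A-Za-z0-9._~+\/-]+=*/g;

function redactForAnalytics(value: unknown): unknown {
  if (typeof value === "string") return value.replace(BEARER_TOKEN, "Bearer [REDACTED]");
  if (Array.isArray(value)) return value.map(redactForAnalytics);
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SECRET_KEY.test(k) ? "[REDACTED]" : redactForAnalytics(v);
    }
    return out;
  }
  return value;
}

// Sensitive cache files: the name must be a bare file name (no traversal), the file is
// created 0o600, and chmod runs afterwards because writeFileSync's mode only applies
// when the file is created, not when an existing file is overwritten.
function writeSensitiveCache(dir: string, fileName: string, data: string): string {
  if (fileName === "" || fileName === "." || fileName === ".." || fileName !== path.basename(fileName)) {
    throw new Error(`unsafe cache file name: ${JSON.stringify(fileName)}`);
  }
  const target = path.join(dir, fileName);
  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
  fs.writeFileSync(target, data, { mode: 0o600 });
  fs.chmodSync(target, 0o600);
  return target;
}

// Constructed demo run on a temp directory.
const demoDir = fs.mkdtempSync(path.join(os.tmpdir(), "plan-cache-"));
const written = writeSensitiveCache(demoDir, "policy.json", JSON.stringify({ restrictions: [] }));
console.log(written, (fs.statSync(written).mode & 0o777).toString(8)); // 600 on POSIX
console.log(redactForAnalytics({ event: "login", access_token: "abc", note: "Bearer eyJ.x.y" }));
```

Two caveats for the real code base: the hostname allowlist only protects the first hop, which is why `redirect: "error"` is set rather than following redirects; and if the cache directory can be written by another user, `writeSensitiveCache` should additionally refuse to write through a symlink (an `lstat` check before the write), which this example does not do.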
### Verification
- Run the repo's lint/typecheck commands
- Run test suite (or targeted tests) for settings sync / oauth client flows if present