This repository was archived by the owner on May 11, 2026. It is now read-only.
Remove telemetry, data exfiltration, and harden security#1
Merged
Conversation
Phase 1 - Remove PostHog telemetry: - Gut forge_tracker crate, replace with no-op stubs preserving API surface - Remove PostHog HTTP collector, machine fingerprinting, email harvesting - Remove posthog-rs and machineid-rs dependencies - Remove POSTHOG_API_SECRET from CI workflows and forge_ci - Keep local file-based logging (daily rolling), remove PostHogWriter Phase 2 - Remove source code upload: - No-op all gRPC methods in ForgeContextEngineRepository - No-op ForgeGrpcClient (dummy channel, no connections) - Clear default services_url in .forge.toml - Handle empty services_url gracefully in ForgeInfra init Phase 3 - Remove auto-update: - Replace on_update() with no-op stub - Remove update-informer dependency - Remove auto-update config from .forge.toml - Call sites in ui.rs unchanged (they call the no-op) Phase 4 - Security hardening: - Restrict default permissions to home dir + /tmp (was allow all) - Redact Debug impl on all secret types (ApiKey, tokens, etc.) - Add x-api-key to header sanitization - Set chmod 600 on credential files after writing - Filter env vars for MCP clients to safe whitelist
|
Hi! I'm the It looks like you correctly set up a CI job that uses the autofix.ci GitHub Action, but the autofix.ci GitHub App has not been installed for this repository. This means that autofix.ci unfortunately does not have the permissions to fix this pull request. If you are the repository owner, please install the app and then restart the CI workflow! 😃 |
autofix.ci
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Security audit of this ForgeCode fork found extensive telemetry and data exfiltration. This PR removes all of it and hardens security defaults.
forge_trackercrate (no-op stubs preserve API surface), removed email harvesting, machine fingerprinting, and all data collection. Removedposthog-rsandmachineid-rsdependencies.ForgeGrpcClientstubbed out,services_urlcleared from.forge.toml.curl|sh) —on_update()replaced with no-op,update-informerdependency removed.~/**and/tmp/**(was**/*allow-all), redactDebugoutput on all secret types, addx-api-keyto header sanitization, set chmod 600 on credential files, filter MCP env vars to safe whitelist.29 files changed, 231 insertions, 1,803 deletions
What was removed
us.i.posthog.com/capture/forge_tracker/src/collect/posthog.rs~/.ssh/*.pub,git config, macOS Apple IDforge_tracker/src/dispatch.rsforge_tracker/src/client_id/api.forgecode.devforge_repo/src/context_engine.rscurl -fsSL https://forgecode.dev/cli | shforge_main/src/update.rsTest plan
cargo check --workspace— PASScargo test --workspace— PASS (all tests green)posthog.com,api.forgecode.dev, orforgecode.dev/cliat runtime