Prevent raw exception messages from leaking stack frames or absolute
paths in the console logs and token health endpoints.

Also harden the i18n mirror move script by replacing shell-based git
commands with execFileSync and a safer fallback for untracked files.

Fixes the 4 fixable alerts opened in the recent scan and adds enforceable
guardrails so future development follows the same pattern.

Code fixes:
- src/mitm/cert/install.ts: pass certPath/certName/action via exec()'s env
option instead of string-interpolating them into the bash script
(CodeQL js/shell-command-injection-from-environment #225)
- scripts/docs/{gen-provider-reference,add-frontmatter,fix-internal-links}:
escape backslash before other regex/markdown metacharacters
(CodeQL js/incomplete-sanitization #227, #228, #229)
Documentation (mandatory patterns):
- docs/security/PUBLIC_CREDS.md — embedding public upstream OAuth/Firebase
identifiers via resolvePublicCred(); never as string literals
- docs/security/ERROR_SANITIZATION.md — routing every error response through
sanitizeErrorMessage()/buildErrorBody(); never raw err.stack/err.message
- CLAUDE.md: 4 new Hard Rules (#11-#14) + Security section + scenario notes
- AGENTS.md, CONTRIBUTING.md: cross-reference the two new docs
- SECURITY.md: extended Hard Security Rules with the new mandatory patterns
- docs/README.md: index entries pointing to the two new docs
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
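The js/incomplete-sanitization fix named in the commit message above (escape the backslash before the other regex/markdown metacharacters), as an added JavaScript example that is not code from the repository. All function names and sample inputs are constructed for illustration, and `liveDelimiters` is a simplified model of a consumer that treats a backslash as escaping the next character.

```javascript
// Added illustration: names and inputs are constructed, not from the repository.

// Incomplete: escapes regex metacharacters but not the backslash itself.
function escapeRegexIncomplete(s) {
  return s.replace(/[.*+?^${}()|[\]]/g, "\\$&");
}

// Complete: the backslash is part of the escaped set.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// True when `text` matches the pattern built from `literal` by `escapeFn`.
function matchesLiteral(escapeFn, literal, text) {
  return new RegExp("^" + escapeFn(literal) + "$").test(text);
}

// Incomplete: a backslash already in the input cancels the inserted escape.
function escapeCellIncomplete(s) {
  return s.replace(/\|/g, "\\|");
}

// Complete: double the backslashes first, then escape the pipe. Reversing the
// two replaces would double the backslashes that the pipe step just added.
function escapeCell(s) {
  return s.replace(/\\/g, "\\\\").replace(/\|/g, "\\|");
}

// Simplified consumer model (an assumption): a backslash escapes the next
// character; any other "|" is a live table-cell delimiter.
function liveDelimiters(row) {
  let n = 0;
  for (let i = 0; i < row.length; i++) {
    if (row[i] === "\\") { i++; continue; }
    if (row[i] === "|") n++;
  }
  return n;
}

const literal = "\\d+";   // the three characters \ d +
const cell = "x\\|y";     // the four characters x \ | y
console.log(matchesLiteral(escapeRegexIncomplete, literal, "7+")); // true
console.log(matchesLiteral(escapeRegex, literal, "7+"));           // false
console.log(liveDelimiters(escapeCellIncomplete(cell)));           // 1
console.log(liveDelimiters(escapeCell(cell)));                     // 0
```

With the incomplete escapers the input's own backslash turns the "literal" pattern into the digit class `\d` and leaves the pipe live; with the backslash handled first, both inputs stay inert data.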
- scripts/docs/gen-openapi-module.mjs (new): build helper that loads
docs/reference/openapi.yaml via js-yaml, flattens paths × methods, and
emits src/app/docs/lib/openapi.generated.ts with strongly-typed
OPENAPI_ENDPOINTS, OPENAPI_TAGS, OPENAPI_VERSION, OPENAPI_TITLE plus
the OpenApiEndpoint interface (no `any`, deterministic ordering).
By default it skips internal management paths (anything under /api/
that isn't /api/v1/*) so the Api Explorer focuses on the OpenAI-
compatible public surface — 19 endpoints for v3.8.0 (Chat, Messages,
Responses, Embeddings, Images, Audio, Moderations, Rerank, Models,
System). Add --include-management to emit all 121 paths if needed.
- src/app/docs/components/ApiExplorerClient.tsx: drop the 13-entry
hardcoded API_ENDPOINTS array; the component now imports from
@/app/docs/lib/openapi.generated. Tags come from the spec; the
"Try It" form picks an example body keyed by full path (8 well-known
bodies pre-seeded, everything else starts empty). The header pill
now shows endpoint count + OpenAPI version, and an "auth" pill is
rendered next to operations whose spec declares non-empty security.
- package.json: prebuild:docs now chains gen-openapi-module after the
docs index generator so `next build` always sees a fresh module.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Every .md under docs/{architecture,guides,reference,frameworks,routing,
security,compression,ops,diagrams} plus docs/README.md now opens with:
---
title: "<inferred from first H1>"
version: 3.8.0
lastUpdated: 2026-05-13
---
46 files updated (no docs were skipped — none had pre-existing
frontmatter). [slug]/page.tsx already reads frontmatter.version and
frontmatter.lastUpdated via gray-matter and renders a "v3.8.0" pill
plus a "Last updated" caption, so the UI picks these up automatically.
Helper: scripts/docs/add-frontmatter.mjs — idempotent (skips files that
already start with `---`), falls back to a humanized basename when no
leading H1 exists. Excludes docs/i18n/, docs/screenshots/,
docs/superpowers/, docs/diagrams/exported/. Re-runnable safely.
Also regenerated src/app/docs/lib/docs-auto-generated.ts: 44 docs across
8 sections (Architecture / Guides / Reference / Frameworks / Routing /
Security / Compression / Ops), which now includes the 14 docs that were
missing from the v3.7 sidebar (Cloud Agents, Guardrails, Memory, Skills,
Webhooks, Evals, Authz, Agent Protocols, Repository Map, Provider
Reference, Reasoning Replay, Stealth Guide, Tunnels Guide, Electron
Guide).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Resolves two conflicts:
- docs/diagrams/README.md: FASE 3 created a placeholder, FASE 4 created the
canonical content. Adopts FASE 4 content and updates the doc paths to the
FASE 3 subfolder layout (architecture/, frameworks/, routing/, guides/).
- package.json: combined FASE 1's new scripts/build/ and scripts/check/ paths
with FASE 4's new docs:render-diagrams script.
Post-merge fixes:
- Rewrites diagram link paths in the 7 subfolder docs from ./diagrams/X to
../diagrams/X (FASE 4 added flat-layout links before FASE 3's subfolder move).
- Adds the i18n-flow diagram link to docs/guides/I18N.md (auto-merge missed it).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Reorganizes /docs into 8 subfolders (architecture, guides, reference, frameworks,
routing, security, compression, ops). Resolves two conflicts:
- scripts/docs/gen-provider-reference.ts: combined FASE 1's new __dirname-based
ROOT (two levels up from scripts/docs/) with FASE 3's new output path
(docs/reference/PROVIDER_REFERENCE.md).
- scripts/check-env-doc-sync.mjs: deleted by FASE 1, modified by FASE 3; FASE 1's
delete wins (file is at scripts/check/ now). The FASE 3 intent (point to
docs/reference/ENVIRONMENT.md) was applied to the strict checker at the new path.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Add scripts/docs/render-diagrams.mjs as a thin wrapper around
@mermaid-js/mermaid-cli (mmdc):
- Renders every docs/diagrams/*.mmd into docs/diagrams/exported/*.svg
- Writes a Puppeteer config with --no-sandbox for Ubuntu 23.10+/WSL
- Exits non-zero on first failure so CI can gate on rendering
Expose it as `npm run docs:render-diagrams` and commit the initial
8 rendered SVGs so reviewers see the diagrams without having to install
the renderer locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Update tooling for the new docs/<subfolder>/ layout:
- scripts/generate-docs-index.mjs walks the 8 subfolders in defined order and
emits fileName values relative to docs/ (e.g. "architecture/ARCHITECTURE.md").
- scripts/check-docs-sync.mjs reads docs/reference/openapi.yaml.
- scripts/check-docs-counts-sync.mjs targets new doc paths.
- scripts/check-env-doc-sync.mjs reads docs/reference/ENVIRONMENT.md.
- scripts/gen-provider-reference.ts writes to docs/reference/PROVIDER_REFERENCE.md.
- scripts/pack-artifact-policy.ts allowlists docs/reference/openapi.yaml.
- New scripts/docs/{fix-internal-links,move-i18n-mirrors}.mjs are one-shot
FASE 3 helpers, safe to delete after merge.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>