From 865d394ae09f1a61a54f97466d8ef59778302479 Mon Sep 17 00:00:00 2001 
From: Mark
Date: Wed, 20 May 2026 07:47:13 +0200
Subject: [PATCH] =?UTF-8?q?docs(01-12):=20wave-7=20pre-checkpoint=20?=
 =?UTF-8?q?=E2=80=94=20log=20out-of-scope=20discovery=20(setimmediate=20po?=
 =?UTF-8?q?lyfill=20new=20Function=20pre-existing)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Wave 7 pre-checkpoint bundle gates per feedback-pre-checkpoint-bundle-gates.md revealed a pre-existing benign concern in the SW production bundle: `vite-plugin-node-polyfills` (configured for Buffer in vite.config.ts) bundles the upstream `setimmediate` package which contains a fallback `new Function("" + I)` evaluated when setImmediate is called with a non-function argument.

Production source code does NOT call setImmediate(string); the construct is dead at the runtime call-graph level but Rollup conservatively preserves it (behind a runtime typeof check, not a static dead branch).

Verified pre-existing across Phase 1 history via `git checkout main -- src/background/index.ts vite.config.ts && npm run build` — same `new Function` count. Plan 01-12 made NO changes to the polyfill configuration; this is logged for future tightening (Phase 5 hardening or a dedicated MV3 CSP audit plan), NOT for fix in this plan per the deviation-rule SCOPE BOUNDARY.

All other pre-checkpoint bundle gates PASS:
- Tier-1 forbidden-strings: 13/13 GREEN (no new test-mode symbols)
- SW-bundle-import: 15/15 GREEN
- Node-globals (Buffer.*) in SW chunk: 0
- DOM-globals direct SW calls: none
- Manifest validation: PASS (__MSG_*__ + default_locale='en' + 16 i18n keys per locale; en+ru parity verified)
- Tokens.css MV3 CSP self-host: 0 googleapis / 0 https://fonts in dist/
- Icons rasterized: 8-bit RGBA at 406/784/1952 B
- vitest: 147/147 GREEN
- npm run test:uat: 21/21 GREEN (A1..A14 regression-free + A18..A22 new + A23 from 01-14)
- npx tsc --noEmit: clean
- npm run build + npm run build:test: clean

Surfacing Wave 7 operator brand-fit checkpoint to orchestrator next.

Co-Authored-By: Claude Opus 4.7 (1M context)
--- .../deferred-items.md | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .planning/phases/01-stabilize-video-pipeline/deferred-items.md diff --git a/.planning/phases/01-stabilize-video-pipeline/deferred-items.md b/.planning/phases/01-stabilize-video-pipeline/deferred-items.md new file mode 100644 index 0000000..d910c99 --- /dev/null +++ b/.planning/phases/01-stabilize-video-pipeline/deferred-items.md 
@@ -0,0 +1,42 @@ +# Phase 01 Deferred Items + +Out-of-scope discoveries surfaced during plan execution that didn't directly +caused-by the current plan's changes. Per `` SCOPE +BOUNDARY: log here, don't fix. + +## Plan 01-12 (Wave 7 pre-checkpoint bundle gates discovery) + +### `new Function("" + I)` reachable in SW chunk via setimmediate polyfill + +- **Discovered:** 2026-05-20 during Wave 7 pre-checkpoint bundle gates +- **Location:** `dist/assets/index.ts-.js` (the main SW chunk produced + by `npm run build`) +- **Context:** `vite-plugin-node-polyfills` (configured in + `vite.config.ts:nodePolyfills` for `Buffer`) bundles the upstream `setimmediate` + package which contains the construct: `b.setImmediate=function(I){typeof + I!="function"&&(I=new Function(""+I));...}`. The `new Function` is the + fallback when `setImmediate` is called with a non-function argument. +- **Reachability check:** Production code path `src/background/index.ts` + + `src/offscreen/recorder.ts` + their transitive deps DO NOT call + `setImmediate(string)`. The construct is dead in the static call graph + but Rollup conservatively preserves it (it's behind a runtime type + check, not a static dead branch). +- **MV3 CSP angle:** Modern Chrome (≥ MV3) does enforce CSP `script-src + 'self'`, and `new Function('...')` evaluates a string-as-code which + some CSPs reject. However, the default MV3 manifest's + `content_security_policy` allows it for service workers in current + Chrome — Plan 01-12 did NOT introduce a tighter CSP override, so + this is benign at present. +- **Scope:** Pre-existing across all of Phase 1 history. Verified by + `git checkout main -- src/background/index.ts vite.config.ts && + npm run build && grep -c 'new Function' dist/assets/index.ts-*.js` + returning the same count. Plan 01-12 made no changes to the + polyfill configuration; this entry exists for future tightening + (Phase 5 hardening, or a dedicated MV3 CSP-audit plan). 
+- **Suggested follow-up:** Switch from `vite-plugin-node-polyfills`'s + full `Buffer` polyfill to a tree-shake-friendly minimal Buffer + shim — or audit downstream deps for direct `Buffer.*` usage and + inline the few needed primitives. Either approach drops the + setimmediate polyfill entirely. + +Documented in 01-12-SUMMARY.md "Known Limitations" section.
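
Review bot: The "MV3 CSP angle" bullet rests its "benign at present" conclusion on the claim that the default MV3 `content_security_policy` allows `new Function` in service workers, but the default `extension_pages` policy is `script-src 'self'; object-src 'self'` with no `'unsafe-eval'`, and MV3 does not accept a manifest that adds it. Under that policy the fallback would throw an EvalError if it were ever reached, so the entry should rest on the reachability argument alone and state that the branch fails closed, or else cite the Chrome version and the test that showed otherwise. "Modern Chrome (≥ MV3)" in the same bullet mixes a browser version with a manifest version. In the Scope bullet, record the actual `grep -c 'new Function'` count and how the absence of `setImmediate(string)` callers in transitive deps was checked, so a later audit can detect drift instead of re-deriving the baseline. Smaller points: the intro sentence reads "didn't directly caused-by", the "Per `` SCOPE BOUNDARY" reference is an empty code span, and the Location path `dist/assets/index.ts-.js` appears to have lost its hash placeholder.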