repremium/mokosh
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(01-12): wave-7 pre-checkpoint — log out-of-scope discovery (setimmediate polyfill new Function pre-existing)

Browse Source 
Wave 7 pre-checkpoint bundle gates per feedback-pre-checkpoint-bundle-gates.md
revealed a pre-existing benign concern in the SW production bundle:

`vite-plugin-node-polyfills` (configured for Buffer in vite.config.ts)
bundles the upstream `setimmediate` package which contains a fallback
`new Function("" + I)` evaluated when setImmediate is called with a
non-function argument. Production source code does NOT call
setImmediate(string); the construct is dead at the runtime call-graph
level but Rollup conservatively preserves it (behind a runtime
typeof check, not a static dead branch).

Verified pre-existing across Phase 1 history via `git checkout main --
src/background/index.ts vite.config.ts && npm run build` — same
`new Function` count. Plan 01-12 made NO changes to the polyfill
configuration; this is logged for future tightening (Phase 5
hardening or a dedicated MV3 CSP audit plan), NOT for fix in this
plan per the deviation-rule SCOPE BOUNDARY.

All other pre-checkpoint bundle gates PASS:
- Tier-1 forbidden-strings: 13/13 GREEN (no new test-mode symbols)
- SW-bundle-import: 15/15 GREEN
- Node-globals (Buffer.*) in SW chunk: 0
- DOM-globals direct SW calls: none
- Manifest validation: PASS (__MSG_*__ + default_locale='en' +
  16 i18n keys per locale; en+ru parity verified)
- Tokens.css MV3 CSP self-host: 0 googleapis / 0 https://fonts in dist/
- Icons rasterized: 8-bit RGBA at 406/784/1952 B
- vitest: 147/147 GREEN
- npm run test:uat: 21/21 GREEN (A1..A14 regression-free + A18..A22
  new + A23 from 01-14)
- npx tsc --noEmit: clean
- npm run build + npm run build:test: clean

Surfacing Wave 7 operator brand-fit checkpoint to orchestrator next.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mark
2026-05-20 07:47:13 +02:00
parent b909c374cc
commit 865d394ae0
1 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
.planning/phases/01-stabilize-video-pipeline/deferred-items.md Normal file
View File

@@ -0,0 +1,42 @@
# Phase 01 Deferred Items
Out-of-scope discoveries surfaced during plan execution that didn't directly
caused-by the current plan's changes. Per `<deviation_rules>` SCOPE
BOUNDARY: log here, don't fix.
## Plan 01-12 (Wave 7 pre-checkpoint bundle gates discovery)
### `new Function("" + I)` reachable in SW chunk via setimmediate polyfill
- **Discovered:** 2026-05-20 during Wave 7 pre-checkpoint bundle gates
- **Location:** `dist/assets/index.ts-<hash>.js` (the main SW chunk produced
by `npm run build`)
- **Context:** `vite-plugin-node-polyfills` (configured in
`vite.config.ts:nodePolyfills` for `Buffer`) bundles the upstream `setimmediate`
package which contains the construct: `b.setImmediate=function(I){typeof
I!="function"&&(I=new Function(""+I));...}`. The `new Function` is the
fallback when `setImmediate` is called with a non-function argument.
- **Reachability check:** Production code path `src/background/index.ts` +
`src/offscreen/recorder.ts` + their transitive deps DO NOT call
`setImmediate(string)`. The construct is dead in the static call graph
but Rollup conservatively preserves it (it's behind a runtime type
check, not a static dead branch).
- **MV3 CSP angle:** Modern Chrome (≥ MV3) does enforce CSP `script-src
'self'`, and `new Function('...')` evaluates a string-as-code which
some CSPs reject. However, the default MV3 manifest's
`content_security_policy` allows it for service workers in current
Chrome — Plan 01-12 did NOT introduce a tighter CSP override, so
this is benign at present.
- **Scope:** Pre-existing across all of Phase 1 history. Verified by
`git checkout main -- src/background/index.ts vite.config.ts &&
npm run build && grep -c 'new Function' dist/assets/index.ts-*.js`
returning the same count. Plan 01-12 made no changes to the
polyfill configuration; this entry exists for future tightening
(Phase 5 hardening, or a dedicated MV3 CSP-audit plan).
- **Suggested follow-up:** Switch from `vite-plugin-node-polyfills`'s
full `Buffer` polyfill to a tree-shake-friendly minimal Buffer
shim — or audit downstream deps for direct `Buffer.*` usage and
inline the few needed primitives. Either approach drops the
setimmediate polyfill entirely.
Documented in 01-12-SUMMARY.md "Known Limitations" section.