Dead-code removal + shared core utils + unified SSRF guard (expl 0230, phase 0–1)#284

Merged
crs48 merged 8 commits into main from claude/0230-codebase-refactoring-atlas-dead-code-god-files-a
Jun 26, 2026
@crs48 crs48 commented Jun 26, 2026

Implements the low-risk top of the leverage ladder from exploration 0230 —
the "do now" Phase 0 + Phase 1. The structural phases (schema SSoT, importer
toolkit, god-file splits, cross-app convergence) are deliberately left as
follow-up PRs, exactly as the doc recommends; this doc stays [_].

Net −3,167 LOC, no lockfile change.

What landed

1. Delete dead code (−3,913 LOC). CanvasV2Legacy.tsx (2,380 LOC) had zero
production importers — the public Canvas export resolves to CanvasV3. Its
only references were a Storybook story and a navigation-shell test that
exercised the legacy renderer's internals (it mocks legacy-only modules and
asserts legacy DOM contracts — it can't be repointed to V3). Removed all three.

2. Canonical @xnetjs/core utils + behaviour-preserving migration. New
clamp, clamp01, formatBytes (tested) replace behaviour-identical copies in
canvas (×4), query, hub, and react (×2) — all packages that already
depend on core, so no new dependency edges. The two react byte displays
no longer silently cap at MB. The two identical comment-surface relative-time
copies now share one ui helper.

Reading the code corrected the exploration's grep-based counts: the "29
clamp" conflates three distinct functions (clamp, clamp01, and
specialized clampLimit/clampRatio/…); debounce/throttle have
divergent signatures; several formatBytes copies encode different output.
So the codemod was scoped by behaviour — only truly-identical helpers and
clear bug-fixes were migrated; divergent ones were left local on purpose.

3. Unify the SSRF guard (security). The hub's regex validateExternalUrl
guarded the network-facing unfurl/federation/crawl routes but missed
private ranges (CGNAT 100.64/10, IPv4-mapped IPv6, NAT64, fe81::–fe8f::
link-local, the trailing-dot bypass) and false-positived on hosts like
fd-startup.com. The strict literal-host guard now lives in @xnetjs/core with
a 31-case bypass-vector test; hub and plugins both delegate to it
(plugins keeps its ActionSsrfError contract).

Verification

  • New tests: core utils (9) + SSRF bypass table (31).
  • Touched-package suites green: 948 tests (core/query/ui/react/hub/plugins)
    + 312 (canvas-touched + devtools), plus typecheck on all touched packages.
  • Changeset added (core minor; plugins/react patch — fixed group); Stop-hook
    coverage passes.

Deliberately deferred (separate PRs, per the doc)

Knip/jscpd CI ratchet · schema SCHEMA_METADATA/SCHEMA_UI_METADATA SSoT ·
social importer toolkit · god-file splits (CanvasV3, AiSurfaceService,
sqlite-adapter) · cross-app web/electron view convergence (needs a parity
audit first) · scripts/lib + package scaffold. The devtools byte-formatter
dedup was backed out here to avoid a 17k-line lockfile rewrite from the new
workspace edge.

🤖 Generated with Claude Code

xNet Test and others added 8 commits June 26, 2026 08:29

…ortunities

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

CanvasV2Legacy (2380 LOC) had zero production importers — the public Canvas
export resolves to CanvasV3. Its only references were a Storybook story and a
navigation-shell test that exercised the legacy renderer's internals. Remove
all three (3913 LOC) as dead code.

Establish a single dependency-free home for the small helpers that were
re-implemented across many packages. formatBytes scales correctly to PB
(fixing copies that silently capped at MB). debounce/throttle and the
compact relative-time formatters are intentionally NOT consolidated here —
they have divergent signatures and output formats across call sites.

…pers

Replace behaviour-identical copies with the canonical @xnetjs/core helpers:
- clamp(v,min,max): CanvasV3, webgl vector/raster tiles, query moderation,
  hub crawl (hub's undefined-accepting clamp01 and telemetry's NaN->1 clamp01
  are left local — different semantics).
- formatBytes: canvas memory-profile (re-exported), react quota/sync overlays,
  devtools formatters — the last two fix copies that silently capped at MB.
- formatRelativeTime: the two identical comment-surface copies now share an
  internal ui helper.

Scoped to packages already depending on @xnetjs/core (plus private devtools)
so no publishable package gains a new dependency just for a one-liner.
debounce/throttle are intentionally untouched (divergent signatures).

The hub's regex-based validateExternalUrl missed several private ranges
(CGNAT 100.64/10, IPv4-mapped IPv6, NAT64, fe81::-fe8f:: link-local, the
trailing-dot bypass) and false-positived on hosts like fd-startup.com — it
guarded the network-facing unfurl/federation/crawl routes.

Move the strict literal-host guard (ported from @xnetjs/plugins) into
@xnetjs/core as the single source of truth, exposing assertPublicUrl +
validateExternalUrl + a 31-case bypass-vector test. hub/utils/url.ts and
plugins/actions/ssrf.ts now both delegate to it; plugins keeps its
ActionSsrfError contract.

Add changeset (core minor; plugins/react patch) and a changelog fragment for
the shared-helper consolidation and SSRF hardening.

Backing out the devtools->@xnetjs/core edge: it was the only new workspace
dependency in this PR and a non-frozen install rewrote ~17k lines of the
lockfile. devtools is private and dev-only; deduping its byte formatter can
ride a later batch. All remaining migrations use packages that already depend
on @xnetjs/core, so this PR needs no lockfile change.
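
The literal-host check described in the PR description and in the SSRF commit message above, as an added TypeScript example: it is not the code from @xnetjs/core, and every name in it (ssrfReason, blockedV4, v4ToInt, expandV6, blockedV6, prefixOf) is hypothetical. It relies on the WHATWG URL parser to normalize numeric IPv4 and dotted IPv6 forms before the range checks, and it goes slightly beyond the listed vectors by also covering the loopback, RFC 1918 and unique-local ranges.

```typescript
// Added example, hypothetical names. Entries are [base, prefix length]; 0x64400000/10 is CGNAT.
const BLOCKED_V4: Array<[number, number]> = [
  [0x00000000, 8], [0x0a000000, 8], [0x64400000, 10], [0x7f000000, 8],
  [0xa9fe0000, 16], [0xac100000, 12], [0xc0a80000, 16],
];
const prefixOf = (n: number, bits: number) => Math.floor(n / 2 ** (32 - bits));
const blockedV4 = (ip: number) =>
  BLOCKED_V4.some(([base, bits]) => prefixOf(ip, bits) === prefixOf(base, bits));

function v4ToInt(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  const octets = m ? m.slice(1).map(Number) : [];
  if (octets.length !== 4 || octets.some((n) => n > 255)) return null;
  return octets.reduce((acc, n) => acc * 256 + n, 0);
}

// Expand a normalized IPv6 literal (brackets removed) into eight 16-bit groups.
function expandV6(literal: string): number[] | null {
  const [head, tail] = literal.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  if (tail === undefined ? h.length !== 8 : h.length + t.length > 7) return null;
  const fill = new Array<string>(8 - h.length - t.length).fill("0");
  const groups = [...h, ...fill, ...t].map((g) => parseInt(g, 16));
  return groups.every((n) => n >= 0 && n <= 0xffff) ? groups : null;
}

function blockedV6(g: number[]): string | null {
  const low32 = g[6] * 65536 + g[7]; // IPv4 address carried by mapped and NAT64 forms
  const zero = (from: number, to: number) => g.slice(from, to).every((x) => x === 0);
  if (zero(0, 7) && g[7] <= 1) return "unspecified or loopback";
  if (zero(0, 5) && g[5] === 0xffff && blockedV4(low32)) return "IPv4-mapped private";
  if (g[0] === 0x64 && g[1] === 0xff9b && zero(2, 6) && blockedV4(low32)) return "NAT64 private";
  if ((g[0] & 0xffc0) === 0xfe80) return "link-local fe80::/10"; // includes fe81::-fe8f::
  if ((g[0] & 0xfe00) === 0xfc00) return "unique-local fc00::/7";
  return null;
}

// Returns the reason a URL is refused, or null when its literal host is public.
function ssrfReason(raw: string): string | null {
  let url: URL;
  try { url = new URL(raw); } catch { return "unparseable"; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "scheme";
  const host = url.hostname.toLowerCase().replace(/\.+$/, ""); // strips the trailing dot
  if (host === "" || host === "localhost" || host.endsWith(".localhost")) return "localhost";
  if (host.startsWith("[")) {
    const groups = expandV6(host.slice(1, -1));
    return groups ? blockedV6(groups) : "bad IPv6 literal";
  }
  const v4 = v4ToInt(host);
  return v4 !== null && blockedV4(v4) ? "private IPv4" : null; // fd-startup.com is only a name
}
```

A literal-host check of this kind does not cover a public name that resolves to a private address; that needs a check on the resolved address at connect time.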
@crs48 crs48 temporarily deployed to pr-284 June 26, 2026 15:55 — with GitHub Actions Inactive
@github-actions

🖼️ UI changes in this PR

Interactions

🎬 Open a canvas

Auto-captured by CI · run. Informational — not a blocking check.

github-actions Bot added a commit that referenced this pull request Jun 26, 2026
github-actions Bot commented Jun 26, 2026

Preview removed for PR #284.

@crs48 crs48 merged commit 2f41eac into main Jun 26, 2026
16 checks passed
@crs48 crs48 deleted the claude/0230-codebase-refactoring-atlas-dead-code-god-files-a branch June 26, 2026 16:06