fraqtal/agentic-dev
Template
1
0
Fork 0
Code Issues Pull Requests Actions 7 Packages Projects Releases Wiki Activity

feat(eslint+ci): R40 boundary rule for @sentry/* + R31 sendDefaultPii grep gate

Browse Source 
Adds two flat-config blocks to core-eslint/base.js: (1) repo-wide
no-restricted-imports for @sentry/* with the R40 message, (2) an
allowlist override for the only paths permitted to import the Sentry
SDK directly — core-shared/instrumentation/sentry/**, the bind-sentry
DI files, the no-sentry test guards, and apps' instrumentation* /
next.config / vite.config / sentry.*.config files. Patterns use
**/-prefix so they match whether ESLint runs from the repo root or
from inside a sub-package.

Also adds the standard `argsIgnorePattern: "^_"` config (used
throughout the repo) and a Node-globals override for *.mjs/*.cjs/*.js
and *.config.{ts,tsx} so withSentryConfig in next.config.mjs lints
clean. Required adding `globals` as a core-eslint dep.

Adds .github/workflows/sentry-pii-guard.yml — a lightweight CI step
that fails any PR introducing `sendDefaultPii: true` (R31). Excludes
node_modules / dist / .next / .turbo from the grep so vendored SDK
JSDoc examples don't false-positive.

Pre-existing lint nits cleared as part of getting `pnpm lint` green:
- core-testing define-contract-suite.test.ts: void the unused
  receivedTracer (mirrors the next test's pattern)
- marketing-pages bind-dev-seed.ts: drop unused MockSiteSettingsRepository
  import
- marketing-pages get-site-settings.use-case.ts: drop the now-redundant
  eslint-disable for `_input`

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Danijel Martinek
2026-05-07 20:31:15 +02:00
parent e1b6ecf578
commit 955a763c66
7 changed files with 100 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
.github/workflows/sentry-pii-guard.yml vendored Normal file
View File

@@ -0,0 +1,28 @@
# R31 — block sendDefaultPii: true from ever landing.
#
# This is a defense-in-depth gate: the privacy posture is also enforced by
# the centralized init helpers in core-shared/instrumentation/sentry/, but
# this grep makes any drift impossible to merge.
name: Sentry PII guard (R31)
on:
pull_request:
push:
branches: [main]
jobs:
pii-guard:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Verify sendDefaultPii is never true
run: |
if grep -RIn --include='*.ts' --include='*.tsx' --include='*.mjs' --include='*.cjs' --include='*.js' \
--exclude-dir=node_modules --exclude-dir=.next --exclude-dir=dist --exclude-dir=.turbo \
-E 'sendDefaultPii\s*:\s*true' \
packages/ apps/; then
echo "::error::R31 violation — sendDefaultPii: true is forbidden anywhere in the repo."
exit 1
fi
echo "OK — no sendDefaultPii: true detected."