Skip to content

fix: sanitize analytics crash and model values#325

Merged
ruzin merged 3 commits into
ruzin:mainfrom
Optic00:fix/analytics-privacy-followup
Jul 10, 2026
Merged

fix: sanitize analytics crash and model values#325
ruzin merged 3 commits into
ruzin:mainfrom
Optic00:fix/analytics-privacy-followup

Conversation

@Optic00

@Optic00 Optic00 commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • route renderer/child-process crash capture through the existing sanitized exception path
  • collapse custom/free-form model names to fixed analytics labels before tracking
  • add regression tests for both privacy boundaries

Verification

  • npm run test:unit
  • npm run typecheck:renderer

Summary by cubic

Sanitizes analytics crash reports and model values to prevent leaking local paths or private model names. Fixes curated built-in models being mislabeled as "custom" in analytics.

  • Bug Fixes
    • Route renderer/child-process and queued errors through captureSanitizedException so only redacted errors reach PostHog.
    • Expand model allowlist to include all curated built-ins; collapse others to custom. Apply in summarization/transcription contexts and for model_changed events.
    • Add unit tests for crash redaction and to assert every curated public model id passes the allowlist.

Written for commit 861cb7c. Summary will update on new commits.

Review in cubic

@Optic00 Optic00 requested a review from ruzin as a code owner July 8, 2026 17:09

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All reported issues were addressed across 3 files

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread app/analytics-helpers.js
The allowlist missed 4 of 5 SUPPORTED_BEDROCK_MODELS (cubic review find)
plus the non-Gemma local registry entries (llama3.2:3b, qwen3.5:9b,
gpt-oss:20b), so built-in dropdown selections were mislabeled 'custom'.
All are fixed public identifiers - no privacy impact.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="app/analytics-helpers.js">

<violation number="1" location="app/analytics-helpers.js:265">
P3: The new `llama3.2:3b` allowlist entry is not covered by a test assertion. The regression tests verify the other newly added models (`qwen3.5:9b`, `gpt-oss:20b`, and the Bedrock entries), so adding a quick assertion for `llama3.2:3b` would keep the coverage consistent with the test description.</violation>
</file>

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread app/analytics-helpers.js
'gemma4:e2b-nvfp4',
'gemma4:e4b-nvfp4',
'gemma4:12b-nvfp4',
'llama3.2:3b',

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P3: The new llama3.2:3b allowlist entry is not covered by a test assertion. The regression tests verify the other newly added models (qwen3.5:9b, gpt-oss:20b, and the Bedrock entries), so adding a quick assertion for llama3.2:3b would keep the coverage consistent with the test description.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At app/analytics-helpers.js, line 265:

<comment>The new `llama3.2:3b` allowlist entry is not covered by a test assertion. The regression tests verify the other newly added models (`qwen3.5:9b`, `gpt-oss:20b`, and the Bedrock entries), so adding a quick assertion for `llama3.2:3b` would keep the coverage consistent with the test description.</comment>

<file context>
@@ -255,22 +255,33 @@ function captureSanitizedException(posthogClient, err, distinctId) {
   'gemma4:e2b-nvfp4',
   'gemma4:e4b-nvfp4',
   'gemma4:12b-nvfp4',
+  'llama3.2:3b',
+  'qwen3.5:9b',
+  'gpt-oss:20b',
</file context>

@ruzin ruzin merged commit 1b1de68 into ruzin:main Jul 10, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants