From 41875092f6c5402e3e58ce3e3de28e1a1c38b440 Mon Sep 17 00:00:00 2001
From: Termux User <termux@localhost>
Date: Sun, 14 Jun 2026 12:20:10 -0400
Subject: [PATCH] fix: telemetry path sanitization + REPL hardcoded block count
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

G-1 (CRITICAL): Telemetry events in governance_reports.cpp included raw
absolute paths (e.g., /data/data/com.termux/files/home/...) in ev["file"]
fields. These flowed unsanitized through telemetry_forwarder to external
webhooks, leaking host directory structure. Fixed by applying
ErrorSanitizer::sanitizeFilePaths() at both emission sites (line 249
emitRefusalAttestation, line 887 writeTelemetry loop).

G-2 (LOW): REPL printed hardcoded "24,167 blocks available" — a static
number with no runtime basis. Removed.

Findings from Gemini 30-level slop audit, verified against actual code.
15 of 20 claims were false positives or by-design.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 src/repl/repl.cpp                  | 3 +--
 src/runtime/governance_reports.cpp | 5 +++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/repl/repl.cpp b/src/repl/repl.cpp
index 6c42614e..9c804117 100644
--- a/src/repl/repl.cpp
+++ b/src/repl/repl.cpp
@@ -124,8 +124,7 @@ class ReplSession {
             if (i > 0) fmt::print(", ");
             fmt::print("{}", languages[i]);
         }
-        fmt::print("\n");
-        fmt::print("24,167 blocks available\n\n");
+        fmt::print("\n\n");
     }
 
     void handleCommand(const std::string& cmd) {
diff --git a/src/runtime/governance_reports.cpp b/src/runtime/governance_reports.cpp
index b9a53cd8..fe3a2750 100644
--- a/src/runtime/governance_reports.cpp
+++ b/src/runtime/governance_reports.cpp
@@ -3,6 +3,7 @@
 
 #include "naab/governance.h"
 #include "naab/telemetry_forwarder.h"
+#include "naab/error_sanitizer.h"
 #include "naab/crypto_utils.h"
 #include "naab/language_registry.h"
 #include "naab/interpreter.h"
@@ -245,7 +246,7 @@ void GovernanceEngine::emitRefusalAttestation(
     ev["result"] = "refused";
     ev["binding_status"] = "non-binding";
     ev["execution_prevented"] = true;
-    ev["file"] = current_check_file_;
+    ev["file"] = error::ErrorSanitizer::sanitizeFilePaths(current_check_file_);
     ev["line"] = current_check_line_;
     // Cap violation message to prevent telemetry bloat
     ev["violation_message"] = violation_message.size() > 500
@@ -883,7 +884,7 @@ void GovernanceEngine::writeTelemetry() const {
             ? (r.passed ? "Check passed: " + r.rule_name : "Check failed: " + r.rule_name)
             : r.message;
         ev["timestamp"] = timestamp;
-        ev["file"] = r.file;
+        ev["file"] = error::ErrorSanitizer::sanitizeFilePaths(r.file);
         ev["line"] = r.line;
         ev["category"] = r.category;
         ev["severity"] = r.severity;