audit: SEC-09 DebugOverlay bundle exposure analysis#302

Merged
ericmt-98 merged 1 commit into ericmt-98:main from
mrteeednut007-dotcom:audit/SEC-09-debug-overlay-bundle
on Jul 2, 2026
Conversation

@mrteeednut007-dotcom

Contributor

SEC-09: DebugOverlay — Dead Code Bundle Exposure Analysis

Audits whether DebugOverlay.tsx (imported but never rendered in App.tsx) leaks sensitive stack
metadata into the production bundle.

Findings:

  • ✅ Tree-shaking confirmed — all 14 DebugOverlay-specific strings (Depuración Interna, Escrow
    Contract ID, Stellar SDK: v14.6, Vite: v6.2, etc.) are absent from the production bundle
  • ✅ No hidden trigger found — no keydown listener, gesture, query param, or Konami sequence
    calls setDebugOpen(true) anywhere in the frontend source
  • ✅ SDK versions not exposed via the overlay
  • ⚠️ Minor residual: prop names setDebugOpen, isMockStellar, isDemoMode are present in the
    bundle as part of AppContext (not the overlay) — low impact, no sensitive values

Severity: ⚪ Low / Informational — dead code, no active exposure. Fix suggestion: remove the
orphan import and setDebugOpen from AppContext.

close #216

- Compiled production build and searched all 14 DebugOverlay-specific
  strings in dist/assets — 0 found (tree-shaking confirmed)
- Verified no hidden trigger (keydown, gesture, query param) calls
  setDebugOpen(true) anywhere in the frontend source
- SDK versions (Stellar SDK: v14.6, Vite: v6.2) absent from bundle
- Residual: setDebugOpen/isMockStellar prop names present in AppContext
  object in bundle (low impact, no sensitive value)
- Severity: Low / Informational — dead code, no active exposure

Refs: docs/security-reports/SEC-09-debug-overlay-bundle.md
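The bundle check this PR describes (build for production, then search dist/assets for every DebugOverlay-specific string and confirm that only the AppContext prop names remain), as an added POSIX shell example that is not part of the PR, the linked report, or the project. It uses only the strings the PR names (the full list of 14 lives in the referenced report; extend OVERLAY_MARKERS from it), assumes a Vite-style dist/assets layout, and exercises itself against a constructed stand-in bundle so it runs offline; against a real build, call verify_bundle on the real dist directory after the production build.

```shell
#!/bin/sh
# Added example, not project code: verify that DebugOverlay strings were
# tree-shaken out of a production bundle, the way SEC-09 checked it.
set -eu

# Strings that should exist only if DebugOverlay survived tree-shaking
# (the four the PR names; the full list of 14 is in the SEC-09 report).
OVERLAY_MARKERS='Depuración Interna
Escrow Contract ID
Stellar SDK: v14.6
Vite: v6.2'

# Prop names the PR expects to remain because they belong to AppContext,
# not to the overlay (the "residual" finding).
RESIDUAL_MARKERS='setDebugOpen
isMockStellar
isDemoMode'

# count_markers DIR MARKERS: print to stdout how many of the newline-separated
# MARKERS occur in any file under DIR; a per-marker HIT/miss report goes to stderr.
count_markers() {
    dir=$1
    found=0
    while IFS= read -r m; do
        [ -n "$m" ] || continue
        # -r recurse, -q quiet, -F fixed string (markers contain ':' and '.')
        if grep -rqF -- "$m" "$dir"; then
            printf 'HIT  %s\n' "$m" >&2
            found=$((found + 1))
        else
            printf 'miss %s\n' "$m" >&2
        fi
    done <<EOF
$2
EOF
    echo "$found"
}

# verify_bundle DIR: exit 0 when no overlay marker is present, 1 otherwise.
# Residual prop names are reported but do not fail the check, matching the
# PR's "low impact" classification.
verify_bundle() {
    overlay=$(count_markers "$1" "$OVERLAY_MARKERS")
    residual=$(count_markers "$1" "$RESIDUAL_MARKERS")
    echo "overlay strings found: $overlay (expected 0)"
    echo "residual prop names:   $residual (AppContext, expected; see SEC-09 residual note)"
    [ "$overlay" -eq 0 ]
}

# make_sample_dist DIR: constructed stand-in for dist/assets that mirrors what
# the PR reports for the real build: AppContext prop names present, no overlay
# strings. Hashed filename is made up.
make_sample_dist() {
    mkdir -p "$1/assets"
    printf '%s\n' \
        'const C=createContext({isDemoMode:!1,isMockStellar:!1,setDebugOpen:()=>{}});' \
        > "$1/assets/index-abc123.js"
    printf '%s\n' '.app{display:flex}' > "$1/assets/index-abc123.css"
}

# Demo on the constructed sample; on a real checkout run: verify_bundle dist
SAMPLE=$(mktemp -d)
make_sample_dist "$SAMPLE"
verify_bundle "$SAMPLE"
rm -rf "$SAMPLE"
```

grep -F is used deliberately: the markers contain characters such as `:` and `.` that a regex search would reinterpret, and a fixed-string search over the minified output is exactly what the PR's "searched all 14 strings in dist/assets" amounts to. Keep the marker list in one place (or source it from the report) so a future overlay string cannot be forgotten when the component changes.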
@drips-wave

drips-wave Bot commented Jun 30, 2026


@mrteeednut007-dotcom Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

@ericmt-98 ericmt-98 merged commit 9efb7ea into ericmt-98:main Jul 2, 2026
Development

Successfully merging this pull request may close these issues.

[SEC-09] DebugOverlay is dead code included in the production bundle