Audit: ./src/telemetry
Scanned 8 files for bugs, security vulnerabilities, and performance issues.
Summary
The telemetry module is a collection of stub/factory functions for OpenTelemetry instrumentation. Several files contain misleading implementations — functions that promise to do work but return static or empty results. No security vulnerabilities found.
Findings
| File | Type | Severity | Summary |
|---|---|---|---|
| `flusher.js` | bug | medium | `flushPending()` doesn't actually flush data; it just clears the array. Misleading name and behavior. |
| `flusher.js` | bug | medium | Module-level mutable state with no concurrency safety. Race conditions possible in async contexts. |
| `llmInstrumenter.js` | bug | medium | Returns a static object with empty `spans: []`. Doesn't create actual spans. Stub implementation. |
| `provider.js` | bug | medium | No error handling on `sdk.start()` or `sdk.shutdown()`. If `start()` throws, `sdk` is assigned but the SDK is broken. |
| `provider.js` | code-smell | low | Duplicate functions: `isTelemetryReady()` and `isTelemetryEnabled()` do the same thing. |
| `metrics.js` | bug | low | `record()` functions return plain objects but don't actually record to any metrics backend. |
| `redaction.js` | performance | low | `redactAttributes` uses case-insensitive substring matching, which could be overly aggressive. |
Clean Files
`index.js` — Re-export file, no issues.
`sampler.js` — Simple, clean factory functions.
`skillInstrumenter.js` — Simple factory, no issues.
Audit Table
| File | Type | Severity | Summary |
|---|---|---|---|
| `loader.js` | security | high | Path traversal via unsanitized `sessionId` parameter |
| `saver.js` | security | high | Path traversal via unsanitized `threadId` parameter |
| `loader.js` | performance | medium | Synchronous file I/O (`readFileSync`) blocks the event loop |
| `loader.js` | bug | medium | Unhandled error in `loadFile()`; outside try/catch scope |
| `onboarding.js` | bug | medium | Null check gap in `#advanceOrSave()`; accesses `#attributes.length` without a guard |
| `shutdown.js` | bug | medium | No guard against duplicate shutdown handler registration |
| `loader.js` | performance | low | Inefficient directory listing: `readdirSync` + `statSync` loop |