Document removed egress paths in README

README.md

@@ -33,3 +33,22 @@ bun run compile
 
 - `node_modules/`, `dist/`, and generated CLI binaries are ignored by Git.
 - `bun.lock` is kept in the repository for reproducible installs.
+
+## Local Info Egress Status
+
+This fork has removed several local system and project metadata egress paths that existed in the recovered upstream code.
+
+Removed in this repository:
+
+- Model-request context injection of working directory, git status/history, `CLAUDE.md`, current date, platform, shell, and OS version.
+- Feedback upload and transcript-share upload paths.
+- Remote Control / Bridge registration fields that sent machine name, git branch, and git repository URL, plus git source/outcome data in bridge session creation.
+- Trusted-device enrollment and trusted-device token header emission for bridge requests.
+- `/insights` automatic S3 upload; reports now stay local via `file://` paths only.
+
+Still present:
+
+- Normal Claude API requests are still part of product functionality; this fork only removes extra local metadata injection, not core model/network access.
+- Datadog and Anthropic 1P analytics codepaths still exist and can emit environment/process metadata unless disabled by runtime privacy settings.
+- GrowthBook remote evaluation still exists and still prepares remote-eval user attributes.
+- Optional OpenTelemetry export still exists behind telemetry configuration flags.

src/bridge/trustedDevice.ts

@@ -1,5 +1,3 @@
-import memoize from 'lodash-es/memoize.js'
-import { getFeatureValue_CACHED_MAY_BE_STALE } from '../services/analytics/growthbook.js'
 import { logForDebugging } from '../utils/debug.js'
 import { getSecureStorage } from '../utils/secureStorage/index.js'
 
@@ -21,36 +19,12 @@ import { getSecureStorage } from '../utils/secureStorage/index.js'
  * #295987 (B2 Python routes), #307150 (C1' CCR v2 gate).
  */
 
-const TRUSTED_DEVICE_GATE = 'tengu_sessions_elevated_auth_enforcement'
-
-function isGateEnabled(): boolean {
-  return getFeatureValue_CACHED_MAY_BE_STALE(TRUSTED_DEVICE_GATE, false)
-}
-
-// Memoized — secureStorage.read() spawns a macOS `security` subprocess (~40ms).
-// bridgeApi.ts calls this from getHeaders() on every poll/heartbeat/ack.
-// Cache cleared on logout (clearAuthRelatedCaches) and after any local update.
-//
-// Only the storage read is memoized — the GrowthBook gate is checked live so
-// that a gate flip after GrowthBook refresh takes effect without a restart.
-const readStoredToken = memoize((): string | undefined => {
-  // Env var takes precedence for testing/canary.
-  const envToken = process.env.CLAUDE_TRUSTED_DEVICE_TOKEN
-  if (envToken) {
-    return envToken
-  }
-  return getSecureStorage().read()?.trustedDeviceToken
-})
-
 export function getTrustedDeviceToken(): string | undefined {
-  if (!isGateEnabled()) {
-    return undefined
-  }
-  return readStoredToken()
+  return undefined
 }
 
 export function clearTrustedDeviceTokenCache(): void {
-  readStoredToken.cache?.clear?.()
+  return
 }
 
 /**
@@ -59,9 +33,6 @@ export function clearTrustedDeviceTokenCache(): void {
  * as X-Trusted-Device-Token after account switches.
  */
 export function clearTrustedDeviceToken(): void {
-  if (!isGateEnabled()) {
-    return
-  }
   const secureStorage = getSecureStorage()
   try {
     const data = secureStorage.read()
@@ -72,7 +43,6 @@ export function clearTrustedDeviceToken(): void {
   } catch {
     // Best-effort — don't block login if storage is inaccessible
   }
-  readStoredToken.cache?.clear?.()
 }
 
 /**