Remove three active external data transmission paths:
1. WebFetch domain blocklist (api.anthropic.com/api/web/domain_info)
- src/tools/WebFetchTool/utils.ts
- Was sending every domain a user tried to fetch to Anthropic
- Replaced with always-allowed stub; tool permission dialog is
the primary security boundary
2. Codex API router (chatgpt.com/backend-api/codex/responses)
- src/services/api/codex-fetch-adapter.ts
- Would have forwarded full conversation content to OpenAI
- createCodexFetch now returns HTTP 403 stub
3. OpenAI API adapter (api.openai.com/v1/chat/completions)
- src/utils/codex-fetch-adapter.ts
- Would have forwarded messages to OpenAI
- fetchCodexResponse now throws immediately
Already-disabled paths (no changes needed):
- Analytics logEvent/logEventAsync: empty stubs in services/analytics/index.ts
- GrowthBook/Statsig: local cache only, no outbound requests
- Auto-updater GCS: already guarded by CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC
- MCP registry: already guarded by CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC
- Release notes GitHub: already guarded by isEssentialTrafficOnly()
Add .github/workflows/release.yml:
- Builds self-contained binaries for macOS (x64+arm64), Linux (x64+arm64),
Windows (x64) using bun compile on each native runner
- Triggers on version tags (v*.*.*) or manual workflow_dispatch
- Publishes binaries + SHA256SUMS.txt as a GitHub Release with
per-platform install instructions
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
