getdoorman 1.0.0

package/src/share.js

@@ -0,0 +1,88 @@
+import { writeFileSync } from 'fs';
+import { join, basename, resolve } from 'path';
+
+/**
+ * Generate a shareable HTML score card for social media / team sharing.
+ * Returns the file path of the generated card.
+ */
+export function generateScoreCard(targetPath, result) {
+  const resolvedPath = resolve(targetPath);
+  const projectName = basename(resolvedPath);
+  const score = result.score ?? 0;
+  const findings = result.findings || [];
+  const stack = result.stack || {};
+
+  const critical = findings.filter(f => f.severity === 'critical').length;
+  const high = findings.filter(f => f.severity === 'high').length;
+  const medium = findings.filter(f => f.severity === 'medium').length;
+  const fixable = findings.filter(f => f.fix).length;
+
+  const stackLabel = [stack.framework || stack.language || 'Unknown', stack.orm, stack.database]
+    .filter(Boolean).join(' + ');
+
+  const scoreColor = score >= 70 ? '#10b981' : score >= 40 ? '#f59e0b' : '#ef4444';
+  const statusText = score >= 70 ? 'SAFE TO LAUNCH' : 'NOT SAFE TO LAUNCH';
+  const statusEmoji = score >= 70 ? '✅' : '⚠️';
+
+  const html = `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Doorman Score: ${score}/100 — ${projectName}</title>
+<meta property="og:title" content="Doorman Score: ${score}/100 ${statusEmoji}">
+<meta property="og:description" content="${projectName}: ${critical} critical, ${high} high, ${medium} medium issues. ${fixable} auto-fixable.">
+<meta name="twitter:card" content="summary">
+<style>
+  * { box-sizing: border-box; margin: 0; padding: 0; }
+  body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background: #0b0e14; color: #e2e8f0; display: flex; align-items: center; justify-content: center; min-height: 100vh; }
+  .card { background: #12161f; border: 1px solid #252b3b; border-radius: 16px; padding: 48px; max-width: 480px; width: 100%; text-align: center; }
+  .logo { font-size: 14px; font-weight: 700; color: #8892a8; letter-spacing: 2px; text-transform: uppercase; margin-bottom: 24px; }
+  .logo span { color: #10b981; }
+  .project { font-size: 18px; color: #8892a8; margin-bottom: 8px; }
+  .stack { font-size: 13px; color: #5a6478; margin-bottom: 32px; }
+  .score { font-size: 80px; font-weight: 800; color: ${scoreColor}; line-height: 1; letter-spacing: -3px; }
+  .score span { font-size: 28px; color: #5a6478; font-weight: 400; }
+  .status { font-size: 14px; font-weight: 700; color: ${scoreColor}; margin-top: 8px; letter-spacing: 1px; }
+  .issues { display: flex; justify-content: center; gap: 24px; margin-top: 32px; padding-top: 24px; border-top: 1px solid #252b3b; }
+  .issue { text-align: center; }
+  .issue-num { font-size: 24px; font-weight: 800; }
+  .issue-label { font-size: 11px; color: #5a6478; text-transform: uppercase; letter-spacing: 1px; margin-top: 4px; }
+  .critical { color: #ff2d55; }
+  .high { color: #ff6b35; }
+  .medium { color: #ffb800; }
+  .fixable { color: #10b981; }
+  .cta { margin-top: 32px; padding-top: 24px; border-top: 1px solid #252b3b; }
+  .cta code { background: #1a1f2e; padding: 8px 16px; border-radius: 8px; font-family: 'SF Mono', monospace; font-size: 14px; color: #10b981; }
+  .cta p { font-size: 12px; color: #5a6478; margin-top: 12px; }
+</style>
+</head>
+<body>
+<div class="card">
+  <div class="logo">Safe<span>Launch</span> Score</div>
+  <div class="project">${escapeHtml(projectName)}</div>
+  <div class="stack">${escapeHtml(stackLabel)}</div>
+  <div class="score">${score}<span>/100</span></div>
+  <div class="status">${statusText}</div>
+  <div class="issues">
+    <div class="issue"><div class="issue-num critical">${critical}</div><div class="issue-label">Critical</div></div>
+    <div class="issue"><div class="issue-num high">${high}</div><div class="issue-label">High</div></div>
+    <div class="issue"><div class="issue-num medium">${medium}</div><div class="issue-label">Medium</div></div>
+    <div class="issue"><div class="issue-num fixable">${fixable}</div><div class="issue-label">Fixable</div></div>
+  </div>
+  <div class="cta">
+    <code>npx getdoorman check</code>
+    <p>What's your score? Try it free.</p>
+  </div>
+</div>
+</body>
+</html>`;
+
+  const outPath = join(resolvedPath, 'doorman-score.html');
+  writeFileSync(outPath, html);
+  return outPath;
+}
+
+function escapeHtml(str) {
+  return String(str).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+}

package/src/taint.js

@@ -0,0 +1,300 @@
+/**
+ * Single-file taint analysis engine.
+ *
+ * Tracks user-controlled data (req.body, req.query, etc.) through variable
+ * assignments within a single file and flags when tainted data reaches a
+ * dangerous sink (exec, SQL query, eval, res.send, readFile, redirect).
+ *
+ * Only reports INDIRECT flows — at least one variable hop between source and
+ * sink. Direct cases (e.g. exec(req.query.x)) are already caught by the
+ * pattern-matching rules.
+ *
+ * Level 1: single-file only. Cross-file propagation is Level 2.
+ */
+
+// ─── TAINT SOURCES ────────────────────────────────────────────────────────────
+// Expressions that introduce user-controlled data.
+const SOURCE_PATTERNS = [
+  /\breq\.(body|query|params|headers|cookies)\b/,
+  /\brequest\.(body|query|params|headers|cookies)\b/,
+  /\bctx\.(request\.body|query|params|headers|cookies)\b/,
+  /\bevent\.(body|queryStringParameters|pathParameters|multiValueQueryStringParameters)\b/,
+  /\bc\.req\.(body|query|param|header)\b/,    // Hono
+  /\bprocess\.argv\b/,
+  /\bURL\.searchParams\b|\.searchParams\.get\s*\(/,
+  /\bnew\s+URL\s*\(\s*req\b/,                 // new URL(req.url)
+];
+
+// ─── SINKS ────────────────────────────────────────────────────────────────────
+const SINKS = [
+  {
+    id: 'TAINT-CMD-001',
+    severity: 'critical',
+    title: 'Indirect command injection — tainted variable reaches exec()',
+    pattern: /\bexec(?:Sync|File|FileSync)?\s*\(|\bspawn(?:Sync)?\s*\(/,
+    category: 'Command Injection',
+    fix: 'Validate and sanitize the value, or avoid including user input in shell commands entirely.',
+  },
+  {
+    id: 'TAINT-SQL-001',
+    severity: 'critical',
+    title: 'Indirect SQL injection — tainted variable reaches database query',
+    pattern: /\.(?:query|raw|execute|run|prepare)\s*\(|db\.\w+\s*\(/,
+    category: 'SQL Injection',
+    fix: 'Use parameterized queries. Pass the tainted value as a bound parameter, never concatenated into the query string.',
+  },
+  {
+    id: 'TAINT-EVAL-001',
+    severity: 'critical',
+    title: 'Indirect code injection — tainted variable reaches eval() or new Function()',
+    pattern: /\beval\s*\(|\bnew\s+Function\s*\(/,
+    category: 'Code Injection',
+    fix: 'Never evaluate user-controlled strings as code. Redesign to avoid eval entirely.',
+  },
+  {
+    id: 'TAINT-XSS-001',
+    severity: 'high',
+    title: 'Indirect XSS — tainted variable reaches HTTP response',
+    pattern: /\bres\.(send|write|end|render)\s*\(|\bresponse\.(send|write|end)\s*\(/,
+    category: 'Cross-Site Scripting',
+    fix: 'Escape the value with a library like DOMPurify or he before including it in the response.',
+  },
+  {
+    id: 'TAINT-PATH-001',
+    severity: 'high',
+    title: 'Indirect path traversal — tainted variable reaches filesystem operation',
+    pattern: /\breadFile(?:Sync)?\s*\(|\bwriteFile(?:Sync)?\s*\(|\bcreate(?:Read|Write)Stream\s*\(|\bunlink(?:Sync)?\s*\(|\bstat(?:Sync)?\s*\(|\breaddir(?:Sync)?\s*\(|\bexists(?:Sync)?\s*\(|\bappendFile(?:Sync)?\s*\(/,
+    category: 'Path Traversal',
+    fix: 'Use path.basename() to strip directory components, or validate against an allowlist of permitted paths.',
+  },
+  {
+    id: 'TAINT-REDIR-001',
+    severity: 'high',
+    title: 'Indirect open redirect — tainted variable reaches redirect()',
+    pattern: /\bres\.redirect\s*\(|\bredirect\s*\(/,
+    category: 'Open Redirect',
+    fix: 'Validate the URL against an allowlist of permitted destinations before redirecting.',
+  },
+  {
+    id: 'TAINT-REQUIRE-001',
+    severity: 'critical',
+    title: 'Indirect RCE — tainted variable reaches dynamic require() or import()',
+    pattern: /\brequire\s*\(|\bimport\s*\(/,
+    category: 'Remote Code Execution',
+    fix: 'Never load modules from user-controlled paths. Validate against an allowlist of permitted module names.',
+  },
+];
+
+// ─── ASSIGNMENT PATTERNS ──────────────────────────────────────────────────────
+// Matches: const/let/var name = expr
+const VAR_DECL    = /^(?:const|let|var)\s+(\w+)\s*=(?!=)\s*(.+)/;
+// Matches: const { a, b: alias, c = default } = expr
+const OBJ_DESTRUCT = /^(?:const|let|var)\s+\{\s*([^}]+)\}\s*=(?!=)\s*(.+)/;
+// Matches: const [a, b] = expr
+const ARR_DESTRUCT = /^(?:const|let|var)\s+\[\s*([^\]]+)\]\s*=(?!=)\s*(.+)/;
+// Matches: name = expr  (reassignment, not ==, !=, <=, >=, ===, !==)
+const REASSIGN     = /^(\w+)\s*=(?![=>])\s*(.+)/;
+// Matches: name += / name -= / name += expr (compound assignment also propagates)
+const COMPOUND     = /^(\w+)\s*[+\-*/%]=\s*(.+)/;
+
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+/** Returns true if the expression contains a known taint source. */
+function isSourceExpr(expr) {
+  return SOURCE_PATTERNS.some(p => p.test(expr));
+}
+
+/**
+ * Build a regex that matches a variable name as a standalone identifier —
+ * NOT preceded by a dot (property access like req.query won't match "query").
+ */
+function varRegex(name) {
+  return new RegExp(`(?<!\\.\\s*)\\b${escapeRegex(name)}\\b`);
+}
+
+/** Returns true if any tainted variable appears as a standalone identifier. */
+function exprIsTainted(expr, taintedVars) {
+  for (const v of taintedVars) {
+    if (varRegex(v).test(expr)) return true;
+  }
+  return false;
+}
+
+/**
+ * Parse names out of a destructuring pattern string.
+ * "a, b: aliasB, c = 'default'" → ['a', 'aliasB', 'c']
+ */
+function parseDestructuredNames(str) {
+  return str
+    .split(',')
+    .map(part => {
+      const t = part.trim().split(/\s*[=:]\s*/)[0].trim(); // take key, ignore alias/default
+      // For "key: alias" patterns the alias is the actual binding
+      const colonIdx = part.indexOf(':');
+      if (colonIdx !== -1) {
+        return part.slice(colonIdx + 1).trim().split(/[\s,=]/)[0];
+      }
+      return t;
+    })
+    .filter(n => n && /^\w+$/.test(n));
+}
+
+/**
+ * Analyse a single file for indirect taint flows.
+ *
+ * @param {string} content   File content
+ * @param {string} filepath  File path (used in findings)
+ * @returns {Array}          Array of finding objects
+ */
+export function analyzeTaint(content, filepath) {
+  const findings = [];
+  const lines = content.split('\n');
+
+  // varName → line number where it was first tainted
+  const tainted = new Map();
+  // Deduplicate: (lineNum, ruleId) pairs already reported
+  const reported = new Set();
+
+  // Track brace depth to detect function boundaries and reset taint per-function.
+  // When braceDepth returns to the depth at which the last function started,
+  // we flush taint so variables don't leak across handler closures.
+  let braceDepth = 0;
+  // Stack of { depth, taintSnapshot } so nested functions get their own scope.
+  const scopeStack = [];
+
+  for (let i = 0; i < lines.length; i++) {
+    const raw   = lines[i];
+    const line  = raw.trim();
+    const lineN = i + 1;
+
+    // Skip blank lines and comments
+    if (!line) continue;
+    if (line.startsWith('//') || line.startsWith('*') || line.startsWith('/*')) continue;
+
+    // ── SCOPE TRACKING ───────────────────────────────────────────────────────
+    // Count net brace change to detect function entry/exit.
+    // Strip string literals and comments before counting braces to avoid false counts
+    const strippedLine = line.replace(/(['"`])(?:(?!\1|\\).|\\.)*\1/g, '').replace(/\/\/.*$/, '');
+    const opens  = (strippedLine.match(/\{/g) || []).length;
+    const closes = (strippedLine.match(/\}/g) || []).length;
+
+    // If this line starts a new function/arrow, push a scope boundary.
+    const isFnEntry = /(?:function\s*\w*\s*\(|\=>\s*\{|\bfunction\s*\()/.test(line) && opens > closes;
+    if (isFnEntry) {
+      scopeStack.push({ depth: braceDepth + opens - closes, savedTaint: new Map(tainted) });
+      // Reset taint for the new function scope
+      tainted.clear();
+    }
+
+    braceDepth += opens - closes;
+
+    // Pop scope when we return to the depth where the function started.
+    if (scopeStack.length > 0 && braceDepth <= scopeStack[scopeStack.length - 1].depth - 1) {
+      const { savedTaint } = scopeStack.pop();
+      tainted.clear();
+      for (const [k, v] of savedTaint) tainted.set(k, v);
+    }
+
+    // ── TAINT PROPAGATION ────────────────────────────────────────────────────
+    let m;
+
+    // Object destructuring
+    if ((m = OBJ_DESTRUCT.exec(line))) {
+      const [, names, expr] = m;
+      if (isSourceExpr(expr) || exprIsTainted(expr, tainted.keys())) {
+        for (const name of parseDestructuredNames(names)) {
+          if (!tainted.has(name)) tainted.set(name, lineN);
+        }
+      }
+    }
+    // Array destructuring
+    else if ((m = ARR_DESTRUCT.exec(line))) {
+      const [, names, expr] = m;
+      if (isSourceExpr(expr) || exprIsTainted(expr, tainted.keys())) {
+        for (const name of names.split(',').map(s => s.trim()).filter(s => s && s !== '_' && /^\w+$/.test(s))) {
+          if (!tainted.has(name)) tainted.set(name, lineN);
+        }
+      }
+    }
+    // Simple variable declaration
+    else if ((m = VAR_DECL.exec(line))) {
+      const [, name, expr] = m;
+      if (isSourceExpr(expr) || exprIsTainted(expr, tainted.keys())) {
+        tainted.set(name, lineN);
+      }
+    }
+    // Reassignment (may re-taint or further propagate)
+    else if ((m = REASSIGN.exec(line))) {
+      const [, name, expr] = m;
+      if (isSourceExpr(expr) || exprIsTainted(expr, tainted.keys())) {
+        tainted.set(name, lineN);
+      }
+    }
+    // Compound assignment (+=, etc.) — propagates if either side is tainted
+    else if ((m = COMPOUND.exec(line))) {
+      const [, name, expr] = m;
+      if (tainted.has(name) || isSourceExpr(expr) || exprIsTainted(expr, tainted.keys())) {
+        tainted.set(name, lineN); // update taint line to compound op
+      }
+    }
+
+    // ── SINK DETECTION ───────────────────────────────────────────────────────
+    if (tainted.size === 0) continue;
+
+    for (const sink of SINKS) {
+      if (!sink.pattern.test(line)) continue;
+
+      // Only fire if a tainted variable appears as a standalone identifier
+      for (const [varName, taintedAtLine] of tainted) {
+        // Skip if tainted on the same line — direct case, existing rules cover it
+        if (taintedAtLine === lineN) continue;
+
+        if (!varRegex(varName).test(line)) continue;
+
+        const key = `${lineN}:${sink.id}:${varName}`;
+        if (reported.has(key)) continue;
+        reported.add(key);
+
+        const taintLine = lines[taintedAtLine - 1]?.trim() ?? '';
+        findings.push({
+          ruleId: sink.id,
+          category: 'security',
+          severity: sink.severity,
+          confidence: 'likely',
+          title: sink.title,
+          description:
+            `Variable "${varName}" receives user-controlled input at line ${taintedAtLine} ` +
+            `and flows into ${sink.category} sink at line ${lineN} without sanitization. ` +
+            `Taint chain: \`${taintLine}\` → \`${line.slice(0, 120)}\`. ${sink.fix}`,
+          file: filepath,
+          line: lineN,
+          fix: null,
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * Run taint analysis across all JS/TS files in the file map.
+ * Called from the taint rule's check() function.
+ */
+export function runTaintAnalysis(files) {
+  const JS_TS = /\.(js|jsx|ts|tsx|mjs|cjs)$/;
+  const findings = [];
+  for (const [fp, content] of files) {
+    if (!JS_TS.test(fp)) continue;
+    // Skip test files — they intentionally pass tainted data around
+    if (/[./](?:test|spec)[./]|__tests__|\.test\.|\.spec\./.test(fp)) continue;
+    try {
+      findings.push(...analyzeTaint(content, fp));
+    } catch {
+      // Never let a parse error crash the scan
+    }
+  }
+  return findings;
+}

package/src/telemetry.js

@@ -0,0 +1,183 @@
+// ---------------------------------------------------------------------------
+// Telemetry Module — Privacy Guarantees
+// ---------------------------------------------------------------------------
+//
+// 1. OPT-IN ONLY: Telemetry is DISABLED by default. It is never sent unless
+//    the user explicitly enables it via one of these mechanisms:
+//      - `doorman init --telemetry`
+//      - Setting `"telemetry": true` in `.doormanrc.json`
+//      - Setting the environment variable `DOORMAN_TELEMETRY=1`
+//
+// 2. NO PII COLLECTED: We never collect personally identifiable information.
+//    No usernames, emails, IP addresses, hostnames, file paths, file contents,
+//    code snippets, repository names, or Git URLs are transmitted. Project
+//    identity is a one-way SHA-256 hash (first 16 hex chars) that cannot be
+//    reversed to reveal the original URL or path.
+//
+// 3. AGGREGATE DATA ONLY: The payload contains only aggregate counts (score,
+//    finding counts by severity/category, rule IDs, file count) and generic
+//    stack metadata (language, framework, runtime, boolean feature flags).
+//
+// 4. DISABLE AT ANY TIME: Set `DOORMAN_TELEMETRY=0` or remove the
+//    `"telemetry": true` entry from `.doormanrc.json`. Locally cached
+//    telemetry data is stored in `.doorman/telemetry.json` and can be
+//    deleted freely.
+//
+// 5. NEVER BLOCKS: Telemetry runs fire-and-forget with a 3-second timeout.
+//    Failures are silently ignored and never affect scan results.
+//
+// ---------------------------------------------------------------------------
+
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs';
+import { join } from 'path';
+import { createHash } from 'crypto';
+import { execSync } from 'child_process';
+
+const TELEMETRY_ENDPOINT = 'https://api.doorman.dev/telemetry';
+const CONFIG_DIR = '.doorman';
+const TELEMETRY_FILE = 'telemetry.json';
+
+/**
+ * Check if telemetry is enabled.
+ *
+ * IMPORTANT: This is opt-in only. Returns false by default.
+ *
+ * Enable via:
+ *   - Environment variable: DOORMAN_TELEMETRY=1
+ *   - Config file: { "telemetry": true } in .doormanrc.json
+ *
+ * Disable via:
+ *   - Environment variable: DOORMAN_TELEMETRY=0 (overrides config file)
+ *   - Config file: { "telemetry": false } or omit the key
+ */
+export function isTelemetryEnabled(targetPath) {
+  if (process.env.DOORMAN_TELEMETRY === '0') return false;
+  if (process.env.DOORMAN_TELEMETRY === '1') return true;
+
+  try {
+    const rcPath = join(targetPath, '.doormanrc.json');
+    if (existsSync(rcPath)) {
+      const rc = JSON.parse(readFileSync(rcPath, 'utf-8'));
+      if (rc.telemetry === true) return true;
+      if (rc.telemetry === false) return false;
+    }
+  } catch {}
+
+  return false; // Opt-in by default
+}
+
+/**
+ * Generate an anonymous project ID (hash of git remote URL or cwd).
+ * This allows deduplication without identifying the project.
+ */
+export function getAnonymousId(targetPath) {
+  try {
+    const remote = execSync('git remote get-url origin', {
+      cwd: targetPath,
+      stdio: 'pipe',
+    }).toString().trim();
+    return createHash('sha256').update(remote).digest('hex').slice(0, 16);
+  } catch {
+    return createHash('sha256').update(targetPath).digest('hex').slice(0, 16);
+  }
+}
+
+/**
+ * Build the telemetry payload from scan results.
+ * IMPORTANT: No code, no file paths, no secrets. Only aggregate numbers.
+ */
+export function buildPayload(scanResult, stack) {
+  return {
+    version: '1.0.0',
+    timestamp: new Date().toISOString(),
+    // What stack (generic, not specific project)
+    stack: {
+      language: stack.language || 'unknown',
+      framework: stack.framework || 'unknown',
+      runtime: stack.runtime || 'unknown',
+      hasTypescript: !!stack.hasTypescript,
+      hasDocker: !!stack.hasDocker,
+      hasCI: !!stack.hasCI,
+      hasTests: !!stack.hasTests,
+    },
+    // Aggregate findings (no file paths or code)
+    scan: {
+      score: scanResult.score,
+      totalFindings: scanResult.findings.length,
+      bySeverity: {
+        critical: scanResult.findings.filter(f => f.severity === 'critical').length,
+        high: scanResult.findings.filter(f => f.severity === 'high').length,
+        medium: scanResult.findings.filter(f => f.severity === 'medium').length,
+        low: scanResult.findings.filter(f => f.severity === 'low').length,
+      },
+      byCategory: {},
+      topRuleIds: [], // Most common rule IDs (just IDs, no context)
+      fixableCount: scanResult.findings.filter(f => f.fix).length,
+      fileCount: scanResult.fileCount || 0,
+    },
+  };
+}
+
+/**
+ * Enrich payload with category and rule breakdowns.
+ */
+function enrichPayload(payload, findings) {
+  const catCounts = {};
+  const ruleCounts = {};
+  for (const f of findings) {
+    catCounts[f.category] = (catCounts[f.category] || 0) + 1;
+    ruleCounts[f.ruleId] = (ruleCounts[f.ruleId] || 0) + 1;
+  }
+  payload.scan.byCategory = catCounts;
+  payload.scan.topRuleIds = Object.entries(ruleCounts)
+    .sort((a, b) => b[1] - a[1])
+    .slice(0, 10)
+    .map(([id, count]) => ({ id, count }));
+  return payload;
+}
+
+/**
+ * Send telemetry data. Non-blocking, fire-and-forget.
+ * Never throws, never blocks the user.
+ */
+export async function sendTelemetry(targetPath, scanResult, stack) {
+  if (!isTelemetryEnabled(targetPath)) return;
+
+  try {
+    const payload = buildPayload(scanResult, stack);
+    enrichPayload(payload, scanResult.findings);
+
+    // Store locally for batch sending later
+    const dir = join(targetPath, CONFIG_DIR);
+    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+
+    const telPath = join(dir, TELEMETRY_FILE);
+    let existing = [];
+    try {
+      if (existsSync(telPath)) {
+        existing = JSON.parse(readFileSync(telPath, 'utf-8'));
+      }
+    } catch {}
+
+    existing.push(payload);
+    // Keep last 50 entries
+    if (existing.length > 50) existing = existing.slice(-50);
+    writeFileSync(telPath, JSON.stringify(existing, null, 2));
+
+    // Try to send (non-blocking, fails silently)
+    try {
+      const controller = new AbortController();
+      setTimeout(() => controller.abort(), 3000); // 3s timeout
+      await fetch(TELEMETRY_ENDPOINT, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(payload),
+        signal: controller.signal,
+      });
+    } catch {
+      // Network unavailable — data stored locally for later
+    }
+  } catch {
+    // Telemetry should never break the tool
+  }
+}