clean up signature events + harden release workflow (#28)

* fix(security): prevent tag-name command injection in release workflow

The publish job runs with id-token:write (npm OIDC trusted publishing)
and contents:write, and interpolated the attacker-influenceable tag
name (github.ref_name and tag-derived step outputs) directly into run:
scripts. Git ref names permit shell metacharacters, so a tag like
v1.0.0$(...) could execute arbitrary commands with publish privileges.

- Move all tag-derived values to env: blocks, referenced as quoted
  shell variables instead of ${{ }} interpolation in run: bodies
- Add strict semver tag validation that fails the workflow before any
  untrusted value is used

Actions are already pinned to commit SHAs; npm pin intentionally
omitted (npm@latest retained by decision).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(security): stop exfiltrating raw wallet signatures (C1, CRITICAL)

Autocaptured signature events shipped the produced signature
(state.data) as `signatureHash` to events.formo.so — a replayable
permit/Permit2/SIWE bearer credential, on by default.

Scope: remove `signatureHash` only. The signed message (plaintext or
EIP-712 struct) is still captured as before; no behavior change there
and no new configuration option.

- Remove `signatureHash` end-to-end: SignatureAPIEvent, IFormoAnalytics
  /IFormoAnalyticsInstance signature(), FormoAnalytics.signature(),
  EventFactory.generateSignatureEvent (+ lib/event/types.ts), and the
  WagmiEventHandler mutation handler (no longer reads state.data).
- Add src/__tests__/signature.test.ts: asserts no signatureHash / no
  raw-signature value is emitted for signMessage or signTypedData.

deepsec revalidate: CRITICAL other-signature-exfiltration -> fixed.
typecheck/lint clean, 212/212 tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: drop internal C1 audit-id references from comments and tests

Comment/label-only cleanup, no behavior change. Gates green (212/212).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: yosriady

.github/workflows/release.yml

@@ -19,13 +19,16 @@ jobs:
           fetch-depth: 0  # Fetch all history for changelog generation
 
       - name: Verify tag is on main branch
+        env:
+          COMMIT_SHA: ${{ github.sha }}
+          REF_NAME: ${{ github.ref_name }}
         run: |
           # Check if the tag is reachable from main branch
           git fetch origin main
-          if ! git merge-base --is-ancestor ${{ github.sha }} origin/main; then
+          if ! git merge-base --is-ancestor "$COMMIT_SHA" origin/main; then
             echo "Error: This tag is not on the main branch"
             echo "Tags must be created on the main branch to trigger a release"
-            echo "Current tag: ${{ github.ref_name }}"
+            echo "Current tag: $REF_NAME"
             exit 1
           fi
           echo "Tag is on main branch, proceeding with release"
@@ -48,14 +51,24 @@ jobs:
 
       - name: Extract version from tag
         id: version
+        env:
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          VERSION=${GITHUB_REF#refs/tags/v}
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          # Git ref names can legitimately contain shell metacharacters, and
+          # this value flows into later steps. Reject anything that is not a
+          # clean semver release tag before using it anywhere.
+          if [[ ! "$REF_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
+            echo "Error: Tag '$REF_NAME' is not a valid release tag (expected vX.Y.Z)"
+            exit 1
+          fi
+          VERSION="${REF_NAME#v}"
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
           echo "Publishing version: $VERSION"
 
       - name: Verify tag matches package.json version
+        env:
+          TAG_VERSION: ${{ steps.version.outputs.version }}
         run: |
-          TAG_VERSION=${{ steps.version.outputs.version }}
           PKG_VERSION=$(node -p "require('./package.json').version")
 
           if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
@@ -74,10 +87,13 @@ jobs:
 
       - name: Generate release notes
         id: release_notes
+        env:
+          CURRENT_TAG: ${{ github.ref_name }}
+          VERSION: ${{ steps.version.outputs.version }}
+          REPO: ${{ github.repository }}
         run: |
           # Get the previous version tag (second most recent v* tag by version order)
           # This is more reliable than using git describe which follows commit ancestry
-          CURRENT_TAG=${{ github.ref_name }}
           PREV_TAG=$(git tag -l 'v*' --sort=-version:refname | grep -v "^${CURRENT_TAG}$" | head -1)
 
           if [ -z "$PREV_TAG" ]; then
@@ -88,7 +104,7 @@ jobs:
 
           # Get current date
           RELEASE_DATE=$(date +%Y-%m-%d)
-          VERSION=${{ steps.version.outputs.version }}
+          # VERSION is provided via the validated env var declared above
 
           # Generate changelog with PR links
           if [ -n "$PREV_TAG" ]; then
@@ -115,11 +131,11 @@ jobs:
               PR_NUM="${BASH_REMATCH[1]}"
               # Remove the (#PR_NUM) from message to avoid duplication (handles with or without space)
               CLEAN_MESSAGE=$(echo "$message" | sed -E 's/ ?\(#[0-9]+\)//')
-              PR_LINK="[#$PR_NUM](https://github.com/${{ github.repository }}/pull/$PR_NUM)"
-              COMMIT_LINK="[$hash](https://github.com/${{ github.repository }}/commit/$hash)"
+              PR_LINK="[#$PR_NUM](https://github.com/$REPO/pull/$PR_NUM)"
+              COMMIT_LINK="[$hash](https://github.com/$REPO/commit/$hash)"
               ITEM="$CLEAN_MESSAGE ($PR_LINK) ($COMMIT_LINK)"
             else
-              COMMIT_LINK="[$hash](https://github.com/${{ github.repository }}/commit/$hash)"
+              COMMIT_LINK="[$hash](https://github.com/$REPO/commit/$hash)"
               ITEM="$message ($COMMIT_LINK)"
             fi
 

src/FormoAnalytics.ts

@@ -401,13 +401,11 @@ export class FormoAnalytics implements IFormoAnalytics {
       chainId,
       address,
       message,
-      signatureHash,
     }: {
       status: SignatureStatus;
       chainId?: ChainID;
       address: Address;
       message: string;
-      signatureHash?: string;
     },
     properties?: IFormoEventProperties,
     context?: IFormoEventContext,
@@ -424,7 +422,6 @@ export class FormoAnalytics implements IFormoAnalytics {
         ...(chainId !== undefined && chainId !== null && { chainId }),
         address,
         message,
-        ...(signatureHash && { signatureHash }),
       },
       properties,
       context,

src/__tests__/FormoAnalytics.test.ts

@@ -314,11 +314,27 @@ describe('FormoAnalytics', () => {
         chainId: 1,
         address: '0x742d35cc6634c0532925a3b844bc9e7595f3f6d2',
         message: 'test message',
-        signatureHash: '0xabc123',
       });
 
       expect(mockEventManager.addEvent).toHaveBeenCalled();
     });
+
+    it('never forwards a signatureHash to the event pipeline', async () => {
+      await analytics.signature({
+        status: SignatureStatus.CONFIRMED,
+        chainId: 1,
+        address: '0x742d35cc6634c0532925a3b844bc9e7595f3f6d2',
+        message: 'test message',
+        // signatureHash was removed from the API; a caller forcing it in
+        // must never reach the emitted event.
+        signatureHash: '0x' + 'a'.repeat(130),
+      } as any);
+
+      expect(mockEventManager.addEvent).toHaveBeenCalled();
+      const emitted = mockEventManager.addEvent.mock.calls[0][0];
+      expect(emitted).not.toHaveProperty('signatureHash');
+      expect(JSON.stringify(emitted)).not.toContain('a'.repeat(130));
+    });
   });
 
   describe('transaction()', () => {

src/__tests__/signature.test.ts

@@ -0,0 +1,70 @@
+import { WagmiEventHandler } from "../lib/wagmi/WagmiEventHandler";
+
+// A realistic 65-byte ECDSA signature (the replayable credential we must not leak).
+const RAW_SIGNATURE = "0x" + "a".repeat(130);
+
+// Build a WagmiEventHandler with the formo boundary mocked. The wagmi/query
+// plumbing is external integration surface (unavoidable mock); the code under
+// test — handleSignatureMutation — is exercised for real.
+function makeHandler() {
+  const signature = jest.fn().mockResolvedValue(undefined);
+  const formo = {
+    connect: jest.fn(),
+    disconnect: jest.fn(),
+    chain: jest.fn(),
+    signature,
+    transaction: jest.fn(),
+    isAutocaptureEnabled: jest.fn(() => true),
+  };
+  const wagmiConfig = { subscribe: () => () => {} };
+  const handler = new WagmiEventHandler(formo as any, wagmiConfig as any);
+  // Connection state is established elsewhere; inject it directly so we can
+  // exercise the signature path in isolation.
+  (handler as any).trackingState = {
+    isProcessing: false,
+    lastChainId: 1,
+    lastAddress: "0x742d35cc6634c0532925a3b844bc9e7595f3f6d2",
+  };
+  const fire = (mutationType: "signMessage" | "signTypedData", state: any) =>
+    (handler as any).handleSignatureMutation(mutationType, { state });
+  return { signature, fire };
+}
+
+const flat = (obj: unknown) => JSON.stringify(obj);
+
+describe("signature autocapture must never emit the raw signature", () => {
+  it("signMessage: no signatureHash, no raw signature value", () => {
+    const { signature, fire } = makeHandler();
+
+    fire("signMessage", {
+      status: "success",
+      data: RAW_SIGNATURE,
+      variables: { message: "hello" },
+    });
+
+    expect(signature).toHaveBeenCalledTimes(1);
+    const arg = signature.mock.calls[0][0];
+    expect(arg).not.toHaveProperty("signatureHash");
+    expect(flat(arg)).not.toContain(RAW_SIGNATURE);
+  });
+
+  it("signTypedData: no signatureHash, no raw signature value", () => {
+    const { signature, fire } = makeHandler();
+    const permit = {
+      domain: { name: "USD Coin", chainId: 1 },
+      primaryType: "Permit",
+      types: { Permit: [{ name: "owner", type: "address" }] },
+      message: { owner: "0xVictim", spender: "0xRouter", value: "1", deadline: 9 },
+    };
+
+    fire("signTypedData", {
+      status: "success",
+      data: RAW_SIGNATURE,
+      variables: permit,
+    });
+
+    const arg = signature.mock.calls[0][0];
+    expect(arg).not.toHaveProperty("signatureHash");
+    expect(flat(arg)).not.toContain(RAW_SIGNATURE);
+  });
+});

src/lib/event/EventFactory.ts

@@ -499,7 +499,6 @@ class EventFactory implements IEventFactory {
     chainId: ChainID | undefined,
     address: Address,
     message: string,
-    signatureHash?: string,
     properties?: IFormoEventProperties,
     context?: IFormoEventContext
   ): Promise<IFormoEvent> {
@@ -508,7 +507,6 @@ class EventFactory implements IEventFactory {
         status,
         ...(chainId !== undefined && chainId !== null && { chainId }),
         message,
-        ...(signatureHash && { signatureHash }),
         ...properties,
       },
       address,
@@ -646,7 +644,6 @@ class EventFactory implements IEventFactory {
           event.chainId,
           event.address,
           event.message,
-          event.signatureHash,
           event.properties,
           event.context
         );

src/lib/event/types.ts

@@ -66,7 +66,6 @@ export interface IEventFactory {
     chainId: ChainID | undefined,
     address: Address,
     message: string,
-    signatureHash?: string,
     properties?: IFormoEventProperties,
     context?: IFormoEventContext
   ): Promise<IFormoEvent>;

src/lib/wagmi/WagmiEventHandler.ts

@@ -33,7 +33,6 @@ interface IFormoAnalyticsInstance {
     chainId: number;
     address: string;
     message: string;
-    signatureHash?: string;
   }): Promise<void>;
   transaction(params: {
     status: TransactionStatus;
@@ -362,13 +361,11 @@ export class WagmiEventHandler {
 
     try {
       let status: SignatureStatus;
-      let signatureHash: string | undefined;
 
       if (state.status === "pending") {
         status = SignatureStatus.REQUESTED;
       } else if (state.status === "success") {
         status = SignatureStatus.CONFIRMED;
-        signatureHash = state.data as string;
       } else if (state.status === "error") {
         status = SignatureStatus.REJECTED;
       } else {
@@ -394,7 +391,6 @@ export class WagmiEventHandler {
         chainId,
         address,
         message,
-        ...(signatureHash && { signatureHash }),
       }).catch((error) => {
         logger.error("WagmiEventHandler: Error tracking signature:", error);
       });

src/types/base.ts

@@ -56,7 +56,6 @@ export interface IFormoAnalytics {
       chainId?: ChainID;
       address: Address;
       message: string;
-      signatureHash?: string;
     },
     properties?: IFormoEventProperties,
     context?: IFormoEventContext,

src/types/events.ts

@@ -85,7 +85,6 @@ export interface SignatureAPIEvent {
   chainId?: ChainID;
   address: Address;
   message: string;
-  signatureHash?: string;
 }
 
 export interface ConnectAPIEvent {