
[Security][Medium] Source maps always deployed to CDN, exposing original TypeScript source and embedded secrets #86

@numbers-official

Summary

The Rollup build configuration sets sourcemap: true unconditionally, so a .js.map file is generated for every build and deployed alongside the production bundle to the CDN. Because Rollup embeds the original sources in the map by default (the sourcesContent field), anyone who fetches the map gets the original TypeScript source, including all hardcoded constants, API endpoints, and the cryptographic material in interaction-tracker.ts.

Affected Files

  • rollup.config.js, line 13:

    output: {
      file: 'dist/capture-eye.bundled.js',
      format: 'esm',
      sourcemap: true,  // Always enabled, even for production
    },
  • scripts/deploy-release.sh and scripts/deploy-staging.sh: These deploy the entire dist/ directory to S3, which includes the .map files.

Impact

  • Original TypeScript source is fully readable by anyone who downloads the source map from the CDN
  • Internal API structure, endpoint URLs, and code organization are exposed
  • The AES-GCM encryption material in interaction-tracker.ts becomes trivially discoverable (it is already recoverable from the minified bundle, but the source map presents it with its original identifiers and file layout)
  • Potential attackers gain a clearer understanding of the codebase for vulnerability research

Suggested Approach

Option A (Recommended): Conditionally disable source maps for production builds:

output: {
  file: 'dist/capture-eye.bundled.js',
  format: 'esm',
  sourcemap: process.env.MODE !== 'prod',
},
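Fleshing out Option A as an added example (this is not the project's actual rollup.config.js): the sourcemap setting is derived from the deploy target with an allow-list, so an unset or misspelled MODE yields no map at all rather than a full one, which is the failure mode of a plain `process.env.MODE !== 'prod'` check. It also uses Rollup's `'hidden'` value, which writes the .map file but omits the `//# sourceMappingURL=` comment from the bundle, as the building block for Option C. The MODE values 'dev', 'staging' and 'prod' and the input path are assumptions, not taken from the repository.

```javascript
// Added example; not the project's rollup.config.js.
// Rollup's output.sourcemap accepts true | false | 'inline' | 'hidden'.
// 'hidden' writes the .map file but leaves the //# sourceMappingURL comment
// out of the bundle, so nothing served from the CDN points at the map.
// The MODE values below ('dev', 'staging', 'prod') are assumed names.

function sourcemapFor(mode) {
  switch (mode) {
    case 'dev':
      return true;      // full map next to the bundle for local debugging
    case 'staging':
      return 'hidden';  // map is written for private upload, never referenced
    default:
      return false;     // 'prod', unset or unknown MODE: no map at all
  }
}

const mode = process.env.MODE;   // undefined falls through to the fail-closed default

const config = {
  input: 'src/capture-eye.ts',   // assumed entry point, not from the page
  output: {
    file: 'dist/capture-eye.bundled.js',
    format: 'esm',
    sourcemap: sourcemapFor(mode),
  },
};

console.log(`MODE=${mode ?? '(unset)'} -> output.sourcemap: ${JSON.stringify(config.output.sourcemap)}`);
// In the real config file this would end with `export default config;`.
```

Note that `'hidden'` only removes the pointer from the bundle; the .map file still lands in dist/, so a deploy script that uploads all of dist/ will still publish it unless the upload excludes *.map.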

Option B: Strip .map files from the deploy scripts before uploading to S3:

find dist -name '*.map' -delete

Option C: Upload source maps to a private location for debugging, but exclude them from the public CDN deployment.
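Options B and C both depend on the deploy scripts never pushing a map to the public bucket. The following pre-deploy gate is an added example, not code from the project's deploy scripts: it scans the build output for two leaks, the .map files themselves and `sourceMappingURL` comments that point a browser (or anyone with curl) at a map, and refuses to continue if either is found. The file names and contents in sampleDist are constructed for the example; readDistDir is a hypothetical helper that would feed it a real dist/ directory.

```javascript
// Added example; not code from the project's deploy scripts.
// A source map leaks through the CDN in two ways: the .map file itself, and a
// sourceMappingURL comment in a bundle that tells the browser where the map is.
// The gate flags both so a stray map cannot ride along with dist/.

// Matches `//# sourceMappingURL=x.js.map`, `/*# sourceMappingURL=x.css.map */`
// and the legacy `//@` spelling, at the start of a line.
const SOURCEMAP_URL_RE = /^\s*\/[\/*]\s*[#@]\s*sourceMappingURL=(\S+)/m;

// files: [{ name, text }] for every file in the build output.
function findSourceMapLeaks(files) {
  const leaks = [];
  for (const { name, text } of files) {
    if (name.endsWith('.map')) {
      leaks.push({ file: name, reason: 'source map file present' });
    } else if (/\.(m?js|css)$/.test(name)) {
      const m = SOURCEMAP_URL_RE.exec(text);
      if (m) leaks.push({ file: name, reason: `references source map ${m[1]}` });
    }
  }
  return leaks;
}

// Throws instead of returning so a deploy script that calls it stops.
function assertNoSourceMaps(files) {
  const leaks = findSourceMapLeaks(files);
  if (leaks.length === 0) return;
  const detail = leaks.map((l) => `  ${l.file}: ${l.reason}`).join('\n');
  throw new Error(`refusing to deploy, source maps would reach the CDN:\n${detail}`);
}

// Hypothetical helper: read a real build directory into the {name, text} shape.
// require() is resolved inside the function so the pure checks above run
// without touching the filesystem; name is the path relative to dir.
function readDistDir(dir, prefix = '') {
  const fs = require('node:fs');
  const path = require('node:path');
  const out = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const rel = prefix ? `${prefix}/${entry.name}` : entry.name;
    const abs = path.join(dir, entry.name);
    if (entry.isDirectory()) out.push(...readDistDir(abs, rel));
    else out.push({ name: rel, text: fs.readFileSync(abs, 'utf8') });
  }
  return out;
}

// Constructed sample of a dist/ produced with sourcemap: true (not real build output).
const sampleDist = [
  { name: 'capture-eye.bundled.js',
    text: 'const k="...";\n//# sourceMappingURL=capture-eye.bundled.js.map\n' },
  { name: 'capture-eye.bundled.js.map',
    text: '{"version":3,"sources":["../src/interaction-tracker.ts"]}' },
  { name: 'index.html',
    text: '<script type="module" src="capture-eye.bundled.js"></script>\n' },
];

console.log(findSourceMapLeaks(sampleDist));
// Deploy usage: assertNoSourceMaps(readDistDir('dist'));
```

Running this from scripts/deploy-release.sh and scripts/deploy-staging.sh before the S3 upload (for example as `node scripts/check-sourcemaps.js`, an assumed file name) turns a forgotten `find dist -name '*.map' -delete` into a failed deploy rather than a leaked map. It complements, rather than replaces, turning maps off in the build: a `'hidden'` map still exists in dist/, and a bundle that was built elsewhere with a `sourceMappingURL` comment still advertises the map's location even after the .map file is deleted.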

Metadata

Labels: priority:medium (Medium priority); security (Security vulnerabilities and hardening)
