Drop JS obfuscation — Phase 1 (behavioral); resolves #188, #191 Phase 1#95
Merged
Merged
Conversation
…e 1) Stop producing/serving obfuscated JS without any schema change. Obfuscated columns are left inert and dropped later (Phase 2, expand/contract). - Publish always serves plain source: KytePageController::buildJavaScript() (page JS, kyte_connect block, header/footer) and KyteScriptController::handleScriptPublication() ignore the obfuscate_js / obfuscate_kyte_connect flags. Lossless — plain source was always stored. - Fix #188 version-bloat: remove javascript_obfuscated / content_js_obfuscated from the content-field sets and obfuscate_js from the metadata sets in detectChanges/addChangedFieldsToVersion (KytePage) and detectScriptChanges/addChangedFieldsToScriptVersion (KyteScript). A publish of unchanged source no longer spawns a content-identical version. - Application.obfuscate_kyte_connect now defaults to 0 for new apps. No migration. Storage hooks still accept the *_obfuscated columns, so the change is forward/backward compatible with any Shipyard version during rollout. PHPStan clean; full phpunit runs in CI (MariaDB). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Drop JS obfuscation — Phase 1 (behavioral, no schema change)
Resolves #188 (version-bloat) and is Phase 1 of #191 (drop JS obfuscation). Pairs with kyte-shipyard 2.1.0.
Why
JS obfuscation has been forced on every install since v1: no real security (client JS is readable in the browser), storage bloat (the obfuscated copy duplicates the source), and operational breakage (WAFs/firewalls have blocked legitimate obfuscated JS). It also drives #188: non-deterministic re-obfuscation made
detectChangessee a change on every publish → a content-identicalKytePageVersioneach time.What (behavioral only — no migration)
KytePageController::buildJavaScript()(page JS, thekyte_connectblock, header/footer) andKyteScriptController::handleScriptPublication()ignore theobfuscate_js/obfuscate_kyte_connectflags. Lossless — the plain source was always stored alongside the obfuscated copy.obfuscate_jsremoved from the metadata-field sets andjavascript_obfuscated/content_js_obfuscatedfrom the content-field sets indetectChanges/addChangedFieldsToVersion(KytePage) anddetectScriptChanges/addChangedFieldsToScriptVersion(KyteScript). (generateContentHashalready excluded them.)Application.obfuscate_kyte_connectnow defaults to0for new apps.The obfuscated columns are left in place (inert). They get dropped in a follow-up (Phase 2, expand/contract) once this is confirmed stable — so a code rollback never strands a dropped column on a live DB.
Compatibility
Forward/backward compatible during rollout: the storage hooks still accept the
*_obfuscatedcolumns, so an older Shipyard that sends an obfuscated blob keeps working (kyte-php ignores it at publish), and a newer Shipyard that sends empty*_obfuscated+obfuscate_js=0also works.Verification
php -lclean.buildJavaScriptvia a reflection harness with both obfuscate flags set to1→ output contains the plain JS + plainkyte_connectand excludes the obfuscated variants. MCP read path (list_applications→read_page) confirmed healthy on the patched code.🤖 Generated with Claude Code