Skip to content

feat(tooling): integrate daily anonymizer for usage metrics collection#32387

Draft
NicolasMassart wants to merge 11 commits into
mainfrom
feat/MCWP-644-daily-anonymizer
Draft

feat(tooling): integrate daily anonymizer for usage metrics collection#32387
NicolasMassart wants to merge 11 commits into
mainfrom
feat/MCWP-644-daily-anonymizer

Conversation

@NicolasMassart

@NicolasMassart NicolasMassart commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Warning

PREVIEW ONLY

Description

This PR integrates a daily anonymizer into the developer usage-metrics collection tooling.

The usage-tracking Yarn plugin now opportunistically triggers the anonymizer once per 24h window: the first non-CI yarn <script> run after the window opens spawns the anonymizer as a detached, non-blocking child process. The 24h gate is read from last_run_at in ~/.tool-usage-collection/anonymizer-state.json; the anonymizer re-checks and claims the window itself, so concurrent spawns are harmless. The trigger is best-effort and never throws into the Yarn hot path — failures are written to a local anonymizer.log.

The anonymizer itself is published as @metamask/tooling-insight and consumed here as a devDependency, pinned to a specific preview build. The trigger is disabled when CI is set or TOOL_USAGE_COLLECTION_OPT_IN=false, consistent with the rest of the collection tooling.

Also cleans up scripts/tooling/README.md (trims the inlined dev-tooling-explorer instructions in favor of linking its repo, documents the daily anonymizer) and removes the now-unused scripts/tooling/tsconfig.json.

Changelog

CHANGELOG entry: null

Related issues

Refs: MCWP-644

Manual testing steps

N/A — developer-only tooling, disabled in CI. Verified via unit tests in .yarn/plugins/plugin-usage-tracking.test.ts:

  1. Run yarn jest .yarn/plugins/plugin-usage-tracking.test.ts.
  2. Confirm the anonymizer is not spawned when last_run_at is within 24h.
  3. Confirm the plugin is disabled (no spawn) when CI is set.

Screenshots/Recordings

N/A — non-user-facing developer tooling change.

Before

After

Pre-merge author checklist

Performance checks (if applicable)

  • I've tested on Android
    • Ideally on a mid-range device; emulator is acceptable
  • I've tested with a power user scenario
    • Use these power-user SRPs to import wallets with many accounts and tokens
  • I've instrumented key operations with Sentry traces for production performance metrics

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

@github-actions

Copy link
Copy Markdown
Contributor

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@metamask-ci

metamask-ci Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

PR template — items to address before "Ready for review"

Warnings — informational, address before merging:

  • Pre-merge author checklist has unchecked items (e.g. "I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors."). Every box must be consciously checked — see docs/readme/ready-for-review.md.

See docs/readme/ready-for-review.md for the full Definition of Ready for Review.

@NicolasMassart NicolasMassart added team-mobile-platform Mobile Platform team DO-NOT-MERGE Pull requests that should not be merged labels Jul 2, 2026
@socket-security

socket-security Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addednpm/​@​metamask-previews/​tooling-insight@​1.0.1-preview-cbd7e547410010091100
Updatednpm/​@​metamask/​bitcoin-wallet-standard@​1.1.0 ⏵ 1.0.0761009995100

View full report

@socket-security

socket-security Bot commented Jul 15, 2026

Copy link
Copy Markdown

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block Medium
Network access: npm @metamask-previews/tooling-insight in module node:dns/promises

Module: node:dns/promises

Location: Package overview

From: package.jsonnpm/@metamask-previews/tooling-insight@1.0.1-preview-cbd7e54

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask-previews/tooling-insight@1.0.1-preview-cbd7e54. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @metamask-previews/tooling-insight in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: package.jsonnpm/@metamask-previews/tooling-insight@1.0.1-preview-cbd7e54

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask-previews/tooling-insight@1.0.1-preview-cbd7e54. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
System shell access: npm @metamask-previews/tooling-insight in module node:child_process

Module: node:child_process

Location: Package overview

From: package.jsonnpm/@metamask-previews/tooling-insight@1.0.1-preview-cbd7e54

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask-previews/tooling-insight@1.0.1-preview-cbd7e54. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @babel/helper-module-imports is 78.0% likely to have a medium risk anomaly

Notes: The analyzed code is a Babel AST helper (ImportBuilder) used to construct import statements and interop-wrapped imports. It contains no indicators of malicious behavior, data exfiltration, backdoors, or runtime abuses. It operates within a compiler/transpiler context to produce code, not to execute arbitrary user data. Therefore, the code itself does not present security risks or malware indicators under normal usage. This is benign library behavior intended for code transformation.

Confidence: 0.78

Severity: 0.55

From: ?npm/expo@55.0.26npm/@babel/helper-module-imports@7.27.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-imports@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @babel/helper-module-transforms is 80.0% likely to have a medium risk anomaly

Notes: The code is a legitimate, static-code transformation utility used in Babel to ensure proper behavior of ES module bindings after transforms. There is no evidence of malicious behavior, data leakage, or external communications within this fragment. It operates purely on AST-level transformations consistent with module import/export handling.

Confidence: 0.80

Severity: 0.50

From: ?npm/expo@55.0.26npm/@babel/helper-module-transforms@7.27.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-transforms@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @babel/helper-string-parser is 78.0% likely to have a medium risk anomaly

Notes: The analyzed code is a standard, well-structured parsing utility for JavaScript string literals and escapes (consistent with Babel’s helper-string-parser). It includes thorough validation, proper Unicode handling, and defensive error reporting. There is no evidence of malicious behavior, data leakage, or network activity within this fragment. The security risk is low when used as part of a trusted toolchain; the code otherwise poses no evident supply-chain threat based on the provided snippet.

Confidence: 0.78

Severity: 0.55

From: ?npm/@react-native/metro-config@0.83.0npm/@react-native/babel-preset@0.83.0npm/react-native@0.83.6npm/expo@55.0.26npm/depcheck@1.4.7npm/@babel/preset-env@7.26.9npm/@babel/core@7.27.1npm/babel-jest@29.7.0npm/metro-react-native-babel-preset@0.76.9npm/metro-react-native-babel-transformer@0.76.9npm/@babel/helper-string-parser@7.27.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-string-parser@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @babel/plugin-syntax-typescript is 72.0% likely to have a medium risk anomaly

Notes: The code is a standard Babel plugin fragment that configures syntax support for TypeScript by manipulating parser plugins. There is no malicious logic, no data exfiltration, and no unsafe operations. It appears to be a legitimate helper for enabling TypeScript syntax in Babel pipelines.

Confidence: 0.72

Severity: 0.50

From: ?npm/expo@55.0.26npm/@babel/plugin-syntax-typescript@7.25.9

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/plugin-syntax-typescript@7.25.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Smart E2E Test Selection

  • Selected E2E tags: None (no tests recommended)
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: low
  • AI Confidence: 97%
click to see 🤖 AI reasoning details

E2E Test Selection:
All changes in this PR are confined to developer tooling infrastructure with zero impact on app functionality or test infrastructure:

  1. package.json: Adds @metamask/tooling-insight as a devDependency only — this is a developer analytics tool, not a runtime dependency.

  2. .yarn/plugins/plugin-usage-tracking.cjs: Adds a maybeTriggerAnonymizer function that spawns a background process for developer tool usage analytics. Critically, this plugin explicitly skips execution in CI environments (if (process.env.CI) return;), so it has no effect on CI test runs whatsoever.

  3. .yarn/plugins/plugin-usage-tracking.test.ts: Unit tests for the new anonymizer trigger — not E2E tests, no impact on smoke test selection.

  4. scripts/tooling/README.md: Pure documentation update.

  5. scripts/tooling/tsconfig.json: TypeScript config for tooling scripts only.

  6. yarn.lock: Lockfile update reflecting the new devDependency.

None of these changes touch app source code, test page objects, flows, selectors, smoke specs, or any user-facing functionality. The yarn plugin is explicitly disabled in CI. No E2E tests need to run to validate these changes.

Performance Test Selection:
No app code, performance-sensitive paths, or user-facing flows were modified. All changes are in developer tooling infrastructure (yarn plugin, devDependency, documentation). The anonymizer plugin is explicitly disabled in CI environments, so it cannot affect app performance metrics.

View GitHub Actions results

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

DO-NOT-MERGE Pull requests that should not be merged size-M team-mobile-platform Mobile Platform team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant