# continue-privacy-mining

Read-only mining codemod for Continue. It detects the five critical privacy/security anti-patterns identified for Continue and emits one `continue_privacy_risk_finding` metric row per match. Source files are never modified.

## Critical rules detected
| Rule ID | Anti-pattern | What it finds |
|---|---|---|
| RAG-001 | scope_filter_gap | FTS directory param defined but unused in SQL builder |
| RAG-002 | scope_filter_gap | lance_db_cache hydrated by UUID without artifact_id |
| RAG-003 | scope_filter_gap | code_snippets fetched by ID without tag join |
| TOOL-002 | autonomous_tool_execution | Edit tools hardcoded to allowedWithoutPermission |
| TOOL-020 | autonomous_tool_execution | retrieveWithTools() calls callBuiltInTool() without policy gate |
## Metric

Name: `continue_privacy_risk_finding`

Each row includes:

| Label | Tier | Example |
|---|---|---|
| anti_pattern | L1 | scope_filter_gap |
| severity | L1 | critical |
| autonomous | L1 | true |
| rule_id | L2 | TOOL-002 |
| category | L2 | policy-bypass |
| risk_tier | L2 | autonomous-write |
| execution_surface | L2 | gui-agent |
| file | L3 | core/indexing/LanceDbIndex.ts |
| line | L3 | 478 |
| symbol | L3 | retrieve |
| tool_name | L3 | none |
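To show how a rule maps onto the metric row schema above, here is an added Python heuristic for RAG-001 (a directory-style parameter that never reaches the SQL the method builds); it is not the project's JSSG script and runs over a constructed TypeScript sample rather than Continue's real source. The `category`, `risk_tier` and `execution_surface` values and the `autonomous=False` label are assumptions, since the page only shows those labels for tool rules.

```python
import re

# Constructed sample input, not Continue's real source: `retrieve` takes a
# `directory` scope parameter that never reaches the SQL it builds (the
# RAG-001 shape); `retrieveScoped` applies it and must not be flagged.
SAMPLE_TS = """
export class FullTextSearchCodebaseIndex {
  async retrieve(text: string, n: number, directory: string | undefined) {
    const query = `SELECT path, content FROM fts WHERE fts MATCH '${text}' LIMIT ${n}`;
    return this.db.all(query);
  }
  async retrieveScoped(text: string, n: number, directory: string | undefined) {
    const query = `SELECT path FROM fts WHERE fts MATCH '${text}' AND path LIKE '${directory}%'`;
    return this.db.all(query);
  }
}
"""

METHOD = re.compile(r"(?:async\s+)?(\w+)\s*\(([^)]*)\)\s*(?::\s*[^{]+)?\{")
LITERAL = re.compile(r"`[^`]*`|'[^']*'|\"[^\"]*\"")       # template/string literals
SCOPE_PARAM = re.compile(r"^(directory|dir|folder)", re.IGNORECASE)
CONTROL = {"if", "for", "while", "switch", "catch"}        # `if (...) {` is not a method

def _body(src: str, start: int) -> str:
    """Return the brace-balanced block starting at src[start] == '{'."""
    depth = 0
    for i in range(start, len(src)):
        depth += (src[i] == "{") - (src[i] == "}")
        if depth == 0:
            return src[start:i + 1]
    return src[start:]

def find_rag001(src: str, path: str) -> list[dict]:
    """Emit one continue_privacy_risk_finding row per method that declares a
    directory-style parameter but builds SQL without ever referencing it."""
    rows = []
    for m in METHOD.finditer(src):
        name, params = m.group(1), m.group(2)
        if name in CONTROL:
            continue
        names = re.findall(r"(?:^|,)\s*(\w+)", params)      # first identifier per param
        scope = [p for p in names if SCOPE_PARAM.match(p)]
        sql = [s for s in LITERAL.findall(_body(src, m.end() - 1)) if "select" in s.lower()]
        if not scope or not sql:
            continue  # no scope parameter, or not a SQL builder at all
        if any(re.search(rf"\b{p}\b", s) for p in scope for s in sql):
            continue  # the scope filter does reach the query
        rows.append({
            "anti_pattern": "scope_filter_gap", "severity": "critical", "autonomous": False,
            "rule_id": "RAG-001",
            # assumed placeholder L2 labels; the project's own vocabulary is not on this page
            "category": "scope-filter", "risk_tier": "cross-scope-read", "execution_surface": "retrieval",
            "file": path, "line": src[:m.start()].count("\n") + 1, "symbol": name, "tool_name": "none",
        })
    return rows
```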
## Usage
Run against a Continue checkout:
Run the JSSG script directly:
## Test
## Expected hits in upstream Continue
| Rule | File |
|---|---|
| RAG-001 | core/indexing/FullTextSearchCodebaseIndex.ts |
| RAG-002 | core/indexing/LanceDbIndex.ts |
| RAG-003 | core/indexing/CodeSnippetsIndex.ts |
| TOOL-002 | gui/src/redux/thunks/evaluateToolPolicies.ts |
| TOOL-020 | core/context/retrieval/pipelines/BaseRetrievalPipeline.ts |