[feat] Add CI checks for OSS license compliance and telemetry tree-shaking

[snomiao]

Summary

Implements automated verification to ensure the OSS distribution complies with licensing requirements and properly removes proprietary/telemetry code.

This PR addresses the requirements from the Notion task:

• ✅ Verifies no proprietary licenses in production dependencies
• ✅ Checks ABCROM font is tree-shaken from OSS builds
• ✅ Verifies Mixpanel telemetry is tree-shaken from OSS builds

Changes

New Verification Scripts

1. scripts/verify-licenses.js

   • Validates all production dependencies use approved open-source licenses
   • Checks against a list of OSI-approved licenses
   • Flags any non-compliant or unknown licenses

2. scripts/verify-oss-build.js

   • Scans the dist/ directory for violations
   • Checks for proprietary font files (ABCROM)
   • Searches JavaScript files for telemetry code (Mixpanel)
   • Reports all violations with file locations and code samples

CI Workflow

.github/workflows/ci-oss-compliance.yaml

• Runs on all pushes to main/dev branches and pull requests
• Two jobs:
  1. license-check: Verifies dependency licenses
  2. oss-build-check: Builds OSS distribution and verifies compliance
• Uploads build artifacts on failure for debugging

NPM Scripts

pnpm verify:licenses      # Check dependency licenses
pnpm verify:oss          # Verify OSS build compliance
pnpm verify:compliance   # Run all checks (licenses + build + verify)
pnpm build:oss           # Build OSS distribution

Documentation

docs/OSS_COMPLIANCE.md

• Complete guide for understanding and using the compliance checks
• Explains tree-shaking mechanism
• Troubleshooting guide
• Instructions for adding new cloud-specific code

How It Works

Tree-Shaking Mechanism

The build uses compile-time constants for dead code elimination:

// vite.config.mts
define: {
  __DISTRIBUTION__: JSON.stringify(DISTRIBUTION)
}

// src/platform/distribution/types.ts
const DISTRIBUTION: Distribution = __DISTRIBUTION__
export const isCloud = DISTRIBUTION === 'cloud'

// src/platform/telemetry/index.ts
if (isCloud) {
  _telemetryProvider = new MixpanelTelemetryProvider()
}

When building with DISTRIBUTION=localhost:

• isCloud evaluates to false
• Vite's tree-shaking removes all cloud-specific code
• Mixpanel library is never imported or bundled

Verification Patterns

The OSS build verifier checks for:

Proprietary Fonts:

• .woff, .woff2, .ttf, .otf files containing "ABCROM"

Telemetry Code:

• mixpanel / MixpanelTelemetryProvider
• Tracking methods: trackWorkflow, trackEvent, .track(
• API endpoints: mp.comfy.org

Test Plan

• License check passes on current dependencies
• Scripts handle missing dist/ directory gracefully
• Scripts provide clear error messages and exit codes
• Documentation is comprehensive and accurate
• CI workflow runs successfully on this PR
• OSS build verification passes after build

Testing Locally

# Check licenses
pnpm verify:licenses

# Build OSS distribution and verify
pnpm build:oss
pnpm verify:oss

# Or run all checks
pnpm verify:compliance

Notes

• The license checker currently passes with 343 production dependencies
• The OSS build verification requires building first (CI handles this automatically)
• Build artifacts are uploaded for 7 days when CI checks fail

🤖 Generated with Claude Code

Fixes #10204

┆Issue is synchronized with this Notion page by Unito

[github-actions]

🎨 Storybook Build Status

✅ Build completed successfully!

⏰ Completed at: 12/03/2025, 10:45:51 AM UTC

🔗 Links

• 📊 View Workflow Run
• 🎨 View Storybook

---

🎉 Your Storybook is ready for review!

[github-actions]

🎭 Playwright Test Results

⚠️ Tests passed with flaky tests

⏰ Completed at: 12/03/2025, 10:55:35 AM UTC

📈 Summary

• Total Tests: 495
• Passed: 482 ✅
• Failed: 0
• Flaky: 3 ⚠️
• Skipped: 10 ⏭️

📊 Test Reports by Browser

• ✅ chromium: View Report • ✅ 473 / ❌ 0 / ⚠️ 3 / ⏭️ 10
• ✅ chromium-2x: View Report • ✅ 2 / ❌ 0 / ⚠️ 0 / ⏭️ 0
• ✅ chromium-0.5x: View Report • ✅ 1 / ❌ 0 / ⚠️ 0 / ⏭️ 0
• ✅ mobile-chrome: View Report • ✅ 6 / ❌ 0 / ⚠️ 0 / ⏭️ 0

---

🎉 Click on the links above to view detailed test results for each browser configuration.

[github-actions]

Bundle Size Report

Summary

• Raw size: 17 MB baseline 17 MB — ⚪ 0 B
• Gzip: 3.38 MB baseline 3.38 MB — ⚪ 0 B
• Brotli: 2.59 MB baseline 2.59 MB — ⚪ 0 B
• Bundles: 97 current • 97 baseline

Category Glance
Vendor & Third-Party ⚪ 0 B (8.56 MB) · Other ⚪ 0 B (3.81 MB) · App Entry Points ⚪ 0 B (3.2 MB) · Graph Workspace ⚪ 0 B (971 kB) · Panels & Settings ⚪ 0 B (298 kB) · UI Components ⚪ 0 B (169 kB) · + 3 more

Per-category breakdown

App Entry Points — 3.2 MB (baseline 3.2 MB) • ⚪ 0 B

Main entry bundles and manifests

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/index-Cf__4Z-P.js	345 B	345 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/index-DEdg9DBw.js	2.97 MB	2.97 MB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/index-DvsIp2U2.js	223 kB	223 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Graph Workspace — 971 kB (baseline 971 kB) • ⚪ 0 B

Graph editor runtime, canvas, workflow orchestration

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/GraphView-TBg3dt8M.js	971 kB	971 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Views & Navigation — 6.54 kB (baseline 6.54 kB) • ⚪ 0 B

Top-level views, pages, and routed surfaces

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/UserSelectView-Bs2mt5WB.js	6.54 kB	6.54 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Panels & Settings — 298 kB (baseline 298 kB) • ⚪ 0 B

Configuration panels, inspectors, and settings screens

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/AboutPanel-C1CJXtbE.js	9.16 kB	9.16 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/CreditsPanel-BjhEcMZo.js	21.4 kB	21.4 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/ExtensionPanel-DX-QTkxT.js	10.8 kB	10.8 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/KeybindingPanel-DPEmufkL.js	13.6 kB	13.6 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/ServerConfigPanel-oKEVC-cG.js	6.56 kB	6.56 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-BhbWhsRg.js	101 B	101 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-BXTtSH4O.js	33.3 kB	33.3 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-C9Pzn-NG.js	25.2 kB	25.2 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-CCy2fA_h.js	27.3 kB	27.3 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-CQpqEFfl.js	26.6 kB	26.6 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-DHcnxypw.js	21.7 kB	21.7 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-DhFTK9fY.js	25.1 kB	25.1 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-DlT4t_ui.js	25.9 kB	25.9 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-DRgSrIdD.js	24.2 kB	24.2 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-tjkeqiZq.js	21.1 kB	21.1 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/UserPanel-DvvIwd9i.js	6.23 kB	6.23 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

UI Components — 169 kB (baseline 169 kB) • ⚪ 0 B

Reusable component library chunks

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/ComfyQueueButton-CxYWRhFc.js	8.44 kB	8.44 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/LazyImage.vue_vue_type_script_setup_true_lang-CURaTibX.js	39.4 kB	39.4 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/Load3D.vue_vue_type_script_setup_true_lang-DsttmT1j.js	53.9 kB	53.9 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/MediaTitle.vue_vue_type_script_setup_true_lang-B1PrziiA.js	897 B	897 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/UserAvatar.vue_vue_type_script_setup_true_lang-DRxvgpU7.js	1.34 kB	1.34 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetButton-DBkWxjh1.js	2.04 kB	2.04 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetInputNumber.vue_vue_type_script_setup_true_lang-BYxlDPNB.js	12.9 kB	12.9 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetLayoutField.vue_vue_type_script_setup_true_lang-VhqMWCTd.js	2.16 kB	2.16 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetSelect.vue_vue_type_script_setup_true_lang-Vf0dgbnk.js	47.6 kB	47.6 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Data & Services — 12.5 kB (baseline 12.5 kB) • ⚪ 0 B

Stores, services, APIs, and repositories

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/audioService-CURg7Yov.js	2.2 kB	2.2 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/keybindingService-DA_xRrK2.js	7.51 kB	7.51 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/serverConfigStore-BIb40oOr.js	2.83 kB	2.83 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Utilities & Hooks — 2.94 kB (baseline 2.94 kB) • ⚪ 0 B

Helpers, composables, and utility bundles

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/audioUtils-BCU8XQ-i.js	1.41 kB	1.41 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/mathUtil-CTARWQ-l.js	1.07 kB	1.07 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeFilterUtil-CXKCRJ-m.js	460 B	460 B	⚪ 0 B	⚪ 0 B	⚪ 0 B

Vendor & Third-Party — 8.56 MB (baseline 8.56 MB) • ⚪ 0 B

External libraries and shared vendor chunks

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/vendor-chart-DWRkrNy1.js	452 kB	452 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-other-BZzgsWym.js	3.98 MB	3.98 MB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-primevue-3gHexYD_.js	1.96 MB	1.96 MB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-three-aR6ntw5X.js	1.37 MB	1.37 MB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-tiptap-Dw558Ulu.js	232 kB	232 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-vue-CoO6TOrn.js	160 kB	160 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-xterm-BZLod3g9.js	407 kB	407 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Other — 3.81 MB (baseline 3.81 MB) • ⚪ 0 B

Bundles that do not match a named category

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/AudioPreviewPlayer-BJfU_odj.js	13.5 kB	13.5 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-_s-RvhJR.js	13.6 kB	13.6 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-BuUILW6P.js	13 kB	13 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-BV4R6fLx.js	14.9 kB	14.9 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-BWp4HdfU.js	101 B	101 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-CLwPdnT6.js	14.2 kB	14.2 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-CWMchBmd.js	15.9 kB	15.9 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-DazTQhtc.js	12.9 kB	12.9 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-DmWrOe93.js	13.7 kB	13.7 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-DwiH7Kr6.js	13.8 kB	13.8 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-mS3LCNPn.js	14.5 kB	14.5 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/Load3D-_y2rDEPF.js	424 B	424 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-B1JflQcI.js	72.2 kB	72.2 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-B2lyXe48.js	114 kB	114 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-B9XEQ-pc.js	94 kB	94 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-BErKFzc-.js	73.1 kB	73.1 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-Bf7Tze-u.js	83.4 kB	83.4 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-BhGMcO4Q.js	84.3 kB	84.3 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-CPZUloNQ.js	99 kB	99 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-Cw9RZWRY.js	89 B	89 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-Dva0z-T2.js	86.5 kB	86.5 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-un0K9wDS.js	81.8 kB	81.8 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/Media3DBottom-BxDVzMC3.js	1.5 kB	1.5 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/Media3DTop-DIquBjFa.js	1.49 kB	1.49 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/MediaAudioBottom-DI0UGV_L.js	1.52 kB	1.52 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/MediaAudioTop-DX0t5RN3.js	1.46 kB	1.46 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/MediaImageBottom-C2JdHVMF.js	1.57 kB	1.57 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/MediaImageTop-BN0aEMtg.js	1.75 kB	1.75 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/MediaVideoBottom-CKKuDxU7.js	1.52 kB	1.52 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/MediaVideoTop-BpvqEylZ.js	2.76 kB	2.76 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-8e6QYQW0.js	283 kB	283 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-A_9dx4yn.js	304 kB	304 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-BbD3HDi7.js	307 kB	307 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-BOJhIPft.js	369 kB	369 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-Bw_Jitw_.js	101 B	101 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-C-Pw33mW.js	317 kB	317 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-ChLyG0UJ.js	285 kB	285 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-CUVPxA4l.js	342 kB	342 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-Dx5Y4xrW.js	310 kB	310 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-JqO5mNmW.js	306 kB	306 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetAudioUI-CO8Xwpqd.js	2.82 kB	2.82 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetChart-DsbKXC7D.js	2.48 kB	2.48 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetColorPicker-BIcqK16M.js	3.41 kB	3.41 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetGalleria-C2rRHaUB.js	4.1 kB	4.1 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetImageCompare-nVNi67CU.js	2.21 kB	2.21 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetInputNumber-CTDJdfB2.js	595 B	595 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetInputText-BCJqA32s.js	1.99 kB	1.99 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetLegacy-DKnHzQXL.js	364 B	364 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetMarkdown-C9cEe2Po.js	3.08 kB	3.08 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/widgetPropFilter-BIbGSUAt.js	1.28 kB	1.28 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetRecordAudio-9ACKT6e5.js	20.4 kB	20.4 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetSelect-Dhm0DIpQ.js	655 B	655 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetTextarea-CYPMnprw.js	2.79 kB	2.79 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetToggleSwitch-DkvdXJVp.js	1.58 kB	1.58 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sno-license-check

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

⚠️ OSS Compliance Check Failed

The OSS build verification has failed. This usually means:

Possible Issues:

1. ✗ Proprietary font files (ABCROM) detected in build output
2. ✗ Telemetry code (Mixpanel) detected in OSS build
3. ✗ Non-compliant dependency licenses detected

What to do:

1. Review the workflow logs for details
2. Check the uploaded build artifacts for inspection
3. Ensure tree-shaking is working correctly for cloud-specific code
4. See OSS Compliance docs for guidance

Build artifacts have been uploaded for 7 days for your inspection.

---

_{This is an automated message from the OSS Compliance workflow}

[snomiao]

📝 PR Review Summary

✅ Changes Reviewed

1. OSS License Compliance Infrastructure - Automated checks for dependency licenses
2. OSS Build Verification - Validates tree-shaking of proprietary assets
3. CI/CD Integration - Workflow automation with failure notifications
4. Documentation - Comprehensive compliance guide

🔍 Current CI Status

Failing Check: OSS Build Verification

Root Causes:

1. ABCROM Font Files (2 files) - Proprietary fonts being bundled in localhost build
2. Cloud Components - Tree-shaking not fully eliminating cloud-specific code

🛠️ Recent Improvements

I've made two commits to improve this PR:

1. Refined Verification Patterns (commit e474eae)

   • Made telemetry detection more specific
   • Reduced false positives from generic patterns like .track(
   • Now targets actual Mixpanel API usage

2. Added CI Failure Notifications (commit c9c1f4e)

   • Automatically posts helpful comment when OSS compliance fails
   • Links to logs and documentation
   • Guides developers on fixing issues

🎯 Remaining Issues

The fundamental issue is that tree-shaking isn't fully working for cloud-specific code:

Problem in src/router.ts:19:

import { cloudOnboardingRoutes } from './platform/cloud/onboarding/onboardingCloudRoutes'

This import happens unconditionally, causing Vite to include the cloud routes module and its dependencies (including fonts) even when DISTRIBUTION=localhost.

Why it happens:

• The spread operator ...(isCloud ? cloudOnboardingRoutes : []) (line 46) is a runtime check
• Vite's tree-shaking can't eliminate the import because it's at the module level
• The fonts are imported in CloudTemplate.vue → fonts.css → font files

💡 Recommended Solutions

Option 1: Dynamic Import (Best)

const routes = [
  ...(isCloud ? (await import('./platform/cloud/onboarding/onboardingCloudRoutes')).cloudOnboardingRoutes : []),
  // ... other routes
]

Option 2: Vite Plugin
Create a Vite plugin that strips cloud-specific imports during OSS builds

Option 3: Separate Entry Points
Build separate bundles for cloud vs OSS distributions

Option 4: Accept Current Behavior

• Document that lazy-loaded cloud code exists but never executes
• Update verification to warn rather than fail for lazy-loaded code
• The runtime check ensures cloud code paths are never reached

📊 Impact Assessment

• Security: ✅ No execution of cloud code in OSS builds (runtime guards work)
• License: ⚠️ Proprietary assets present but unused
• Bundle Size: ⚠️ Slightly larger OSS build due to dead code
• User Experience: ✅ No functional impact

The code is secure (cloud paths never execute), but not ideal for distribution hygiene.

🎬 Next Steps

@snomiao - Please review the architectural options above and decide on the preferred approach. I recommend Option 1 (Dynamic Import) as it's the cleanest solution.

Would you like me to implement one of these solutions?

---

🤖 Generated with Claude Code

[snomiao]

Decision: Breaking into Focused PRs

After comparing this PR with #8623, we've decided to close this PR and break it into 3 focused PRs following the simpler, battle-tested approach from #8623.

Why?

1. Scope Creep
This PR bundles 3 separate concerns:

• License validation
• Font detection
• Telemetry tree-shaking

Each should be its own PR for easier review, testing, and potential rollback.

2. #8623 Approach is Superior

• Simpler: 84 lines of bash vs 785 lines of JavaScript
• Faster: Single grep pass vs Node.js runtime
• Maintainable: Standard tools anyone can modify
• Battle-tested: Already caught real violations in CI
• Proven: Actual failing run shown

3. Wrong Target

• Real problem: GTM/GA leaking (PR feat: add cloud gtm injection #8311/Revert/undo-788f5083-ef8657bb #8353)
• This PR checks Mixpanel, not GTM/GA
• Add CI check for telemetry tree-shaking validation #8623 solves the actual problem

New Plan

Breaking into 3 PRs:

1. PR 1: Telemetry tree-shaking (Mixpanel) - using Add CI check for telemetry tree-shaking validation #8623's bash/grep approach
2. PR 2: License validation - using existing npm packages or simple bash
3. PR 3: Font validation - using simple bash/grep like Add CI check for telemetry tree-shaking validation #8623

Merge Order

Our team will likely merge #8623 first (already in review), then these 3 focused PRs.

Detailed Analysis

See comparison reports:

• Full comparison report
• Approach analysis

Key takeaway: Simple, focused PRs are easier to review, test, and maintain. The #8623 approach embodies Unix philosophy: do one thing well.

[snomiao]

Closing in favor of 3 focused PRs. See comment above for details.