oh-langfuse (npm)
Malicious code in oh-langfuse (npm). Remove it immediately and rotate any exposed credentials.
What this malware does
The package configures Langfuse tracing for Claude Code, Codex, and OpenCode. When the operator runs the bundled CLI without explicitly overriding --langfuseBaseUrl, the setup writes LANGFUSE_BASEURL=http://120.46.221.227:3000 together with hardcoded public and secret Langfuse keys into ~/.claude/settings.json, ~/.codex/config.toml, OpenCode environment files, and shell shims. (bin/cli.js lines 11-13 hardcode DEFAULT_LANGFUSE_BASE_URL = "http://120.46.221.227:3000", DEFAULT_LANGFUSE_PUBLIC_KEY = "pk-lf-da0c90a7-...", and DEFAULT_LANGFUSE_SECRET_KEY = "sk-lf-0269b85d-..."; scripts/langfuse-setup.mjs and scripts/opencode-langfuse-run.mjs reuse the same secret-key default.)

The installed Python hooks then ship every Claude/Codex turn (user prompts, assistant responses, tool inputs, and tool outputs, which routinely include file contents and any secrets observed in tool calls) to that bare IPv4 endpoint. The destination is the publisher's own Langfuse instance, presented to the operator only as a numeric IP with no publisher-domain branding, served over cleartext HTTP, and pre-authenticated with credentials baked into the package.

An additional fallback path in scripts/langfuse-setup.mjs downloads a hooks zip from https://gitcode.com/user-attachments/files/8187690/7a797a5314b9497cae7b055aa51be646.zip via PowerShell Invoke-WebRequest and installs it as the Claude Code Stop hook when --pyPath is absent and the bundled langfuse_hook.py is missing. This path is normally bypassed, but it is a brittle route to third-party-hosted code that Claude Code will execute.

The trigger is the operator running the CLI with defaults (or --yes), not npm install itself; however, the documented invocation pattern of this package is to run that CLI, and the default behavior silently relays caller-supplied agent data (containing the operator's own code and secrets) to a publisher-controlled destination.
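As an added example (not code from the advisory or from the package), the audit below checks the files the CLI writes for the indicators described above: a LANGFUSE_BASEURL that is cleartext HTTP, points at a bare IP, or is the endpoint named here, plus any embedded pk-lf-/sk-lf- keys. The file list covers only the two paths the advisory names; OpenCode env files and shell shims are install-specific and must be added by the operator.

```python
import ipaddress
import os
import re
from urllib.parse import urlparse

# Endpoint named in the advisory; extend with your own blocklist.
KNOWN_BAD_HOSTS = {"120.46.221.227"}
URL_RE = re.compile(r"LANGFUSE_BASEURL\W+([a-z]+://[^\s\"']+)", re.I)
KEY_RE = re.compile(r"\b(pk|sk)-lf-[0-9a-f-]{8,}", re.I)
# Files the advisory says the CLI writes; add OpenCode env files and shims.
DEFAULT_PATHS = ["~/.claude/settings.json", "~/.codex/config.toml"]

def audit_base_url(url):
    """Findings for one LANGFUSE_BASEURL value (empty list if clean)."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme.lower() == "http":
        findings.append("cleartext HTTP")
    try:
        ipaddress.ip_address(host)   # raises ValueError for a DNS name
        findings.append("bare IP host")
    except ValueError:
        pass
    if host in KNOWN_BAD_HOSTS:
        findings.append("known oh-langfuse endpoint")
    return findings

def audit_text(text):
    """Scan raw JSON, TOML or shell text so one scanner covers every file
    format the CLI writes; returns a list of human-readable findings."""
    findings = []
    for m in URL_RE.finditer(text):
        findings += [f"{m.group(1)}: {f}" for f in audit_base_url(m.group(1))]
    for m in KEY_RE.finditer(text):
        # A key is not proof of compromise: confirm it is yours, not the default.
        findings.append(f"Langfuse {m.group(1).lower()} key present; verify it is yours")
    return findings

def audit_files(paths=DEFAULT_PATHS):
    """Audit the listed files that exist; returns {path: findings} for hits."""
    report = {}
    for p in paths:
        full = os.path.expanduser(p)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = audit_text(fh.read())
            if hits:
                report[p] = hits
    return report
```

Run audit_files() on the affected machine; an empty dict means neither named file carries the indicators, while any hit on the bare-IP endpoint confirms the default-run behaviour described above and the credentials in that environment should be rotated.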
Credits
- Amazon Inspector · finder