DC-492 - Add Meta Pixel support to Enrollment app

[pkarman]

---

Add Meta Pixel support to Enrollment app

🔗 Jira ticket

✍️ Description

If the NEXT_PUBLIC_META_PIXEL env var is set at build time, inserts the FB Meta Pixel JS snippet into the page head.

If the NEXT_PUBLIC_META_PIXEL_ACTION env var is set, calls a trigger action on the final Review page Submit button click.

Expects that the public/meta_pixel.js file is updated at build time to replace NEXT_PUBLIC_META_PIXEL string with the Meta account id. This is left as an exercise to the builder, but in our Makefile it's:

build-enrollment: NEXT_PUBLIC_META_PIXEL ?= $(shell jq '.settings.NEXT_PUBLIC_META_PIXEL' < config/$(BUILD_ENV)/frontend.json)
build-enrollment: NEXT_PUBLIC_META_PIXEL_ACTION ?= $(shell jq '.settings.NEXT_PUBLIC_META_PIXEL_ACTION' < config/$(BUILD_ENV)/frontend.json)
build-enrollment: ## Build the static enrollment app
  perl -pi -e 's/NEXT_PUBLIC_META_PIXEL/$(NEXT_PUBLIC_META_PIXEL)/' $(BUILD)/$(PORTAL)/src/SEBT.EnrollmentChecker.Web/public/meta_pixel.js
  # more build commands here

🔗 Links to related PRs

✅ Completion tasks

• Added relevant tests
• Meets acceptance criteria in ticket
• Configuration changes:
  • If new environment variables are added, update in Tofu
  • If new environment secrets are added, update in Tofu and set in AWS Secret Manager
  • If you're adding an appsetting, add it to the requisite example file, and update it in the AWS AppConfig
  • If appsetttings are changed, update in AWS AppConfig

[pkarman]

it's not clear to me that this will fire on each route change, since this is a SPA. I am not sure if that is desirable either.

[aikido-pr-checks]

Invokes window.fbq contingent on an externally loaded Meta Pixel script that isn't version-pinned or checksum-verified. Ensure the Pixel script is pinned and integrity-checked before relying on fbq.

Details

✨ AI Reasoning
​The new submit handler calls the global fbq function if environment variables are present. This runtime call depends on an external Meta Pixel script being loaded and untampered. Since the script is added elsewhere in this PR without checksum or version pinning, this change increases risk: it couples application behavior to an unpinned external dependency and lacks verification that fbq originates from an expected, immutable artifact.

🔧 How do I fix it?
Include lockfiles in your repo and CI. Pin exact versions or SHAs in manifests. Enable checksum verification. Set ignore-scripts in npm or equivalent. Enforce a 72hr minimum package age policy to avoid newly published malicious packages.

_{Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info}

[aikido-pr-checks]

Loads meta_pixel.js from a runtime path without pinning or integrity checks. Pin the script version and include checksum verification (or vendor the file) to avoid silent/unauthorized updates.

Details

✨ AI Reasoning
​The new code injects an external JavaScript asset at runtime using an environment-controlled path. This introduces an unmanaged third-party dependency into the production build: its exact contents, version, and integrity are not pinned, nor is there any checksum or package-lock-style verification. According to strict dependency management practices, externally loaded scripts should be versioned and verified (lockfile/integrity) to prevent silent or malicious upgrades. This change therefore worsens the repository's dependency management posture by adding an unpinned, unverifiable script load.

🔧 How do I fix it?
Include lockfiles in your repo and CI. Pin exact versions or SHAs in manifests. Enable checksum verification. Set ignore-scripts in npm or equivalent. Enforce a 72hr minimum package age policy to avoid newly published malicious packages.

_{Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info}

[aikido-pr-checks]

Sets t.src to an unpinned external URL ('https://connect.facebook.net/en_US/fbevents.js') without checksum or version pinning; include a pinned version and integrity verification.

Details

✨ AI Reasoning
​The new code injects an external script by setting t.src to a public CDN URL. This introduces an unmanaged runtime dependency that can silently change (no pinned version or checksum), which violates strict dependency management expectations. It increases risk of unexpected behavior or supply-chain changes because there is no integrity or pinned reference for the fetched asset.

🔧 How do I fix it?
Include lockfiles in your repo and CI. Pin exact versions or SHAs in manifests. Enable checksum verification. Set ignore-scripts in npm or equivalent. Enforce a 72hr minimum package age policy to avoid newly published malicious packages.

_{Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info}

[mtodd-cfa]

Added myself as a reviewer and also re-applied the "do not merge" label as this PR should not be merged, as-is, without further discussion.

[mtodd-cfa]

https://codeforamerica.atlassian.net/browse/DC-492