50c 3.9.2 → 4.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/bin/50c.js +2241 -2212
- package/lib/pre-publish.js +24 -5
- package/lib/subagent.js +369 -366
- package/package.json +3 -2
package/lib/pre-publish.js
CHANGED
|
@@ -397,18 +397,37 @@ const EMPIRICAL_CHECKS = {
|
|
|
397
397
|
const path = require('path');
|
|
398
398
|
const findings = [];
|
|
399
399
|
|
|
400
|
+
// File-level exclusions: files whose entire purpose IS a local dev server
|
|
401
|
+
const LEGIT_LOCAL_FILES = new Set(['pre-publish.js', 'mcp-tv.js', 'invent-ui.js']);
|
|
402
|
+
|
|
400
403
|
for (const file of ctx.files.filter(f => /\.(js|ts|json)$/.test(f)).slice(0, 30)) {
|
|
401
|
-
|
|
402
|
-
|
|
403
|
-
|
|
404
|
+
if (LEGIT_LOCAL_FILES.has(path.basename(file))) continue;
|
|
405
|
+
|
|
404
406
|
try {
|
|
405
407
|
const content = fs.readFileSync(file, 'utf8');
|
|
406
408
|
if (/localhost|127\.0\.0\.1|0\.0\.0\.0/.test(content)) {
|
|
407
|
-
// Check it's not in a comment or config option
|
|
408
409
|
const lines = content.split('\n');
|
|
409
410
|
for (let i = 0; i < lines.length; i++) {
|
|
410
411
|
const line = lines[i];
|
|
411
|
-
|
|
412
|
+
const trimmed = line.trim();
|
|
413
|
+
// Exclude legitimate patterns:
|
|
414
|
+
// - Comments (// or *)
|
|
415
|
+
// - env-fallback (|| 'localhost')
|
|
416
|
+
// - regex/pattern keywords
|
|
417
|
+
// - Template-literal dynamic ports (`http://localhost:${port}`)
|
|
418
|
+
// - API protocol documentation in help text (POST/GET http://localhost)
|
|
419
|
+
// - JSDoc protocol descriptions
|
|
420
|
+
if (
|
|
421
|
+
/localhost|127\.0\.0\.1/.test(line)
|
|
422
|
+
&& !trimmed.startsWith('//')
|
|
423
|
+
&& !trimmed.startsWith('*')
|
|
424
|
+
&& !line.includes('||')
|
|
425
|
+
&& !line.includes('regex')
|
|
426
|
+
&& !line.includes('pattern')
|
|
427
|
+
&& !line.includes('${')
|
|
428
|
+
&& !line.includes('POST http')
|
|
429
|
+
&& !line.includes('GET http')
|
|
430
|
+
) {
|
|
412
431
|
findings.push(`${path.basename(file)}:${i+1}`);
|
|
413
432
|
break;
|
|
414
433
|
}
|