@comate/zulu 1.4.1 → 1.4.2

package/comate-engine/assets/skills/code-security/scripts/ducc/open_browser.py

@@ -17,6 +17,7 @@ import os
 import subprocess
 import socket
 import sys
+import tempfile
 
 # 导入公共 URL 构建模块
 sys.path.insert(0, os.path.dirname(os.path.dirname(__file__)))
@@ -42,22 +43,21 @@ def find_kernel_socket() -> str | None:
     适用于 DUCC/Comate 两种环境：无论脚本由哪个父进程调用，
     都能找到当前 VSCode 窗口对应的 kernel socket。
     """
-    tmpdir = os.environ.get("TMPDIR", "/tmp").rstrip("/")
+    tmpdir = tempfile.gettempdir()
     pid = os.getpid()
     for _ in range(20):  # 最多向上追溯 20 层
         pid = get_parent_pid(pid)
         if not pid or pid == 1:
             break
-        for sock_dir in [tmpdir, "/tmp"]:
-            sock_path = f"{sock_dir}/comate-kernel-{pid}.sock"
-            if os.path.exists(sock_path):
-                return sock_path
+        sock_path = f"{tmpdir}/comate-kernel-{pid}.sock"
+        if os.path.exists(sock_path):
+            return sock_path
     return None
 
 
 def open_url(url: str, pid: str = None, title: str = "网页") -> bool:
     """在当前 DUCC 聊天框所在 VSCode 窗口的内嵌浏览器中打开 URL"""
-    tmpdir = os.environ.get("TMPDIR", "/tmp").rstrip("/")
+    tmpdir = tempfile.gettempdir()
 
     body = json.dumps({
         "action": "executeVirtualEditor",
@@ -92,22 +92,20 @@ def open_url(url: str, pid: str = None, title: str = "网页") -> bool:
 
     # 如果指定了 PID，直接使用
     if pid:
-        for sock_dir in [tmpdir, "/tmp"]:
-            sock_path = f"{sock_dir}/comate-kernel-{pid}.sock"
-            if os.path.exists(sock_path) and send_request(sock_path):
-                print(f"✅ 已在内嵌浏览器中打开 (PID: {pid})")
-                return True
+        sock_path = f"{tmpdir}/comate-kernel-{pid}.sock"
+        if os.path.exists(sock_path) and send_request(sock_path):
+            print(f"✅ 已在内嵌浏览器中打开 (PID: {pid})")
+            return True
         print(f"❌ 连接失败 (PID: {pid})")
         return False
 
     # 优先使用 init_env.sh 在 shell 层检测到的 kernel PID
     env_kernel_pid = os.environ.get("_KERNEL_PID", "").strip()
     if env_kernel_pid:
-        for sock_dir in [tmpdir, "/tmp"]:
-            sock_path = f"{sock_dir}/comate-kernel-{env_kernel_pid}.sock"
-            if os.path.exists(sock_path) and send_request(sock_path):
-                print(f"✅ 已在内嵌浏览器中打开 (当前窗口 PID: {env_kernel_pid})")
-                return True
+        sock_path = f"{tmpdir}/comate-kernel-{env_kernel_pid}.sock"
+        if os.path.exists(sock_path) and send_request(sock_path):
+            print(f"✅ 已在内嵌浏览器中打开 (当前窗口 PID: {env_kernel_pid})")
+            return True
 
     # 次选：Python 进程树向上查找
     kernel_sock = find_kernel_socket()
@@ -124,8 +122,7 @@ def open_url(url: str, pid: str = None, title: str = "网页") -> bool:
         except Exception:
             return False
 
-    socket_candidates = set(glob.glob(f"{tmpdir}/comate-kernel-*.sock") +
-                               glob.glob("/tmp/comate-kernel-*.sock"))
+    socket_candidates = set(glob.glob(f"{tmpdir}/comate-kernel-*.sock"))
 
     active_sockets = []
     for sock_path in socket_candidates:

package/comate-engine/assets/skills/code-security/scripts/http_client.py

@@ -12,6 +12,7 @@ import json
 import logging
 import os
 import subprocess
+import tempfile
 
 try:
     import ssl
@@ -26,9 +27,7 @@ except ImportError:
     from urllib2 import Request, urlopen, HTTPError, URLError
 
 # ---- 统一日志配置 ----
-_scripts_dir = os.path.dirname(os.path.abspath(__file__))
-_skill_dir = os.path.dirname(_scripts_dir)
-_log_dir = os.path.join(_skill_dir, "logs")
+_log_dir = os.path.join(tempfile.gettempdir(), ".code-security", "logs")
 os.makedirs(_log_dir, exist_ok=True)
 
 # 清理超过 7 天的日志文件

package/comate-engine/assets/skills/code-security/scripts/repair_vulnerability.py

@@ -25,7 +25,7 @@ import os
 import sys
 import time
 
-import http_client  # noqa: F401 (triggers shared logging config)
+import http_client
 import utils
 
 logger = logging.getLogger("repair")
@@ -113,7 +113,7 @@ def upload_files_for_repair(root_path, missing_files, username, user_id, chat_id
             print("警告: 读取文件失败 {}: {}".format(file_path, e), file=sys.stderr)
 
     http_client.put(
-        "{}/api/v1/upload".format(utils.HOST),
+        utils.build_url("/api/v1/upload"),
         headers=utils.build_headers(username, user_id, chat_id),
         json_body=payload,
     )
@@ -131,7 +131,7 @@ def repair_vulnerability(root_path, vulnerability_info, username, user_id, chat_
     repair_type = vulnerability_info.get("type", 2)
     file_count = len(vulnerability_info.get("files", []))
     logger.info("repair start: type=%d, files=%d", repair_type, file_count)
-    api_url = "{}/api/v2/repair_file".format(utils.HOST)
+    api_url = utils.build_url("/api/v2/repair_file")
     print("开始修复...", file=sys.stderr)
 
     poll_count = 0

package/comate-engine/assets/skills/code-security/scripts/report_chat.py

@@ -16,7 +16,7 @@ import logging
 import os
 import sys
 
-import http_client  # noqa: F401 (triggers shared logging config)
+import http_client
 import utils
 
 logger = logging.getLogger("report")
@@ -95,7 +95,7 @@ def report_chat(chat_id, scan_result, git_url, git_branch, ide, query, root_path
     headers = utils.build_headers(username, user_id, chat_id)
     logger.info("report_chat: chat_id=%s, vuls_count=%d, git_url=%s, git_branch=%s",
                 chat_id, len(vuls), git_url, git_branch)
-    return http_client.post("{}/api/v1/chats".format(utils.HOST), headers=headers, json_body=body)
+    return http_client.post(utils.build_url("/api/v1/chats"), headers=headers, json_body=body)
 
 
 def main():

package/comate-engine/assets/skills/code-security/scripts/scan_vulnerability.py

@@ -97,7 +97,7 @@ def is_ignored(path, gitignore_patterns, root_dir):
 
 
 def walk_dir(directory, extensions=None, gitignore_patterns=None):
-    # type: (str, list | None, list | None) -> list
+    # type: (str, list or None, list or None) -> list
     """递归遍历目录，按扩展名过滤并排除 .gitignore 中的文件。"""
     files = []
     resolved_dir = os.path.realpath(directory)
@@ -131,7 +131,7 @@ def get_settings(username, user_id):
     # type: (str, str) -> dict
     """获取扫描配置。"""
     return http_client.get(
-        "{}/api/v2/analysis/settings".format(utils.HOST),
+        utils.build_url("/api/v2/analysis/settings", utils.SCAN_API_HOST),
         headers=utils.build_headers(username, user_id),
     )
 
@@ -140,7 +140,7 @@ def create_bundle(file_hashes, username, user_id):
     # type: (dict, str, str) -> tuple
     """创建扫描 bundle，返回 (bundle_hash, missing_files)。"""
     data = http_client.post(
-        "{}/api/v1/bundle".format(utils.HOST),
+        utils.build_url("/api/v1/bundle", utils.SCAN_API_HOST),
         headers=utils.build_headers(username, user_id),
         json_body=file_hashes,
     )
@@ -166,9 +166,9 @@ def upload_files(bundle_hash, root_path, missing_files, file_hashes, username, u
             print("警告: 读取文件失败 {}: {}".format(file_path, e), file=sys.stderr)
 
     if upload_type == "scan":
-        url = "{}/api/v1/bundle/{}".format(utils.HOST, bundle_hash)
+        url = utils.build_url("/api/v1/bundle/{}".format(bundle_hash), utils.SCAN_API_HOST)
     else:
-        url = "{}/api/v1/upload".format(utils.HOST)
+        url = utils.build_url("/api/v1/upload", utils.SCAN_API_HOST)
 
     data = http_client.put(url, headers=utils.build_headers(username, user_id), json_body=payload)
 
@@ -276,7 +276,7 @@ def _poll_ai_analysis(scan_info, chat_id, username, user_id, ai_analysis_timeout
         time.sleep(poll_interval)
 
         result = http_client.post(
-            "{}/api/v2/analysis".format(utils.HOST),
+            utils.build_url("/api/v2/analysis", utils.SCAN_API_HOST),
             headers=utils.build_headers(username, user_id, chat_id),
             json_body=scan_info,
         )
@@ -347,7 +347,7 @@ def scan_vulnerability(root_path, chat_id="", username="", user_id="", wait_ai=T
     poll_count = 0
     while poll_count < MAX_SCAN_POLLS:
         result = http_client.post(
-            "{}/api/v2/analysis".format(utils.HOST), headers=headers, json_body=scan_info
+            utils.build_url("/api/v2/analysis", utils.SCAN_API_HOST), headers=headers, json_body=scan_info
         )
         if result.get("status") != 1:
             break

package/comate-engine/assets/skills/code-security/scripts/utils.py

@@ -8,13 +8,28 @@ import hashlib
 import os
 import shutil
 import subprocess
+import tempfile
 import time
 import uuid
 from typing import Optional
 
-HOST = "https://comate-sec.baidu-int.com"
+
+SCAN_API_HOST = "https://comate-sec.baidu-int.com"
+API_HOST = "https://comate-sec.baidu-int.com"
+FE_HOST = "https://comate-sec.baidu-int.com"
 WS_HOST = "wss://comate-sec.baidu-int.com"
 
+def build_url(path, api_host=None):
+    # type: (str, str) -> str
+    """根据路径构建完整 URL。
+
+    当 path 以 /api 开头时使用 api_host（默认 API_HOST），否则使用 FE_HOST。
+    """
+    if path.startswith("/api"):
+        return (api_host or API_HOST) + path
+    else:
+        return FE_HOST + path
+
 # 常见应跳过的大目录（即使 .gitignore 未列出）
 SKIP_DIRS = {".git", ".svn", ".hg", "node_modules", "__pycache__", "vendor", ".idea", ".vscode"}
 
@@ -101,27 +116,26 @@ def get_git_info(root_path):
 
 def get_output_dir(root_path, output_dir=None):
     # type: (str, Optional[str]) -> str
-    """获取输出目录，默认为 skill 临时目录下的项目隔离子目录。
+    """获取输出目录，默认为 <tempdir>/.code-security/<项目名>_<哈希>/ 下的项目隔离子目录。
 
     每次调用时自动清理超过 24 小时的过期临时数据。
     """
-    skill_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+    base_dir = os.path.join(tempfile.gettempdir(), ".code-security")
     project_name = os.path.basename(os.path.realpath(root_path))
     path_hash = hashlib.md5(os.path.realpath(root_path).encode("utf-8")).hexdigest()[:8]
-    default_output = os.path.join(skill_dir, ".tmp", "{}_{}".format(project_name, path_hash))
+    default_output = os.path.join(base_dir, "{}_{}".format(project_name, path_hash))
     result = os.path.realpath(output_dir) if output_dir else default_output
 
     # 清理过期临时数据
-    _cleanup_expired_tmp(skill_dir)
+    _cleanup_expired_tmp(base_dir)
 
     os.makedirs(result, exist_ok=True)
     return result
 
 
-def _cleanup_expired_tmp(skill_dir):
+def _cleanup_expired_tmp(tmp_dir):
     # type: (str) -> None
-    """清理 .tmp 目录下超过 24 小时的子目录。"""
-    tmp_dir = os.path.join(skill_dir, ".tmp")
+    """清理临时目录下超过 24 小时的子目录。"""
     if not os.path.isdir(tmp_dir):
         return
 
@@ -143,10 +157,11 @@ def _cleanup_expired_tmp(skill_dir):
 
 def safe_rmtree(dir_path):
     # type: (str) -> None
-    """安全删除临时目录，校验路径位于 .tmp 下防止误删。"""
+    """安全删除临时目录，校验路径位于 <tempdir>/.code-security/ 下防止误删。"""
     dir_path = os.path.realpath(dir_path)
-    # 安全校验：确保路径在 .tmp 目录下
-    if ".tmp" not in dir_path.split(os.sep):
+    # 安全校验：确保路径在临时目录的 .code-security 目录下
+    tmp_base = os.path.join(tempfile.gettempdir(), ".code-security")
+    if not dir_path.startswith(tmp_base + os.sep):
         return
     if not os.path.isdir(dir_path):
         return

package/comate-engine/node_modules/better-sqlite3/node_modules/.bin/prebuild-install

@@ -6,9 +6,9 @@ case `uname` in
 esac
 
 if [ -z "$NODE_PATH" ]; then
-  export NODE_PATH="/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/prebuild-install@7.1.3/node_modules/prebuild-install/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/prebuild-install@7.1.3/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules"
+  export NODE_PATH="/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/prebuild-install@7.1.3/node_modules/prebuild-install/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/prebuild-install@7.1.3/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules"
 else
-  export NODE_PATH="/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/prebuild-install@7.1.3/node_modules/prebuild-install/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/prebuild-install@7.1.3/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules:$NODE_PATH"
+  export NODE_PATH="/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/prebuild-install@7.1.3/node_modules/prebuild-install/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/prebuild-install@7.1.3/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules:$NODE_PATH"
 fi
 if [ -x "$basedir/node" ]; then
   exec "$basedir/node"  "$basedir/../../../../../prebuild-install@7.1.3/node_modules/prebuild-install/bin.js" "$@"

package/comate-engine/node_modules/tree-sitter-bash/node_modules/.bin/node-gyp-build

@@ -6,9 +6,9 @@ case `uname` in
 esac
 
 if [ -z "$NODE_PATH" ]; then
-  export NODE_PATH="/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules"
+  export NODE_PATH="/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules"
 else
-  export NODE_PATH="/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules:$NODE_PATH"
+  export NODE_PATH="/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules:$NODE_PATH"
 fi
 if [ -x "$basedir/node" ]; then
   exec "$basedir/node"  "$basedir/../../../../../node-gyp-build@4.8.4/node_modules/node-gyp-build/bin.js" "$@"

package/comate-engine/node_modules/tree-sitter-bash/node_modules/.bin/node-gyp-build-optional

@@ -6,9 +6,9 @@ case `uname` in
 esac
 
 if [ -z "$NODE_PATH" ]; then
-  export NODE_PATH="/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules"
+  export NODE_PATH="/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules"
 else
-  export NODE_PATH="/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules:$NODE_PATH"
+  export NODE_PATH="/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules:$NODE_PATH"
 fi
 if [ -x "$basedir/node" ]; then
   exec "$basedir/node"  "$basedir/../../../../../node-gyp-build@4.8.4/node_modules/node-gyp-build/optional.js" "$@"

package/comate-engine/node_modules/tree-sitter-bash/node_modules/.bin/node-gyp-build-test

@@ -6,9 +6,9 @@ case `uname` in
 esac
 
 if [ -z "$NODE_PATH" ]; then
-  export NODE_PATH="/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules"
+  export NODE_PATH="/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules"
 else
-  export NODE_PATH="/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules:/Users/wangshenyu/Projects/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules:$NODE_PATH"
+  export NODE_PATH="/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules:/Users/wangshenyu/baidu/ide/comate-plugin-host/node_modules/.pnpm/node_modules:$NODE_PATH"
 fi
 if [ -x "$basedir/node" ]; then
   exec "$basedir/node"  "$basedir/../../../../../node-gyp-build@4.8.4/node_modules/node-gyp-build/build-test.js" "$@"

package/comate-engine/package.json

@@ -81,6 +81,7 @@
     "qs": "^6.11.2",
     "reflect-metadata": "^0.1.13",
     "region-vanilla": "^12.0.0",
+    "proper-lockfile": "^4.1.2",
     "simple-git": "^3.33.0",
     "sqlite-vec": "0.1.7-alpha.2",
     "sqlite-vec-darwin-arm64": "0.1.7-alpha.2",
@@ -122,6 +123,7 @@
     "@types/js-yaml": "^4.0.9",
     "@types/node": "18.15.3",
     "@types/picomatch": "^4.0.0",
+    "@types/proper-lockfile": "^4.1.4",
     "@types/which": "^3.0.4",
     "@types/ws": "^8.18.1",
     "rollup": "^4.9.2",