@litmers/cursorflow-orchestrator 0.1.0 → 0.1.2

package/commands/cursorflow-run.md

@@ -1,129 +1,129 @@
-# CursorFlow Run
-
-## Overview
-준비된 태스크를 실행합니다. 단일 레인 또는 멀티 레인 오케스트레이션을 수행합니다.
-
-## Steps
-
-1. **태스크 디렉토리 확인**
-   ```bash
-   ls _cursorflow/tasks/
-   ```
-
-2. **멀티 레인 실행**
-   ```bash
-   cursorflow run _cursorflow/tasks/MyFeature/
-   ```
-
-3. **단일 레인 실행**
-   ```bash
-   cursorflow lane _cursorflow/tasks/MyFeature/01-task.json
-   ```
-
-4. **Dry run (실행 계획 확인)**
-   ```bash
-   cursorflow run _cursorflow/tasks/MyFeature/ --dry-run
-   ```
-
-5. **실행 모니터링**
-   
-   실행 중에는 다른 터미널에서 모니터링:
-   ```bash
-   cursorflow monitor --watch
-   ```
-
-## 옵션
-
-| 옵션 | 설명 |
-|------|------|
-| `--dry-run` | 실제 실행 없이 계획만 확인 |
-| `--executor <type>` | 실행 방식 (cursor-agent \| cloud) |
-| `--no-review` | 코드 리뷰 비활성화 |
-| `--config <path>` | 커스텀 설정 파일 경로 |
-
-## 예제
-
-### 기본 실행
-```bash
-cursorflow run _cursorflow/tasks/2512191700_MyFeature/
-```
-
-### Cloud 실행 (API 키 필요)
-```bash
-export CURSOR_API_KEY=your_key
-cursorflow run _cursorflow/tasks/MyFeature/ --executor cloud
-```
-
-### 리뷰 없이 빠른 실행
-```bash
-cursorflow run _cursorflow/tasks/MyFeature/ --no-review
-```
-
-## 실행 프로세스
-
-1. **초기화**
-   - 설정 로드
-   - cursor-agent CLI 확인
-   - Git 저장소 확인
-
-2. **레인 준비**
-   - Worktree 생성
-   - 브랜치 체크아웃
-   - 환경 설정
-
-3. **태스크 실행**
-   - 순차적으로 태스크 수행
-   - 각 태스크 완료 후 커밋
-   - 리뷰 활성화 시 자동 리뷰
-
-4. **완료**
-   - 변경사항 푸시
-   - PR 생성 (설정에 따라)
-   - 로그 저장
-
-## 로그 위치
-
-실행 로그는 `_cursorflow/logs/runs/` 에 저장됩니다:
-
-```
-_cursorflow/logs/runs/<lane>-<timestamp>/
-├── state.json              # 레인 상태
-├── results.json            # 태스크 결과
-├── conversation.jsonl      # 에이전트 대화
-├── git-operations.jsonl    # Git 작업 로그
-└── events.jsonl            # 이벤트 로그
-```
-
-## Checklist
-- [ ] cursor-agent CLI가 설치되어 있는가?
-- [ ] Git worktree가 사용 가능한가?
-- [ ] 태스크 파일이 올바른가?
-- [ ] 브랜치 이름이 충돌하지 않는가?
-- [ ] 필요한 환경 변수가 설정되었는가? (Cloud 실행 시)
-
-## 트러블슈팅
-
-### 브랜치 충돌
-```bash
-# 기존 브랜치 정리
-cursorflow clean branches --pattern "feature/my-*"
-```
-
-### Worktree 충돌
-```bash
-# 기존 worktree 정리
-cursorflow clean worktrees --all
-```
-
-### 실행 실패
-```bash
-# 로그 확인
-cursorflow monitor
-# 또는
-cat _cursorflow/logs/runs/latest/*/state.json
-```
-
-## Next Steps
-1. `cursorflow monitor --watch`로 진행 상황 모니터링
-2. 완료 후 PR 확인 및 리뷰
-3. 실패 시 `cursorflow resume <lane>`로 재개
+# CursorFlow Run
+
+## Overview
+Execute prepared tasks with single-lane or multi-lane orchestration.
+
+## Steps
+
+1. **Check the task directory**
+   ```bash
+   ls _cursorflow/tasks/
+   ```
+
+2. **Run multiple lanes**
+   ```bash
+   cursorflow run _cursorflow/tasks/MyFeature/
+   ```
+
+3. **Run a single lane**
+   ```bash
+   cursorflow lane _cursorflow/tasks/MyFeature/01-task.json
+   ```
+
+4. **Dry run (preview the plan)**
+   ```bash
+   cursorflow run _cursorflow/tasks/MyFeature/ --dry-run
+   ```
+
+5. **Monitor execution**
+
+   Watch progress from another terminal while the run is in progress:
+   ```bash
+   cursorflow monitor --watch
+   ```
+
+## Options
+
+| Option | Description |
+|------|------|
+| `--dry-run` | Preview the plan without executing |
+| `--executor <type>` | Execution mode (`cursor-agent` \| `cloud`) |
+| `--no-review` | Disable code review |
+| `--config <path>` | Use a custom config file |
+
+## Examples
+
+### Standard run
+```bash
+cursorflow run _cursorflow/tasks/2512191700_MyFeature/
+```
+
+### Cloud run (requires API key)
+```bash
+export CURSOR_API_KEY=your_key
+cursorflow run _cursorflow/tasks/MyFeature/ --executor cloud
+```
+
+### Fast run without review
+```bash
+cursorflow run _cursorflow/tasks/MyFeature/ --no-review
+```
+
+## Execution process
+
+1. **Initialization**
+   - Load configuration
+   - Verify the `cursor-agent` CLI
+   - Confirm Git repository status
+
+2. **Prepare lanes**
+   - Create worktrees
+   - Check out branches
+   - Configure the environment
+
+3. **Run tasks**
+   - Execute tasks sequentially
+   - Commit after each task
+   - Trigger automatic review when enabled
+
+4. **Complete**
+   - Push changes
+   - Create a PR (depending on settings)
+   - Store logs
+
+## Log location
+
+Run logs are stored in `_cursorflow/logs/runs/`:
+
+```
+_cursorflow/logs/runs/<lane>-<timestamp>/
+├── state.json              # Lane status
+├── results.json            # Task results
+├── conversation.jsonl      # Agent conversation
+├── git-operations.jsonl    # Git activity log
+└── events.jsonl            # Event log
+```
+
+## Checklist
+- [ ] Is the `cursor-agent` CLI installed?
+- [ ] Are Git worktrees available?
+- [ ] Are the task files valid?
+- [ ] Do branch names avoid collisions?
+- [ ] Are required environment variables set? (for cloud runs)
+
+## Troubleshooting
+
+### Branch conflicts
+```bash
+# Clean up existing branches
+cursorflow clean branches --pattern "feature/my-*"
+```
+
+### Worktree conflicts
+```bash
+# Clean up existing worktrees
+cursorflow clean worktrees --all
+```
+
+### Run failures
+```bash
+# Inspect logs
+cursorflow monitor
+# or
+cat _cursorflow/logs/runs/latest/*/state.json
+```
+
+## Next steps
+1. Monitor progress with `cursorflow monitor --watch`.
+2. Review the PR when the run completes.
+3. If a run fails, resume with `cursorflow resume <lane>`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@litmers/cursorflow-orchestrator",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Git worktree-based parallel AI agent orchestration system for Cursor",
   "main": "src/cli/index.js",
   "bin": {
@@ -8,8 +8,17 @@
     "cursorflow-setup": "src/cli/setup-commands.js"
   },
   "scripts": {
-    "test": "node test/run.js",
-    "postinstall": "node scripts/postinstall.js"
+    "postinstall": "node scripts/postinstall.js",
+    "prepublishOnly": "npm run validate",
+    "validate": "npm pack --dry-run",
+    "release": "scripts/release.sh",
+    "release:patch": "scripts/release.sh patch",
+    "release:minor": "scripts/release.sh minor",
+    "release:major": "scripts/release.sh major",
+    "security:check": "npm audit && node scripts/ai-security-check.js",
+    "security:audit": "npm audit",
+    "security:audit:fix": "npm audit fix",
+    "security:setup": "scripts/setup-security.sh"
   },
   "keywords": [
     "cursor",
@@ -44,7 +53,7 @@
     "scripts/",
     "commands/",
     "templates/",
-    "docs/",
+    "examples/",
     "README.md",
     "LICENSE",
     "CHANGELOG.md"

package/scripts/ai-security-check.js

@@ -0,0 +1,224 @@
+#!/usr/bin/env node
+
+/**
+ * AI 기반 보안 검사 스크립트
+ * OpenAI API를 사용하여 코드의 보안 취약점을 분석합니다.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+
+// 색상 정의
+const colors = {
+  red: '\x1b[31m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  blue: '\x1b[34m',
+  reset: '\x1b[0m'
+};
+
+// OpenAI API 키 확인
+const OPENAI_API_KEY = process.env.OPENAI_API_KEY;
+if (!OPENAI_API_KEY) {
+  console.log(`${colors.yellow}⚠️  OPENAI_API_KEY not set. Skipping AI security check.${colors.reset}`);
+  process.exit(0);
+}
+
+// 변경된 파일 가져오기 (PR인 경우)
+function getChangedFiles() {
+  try {
+    const baseBranch = process.env.GITHUB_BASE_REF || 'main';
+    const diffCommand = `git diff --name-only origin/${baseBranch}...HEAD`;
+    const files = execSync(diffCommand, { encoding: 'utf-8' })
+      .split('\n')
+      .filter(f => f.endsWith('.js') || f.endsWith('.ts') || f.endsWith('.jsx') || f.endsWith('.tsx'))
+      .filter(f => f && fs.existsSync(f));
+    return files;
+  } catch (error) {
+    // PR이 아닌 경우 최근 커밋의 파일들
+    try {
+      const files = execSync('git diff-tree --no-commit-id --name-only -r HEAD', { encoding: 'utf-8' })
+        .split('\n')
+        .filter(f => f.endsWith('.js') || f.endsWith('.ts') || f.endsWith('.jsx') || f.endsWith('.tsx'))
+        .filter(f => f && fs.existsSync(f));
+      return files;
+    } catch {
+      return [];
+    }
+  }
+}
+
+// AI 보안 검사 프롬프트
+function createSecurityPrompt(code, filename) {
+  return `You are a security expert analyzing code for vulnerabilities. Analyze the following code and identify any security issues.
+
+File: ${filename}
+
+Code:
+\`\`\`javascript
+${code}
+\`\`\`
+
+Please analyze for:
+1. **Injection vulnerabilities** (SQL, NoSQL, Command, XSS, etc.)
+2. **Authentication/Authorization issues**
+3. **Sensitive data exposure** (hardcoded secrets, credentials, API keys)
+4. **Insecure dependencies or imports**
+5. **Path traversal vulnerabilities**
+6. **Insecure randomness or cryptography**
+7. **Unsafe deserialization**
+8. **Rate limiting or DoS vulnerabilities**
+9. **CSRF/SSRF vulnerabilities**
+10. **Any OWASP Top 10 issues**
+
+Respond in JSON format:
+{
+  "has_issues": true/false,
+  "severity": "critical" | "high" | "medium" | "low" | "none",
+  "issues": [
+    {
+      "type": "vulnerability type",
+      "severity": "critical/high/medium/low",
+      "line": "approximate line number or area",
+      "description": "detailed description",
+      "recommendation": "how to fix"
+    }
+  ],
+  "summary": "overall security assessment"
+}`;
+}
+
+// OpenAI API 호출
+async function analyzeCodeWithAI(code, filename) {
+  const prompt = createSecurityPrompt(code, filename);
+  
+  try {
+    const response = await fetch('https://api.openai.com/v1/chat/completions', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${OPENAI_API_KEY}`
+      },
+      body: JSON.stringify({
+        model: 'gpt-4o',
+        messages: [
+          {
+            role: 'system',
+            content: 'You are a security expert specializing in code security analysis. Provide detailed, actionable security assessments in JSON format.'
+          },
+          {
+            role: 'user',
+            content: prompt
+          }
+        ],
+        temperature: 0.3,
+        response_format: { type: "json_object" }
+      })
+    });
+
+    if (!response.ok) {
+      throw new Error(`OpenAI API error: ${response.status} ${response.statusText}`);
+    }
+
+    const data = await response.json();
+    const content = data.choices[0].message.content;
+    return JSON.parse(content);
+  } catch (error) {
+    console.error(`${colors.red}Error calling OpenAI API: ${error.message}${colors.reset}`);
+    return null;
+  }
+}
+
+// 보안 이슈 출력
+function printSecurityIssues(filename, analysis) {
+  if (!analysis.has_issues) {
+    console.log(`${colors.green}✓ ${filename}: No security issues found${colors.reset}`);
+    return false;
+  }
+
+  console.log(`\n${colors.red}⚠️  Security issues found in ${filename}${colors.reset}`);
+  console.log(`${colors.yellow}Severity: ${analysis.severity.toUpperCase()}${colors.reset}`);
+  console.log(`\n${analysis.summary}\n`);
+
+  analysis.issues.forEach((issue, index) => {
+    const severityColor = {
+      critical: colors.red,
+      high: colors.red,
+      medium: colors.yellow,
+      low: colors.blue
+    }[issue.severity] || colors.reset;
+
+    console.log(`${index + 1}. ${severityColor}[${issue.severity.toUpperCase()}]${colors.reset} ${issue.type}`);
+    console.log(`   Location: ${issue.line}`);
+    console.log(`   ${issue.description}`);
+    console.log(`   ${colors.green}Fix: ${issue.recommendation}${colors.reset}\n`);
+  });
+
+  return analysis.severity === 'critical' || analysis.severity === 'high';
+}
+
+// 메인 실행
+async function main() {
+  console.log(`${colors.blue}🔍 Starting AI Security Analysis...${colors.reset}\n`);
+
+  const changedFiles = getChangedFiles();
+  
+  if (changedFiles.length === 0) {
+    console.log(`${colors.yellow}No code files changed. Skipping AI security check.${colors.reset}`);
+    process.exit(0);
+  }
+
+  console.log(`Analyzing ${changedFiles.length} file(s):\n`);
+  changedFiles.forEach(f => console.log(`  - ${f}`));
+  console.log('');
+
+  let hasBlockingIssues = false;
+  let totalIssues = 0;
+
+  for (const file of changedFiles) {
+    try {
+      const code = fs.readFileSync(file, 'utf-8');
+      
+      // 파일이 너무 크면 스킵
+      if (code.length > 50000) {
+        console.log(`${colors.yellow}⚠️  ${file}: File too large, skipping${colors.reset}`);
+        continue;
+      }
+
+      console.log(`Analyzing ${file}...`);
+      const analysis = await analyzeCodeWithAI(code, file);
+      
+      if (analysis) {
+        const hasIssues = printSecurityIssues(file, analysis);
+        if (hasIssues) {
+          hasBlockingIssues = true;
+          totalIssues += analysis.issues.length;
+        }
+      }
+    } catch (error) {
+      console.error(`${colors.red}Error analyzing ${file}: ${error.message}${colors.reset}`);
+    }
+  }
+
+  console.log(`\n${colors.blue}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${colors.reset}`);
+  console.log(`${colors.blue}📊 Security Analysis Summary${colors.reset}`);
+  console.log(`${colors.blue}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${colors.reset}`);
+  console.log(`Files analyzed: ${changedFiles.length}`);
+  console.log(`Security issues found: ${totalIssues}`);
+
+  if (hasBlockingIssues) {
+    console.log(`\n${colors.red}❌ CRITICAL/HIGH severity security issues found!${colors.reset}`);
+    console.log(`${colors.red}Deployment blocked. Please fix the issues above.${colors.reset}\n`);
+    process.exit(1);
+  } else {
+    console.log(`\n${colors.green}✅ No blocking security issues found${colors.reset}\n`);
+    process.exit(0);
+  }
+}
+
+main().catch(error => {
+  console.error(`${colors.red}Fatal error: ${error.message}${colors.reset}`);
+  process.exit(1);
+});
+

package/scripts/release.sh

@@ -0,0 +1,109 @@
+#!/bin/bash
+
+# NPM 배포 스크립트
+# 사용법: ./scripts/release.sh [patch|minor|major]
+
+set -e
+
+# 색상 정의
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# 버전 타입 확인
+VERSION_TYPE=${1:-patch}
+
+if [[ ! "$VERSION_TYPE" =~ ^(patch|minor|major|prerelease)$ ]]; then
+    echo -e "${RED}Error: Invalid version type. Use: patch, minor, major, or prerelease${NC}"
+    exit 1
+fi
+
+echo -e "${BLUE}=== CursorFlow Release Script ===${NC}\n"
+
+# Git 상태 확인
+echo -e "${YELLOW}Checking git status...${NC}"
+if [[ -n $(git status -s) ]]; then
+    echo -e "${RED}Error: Working directory is not clean. Commit or stash your changes first.${NC}"
+    git status -s
+    exit 1
+fi
+echo -e "${GREEN}✓ Working directory is clean${NC}\n"
+
+# 현재 브랜치 확인
+CURRENT_BRANCH=$(git branch --show-current)
+echo -e "${YELLOW}Current branch: ${CURRENT_BRANCH}${NC}"
+if [[ "$CURRENT_BRANCH" != "main" ]] && [[ "$CURRENT_BRANCH" != "master" ]]; then
+    echo -e "${YELLOW}Warning: You are not on main/master branch${NC}"
+    read -p "Continue anyway? (y/N): " -n 1 -r
+    echo
+    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+        exit 1
+    fi
+fi
+
+# 최신 코드 받기
+echo -e "\n${YELLOW}Pulling latest changes...${NC}"
+git pull origin "$CURRENT_BRANCH"
+echo -e "${GREEN}✓ Up to date${NC}\n"
+
+# 현재 버전 확인
+CURRENT_VERSION=$(node -p "require('./package.json').version")
+echo -e "${BLUE}Current version: ${CURRENT_VERSION}${NC}"
+
+# 버전 업데이트
+echo -e "\n${YELLOW}Updating version ($VERSION_TYPE)...${NC}"
+NEW_VERSION=$(npm version $VERSION_TYPE --no-git-tag-version)
+echo -e "${GREEN}✓ New version: ${NEW_VERSION}${NC}\n"
+
+# CHANGELOG 업데이트 확인
+echo -e "${YELLOW}Have you updated CHANGELOG.md for this release?${NC}"
+read -p "Press Enter to edit CHANGELOG.md, or 's' to skip: " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Ss]$ ]]; then
+    ${EDITOR:-nano} CHANGELOG.md
+fi
+
+# 변경사항 커밋
+echo -e "\n${YELLOW}Committing version bump...${NC}"
+git add package.json CHANGELOG.md
+git commit -m "chore: bump version to ${NEW_VERSION}"
+echo -e "${GREEN}✓ Version bump committed${NC}\n"
+
+# 태그 생성
+TAG_NAME="v${NEW_VERSION#v}"
+echo -e "${YELLOW}Creating tag: ${TAG_NAME}${NC}"
+git tag -a "$TAG_NAME" -m "Release ${TAG_NAME}"
+echo -e "${GREEN}✓ Tag created${NC}\n"
+
+# 푸시 전 확인
+echo -e "${BLUE}Ready to push:${NC}"
+echo -e "  - Commit: chore: bump version to ${NEW_VERSION}"
+echo -e "  - Tag: ${TAG_NAME}"
+echo -e "  - Branch: ${CURRENT_BRANCH}"
+echo
+
+read -p "Push to GitHub and trigger deployment? (y/N): " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+    echo -e "${YELLOW}Aborted. To push manually later:${NC}"
+    echo -e "  git push origin ${CURRENT_BRANCH}"
+    echo -e "  git push origin ${TAG_NAME}"
+    exit 0
+fi
+
+# 푸시
+echo -e "\n${YELLOW}Pushing to GitHub...${NC}"
+git push origin "$CURRENT_BRANCH"
+git push origin "$TAG_NAME"
+echo -e "${GREEN}✓ Pushed successfully${NC}\n"
+
+# 완료 메시지
+echo -e "${GREEN}=== Release Process Complete! ===${NC}\n"
+echo -e "${BLUE}Next steps:${NC}"
+echo -e "  1. Monitor GitHub Actions: https://github.com/eungjin-cigro/cursorflow/actions"
+echo -e "  2. Check npm package: https://www.npmjs.com/package/@litmers/cursorflow-orchestrator"
+echo -e "  3. Verify GitHub Release: https://github.com/eungjin-cigro/cursorflow/releases/tag/${TAG_NAME}"
+echo -e "\n${GREEN}Release ${NEW_VERSION} is being deployed! 🚀${NC}"
+