@litmers/cursorflow-orchestrator 0.1.3 → 0.1.6

package/scripts/ai-security-check.js

@@ -7,7 +7,7 @@
 
 const fs = require('fs');
 const path = require('path');
-const { execSync } = require('child_process');
+const { spawnSync } = require('child_process');
 
 // 색상 정의
 const colors = {
@@ -29,8 +29,10 @@ if (!OPENAI_API_KEY) {
 function getChangedFiles() {
   try {
     const baseBranch = process.env.GITHUB_BASE_REF || 'main';
-    const diffCommand = `git diff --name-only origin/${baseBranch}...HEAD`;
-    const files = execSync(diffCommand, { encoding: 'utf-8' })
+    const result = spawnSync('git', ['diff', '--name-only', `origin/${baseBranch}...HEAD`], { encoding: 'utf-8' });
+    if (result.status !== 0) throw new Error(result.stderr);
+    
+    const files = result.stdout
       .split('\n')
       .filter(f => f.endsWith('.js') || f.endsWith('.ts') || f.endsWith('.jsx') || f.endsWith('.tsx'))
       .filter(f => f && fs.existsSync(f));
@@ -38,7 +40,10 @@ function getChangedFiles() {
   } catch (error) {
     // PR이 아닌 경우 최근 커밋의 파일들
     try {
-      const files = execSync('git diff-tree --no-commit-id --name-only -r HEAD', { encoding: 'utf-8' })
+      const result = spawnSync('git', ['diff-tree', '--no-commit-id', '--name-only', '-r', 'HEAD'], { encoding: 'utf-8' });
+      if (result.status !== 0) return [];
+      
+      const files = result.stdout
         .split('\n')
         .filter(f => f.endsWith('.js') || f.endsWith('.ts') || f.endsWith('.jsx') || f.endsWith('.tsx'))
         .filter(f => f && fs.existsSync(f));
@@ -71,6 +76,8 @@ Please analyze for:
 8. **Rate limiting or DoS vulnerabilities**
 9. **CSRF/SSRF vulnerabilities**
 10. **Any OWASP Top 10 issues**
+11. **CodeQL-specific patterns** (tainted data flow, improper input validation, dangerous sinks like eval or child_process.exec)
+12. **Code quality issues** that might trigger CodeQL's "Security and Quality" queries
 
 Respond in JSON format:
 {

package/scripts/local-security-gate.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# 로컬 보안 게이트 (Local Security Gate)
+# 커밋 또는 푸시 전에 보안 취약점을 미리 검사합니다.
+
+set -e
+
+# 색상 정의
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+echo -e "${BLUE}🔍 Starting Local Security Gate...${NC}"
+
+# 1. 의존성 취약점 검사 (npm audit)
+echo -e "\n${BLUE}[1/4] Checking dependencies (npm audit)...${NC}"
+if npm audit --audit-level=high; then
+    echo -e "${GREEN}✅ No high-severity dependency issues found.${NC}"
+else
+    echo -e "${RED}❌ High-severity dependency issues found!${NC}"
+    echo -e "${YELLOW}Please run 'npm audit fix' to resolve them.${NC}"
+    exit 1
+fi
+
+# 2. 정적 코드 분석 (Semgrep - CodeQL 대안)
+echo -e "\n${BLUE}[2/4] Running static analysis (Semgrep)...${NC}"
+if command -v semgrep &> /dev/null; then
+    if semgrep --config=auto --error .; then
+        echo -e "${GREEN}✅ Semgrep analysis passed.${NC}"
+    else
+        echo -e "${RED}❌ Semgrep found potential security issues!${NC}"
+        echo -e "${YELLOW}CodeQL과 유사한 보안 이슈들입니다. 위 리포트를 확인하고 수정하세요.${NC}"
+        exit 1
+    fi
+else
+    echo -e "${YELLOW}⚠️  Semgrep not installed. Skipping static analysis.${NC}"
+    echo -e "Install it to catch CodeQL-like issues: pip install semgrep"
+fi
+
+# 3. 민감 정보 노출 검사 (Simple Secret Scan)
+echo -e "\n${BLUE}[3/4] Checking for hardcoded secrets...${NC}"
+# git에 추적되는 파일들 중 API 키나 비밀번호 패턴 검색
+# .cursorignore나 .gitignore에 있는 파일은 제외
+# .github, *.md, scripts/setup-security.sh 등은 제외
+# 변수 선언이나 에러 메시지에 포함된 키워드는 제외하도록 필터 강화
+SECRETS_FOUND=$(git grep -Ei "api[_-]?key|secret|password|token|bearer|private[_-]?key" -- ":!package-lock.json" ":!*.md" ":!scripts/setup-security.sh" ":!scripts/ai-security-check.js" ":!.github/*" ":!scripts/local-security-gate.sh" | grep -v "process.env" | grep -v "example" | grep -v "\${{" | grep -vE "stderr\.includes|checkCursorApiKey|CURSOR_API_KEY|api key|API_KEY" || true)
+
+if [ -z "$SECRETS_FOUND" ]; then
+    echo -e "${GREEN}✅ No obvious secrets found in tracked files.${NC}"
+else
+    echo -e "${YELLOW}⚠️  Possible secrets found:${NC}"
+    echo "$SECRETS_FOUND"
+    echo -e "\n${RED}❌ Please remove secrets or move them to .env file before pushing!${NC}"
+    exit 1
+fi
+
+# 4. AI 기반 코드 보안 분석 (선택적)
+echo -e "\n${BLUE}[4/4] AI-based security analysis...${NC}"
+if [ -z "$OPENAI_API_KEY" ]; then
+    echo -e "${YELLOW}⚠️  OPENAI_API_KEY not set. Skipping AI security check.${NC}"
+    echo -e "Set the environment variable to enable this step: export OPENAI_API_KEY=your-key"
+else
+    if node scripts/ai-security-check.js; then
+        echo -e "${GREEN}✅ AI security check passed.${NC}"
+    else
+        echo -e "${RED}❌ AI security check failed!${NC}"
+        exit 1
+    fi
+fi
+
+echo -e "\n${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+echo -e "${GREEN}✅ All local security checks passed!${NC}"
+echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}\n"
+

package/src/cli/{clean.js → clean.ts}

@@ -1,11 +1,17 @@
-#!/usr/bin/env node
 /**
  * CursorFlow clean command (stub)
  */
 
-const logger = require('../utils/logger');
+import * as logger from '../utils/logger';
 
-function parseArgs(args) {
+interface CleanOptions {
+  type?: string;
+  pattern: string | null;
+  dryRun: boolean;
+  force: boolean;
+}
+
+function parseArgs(args: string[]): CleanOptions {
   return {
     type: args[0], // branches | worktrees | logs | all
     pattern: null,
@@ -14,7 +20,7 @@ function parseArgs(args) {
   };
 }
 
-async function clean(args) {
+async function clean(args: string[]): Promise<void> {
   logger.section('🧹 Cleaning CursorFlow Resources');
   
   const options = parseArgs(args);
@@ -27,4 +33,4 @@ async function clean(args) {
   logger.info('This will clean branches, worktrees, and logs');
 }
 
-module.exports = clean;
+export = clean;

package/src/cli/doctor.ts

@@ -0,0 +1,127 @@
+/**
+ * CursorFlow doctor command
+ *
+ * Usage:
+ *   cursorflow doctor [options]
+ *
+ * Options:
+ *   --json                 Output machine-readable JSON
+ *   --tasks-dir <path>     Also validate lane files (run preflight)
+ *   --executor <type>      cursor-agent | cloud
+ *   --no-cursor            Skip Cursor Agent install/auth checks
+ *   --help, -h             Show help
+ */
+
+import * as logger from '../utils/logger';
+import { runDoctor } from '../utils/doctor';
+
+interface DoctorCliOptions {
+  json: boolean;
+  tasksDir: string | null;
+  executor: string | null;
+  includeCursorAgentChecks: boolean;
+}
+
+function printHelp(): void {
+  console.log(`
+Usage: cursorflow doctor [options]
+
+Verify your environment is ready for CursorFlow runs.
+
+Options:
+  --json                 Output machine-readable JSON
+  --tasks-dir <path>     Also validate lane files (run preflight)
+  --executor <type>      cursor-agent | cloud
+  --no-cursor            Skip Cursor Agent install/auth checks
+  --help, -h             Show help
+
+Examples:
+  cursorflow doctor
+  cursorflow doctor --tasks-dir _cursorflow/tasks/demo-test/
+  cursorflow doctor --json
+  `);
+}
+
+function parseArgs(args: string[]): DoctorCliOptions {
+  const tasksDirIdx = args.indexOf('--tasks-dir');
+  const executorIdx = args.indexOf('--executor');
+
+  const options: DoctorCliOptions = {
+    json: args.includes('--json'),
+    tasksDir: tasksDirIdx >= 0 ? (args[tasksDirIdx + 1] || null) : null,
+    executor: executorIdx >= 0 ? (args[executorIdx + 1] || null) : null,
+    includeCursorAgentChecks: !args.includes('--no-cursor'),
+  };
+
+  if (args.includes('--help') || args.includes('-h')) {
+    printHelp();
+    process.exit(0);
+  }
+
+  return options;
+}
+
+function printHumanReport(report: ReturnType<typeof runDoctor>): void {
+  logger.section('🩺 CursorFlow Doctor');
+  logger.info(`cwd: ${report.context.cwd}`);
+  if (report.context.repoRoot) logger.info(`repo: ${report.context.repoRoot}`);
+  if (report.context.tasksDir) logger.info(`tasks: ${report.context.tasksDir}`);
+
+  if (report.issues.length === 0) {
+    logger.success('All checks passed');
+    return;
+  }
+
+  for (const issue of report.issues) {
+    const header = `${issue.title} (${issue.id})`;
+    if (issue.severity === 'error') {
+      logger.error(header, '❌');
+    } else {
+      logger.warn(header, '⚠️');
+    }
+
+    console.log(`   ${issue.message}`);
+
+    if (issue.details) {
+      console.log(`   Details: ${issue.details}`);
+    }
+
+    if (issue.fixes && issue.fixes.length > 0) {
+      console.log('   Fix:');
+      for (const fix of issue.fixes) {
+        console.log(`     - ${fix}`);
+      }
+    }
+
+    console.log('');
+  }
+
+  if (report.ok) {
+    logger.success('Doctor completed with warnings');
+  } else {
+    logger.error('Doctor found blocking issues');
+  }
+}
+
+async function doctor(args: string[]): Promise<void> {
+  const options = parseArgs(args);
+
+  const report = runDoctor({
+    cwd: process.cwd(),
+    tasksDir: options.tasksDir || undefined,
+    executor: options.executor || undefined,
+    includeCursorAgentChecks: options.includeCursorAgentChecks,
+  });
+
+  if (options.json) {
+    console.log(JSON.stringify(report, null, 2));
+  } else {
+    printHumanReport(report);
+  }
+
+  process.exit(report.ok ? 0 : 1);
+}
+
+export = doctor;
+
+

package/src/cli/{index.js → index.ts}

@@ -1,19 +1,24 @@
-#!/usr/bin/env node
 /**
  * CursorFlow CLI - Main entry point
  */
 
-const logger = require('../utils/logger');
+import * as logger from '../utils/logger';
 
-const COMMANDS = {
+// Command functions signature
+type CommandFn = (args: string[]) => Promise<void>;
+
+// Lazy load commands to speed up help/version output
+const COMMANDS: Record<string, CommandFn> = {
   init: require('./init'),
   run: require('./run'),
   monitor: require('./monitor'),
   clean: require('./clean'),
   resume: require('./resume'),
+  doctor: require('./doctor'),
+  signal: require('./signal'),
 };
 
-function printHelp() {
+function printHelp(): void {
   console.log(`
 CursorFlow - Git worktree-based parallel AI agent orchestration
 
@@ -25,6 +30,8 @@ Commands:
   monitor [run-dir] [options] Monitor lane execution
   clean <type> [options]      Clean branches/worktrees/logs
   resume <lane> [options]     Resume interrupted lane
+  doctor [options]            Check environment and preflight
+  signal <lane> <msg>         Directly intervene in a running lane
 
 Global Options:
   --config <path>             Config file path
@@ -36,44 +43,47 @@ Examples:
   cursorflow run _cursorflow/tasks/MyFeature/
   cursorflow monitor --watch
   cursorflow clean branches --all
+  cursorflow doctor
 
 Documentation:
   https://github.com/eungjin-cigro/cursorflow#readme
   `);
 }
 
-function printVersion() {
+function printVersion(): void {
   const pkg = require('../../package.json');
   console.log(`CursorFlow v${pkg.version}`);
 }
 
-async function main() {
+async function main(): Promise<void> {
   const args = process.argv.slice(2);
   
   if (args.length === 0 || args.includes('--help') || args.includes('-h')) {
     printHelp();
-    process.exit(0);
+    return;
   }
   
   if (args.includes('--version') || args.includes('-v')) {
     printVersion();
-    process.exit(0);
+    return;
   }
   
-  const command = args[0];
+  const commandName = args[0]!;
   const commandArgs = args.slice(1);
   
-  if (!COMMANDS[command]) {
-    logger.error(`Unknown command: ${command}`);
+  const command = COMMANDS[commandName];
+  
+  if (!command) {
+    logger.error(`Unknown command: ${commandName}`);
     console.log('\nRun "cursorflow --help" for usage information.');
     process.exit(1);
   }
   
   try {
-    await COMMANDS[command](commandArgs);
-  } catch (error) {
+    await command(commandArgs);
+  } catch (error: any) {
     logger.error(error.message);
-    if (process.env.DEBUG) {
+    if (process.env['DEBUG']) {
       console.error(error.stack);
     }
     process.exit(1);
@@ -83,11 +93,12 @@ async function main() {
 if (require.main === module) {
   main().catch(error => {
     logger.error(`Fatal error: ${error.message}`);
-    if (process.env.DEBUG) {
+    if (process.env['DEBUG']) {
       console.error(error.stack);
     }
     process.exit(1);
   });
 }
 
-module.exports = main;
+export default main;
+export { main };

package/src/cli/{init.js → init.ts}

@@ -1,18 +1,25 @@
-#!/usr/bin/env node
 /**
  * CursorFlow init command
  * 
  * Initialize CursorFlow in a project
  */
 
-const fs = require('fs');
-const path = require('path');
-const logger = require('../utils/logger');
-const { findProjectRoot, createDefaultConfig } = require('../utils/config');
-const { setupCommands } = require('./setup-commands');
+import * as fs from 'fs';
+import * as path from 'path';
+import * as logger from '../utils/logger';
+import { findProjectRoot, createDefaultConfig, CursorFlowConfig } from '../utils/config';
+import { setupCommands } from './setup-commands';
 
-function parseArgs(args) {
-  const options = {
+interface InitOptions {
+  example: boolean;
+  withCommands: boolean;
+  configOnly: boolean;
+  force: boolean;
+  gitignore: boolean;
+}
+
+function parseArgs(args: string[]): InitOptions {
+  const options: InitOptions = {
     example: false,
     withCommands: true,
     configOnly: false,
@@ -53,7 +60,7 @@ function parseArgs(args) {
   return options;
 }
 
-function printHelp() {
+function printHelp(): void {
   console.log(`
 Usage: cursorflow init [options]
 
@@ -76,7 +83,7 @@ Examples:
   `);
 }
 
-function createDirectories(projectRoot, config) {
+function createDirectories(projectRoot: string, config: CursorFlowConfig): void {
   const tasksDir = path.join(projectRoot, config.tasksDir);
   const logsDir = path.join(projectRoot, config.logsDir);
   
@@ -95,7 +102,7 @@ function createDirectories(projectRoot, config) {
   }
 }
 
-function createExampleTasks(projectRoot, config) {
+function createExampleTasks(projectRoot: string, config: CursorFlowConfig): void {
   const exampleDir = path.join(projectRoot, config.tasksDir, 'example');
   
   if (!fs.existsSync(exampleDir)) {
@@ -164,7 +171,7 @@ cursorflow run ${config.tasksDir}/example/
 /**
  * Add _cursorflow to .gitignore
  */
-function updateGitignore(projectRoot) {
+function updateGitignore(projectRoot: string): void {
   const gitignorePath = path.join(projectRoot, '.gitignore');
   const entry = '_cursorflow/';
   
@@ -209,7 +216,7 @@ function updateGitignore(projectRoot) {
   logger.success('Added _cursorflow/ to .gitignore');
 }
 
-async function init(args) {
+async function init(args: string[]): Promise<void> {
   logger.section('🚀 Initializing CursorFlow');
   
   const options = parseArgs(args);
@@ -228,7 +235,7 @@ async function init(args) {
     try {
       createDefaultConfig(projectRoot, options.force);
       logger.success(`Created config file: cursorflow.config.js`);
-    } catch (error) {
+    } catch (error: any) {
       if (error.message.includes('already exists') && !options.force) {
         logger.warn(error.message);
       } else {
@@ -237,7 +244,8 @@ async function init(args) {
     }
   }
   
-  const config = require(configPath);
+  // We need to require the config file after it might have been created
+  const config: CursorFlowConfig = require(configPath);
   
   if (options.configOnly) {
     logger.section('✅ Configuration initialized');
@@ -256,7 +264,7 @@ async function init(args) {
     logger.info('\n📝 Updating .gitignore...');
     try {
       updateGitignore(projectRoot);
-    } catch (error) {
+    } catch (error: any) {
       logger.warn(`Failed to update .gitignore: ${error.message}`);
       logger.info('You can manually add "_cursorflow/" to your .gitignore');
     }
@@ -267,7 +275,7 @@ async function init(args) {
     logger.info('\n📋 Installing Cursor commands...');
     try {
       await setupCommands({ force: options.force, silent: false });
-    } catch (error) {
+    } catch (error: any) {
       logger.warn(`Failed to install Cursor commands: ${error.message}`);
       logger.info('You can install them later with: npx cursorflow-setup');
     }
@@ -297,4 +305,4 @@ async function init(args) {
   console.log('');
 }
 
-module.exports = init;
+export = init;