npm - @mandujs/mcp - Versions diffs - 0.12.2 → 0.13.0 - Mend

@mandujs/mcp 0.12.2 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/README.md +367 -367
package/package.json +2 -2
package/src/activity-monitor.ts +847 -847
package/src/adapters/index.ts +20 -20
package/src/adapters/monitor-adapter.ts +100 -100
package/src/adapters/tool-adapter.ts +88 -88
package/src/executor/error-handler.ts +250 -250
package/src/executor/index.ts +22 -22
package/src/executor/tool-executor.ts +148 -148
package/src/hooks/config-watcher.ts +174 -174
package/src/hooks/index.ts +23 -23
package/src/hooks/mcp-hooks.ts +227 -227
package/src/index.ts +106 -106
package/src/logging/index.ts +15 -15
package/src/logging/mcp-transport.ts +134 -134
package/src/registry/index.ts +13 -13
package/src/registry/mcp-tool-registry.ts +298 -298
package/src/resources/skills/guides.ts +1136 -1136
package/src/resources/skills/index.ts +12 -12
package/src/resources/skills/loader.ts +218 -218
package/src/resources/skills/mandu-composition/SKILL.md +91 -91
package/src/resources/skills/mandu-composition/metadata.json +13 -13
package/src/resources/skills/mandu-composition/rules/_sections.md +26 -26
package/src/resources/skills/mandu-composition/rules/_template.md +77 -77
package/src/resources/skills/mandu-composition/rules/comp-arch-avoid-boolean-props.md +146 -146
package/src/resources/skills/mandu-composition/rules/comp-arch-compound-components.md +164 -164
package/src/resources/skills/mandu-composition/rules/comp-island-event.md +161 -161
package/src/resources/skills/mandu-composition/rules/comp-island-slot-split.md +167 -167
package/src/resources/skills/mandu-composition/rules/comp-pattern-children.md +149 -149
package/src/resources/skills/mandu-composition/rules/comp-state-context-interface.md +148 -148
package/src/resources/skills/mandu-composition/rules/comp-state-lift-state.md +150 -150
package/src/resources/skills/mandu-deployment/SKILL.md +92 -92
package/src/resources/skills/mandu-deployment/_sections.md +41 -41
package/src/resources/skills/mandu-deployment/_template.md +38 -38
package/src/resources/skills/mandu-deployment/metadata.json +13 -13
package/src/resources/skills/mandu-deployment/rules/deploy-build-bun.md +109 -109
package/src/resources/skills/mandu-deployment/rules/deploy-build-output.md +115 -115
package/src/resources/skills/mandu-deployment/rules/deploy-cicd-github.md +219 -219
package/src/resources/skills/mandu-deployment/rules/deploy-docker-bun.md +150 -150
package/src/resources/skills/mandu-deployment/rules/deploy-docker-compose.md +223 -223
package/src/resources/skills/mandu-deployment/rules/deploy-platform-fly.md +152 -152
package/src/resources/skills/mandu-deployment/rules/deploy-platform-render.md +179 -179
package/src/resources/skills/mandu-deployment/rules/deploy-platform-supabase.md +323 -323
package/src/resources/skills/mandu-deployment/rules/deploy-platform-vercel.md +140 -140
package/src/resources/skills/mandu-fs-routes/SKILL.md +82 -82
package/src/resources/skills/mandu-fs-routes/metadata.json +12 -12
package/src/resources/skills/mandu-fs-routes/rules/_sections.md +36 -36
package/src/resources/skills/mandu-fs-routes/rules/_template.md +69 -69
package/src/resources/skills/mandu-fs-routes/rules/routes-api-methods.md +65 -65
package/src/resources/skills/mandu-fs-routes/rules/routes-dynamic-param.md +93 -93
package/src/resources/skills/mandu-fs-routes/rules/routes-naming-page.md +55 -55
package/src/resources/skills/mandu-guard/SKILL.md +129 -129
package/src/resources/skills/mandu-guard/metadata.json +12 -12
package/src/resources/skills/mandu-guard/rules/_sections.md +36 -36
package/src/resources/skills/mandu-guard/rules/_template.md +82 -82
package/src/resources/skills/mandu-guard/rules/guard-config-rules.md +100 -100
package/src/resources/skills/mandu-guard/rules/guard-layer-direction.md +76 -76
package/src/resources/skills/mandu-guard/rules/guard-preset-mandu.md +81 -81
package/src/resources/skills/mandu-guard/rules/guard-validate-import.md +80 -80
package/src/resources/skills/mandu-hydration/SKILL.md +91 -91
package/src/resources/skills/mandu-hydration/metadata.json +12 -12
package/src/resources/skills/mandu-hydration/rules/_sections.md +31 -31
package/src/resources/skills/mandu-hydration/rules/_template.md +72 -72
package/src/resources/skills/mandu-hydration/rules/hydration-data-event.md +109 -109
package/src/resources/skills/mandu-hydration/rules/hydration-directive-use-client.md +55 -55
package/src/resources/skills/mandu-hydration/rules/hydration-island-setup.md +113 -113
package/src/resources/skills/mandu-hydration/rules/hydration-priority-visible.md +68 -68
package/src/resources/skills/mandu-performance/SKILL.md +85 -85
package/src/resources/skills/mandu-performance/metadata.json +14 -14
package/src/resources/skills/mandu-performance/rules/_sections.md +31 -31
package/src/resources/skills/mandu-performance/rules/_template.md +64 -64
package/src/resources/skills/mandu-performance/rules/perf-async-defer-await.md +103 -103
package/src/resources/skills/mandu-performance/rules/perf-async-parallel.md +95 -95
package/src/resources/skills/mandu-performance/rules/perf-bun-file.md +124 -124
package/src/resources/skills/mandu-performance/rules/perf-bun-serve.md +125 -125
package/src/resources/skills/mandu-performance/rules/perf-bundle-imports.md +80 -80
package/src/resources/skills/mandu-performance/rules/perf-bundle-island-lazy.md +145 -145
package/src/resources/skills/mandu-performance/rules/perf-cache-react.md +98 -98
package/src/resources/skills/mandu-performance/rules/perf-render-transitions.md +154 -154
package/src/resources/skills/mandu-security/SKILL.md +87 -87
package/src/resources/skills/mandu-security/metadata.json +13 -13
package/src/resources/skills/mandu-security/rules/_sections.md +31 -31
package/src/resources/skills/mandu-security/rules/_template.md +74 -74
package/src/resources/skills/mandu-security/rules/sec-auth-guard.md +127 -127
package/src/resources/skills/mandu-security/rules/sec-env-management.md +133 -133
package/src/resources/skills/mandu-security/rules/sec-input-validate.md +148 -148
package/src/resources/skills/mandu-security/rules/sec-protect-csrf.md +146 -146
package/src/resources/skills/mandu-security/rules/sec-protect-headers.md +138 -138
package/src/resources/skills/mandu-slot/SKILL.md +85 -85
package/src/resources/skills/mandu-slot/metadata.json +12 -12
package/src/resources/skills/mandu-slot/rules/_sections.md +36 -36
package/src/resources/skills/mandu-slot/rules/_template.md +63 -63
package/src/resources/skills/mandu-slot/rules/slot-basic-structure.md +38 -38
package/src/resources/skills/mandu-slot/rules/slot-ctx-response.md +56 -56
package/src/resources/skills/mandu-slot/rules/slot-guard-auth.md +59 -59
package/src/resources/skills/mandu-slot/rules/slot-http-methods.md +64 -64
package/src/resources/skills/mandu-styling/SKILL.md +154 -154
package/src/resources/skills/mandu-styling/_sections.md +43 -43
package/src/resources/skills/mandu-styling/_template.md +32 -32
package/src/resources/skills/mandu-styling/metadata.json +15 -15
package/src/resources/skills/mandu-styling/rules/style-component-compound.md +235 -235
package/src/resources/skills/mandu-styling/rules/style-component-slots.md +255 -255
package/src/resources/skills/mandu-styling/rules/style-component-tokens.md +205 -205
package/src/resources/skills/mandu-styling/rules/style-island-animations.md +272 -272
package/src/resources/skills/mandu-styling/rules/style-island-scoping.md +167 -167
package/src/resources/skills/mandu-styling/rules/style-island-variants.md +221 -221
package/src/resources/skills/mandu-styling/rules/style-perf-critical.md +209 -209
package/src/resources/skills/mandu-styling/rules/style-perf-purge.md +192 -192
package/src/resources/skills/mandu-styling/rules/style-setup-modules.md +162 -162
package/src/resources/skills/mandu-styling/rules/style-setup-panda.md +164 -164
package/src/resources/skills/mandu-styling/rules/style-setup-tailwind.md +170 -170
package/src/resources/skills/mandu-styling/rules/style-tailwind-v4-gotchas.md +179 -179
package/src/resources/skills/mandu-styling/rules/style-theme-darkmode.md +229 -229
package/src/resources/skills/mandu-testing/SKILL.md +99 -99
package/src/resources/skills/mandu-testing/metadata.json +13 -13
package/src/resources/skills/mandu-testing/rules/_sections.md +26 -26
package/src/resources/skills/mandu-testing/rules/_template.md +65 -65
package/src/resources/skills/mandu-testing/rules/test-component-island.md +195 -195
package/src/resources/skills/mandu-testing/rules/test-e2e-playwright.md +196 -196
package/src/resources/skills/mandu-testing/rules/test-mock-fetch.md +219 -219
package/src/resources/skills/mandu-testing/rules/test-slot-unit.md +192 -192
package/src/resources/skills/mandu-ui/SKILL.md +117 -117
package/src/resources/skills/mandu-ui/_sections.md +23 -23
package/src/resources/skills/mandu-ui/_template.md +32 -32
package/src/resources/skills/mandu-ui/metadata.json +13 -13
package/src/resources/skills/mandu-ui/rules/ui-accessibility-aria.md +232 -232
package/src/resources/skills/mandu-ui/rules/ui-accessibility-focus.md +238 -238
package/src/resources/skills/mandu-ui/rules/ui-composition-patterns.md +259 -259
package/src/resources/skills/mandu-ui/rules/ui-island-integration.md +258 -258
package/src/resources/skills/mandu-ui/rules/ui-radix-patterns.md +213 -213
package/src/resources/skills/mandu-ui/rules/ui-shadcn-setup.md +209 -209
package/src/resources/skills/recipes.ts +932 -932
package/src/tools/generate.ts +7 -4
package/src/tools/guard.ts +17 -4
package/src/tools/hydration.ts +10 -10
package/src/tools/project.ts +334 -334
package/src/tools/runtime.ts +497 -497
package/src/tools/seo.ts +417 -417
package/src/tools/spec.ts +80 -159
package/src/utils/project.ts +22 -12
package/src/utils/withWarnings.ts +83 -83

package/src/resources/skills/mandu-security/rules/_template.md CHANGED Viewed

@@ -1,74 +1,74 @@
-# Rule Template
-Use this template when creating new rules for mandu-security.
----
-```markdown
----
-title: Rule Title Here
-impact: CRITICAL | HIGH | MEDIUM | LOW
-impactDescription: 영향 설명 (예: "Prevents unauthorized access")
-tags: security, tag1, tag2
----
-## Rule Title Here
-**Impact: {LEVEL} ({impactDescription})**
-보안 규칙의 목적과 중요성을 설명합니다.
-**Vulnerable (취약한 코드):**
-\`\`\`typescript
-// ❌ 보안 취약점이 있는 코드
-export default Mandu.filling()
-  .get(async (ctx) => {
-    // 인증 없이 민감 데이터 반환
-    const users = await db.user.findMany();
-    return ctx.ok({ users });
-  });
-\`\`\`
-**Secure (안전한 코드):**
-\`\`\`typescript
-// ✅ 보안이 강화된 코드
-export default Mandu.filling()
-  .guard((ctx) => {
-    if (!ctx.get("user")?.isAdmin) {
-      return ctx.forbidden("Admin access required");
-    }
-  })
-  .get(async (ctx) => {
-    const users = await db.user.findMany();
-    return ctx.ok({ users });
-  });
-\`\`\`
-## Attack Vector
-이 취약점이 어떻게 악용될 수 있는지 설명합니다.
-## Mitigation
-추가적인 방어 방법을 설명합니다.
-Reference: [OWASP 관련 문서](https://owasp.org/)
-```
----
-## Naming Convention
-- 파일명: `sec-{category}-{rule-name}.md`
-- 예시: `sec-auth-guard.md`, `sec-input-validate.md`
-## OWASP Top 10 Reference
-| # | Category | Related Rules |
-|---|----------|---------------|
-| 1 | Broken Access Control | sec-auth-* |
-| 2 | Cryptographic Failures | sec-data-* |
-| 3 | Injection | sec-input-* |
-| 7 | XSS | sec-protect-xss |
+# Rule Template
+Use this template when creating new rules for mandu-security.
+---
+```markdown
+---
+title: Rule Title Here
+impact: CRITICAL | HIGH | MEDIUM | LOW
+impactDescription: 영향 설명 (예: "Prevents unauthorized access")
+tags: security, tag1, tag2
+---
+## Rule Title Here
+**Impact: {LEVEL} ({impactDescription})**
+보안 규칙의 목적과 중요성을 설명합니다.
+**Vulnerable (취약한 코드):**
+\`\`\`typescript
+// ❌ 보안 취약점이 있는 코드
+export default Mandu.filling()
+  .get(async (ctx) => {
+    // 인증 없이 민감 데이터 반환
+    const users = await db.user.findMany();
+    return ctx.ok({ users });
+  });
+\`\`\`
+**Secure (안전한 코드):**
+\`\`\`typescript
+// ✅ 보안이 강화된 코드
+export default Mandu.filling()
+  .guard((ctx) => {
+    if (!ctx.get("user")?.isAdmin) {
+      return ctx.forbidden("Admin access required");
+    }
+  })
+  .get(async (ctx) => {
+    const users = await db.user.findMany();
+    return ctx.ok({ users });
+  });
+\`\`\`
+## Attack Vector
+이 취약점이 어떻게 악용될 수 있는지 설명합니다.
+## Mitigation
+추가적인 방어 방법을 설명합니다.
+Reference: [OWASP 관련 문서](https://owasp.org/)
+```
+---
+## Naming Convention
+- 파일명: `sec-{category}-{rule-name}.md`
+- 예시: `sec-auth-guard.md`, `sec-input-validate.md`
+## OWASP Top 10 Reference
+| # | Category | Related Rules |
+|---|----------|---------------|
+| 1 | Broken Access Control | sec-auth-* |
+| 2 | Cryptographic Failures | sec-data-* |
+| 3 | Injection | sec-input-* |
+| 7 | XSS | sec-protect-xss |

package/src/resources/skills/mandu-security/rules/sec-auth-guard.md CHANGED Viewed

@@ -1,127 +1,127 @@
----
-title: Use guard() for Authentication Checks
-impact: CRITICAL
-impactDescription: Prevents unauthorized access
-tags: security, auth, guard, slot
----
-## Use guard() for Authentication Checks
-**Impact: CRITICAL (Prevents unauthorized access)**
-모든 보호된 slot에서 `guard()`를 사용하여 인증을 확인하세요. guard는 핸들러 실행 전에 검사됩니다.
-**Vulnerable (인증 없음):**
-```typescript
-// ❌ 인증 체크 없이 민감 데이터 노출
-export default Mandu.filling()
-  .get(async (ctx) => {
-    const users = await db.user.findMany();
-    return ctx.ok({ users });  // 누구나 접근 가능!
-  });
-```
-**Secure (guard로 인증):**
-```typescript
-// ✅ guard로 인증 체크
-export default Mandu.filling()
-  .guard((ctx) => {
-    const user = ctx.get("user");
-    if (!user) {
-      return ctx.unauthorized("Authentication required");
-    }
-    // void 반환 시 계속 진행
-  })
-  .get(async (ctx) => {
-    const users = await db.user.findMany();
-    return ctx.ok({ users });
-  });
-```
-## 역할 기반 접근 제어 (RBAC)
-```typescript
-export default Mandu.filling()
-  .guard((ctx) => {
-    const user = ctx.get("user");
-    if (!user) {
-      return ctx.unauthorized("Login required");
-    }
-    if (!user.roles.includes("admin")) {
-      return ctx.forbidden("Admin access required");
-    }
-  })
-  .get(async (ctx) => {
-    // 관리자만 접근 가능
-    const sensitiveData = await db.audit.findMany();
-    return ctx.ok({ data: sensitiveData });
-  });
-```
-## 리소스 소유권 검증
-```typescript
-export default Mandu.filling()
-  .guard(async (ctx) => {
-    const user = ctx.get("user");
-    const resourceId = ctx.params.id;
-    if (!user) {
-      return ctx.unauthorized("Login required");
-    }
-    // 리소스 소유권 확인
-    const resource = await db.resource.findUnique({
-      where: { id: resourceId },
-    });
-    if (resource?.ownerId !== user.id) {
-      return ctx.forbidden("You don't own this resource");
-    }
-    // 나중에 사용할 수 있도록 저장
-    ctx.set("resource", resource);
-  })
-  .get((ctx) => {
-    const resource = ctx.get("resource");
-    return ctx.ok({ resource });
-  })
-  .delete(async (ctx) => {
-    const resource = ctx.get("resource");
-    await db.resource.delete({ where: { id: resource.id } });
-    return ctx.noContent();
-  });
-```
-## 다중 guard 체이닝
-```typescript
-const requireAuth = (ctx) => {
-  if (!ctx.get("user")) {
-    return ctx.unauthorized("Login required");
-  }
-};
-const requireAdmin = (ctx) => {
-  if (!ctx.get("user")?.isAdmin) {
-    return ctx.forbidden("Admin required");
-  }
-};
-export default Mandu.filling()
-  .guard(requireAuth)
-  .guard(requireAdmin)  // 순차적으로 실행
-  .get(/* ... */);
-```
-## 주의사항
-- guard에서 응답을 반환하면 핸들러가 실행되지 않음
-- void 반환 시 다음 guard 또는 핸들러로 진행
-- 인증 미들웨어에서 `ctx.set("user", user)`로 사용자 정보 저장
-Reference: [OWASP Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
+---
+title: Use guard() for Authentication Checks
+impact: CRITICAL
+impactDescription: Prevents unauthorized access
+tags: security, auth, guard, slot
+---
+## Use guard() for Authentication Checks
+**Impact: CRITICAL (Prevents unauthorized access)**
+모든 보호된 slot에서 `guard()`를 사용하여 인증을 확인하세요. guard는 핸들러 실행 전에 검사됩니다.
+**Vulnerable (인증 없음):**
+```typescript
+// ❌ 인증 체크 없이 민감 데이터 노출
+export default Mandu.filling()
+  .get(async (ctx) => {
+    const users = await db.user.findMany();
+    return ctx.ok({ users });  // 누구나 접근 가능!
+  });
+```
+**Secure (guard로 인증):**
+```typescript
+// ✅ guard로 인증 체크
+export default Mandu.filling()
+  .guard((ctx) => {
+    const user = ctx.get("user");
+    if (!user) {
+      return ctx.unauthorized("Authentication required");
+    }
+    // void 반환 시 계속 진행
+  })
+  .get(async (ctx) => {
+    const users = await db.user.findMany();
+    return ctx.ok({ users });
+  });
+```
+## 역할 기반 접근 제어 (RBAC)
+```typescript
+export default Mandu.filling()
+  .guard((ctx) => {
+    const user = ctx.get("user");
+    if (!user) {
+      return ctx.unauthorized("Login required");
+    }
+    if (!user.roles.includes("admin")) {
+      return ctx.forbidden("Admin access required");
+    }
+  })
+  .get(async (ctx) => {
+    // 관리자만 접근 가능
+    const sensitiveData = await db.audit.findMany();
+    return ctx.ok({ data: sensitiveData });
+  });
+```
+## 리소스 소유권 검증
+```typescript
+export default Mandu.filling()
+  .guard(async (ctx) => {
+    const user = ctx.get("user");
+    const resourceId = ctx.params.id;
+    if (!user) {
+      return ctx.unauthorized("Login required");
+    }
+    // 리소스 소유권 확인
+    const resource = await db.resource.findUnique({
+      where: { id: resourceId },
+    });
+    if (resource?.ownerId !== user.id) {
+      return ctx.forbidden("You don't own this resource");
+    }
+    // 나중에 사용할 수 있도록 저장
+    ctx.set("resource", resource);
+  })
+  .get((ctx) => {
+    const resource = ctx.get("resource");
+    return ctx.ok({ resource });
+  })
+  .delete(async (ctx) => {
+    const resource = ctx.get("resource");
+    await db.resource.delete({ where: { id: resource.id } });
+    return ctx.noContent();
+  });
+```
+## 다중 guard 체이닝
+```typescript
+const requireAuth = (ctx) => {
+  if (!ctx.get("user")) {
+    return ctx.unauthorized("Login required");
+  }
+};
+const requireAdmin = (ctx) => {
+  if (!ctx.get("user")?.isAdmin) {
+    return ctx.forbidden("Admin required");
+  }
+};
+export default Mandu.filling()
+  .guard(requireAuth)
+  .guard(requireAdmin)  // 순차적으로 실행
+  .get(/* ... */);
+```
+## 주의사항
+- guard에서 응답을 반환하면 핸들러가 실행되지 않음
+- void 반환 시 다음 guard 또는 핸들러로 진행
+- 인증 미들웨어에서 `ctx.set("user", user)`로 사용자 정보 저장
+Reference: [OWASP Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)

package/src/resources/skills/mandu-security/rules/sec-env-management.md CHANGED Viewed

@@ -1,133 +1,133 @@
----
-title: Secure Environment Variable Management
-impact: HIGH
-impactDescription: Prevents secret exposure
-tags: security, env, secrets, configuration
----
-## Secure Environment Variable Management
-**Impact: HIGH (Prevents secret exposure)**
-시크릿과 민감한 설정은 환경 변수로 관리하고, 절대 코드에 하드코딩하지 마세요.
-**Vulnerable (하드코딩된 시크릿):**
-```typescript
-// ❌ 코드에 시크릿 하드코딩
-const db = new Database({
-  host: "prod-db.example.com",
-  password: "super_secret_password",  // 위험!
-});
-const stripe = new Stripe("sk_live_abc123xyz");  // 위험!
-```
-**Secure (환경 변수 사용):**
-```typescript
-// ✅ 환경 변수에서 로드
-const db = new Database({
-  host: process.env.DATABASE_HOST,
-  password: process.env.DATABASE_PASSWORD,
-});
-const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
-```
-## 환경 변수 검증
-```typescript
-// lib/env.ts
-import { z } from "zod";
-const envSchema = z.object({
-  // 필수
-  DATABASE_URL: z.string().url(),
-  SESSION_SECRET: z.string().min(32),
-  STRIPE_SECRET_KEY: z.string().startsWith("sk_"),
-  // 선택 (기본값)
-  NODE_ENV: z.enum(["development", "production", "test"]).default("development"),
-  PORT: z.coerce.number().default(3000),
-  // 프로덕션에서만 필수
-  SENTRY_DSN: z.string().url().optional(),
-});
-// 앱 시작 시 검증
-export const env = envSchema.parse(process.env);
-// 타입 안전한 접근
-console.log(env.DATABASE_URL);  // string
-console.log(env.PORT);          // number
-```
-## .env 파일 관리
-```bash
-# .env.example (커밋됨 - 템플릿)
-DATABASE_URL=postgresql://user:password@localhost:5432/db
-SESSION_SECRET=change_me_to_random_32_char_string
-STRIPE_SECRET_KEY=sk_test_xxx
-# .env.local (커밋 안 됨 - 실제 값)
-DATABASE_URL=postgresql://admin:real_password@prod-db:5432/myapp
-SESSION_SECRET=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
-STRIPE_SECRET_KEY=sk_live_real_key_here
-```
-## .gitignore 설정
-```gitignore
-# 환경 변수 파일
-.env
-.env.local
-.env.*.local
-# 시크릿 관련
-*.pem
-*.key
-credentials.json
-```
-## 클라이언트에 노출되지 않도록 주의
-```typescript
-// ❌ 클라이언트 번들에 포함됨
-// app/page.tsx
-const apiKey = process.env.API_SECRET_KEY;  // 위험!
-// ✅ 서버에서만 사용
-// spec/slots/api.slot.ts
-export default Mandu.filling()
-  .get(async (ctx) => {
-    // 서버 측에서만 접근
-    const apiKey = process.env.API_SECRET_KEY;
-    const data = await fetchExternalApi(apiKey);
-    return ctx.ok({ data });  // apiKey는 반환하지 않음
-  });
-```
-## 시크릿 로테이션
-```typescript
-// 여러 버전의 시크릿 지원
-const CURRENT_SECRET = process.env.SESSION_SECRET!;
-const PREVIOUS_SECRET = process.env.SESSION_SECRET_PREVIOUS;
-function verifyToken(token: string): boolean {
-  // 현재 시크릿으로 먼저 검증
-  if (verify(token, CURRENT_SECRET)) return true;
-  // 이전 시크릿으로도 검증 (로테이션 기간)
-  if (PREVIOUS_SECRET && verify(token, PREVIOUS_SECRET)) {
-    // 토큰 갱신 권장
-    return true;
-  }
-  return false;
-}
-```
-Reference: [12-Factor App Config](https://12factor.net/config)
+---
+title: Secure Environment Variable Management
+impact: HIGH
+impactDescription: Prevents secret exposure
+tags: security, env, secrets, configuration
+---
+## Secure Environment Variable Management
+**Impact: HIGH (Prevents secret exposure)**
+시크릿과 민감한 설정은 환경 변수로 관리하고, 절대 코드에 하드코딩하지 마세요.
+**Vulnerable (하드코딩된 시크릿):**
+```typescript
+// ❌ 코드에 시크릿 하드코딩
+const db = new Database({
+  host: "prod-db.example.com",
+  password: "super_secret_password",  // 위험!
+});
+const stripe = new Stripe("sk_live_abc123xyz");  // 위험!
+```
+**Secure (환경 변수 사용):**
+```typescript
+// ✅ 환경 변수에서 로드
+const db = new Database({
+  host: process.env.DATABASE_HOST,
+  password: process.env.DATABASE_PASSWORD,
+});
+const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
+```
+## 환경 변수 검증
+```typescript
+// lib/env.ts
+import { z } from "zod";
+const envSchema = z.object({
+  // 필수
+  DATABASE_URL: z.string().url(),
+  SESSION_SECRET: z.string().min(32),
+  STRIPE_SECRET_KEY: z.string().startsWith("sk_"),
+  // 선택 (기본값)
+  NODE_ENV: z.enum(["development", "production", "test"]).default("development"),
+  PORT: z.coerce.number().default(3000),
+  // 프로덕션에서만 필수
+  SENTRY_DSN: z.string().url().optional(),
+});
+// 앱 시작 시 검증
+export const env = envSchema.parse(process.env);
+// 타입 안전한 접근
+console.log(env.DATABASE_URL);  // string
+console.log(env.PORT);          // number
+```
+## .env 파일 관리
+```bash
+# .env.example (커밋됨 - 템플릿)
+DATABASE_URL=postgresql://user:password@localhost:5432/db
+SESSION_SECRET=change_me_to_random_32_char_string
+STRIPE_SECRET_KEY=sk_test_xxx
+# .env.local (커밋 안 됨 - 실제 값)
+DATABASE_URL=postgresql://admin:real_password@prod-db:5432/myapp
+SESSION_SECRET=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
+STRIPE_SECRET_KEY=sk_live_real_key_here
+```
+## .gitignore 설정
+```gitignore
+# 환경 변수 파일
+.env
+.env.local
+.env.*.local
+# 시크릿 관련
+*.pem
+*.key
+credentials.json
+```
+## 클라이언트에 노출되지 않도록 주의
+```typescript
+// ❌ 클라이언트 번들에 포함됨
+// app/page.tsx
+const apiKey = process.env.API_SECRET_KEY;  // 위험!
+// ✅ 서버에서만 사용
+// spec/slots/api.slot.ts
+export default Mandu.filling()
+  .get(async (ctx) => {
+    // 서버 측에서만 접근
+    const apiKey = process.env.API_SECRET_KEY;
+    const data = await fetchExternalApi(apiKey);
+    return ctx.ok({ data });  // apiKey는 반환하지 않음
+  });
+```
+## 시크릿 로테이션
+```typescript
+// 여러 버전의 시크릿 지원
+const CURRENT_SECRET = process.env.SESSION_SECRET!;
+const PREVIOUS_SECRET = process.env.SESSION_SECRET_PREVIOUS;
+function verifyToken(token: string): boolean {
+  // 현재 시크릿으로 먼저 검증
+  if (verify(token, CURRENT_SECRET)) return true;
+  // 이전 시크릿으로도 검증 (로테이션 기간)
+  if (PREVIOUS_SECRET && verify(token, PREVIOUS_SECRET)) {
+    // 토큰 갱신 권장
+    return true;
+  }
+  return false;
+}
+```
+Reference: [12-Factor App Config](https://12factor.net/config)