@ranger1/dx 0.1.44 → 0.1.47

package/@opencode/agents/codex-reviewer.md

@@ -1,7 +1,7 @@
 ---
 description: review (Codex)
 mode: subagent
-model: openai/gpt-5.2-codex
+model: openai/gpt-5.3-codex
 temperature: 0.1
 tools:
   write: true

package/@opencode/agents/pr-context.md

@@ -1,7 +1,7 @@
 ---
 description: build PR context file
 mode: subagent
-model: openai/gpt-5.1-codex-mini
+model: github-copilot/claude-sonnet-4.5
 temperature: 0.1
 tools:
   bash: true

package/@opencode/agents/pr-fix.md

@@ -1,7 +1,7 @@
 ---
 description: PR fix review
 mode: subagent
-model: openai/gpt-5.2-codex
+model: openai/gpt-5.3-codex
 temperature: 0.1
 tools:
   write: true

package/@opencode/agents/pr-precheck.md

@@ -1,7 +1,7 @@
 ---
 description: PR precheck (checkout + lint + build)
 mode: subagent
-model: openai/gpt-5.2-codex
+model: openai/gpt-5.3-codex
 temperature: 0.1
 tools:
   bash: true

package/@opencode/commands/git-commit-and-pr.md

@@ -1,7 +1,7 @@
 ---
 allowed-tools: [Bash, Read, Glob, TodoWrite, Edit, Grep]
 description: 'Git 工作流：Issue/Commit/PR 自动化'
-agent: middle
+agent: documenter
 ---
 
 ## 用法

package/@opencode/commands/git-release.md

@@ -1,7 +1,7 @@
 ---
 allowed-tools: [Bash, Read, Glob, TodoWrite, Edit, Grep, AskUserQuestion]
 description: 'Create release versions with intelligent changelog generation from release branch'
-agent: quick
+agent: documenter
 ---
 
 ## Usage

package/@opencode/commands/oh_attach.json

@@ -15,10 +15,10 @@
       "variant": "high"
     },
     "librarian": {
-      "model": "openai/gpt-5.1-codex-mini"
+      "model": "github-copilot/claude-sonnet-4.5"
     },
     "explore": {
-      "model": "openai/gpt-5.1-codex-mini"
+      "model": "github-copilot/claude-sonnet-4.5"
     },
     "multimodal-looker": {
       "model": "github-copilot/gemini-3-flash-preview"

package/@opencode/commands/opencode_attach.json

@@ -14,6 +14,9 @@
     },
     "middle": {
       "model": "github-copilot/claude-sonnet-4.5"
+    },
+    "documenter": {
+      "model": "github-copilot/claude-sonnet-4.5"
     }
   },
   "permission": {

package/lib/logger.js

@@ -5,6 +5,44 @@ function resolveProjectRoot() {
   return process.env.DX_PROJECT_ROOT || process.cwd()
 }
 
+export function sanitizeForLog(input) {
+  let text = input == null ? '' : String(input)
+
+  // CLI token args (vercel)
+  text = text.replace(/--token=("[^"]*"|'[^']*'|[^\s]+)/gi, '--token=***')
+  text = text.replace(/--token\s+("[^"]*"|'[^']*'|[^\s]+)/gi, '--token ***')
+
+  // Env style secrets
+  text = text.replace(/\bVERCEL_TOKEN=([^\s]+)/g, 'VERCEL_TOKEN=***')
+  text = text.replace(/\bTELEGRAM_BOT_TOKEN=([^\s]+)/g, 'TELEGRAM_BOT_TOKEN=***')
+  text = text.replace(
+    /\bTELEGRAM_BOT_WEBHOOK_SECRET=([^\s]+)/g,
+    'TELEGRAM_BOT_WEBHOOK_SECRET=***',
+  )
+
+  // Authorization bearer
+  text = text.replace(
+    /Authorization:\s*Bearer\s+([^\s]+)/gi,
+    'Authorization: Bearer ***',
+  )
+
+  // JSON-ish token fields
+  text = text.replace(/"token"\s*:\s*"[^"]*"/gi, '"token":"***"')
+  text = text.replace(
+    /("secret_token"\s*:\s*")([^"]*)(")/gi,
+    '$1***$3',
+  )
+  text = text.replace(/\bsecret_token=([^\s&]+)/gi, 'secret_token=***')
+
+  // Telegram bot token in URLs
+  text = text.replace(
+    /api\.telegram\.org\/bot([^/\s]+)(\/|$)/gi,
+    'api.telegram.org/bot***$2',
+  )
+
+  return text
+}
+
 // 处理输出管道被关闭导致的 EPIPE 错误，避免进程在清理阶段崩溃
 try {
   const handleBrokenPipe = err => {
@@ -48,34 +86,39 @@ export class Logger {
 
   // 基础日志方法
   info(message, prefix = '🚀') {
-    const output = `${prefix} ${message}`
+    const safeMessage = sanitizeForLog(message)
+    const output = `${prefix} ${safeMessage}`
     console.log(output)
-    this.writeLog('info', message)
+    this.writeLog('info', safeMessage)
   }
 
   success(message) {
-    const output = `✅ ${message}`
+    const safeMessage = sanitizeForLog(message)
+    const output = `✅ ${safeMessage}`
     console.log(output)
-    this.writeLog('success', message)
+    this.writeLog('success', safeMessage)
   }
 
   warn(message) {
-    const output = `⚠️  ${message}`
+    const safeMessage = sanitizeForLog(message)
+    const output = `⚠️  ${safeMessage}`
     console.log(output)
-    this.writeLog('warn', message)
+    this.writeLog('warn', safeMessage)
   }
 
   error(message) {
-    const output = `❌ ${message}`
+    const safeMessage = sanitizeForLog(message)
+    const output = `❌ ${safeMessage}`
     console.log(output)
-    this.writeLog('error', message)
+    this.writeLog('error', safeMessage)
   }
 
   debug(message) {
     if (this.logLevel === 'debug') {
-      const output = `🐛 ${message}`
+      const safeMessage = sanitizeForLog(message)
+      const output = `🐛 ${safeMessage}`
       console.log(output)
-      this.writeLog('debug', message)
+      this.writeLog('debug', safeMessage)
     }
   }
 
@@ -84,17 +127,20 @@ export class Logger {
     const prefix = stepNumber ? `步骤 ${stepNumber}:` : '执行:'
     const separator = '=================================='
 
+    const safeMessage = sanitizeForLog(message)
+
     console.log(`\n${separator}`)
-    console.log(`🚀 ${prefix} ${message}`)
+    console.log(`🚀 ${prefix} ${safeMessage}`)
     console.log(separator)
 
-    this.writeLog('step', `${prefix} ${message}`)
+    this.writeLog('step', `${prefix} ${safeMessage}`)
   }
 
   // 进度显示
   progress(message) {
-    process.stdout.write(`⌛ ${message}...`)
-    this.writeLog('progress', `开始: ${message}`)
+    const safeMessage = sanitizeForLog(message)
+    process.stdout.write(`⌛ ${safeMessage}...`)
+    this.writeLog('progress', `开始: ${safeMessage}`)
   }
 
   progressDone() {
@@ -104,8 +150,9 @@ export class Logger {
 
   // 命令执行日志
   command(command) {
-    console.log(`💻 执行: ${command}`)
-    this.writeLog('command', command)
+    const safeCommand = sanitizeForLog(command)
+    console.log(`💻 执行: ${safeCommand}`)
+    this.writeLog('command', safeCommand)
   }
 
   // 分隔符
@@ -118,15 +165,16 @@ export class Logger {
     if (data.length === 0) return
 
     if (headers.length > 0) {
-      console.log(`\n${headers.join('\t')}`)
-      console.log('-'.repeat(headers.join('\t').length))
+      const safeHeaders = headers.map(h => sanitizeForLog(h))
+      console.log(`\n${safeHeaders.join('\t')}`)
+      console.log('-'.repeat(safeHeaders.join('\t').length))
     }
 
     data.forEach(row => {
       if (Array.isArray(row)) {
-        console.log(row.join('\t'))
+        console.log(row.map(cell => sanitizeForLog(cell)).join('\t'))
       } else {
-        console.log(row)
+        console.log(sanitizeForLog(row))
       }
     })
     console.log()
@@ -136,7 +184,9 @@ export class Logger {
   ports(portInfo) {
     console.log('\n📡 服务端口信息:')
     portInfo.forEach(({ service, port, url }) => {
-      console.log(`  ${service}: http://localhost:${port} ${url ? `(${url})` : ''}`)
+      const safeService = sanitizeForLog(service)
+      const safeUrl = url ? sanitizeForLog(url) : ''
+      console.log(`  ${safeService}: http://localhost:${port} ${safeUrl ? `(${safeUrl})` : ''}`)
     })
     console.log()
   }
@@ -146,8 +196,9 @@ export class Logger {
     if (!this.enableFile) return
 
     try {
+      const safeMessage = sanitizeForLog(message)
       const timestamp = this.formatTimestamp()
-      const logLine = `[${timestamp}] [${level.toUpperCase()}] ${message}\n`
+      const logLine = `[${timestamp}] [${level.toUpperCase()}] ${safeMessage}\n`
 
       const logFile = join(this.logDir, `ai-cli-${new Date().toISOString().split('T')[0]}.log`)
       writeFileSync(logFile, logLine, { flag: 'a', encoding: 'utf8' })

package/lib/telegram-webhook.js

@@ -22,7 +22,9 @@ export async function handleTelegramBotDeploy(environment, projectId, orgId, tok
 
   if (missingVars.length > 0) {
     logger.error('缺少以下 Telegram Bot 环境变量:')
-    missingVars.forEach(v => logger.error(`  - ${v}`))
+    missingVars.forEach(v => {
+      logger.error(`  - ${v}`)
+    })
     logger.warn('跳过 Webhook 配置，请手动设置')
     return
   }
@@ -67,8 +69,15 @@ export async function handleTelegramBotDeploy(environment, projectId, orgId, tok
     }
     else {
       logger.error(`Telegram Webhook 设置失败: ${result.description}`)
-      logger.info('请手动执行以下命令:')
-      logger.info(curlCmd)
+      logger.info('请手动执行以下命令（不要把明文 token/secret 写进日志）:')
+      const manualPayload = JSON.stringify({
+        url: webhookUrl,
+        secret_token: '<YOUR_WEBHOOK_SECRET>',
+        drop_pending_updates: false,
+      })
+      logger.info(
+        `curl -X POST "https://api.telegram.org/bot<YOUR_BOT_TOKEN>/setWebhook" -H "Content-Type: application/json" -d '${manualPayload}' --silent`,
+      )
     }
   }
   catch (error) {
@@ -82,15 +91,18 @@ export async function handleTelegramBotDeploy(environment, projectId, orgId, tok
  */
 async function getLatestDeploymentUrl(projectId, orgId, token, environment) {
   try {
-    const cmd = [
-      'vercel',
-      'ls',
-      `--token=${token}`,
-      orgId ? `--scope=${orgId}` : '',
-      '--json',
-    ].filter(Boolean).join(' ')
-
-    const output = execSync(cmd, { encoding: 'utf8' })
+    const cmd = ['vercel', 'ls', orgId ? `--scope=${orgId}` : '', '--json']
+      .filter(Boolean)
+      .join(' ')
+
+    const output = execSync(cmd, {
+      encoding: 'utf8',
+      env: {
+        ...process.env,
+        // 不通过 CLI args 传递 token，避免出现在错误信息/日志中
+        VERCEL_TOKEN: token,
+      },
+    })
     const deployments = JSON.parse(output)
 
     // 根据环境筛选部署

package/lib/vercel-deploy.js

@@ -1,11 +1,105 @@
-import { execSync } from 'node:child_process'
+import { execSync, spawn } from 'node:child_process'
 import { join } from 'node:path'
 import { envManager } from './env.js'
-import { execManager } from './exec.js'
 import { logger } from './logger.js'
 
 const ALLOWED_ENVIRONMENTS = ['development', 'staging', 'production']
 
+function collectErrorText(err) {
+  const parts = []
+  if (err?.message) parts.push(String(err.message))
+  if (err?.stderr) parts.push(String(err.stderr))
+  if (err?.stdout) parts.push(String(err.stdout))
+  return parts.join('\n')
+}
+
+function isMissingFilesError(err) {
+  const text = collectErrorText(err)
+  return (
+    text.includes('missing_files') ||
+    text.includes('Missing files') ||
+    text.includes('code":"missing_files"')
+  )
+}
+
+async function runVercel(args, options = {}) {
+  const { env, cwd } = options
+  const MAX_CAPTURE = 20000
+
+  return new Promise((resolve, reject) => {
+    const child = spawn('vercel', args, {
+      cwd: cwd || process.cwd(),
+      env: env || process.env,
+      stdio: ['inherit', 'pipe', 'pipe'],
+    })
+
+    let stdout = ''
+    let stderr = ''
+
+    const append = (current, chunk) => {
+      const next = current + chunk
+      return next.length > MAX_CAPTURE ? next.slice(-MAX_CAPTURE) : next
+    }
+
+    child.stdout.on('data', data => {
+      process.stdout.write(data)
+      stdout = append(stdout, data.toString('utf8'))
+    })
+
+    child.stderr.on('data', data => {
+      process.stderr.write(data)
+      stderr = append(stderr, data.toString('utf8'))
+    })
+
+    child.on('error', error => {
+      error.stdout = stdout
+      error.stderr = stderr
+      reject(error)
+    })
+
+    child.on('close', code => {
+      if (code === 0) return resolve({ code, stdout, stderr })
+      const error = new Error(`vercel ${args[0] || ''} 失败 (exit ${code})`)
+      error.code = code
+      error.stdout = stdout
+      error.stderr = stderr
+      reject(error)
+    })
+  })
+}
+
+export async function deployPrebuiltWithFallback(options) {
+  const {
+    baseArgs,
+    env,
+    cwd,
+    run = runVercel,
+    cleanupArchiveParts = () => {
+      try {
+        execSync('rm -f .vercel/source.tgz.part*', { stdio: 'ignore' })
+      } catch {
+        // ignore
+      }
+    },
+    onMissingFiles = () => {
+      logger.warn('检测到 missing_files，自动使用 --archive=tgz 重试一次')
+    },
+  } = options || {}
+
+  try {
+    await run(baseArgs, { env, cwd })
+    return { usedArchive: false }
+  } catch (e) {
+    if (!isMissingFilesError(e)) throw e
+    onMissingFiles(e)
+    cleanupArchiveParts()
+    const archiveArgs = baseArgs.slice()
+    archiveArgs.splice(2, 0, '--archive=tgz')
+    await run(archiveArgs, { env, cwd })
+    return { usedArchive: true }
+  }
+}
+
 export async function deployToVercel(target, options = {}) {
   const { environment = 'staging' } = options
 
@@ -63,7 +157,9 @@ export async function deployToVercel(target, options = {}) {
   // 如果有缺失变量，统一报错并退出
   if (missingVars.length > 0) {
     logger.error('缺少以下 Vercel 环境变量:')
-    missingVars.forEach(v => logger.error(`  - ${v}`))
+    missingVars.forEach(v => {
+      logger.error(`  - ${v}`)
+    })
     logger.info('')
     logger.info('请在 .env.<env>.local 中配置这些变量，例如:')
     logger.info('  VERCEL_TOKEN=<your-vercel-token>')
@@ -120,6 +216,9 @@ export async function deployToVercel(target, options = {}) {
       envVars.VERCEL_ORG_ID = orgId
     }
 
+    // 不通过 CLI args 传递 token，避免出现在错误信息/日志中
+    envVars.VERCEL_TOKEN = token
+
     // 绕过 Vercel Git author 权限检查：临时修改最新 commit 的 author
     const authorEmail = process.env.VERCEL_GIT_COMMIT_AUTHOR_EMAIL
     let originalAuthor = null
@@ -138,52 +237,37 @@ export async function deployToVercel(target, options = {}) {
     try {
       // 第一步：本地构建
       logger.step(`本地构建 ${t} (${environment})`)
-      const buildCmd = [
-        'vercel build',
-        `--local-config="${configPath}"`,
-        '--yes',
-        `--token=${token}`,
-      ]
+      const buildArgs = ['build', '--local-config', configPath, '--yes']
 
       // staging 和 production 环境需要 --prod 标志，确保构建产物与部署环境匹配
       if (environment === 'staging' || environment === 'production') {
-        buildCmd.push('--prod')
+        buildArgs.push('--prod')
       }
 
       if (orgId) {
-        buildCmd.push(`--scope=${orgId}`)
+        buildArgs.push('--scope', orgId)
       }
 
-      execSync(buildCmd.join(' '), {
-        stdio: 'inherit',
-        cwd: process.cwd(),
-        env: envVars,
-      })
+      await runVercel(buildArgs, { env: envVars, cwd: process.cwd() })
       logger.success(`${t} 本地构建成功`)
 
       // 第二步：上传预构建产物
       logger.step(`部署 ${t} 到 Vercel (${environment})`)
-      const deployCmd = [
-        'vercel deploy',
-        '--prebuilt',
-        `--local-config="${configPath}"`,
-        '--yes',
-        `--token=${token}`,
-      ]
+      const baseDeployArgs = ['deploy', '--prebuilt', '--local-config', configPath, '--yes']
 
       // staging 和 production 环境都添加 --prod 标志以绑定固定域名
       if (environment === 'staging' || environment === 'production') {
-        deployCmd.push('--prod')
+        baseDeployArgs.push('--prod')
       }
 
       if (orgId) {
-        deployCmd.push(`--scope=${orgId}`)
+        baseDeployArgs.push('--scope', orgId)
       }
 
-      execSync(deployCmd.join(' '), {
-        stdio: 'inherit',
-        cwd: process.cwd(),
+      await deployPrebuiltWithFallback({
+        baseArgs: baseDeployArgs,
         env: envVars,
+        cwd: process.cwd(),
       })
       logger.success(`${t} 部署成功`)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ranger1/dx",
-  "version": "0.1.44",
+  "version": "0.1.47",
   "type": "module",
   "license": "MIT",
   "repository": {