@su-record/vibe 2.12.4 → 2.13.0

package/hooks/scripts/code-check.js

@@ -1,27 +1,115 @@
 /**
  * PostToolUse Hook - Write/Edit 후 코드 품질 검사 + 관찰 자동 캡처
+ *
+ * findings를 console.log가 아닌 반환값으로 전달 — 디스패처가 수집해 additionalContext에 주입.
+ * P1 이슈 발견 시 run-ledger에 verifyRequired 상태 기록.
  */
-import { getToolsBaseUrl, PROJECT_DIR } from './utils.js';
+import { getToolsBaseUrl, PROJECT_DIR, readProjectConfig } from './utils.js';
 import { readFileSync, existsSync, writeFileSync } from 'fs';
 import path from 'path';
 import os from 'os';
-
-process.on('uncaughtException', () => {});
-process.on('unhandledRejection', () => {});
+import { buildCliCtx, isDirectRun } from './lib/hook-context.js';
+import { recordVerifyRequired } from './lib/run-ledger.js';
 
 const BASE_URL = getToolsBaseUrl();
 
+// P1 이슈 판단 기준: .ts/.tsx 파일에서만 적용
+const P1_DETECTORS = [
+  // `: any` — 타입 어노테이션
+  /:\s*any\b/,
+  // `as any` — 타입 캐스트
+  /\bas\s+any\b/,
+  // `<any>` — 제네릭 any (단, JSX 태그 제외 목적으로 뒤에 공백/쉼표/> 허용)
+  /<any[\s,>]/,
+  // @ts-ignore
+  /@ts-ignore\b/,
+];
+
+const TS_EXT_RE = /\.(ts|tsx)$/;
+const CODE_EXT_RE = /\.(ts|tsx|js|jsx|mjs|cjs)$/;
+
+// console.log 기본 허용 경로 (glob 패턴 → 정규식으로 변환)
+const DEFAULT_CONSOLE_ALLOW_GLOBS = [
+  'hooks/scripts/**',
+  'scripts/**',
+  '**/cli/**',
+  '**/*.test.*',
+  '**/*.spec.*',
+  '**/__tests__/**',
+];
+
 /**
- * stdin에서 hook input JSON을 읽어 파일 경로 추출
+ * 경량 glob → RegExp 변환 (scope-guard와 동일 알고리즘, 독립 복사본).
+ * @param {string} glob
+ * @returns {RegExp}
  */
-function getModifiedFiles() {
-  try {
-    const input = process.env.HOOK_INPUT;
-    if (input) {
-      const parsed = JSON.parse(input);
-      const filePath = parsed.tool_input?.file_path || parsed.tool_input?.path;
-      return filePath ? [filePath] : [];
+function globToRegExp(glob) {
+  const normalized = glob.replace(/\\/g, '/');
+  let out = '';
+  for (let i = 0; i < normalized.length; i++) {
+    const c = normalized[i];
+    if (c === '*') {
+      if (normalized[i + 1] === '*') {
+        out += '.*';
+        i++;
+        if (normalized[i + 1] === '/') i++;
+      } else {
+        out += '[^/]*';
+      }
+    } else if (c === '?') {
+      out += '[^/]';
+    } else if ('.+^$()|{}[]\\'.includes(c)) {
+      out += '\\' + c;
+    } else {
+      out += c;
     }
+  }
+  return new RegExp('^' + out + '$');
+}
+
+/**
+ * .vibe/config.json의 qualityCheck.consoleAllow 글로브 목록 로드.
+ * 기본 글로브와 병합하여 반환.
+ * @returns {RegExp[]}
+ */
+function loadConsoleAllowPatterns() {
+  try {
+    const cfg = readProjectConfig();
+    const extra = cfg?.qualityCheck?.consoleAllow;
+    const globs = Array.isArray(extra)
+      ? [...DEFAULT_CONSOLE_ALLOW_GLOBS, ...extra]
+      : DEFAULT_CONSOLE_ALLOW_GLOBS;
+    return globs.map(g => globToRegExp(g));
+  } catch {
+    return DEFAULT_CONSOLE_ALLOW_GLOBS.map(g => globToRegExp(g));
+  }
+}
+
+/**
+ * 파일 경로가 console.log 허용 경로인지 판단.
+ * @param {string} filePath - 절대 또는 프로젝트 상대 경로
+ * @returns {boolean}
+ */
+function isConsoleAllowed(filePath) {
+  try {
+    const rel = path.relative(PROJECT_DIR, path.resolve(filePath)).replace(/\\/g, '/');
+    const patterns = loadConsoleAllowPatterns();
+    return patterns.some(re => re.test(rel));
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * hook input에서 수정된 파일 경로 추출.
+ * @param {object} ctx
+ * @returns {string[]}
+ */
+function getModifiedFiles(ctx) {
+  try {
+    const parsed = ctx.payload || (ctx.hookInput ? JSON.parse(ctx.hookInput) : null);
+    const filePath = parsed?.tool_input?.file_path || parsed?.tool_input?.path;
+    return filePath ? [filePath] : [];
   } catch {
     // ignore
   }
@@ -30,6 +118,8 @@ function getModifiedFiles() {
 
 /**
  * 파일 확장자/경로로 관찰 타입 분류
+ * @param {string[]} files
+ * @returns {{ type: string, title: string }}
  */
 function classifyObservation(files) {
   const hasTest = files.some(f => /\.(test|spec)\.[jt]sx?$/.test(f) || /\/__tests__\//.test(f));
@@ -41,16 +131,44 @@ function classifyObservation(files) {
 }
 
 /**
- * Detect `any` type usage and return line-level findings
+ * P1: any 타입 탐지 — .ts/.tsx 전용, 단어 경계 기반.
+ * @param {string[]} lines
+ * @returns {Array<{ line: number, match: string, severity: 'P1' }>}
  */
 function detectAnyType(lines) {
   const findings = [];
   lines.forEach((line, i) => {
-    if (/:\s*any\b|<any>|as\s+any\b/.test(line)) {
+    for (const re of P1_DETECTORS) {
+      if (re.test(line)) {
+        findings.push({
+          line: i + 1,
+          match: line.trim(),
+          severity: 'P1',
+          suggestion: "Replace with: unknown + type guard pattern: if (typeof x === 'string') { ... }",
+        });
+        break; // 한 줄에 여러 패턴이 있어도 중복 발견 방지
+      }
+    }
+  });
+  return findings;
+}
+
+/**
+ * P1: console.log 탐지 — 허용 경로가 아닌 곳의 src/ 코드.
+ * @param {string[]} lines
+ * @param {string} filePath
+ * @returns {Array<{ line: number, match: string, severity: 'P1' }>}
+ */
+function detectConsoleLogs(lines, filePath) {
+  if (isConsoleAllowed(filePath)) return [];
+  const findings = [];
+  lines.forEach((line, i) => {
+    if (/console\.log\(/.test(line)) {
       findings.push({
         line: i + 1,
         match: line.trim(),
-        suggestion: 'Replace with: unknown + type guard pattern: if (typeof x === \'string\') { ... }'
+        severity: 'P1',
+        suggestion: 'Remove or replace with debugLog utility',
       });
     }
   });
@@ -58,7 +176,9 @@ function detectAnyType(lines) {
 }
 
 /**
- * Detect functions exceeding 50 lines
+ * P2: 함수 길이 초과 탐지.
+ * @param {string[]} lines
+ * @returns {Array<{ line: number, match: string, severity: 'P2' }>}
  */
 function detectLongFunctions(lines) {
   const findings = [];
@@ -80,7 +200,8 @@ function detectLongFunctions(lines) {
         findings.push({
           line: fnStart + 1,
           match: `function '${fnName}' is ${length} lines`,
-          suggestion: `Extract lines ${fnStart + 20}–${i + 1} into a separate helper function`
+          severity: 'P2',
+          suggestion: `Extract lines ${fnStart + 20}–${i + 1} into a separate helper function`,
         });
       }
       fnStart = -1;
@@ -91,7 +212,9 @@ function detectLongFunctions(lines) {
 }
 
 /**
- * Detect nesting depth exceeding 3 levels
+ * P2: 중첩 깊이 초과 탐지.
+ * @param {string[]} lines
+ * @returns {Array<{ line: number, match: string, severity: 'P2' }>}
  */
 function detectDeepNesting(lines) {
   const findings = [];
@@ -104,7 +227,8 @@ function detectDeepNesting(lines) {
       findings.push({
         line: i + 1,
         match: `nesting depth ${depth} at line ${i + 1}`,
-        suggestion: 'Use early return pattern: if (!condition) return; — instead of wrapping in else'
+        severity: 'P2',
+        suggestion: 'Use early return pattern: if (!condition) return; — instead of wrapping in else',
       });
       reported = true;
     }
@@ -113,70 +237,50 @@ function detectDeepNesting(lines) {
   return findings;
 }
 
-/**
- * Detect console.log statements
- */
-function detectConsoleLogs(lines) {
-  const findings = [];
-  lines.forEach((line, i) => {
-    if (/console\.log\(/.test(line)) {
-      findings.push({
-        line: i + 1,
-        match: line.trim(),
-        suggestion: 'Remove or replace with debugLog utility'
-      });
-    }
-  });
-  return findings;
-}
+// magic number 무시 값 목록 (0, 1, -1, 2, 10, 100, 1000)
+const MAGIC_NUMBER_IGNORE = new Set(['10', '100', '1000']);
 
 /**
- * Detect magic numbers (bare numeric literals ≥2 digits, outside comments/strings)
+ * advisory: 매직 넘버 탐지 (P3, 스팸 방지 적용).
+ * 무시 조건: 0/1/-1/2 (단일 digit), ALLCAPS const 선언, 테스트 파일, 배열 인덱스
+ * @param {string[]} lines
+ * @param {string} filePath
+ * @returns {Array<{ line: number, match: string, severity: 'P3' }>}
  */
-function detectMagicNumbers(lines) {
+function detectMagicNumbers(lines, filePath) {
+  // 테스트 파일은 스킵
+  if (/\.(test|spec)\.[jt]sx?$/.test(filePath) || /\/__tests__\//.test(filePath)) {
+    return [];
+  }
+
   const findings = [];
   lines.forEach((line, i) => {
+    // ALL_CAPS const 선언 줄은 스킵 (예: const LIMIT = 500)
+    if (/^\s*(?:export\s+)?const\s+[A-Z][A-Z0-9_]+\s*=/.test(line)) return;
+
     const stripped = line.replace(/\/\/.*$/, '').replace(/(['"`]).*?\1/g, '""');
-    const nums = stripped.match(/\b\d{2,}\b/g) || [];
-    if (nums.length > 0) {
+    const nums = (stripped.match(/\b\d{2,}\b/g) || []).filter(n => MAGIC_NUMBER_IGNORE.has(n));
+    // 배열 인덱스: [NN] 패턴 제외
+    const nonIndexNums = (stripped.match(/\b\d{2,}\b/g) || []).filter(n => {
+      if (MAGIC_NUMBER_IGNORE.has(n)) return false;
+      // 배열 인덱스 [NN] 체크
+      const idx = stripped.indexOf(n);
+      if (idx > 0 && stripped[idx - 1] === '[') return false;
+      return true;
+    });
+
+    if (nonIndexNums.length > 0) {
       findings.push({
         line: i + 1,
-        match: `magic number(s): ${nums.join(', ')}`,
-        suggestion: `Extract to named constant: const LIMIT = ${nums[0]};`
+        match: `magic number(s): ${nonIndexNums.join(', ')}`,
+        severity: 'P3',
+        suggestion: `Extract to named constant: const LIMIT = ${nonIndexNums[0]};`,
       });
     }
   });
   return findings;
 }
 
-/**
- * Run all self-heal detectors and emit [SELF-HEAL] messages
- */
-function emitSelfHealMessages(filePath) {
-  let content;
-  try {
-    content = readFileSync(filePath, 'utf-8');
-  } catch {
-    return;
-  }
-
-  const lines = content.split('\n');
-  const detectors = [
-    { label: 'any type detected', fn: detectAnyType },
-    { label: 'function too long', fn: detectLongFunctions },
-    { label: 'nesting too deep', fn: detectDeepNesting },
-    { label: 'console.log found', fn: detectConsoleLogs },
-    { label: 'magic number', fn: detectMagicNumbers },
-  ];
-
-  for (const { label, fn } of detectors) {
-    const findings = fn(lines).slice(0, 2);
-    for (const f of findings) {
-      console.log(`[SELF-HEAL] ${label} at line ${f.line} → ${f.suggestion}`);
-    }
-  }
-}
-
 // ─── Failure Escalation Tracking ───
 
 const ESCALATION_THRESHOLD = 3;
@@ -197,6 +301,12 @@ function saveFailureTracker(tracker) {
   } catch { /* ignore */ }
 }
 
+/**
+ * 실패 추적 — 동일 파일에 P1 이슈가 반복되면 에스컬레이션 메시지 반환.
+ * @param {string} filePath
+ * @param {string[]} issues
+ * @returns {string|null} 에스컬레이션 메시지 (없으면 null)
+ */
 function trackFailure(filePath, issues) {
   const tracker = loadFailureTracker();
   const key = filePath;
@@ -208,14 +318,12 @@ function trackFailure(filePath, issues) {
   saveFailureTracker(tracker);
 
   if (entry.count >= ESCALATION_THRESHOLD) {
-    console.log(`\n🚨 [ESCALATION] ${path.basename(filePath)}: 동일 이슈 ${entry.count}회 반복`);
-    console.log(`   이슈: ${entry.issues.join(' | ')}`);
-    console.log('   → 사용자 개입 필요 — 자동 수정이 수렴하지 않고 있습니다.');
-    console.log('   → 방향을 바꾸거나, 접근 방식을 재검토하세요.');
-    // 카운터 리셋 (다음 에스컬레이션까지 다시 3회)
+    const msg = `[ESCALATION] ${path.basename(filePath)}: 동일 이슈 ${entry.count}회 반복 — 수동 개입 필요`;
     entry.count = 0;
     saveFailureTracker(tracker);
+    return msg;
   }
+  return null;
 }
 
 function clearFailure(filePath) {
@@ -224,36 +332,112 @@ function clearFailure(filePath) {
   saveFailureTracker(tracker);
 }
 
-async function main() {
-  // 1. Code quality check (changed files only — never scan entire project)
+/**
+ * 모든 self-heal 탐지기 실행. findings 배열 반환.
+ * @param {string} filePath
+ * @returns {{ p1: string[], advisory: string[], escalation: string|null }}
+ */
+function runDetectors(filePath) {
+  let content;
   try {
-    const files = getModifiedFiles();
-    if (files.length > 0) {
-      const module = await import(`${BASE_URL}convention/index.js`);
-      const result = await module.validateCodeQuality({
-        targetPath: files[0],
-        projectPath: PROJECT_DIR,
-      });
-      const text = result.content[0].text;
-      // Output P1/P2 only — skip P3 (style)
-      const critical = text.split('\n').filter(l => /\b(error|critical|P1|P2)\b/i.test(l)).slice(0, 3);
-      if (critical.length > 0) {
-        console.log('[CODE CHECK]', critical.join(' | '));
-        trackFailure(files[0], critical);
-      } else {
-        clearFailure(files[0]);
-      }
-      emitSelfHealMessages(files[0]);
+    content = readFileSync(filePath, 'utf-8');
+  } catch {
+    return { p1: [], advisory: [], escalation: null };
+  }
+
+  const lines = content.split('\n');
+  const isTs = TS_EXT_RE.test(filePath);
+
+  const p1Findings = [];
+  const advisoryFindings = [];
+
+  // P1: any 탐지 — TS 파일만
+  if (isTs) {
+    const anyHits = detectAnyType(lines).slice(0, 2);
+    for (const f of anyHits) {
+      p1Findings.push(`P1 any-type line ${f.line}: ${f.match.substring(0, 60)}`);
+    }
+  }
+
+  // P1: console.log — 허용 경로 제외
+  const consoleHits = detectConsoleLogs(lines, filePath).slice(0, 2);
+  for (const f of consoleHits) {
+    p1Findings.push(`P1 console.log line ${f.line}: ${f.match.substring(0, 60)}`);
+  }
+
+  // P2: 함수 길이
+  const fnHits = detectLongFunctions(lines).slice(0, 1);
+  for (const f of fnHits) {
+    advisoryFindings.push(`P2 ${f.match}`);
+  }
+
+  // P2: 중첩 깊이
+  const nestHits = detectDeepNesting(lines).slice(0, 1);
+  for (const f of nestHits) {
+    advisoryFindings.push(`P2 ${f.match}`);
+  }
+
+  // P3: 매직 넘버 (advisory, 스팸 방지)
+  const magicHits = detectMagicNumbers(lines, filePath).slice(0, 1);
+  for (const f of magicHits) {
+    advisoryFindings.push(`P3 ${f.match}`);
+  }
+
+  let escalation = null;
+  if (p1Findings.length > 0) {
+    escalation = trackFailure(filePath, p1Findings);
+  } else {
+    clearFailure(filePath);
+  }
+
+  return { p1: p1Findings, advisory: advisoryFindings, escalation };
+}
+
+/**
+ * in-process 진입점 — 품질 검사 + 관찰 캡처.
+ * findings 배열을 반환한다 (디스패처가 수집해 additionalContext에 주입).
+ * @param {{ payload: object|null, hookInput: string|null }} ctx
+ * @returns {Promise<{ exitCode: number, findings: string[] }>}
+ */
+export async function run(ctx) {
+  const findings = [];
+  const files = getModifiedFiles(ctx);
+  if (files.length === 0) return { exitCode: 0, findings };
+
+  // 1. Self-heal 탐지기 실행 (changed file only)
+  try {
+    const { p1, advisory, escalation } = runDetectors(files[0]);
+
+    for (const msg of p1) findings.push(msg);
+    for (const msg of advisory) findings.push(msg);
+    if (escalation) findings.push(escalation);
+
+    // P1 이슈 → run-ledger에 verifyRequired 기록
+    if (p1.length > 0) {
+      try {
+        recordVerifyRequired(PROJECT_DIR, p1[0]);
+      } catch { /* fail-open */ }
     }
   } catch {
-    // Silently continue on check failure — never block progress
+    // 탐지기 실패 → fail-open, 계속 진행
   }
 
-  // 2. 관찰 자동 캡처
+  // 2. validateCodeQuality 호출 (P1/P2 필터)
   try {
-    const files = getModifiedFiles();
-    if (files.length === 0) return;
+    const module = await import(`${BASE_URL}convention/index.js`);
+    const result = await module.validateCodeQuality({
+      targetPath: files[0],
+      projectPath: PROJECT_DIR,
+    });
+    const text = result.content[0].text;
+    const critical = text.split('\n').filter(l => /\b(error|critical|P1|P2)\b/i.test(l)).slice(0, 3);
+    for (const line of critical) findings.push(`[CODE CHECK] ${line}`);
+  } catch {
+    // Silently continue on check failure
+  }
 
+  // 3. 관찰 자동 캡처
+  try {
     const memModule = await import(`${BASE_URL}memory/index.js`);
     const { type, title } = classifyObservation(files);
 
@@ -264,8 +448,17 @@ async function main() {
       projectPath: PROJECT_DIR,
     });
   } catch {
-    // 관찰 캡처 실패해도 무시 (non-critical)
+    // 관찰 캡처 실패해도 무시
   }
+
+  return { exitCode: 0, findings };
 }
 
-main();
+// standalone CLI 모드 (직접 실행 시 — 디스패처 없이)
+if (isDirectRun(import.meta.url)) {
+  process.on('uncaughtException', () => {});
+  process.on('unhandledRejection', () => {});
+  const { exitCode, findings } = await run(buildCliCtx());
+  if (findings.length > 0) process.stdout.write(findings.join('\n') + '\n');
+  process.exit(exitCode);
+}

package/hooks/scripts/codex-hook-adapter.js

@@ -98,7 +98,18 @@ function handleUserPromptSubmit() {
 
 function handlePostToolUse() {
   const result = runScript('post-edit-dispatcher.js');
-  writeAdditionalContext(combinedOutput(result));
+  const output = combinedOutput(result);
+  if (!output) return;
+  // 디스패처가 이미 JSON hookSpecificOutput을 출력한 경우 그대로 전달 (이중 래핑 방지).
+  // 그 외(plain text)는 Codex 어댑터 표준 방식으로 래핑.
+  try {
+    const parsed = JSON.parse(output);
+    if (parsed?.hookSpecificOutput) {
+      writeJson(parsed);
+      return;
+    }
+  } catch { /* not JSON — fall through to text wrap */ }
+  writeAdditionalContext(output);
 }
 
 function handleStop() {

package/hooks/scripts/command-log.js

@@ -7,26 +7,36 @@
 import { appendFileSync, mkdirSync, existsSync } from 'fs';
 import path from 'path';
 import { PROJECT_DIR, projectVibeRoot } from './utils.js';
+import { buildCliCtx, isDirectRun } from './lib/hook-context.js';
 
-const LOG_DIR = projectVibeRoot(PROJECT_DIR);
-const LOG_FILE = path.join(LOG_DIR, 'command-log.txt');
 const MAX_CMD_LENGTH = 500;
 
-try {
-  const input = JSON.parse(process.env.TOOL_INPUT || '{}');
-  const command = input.command || '';
-  if (!command) process.exit(0);
+/**
+ * in-process 진입점 — 로깅만 수행, 항상 0 반환 (차단하지 않음).
+ * @param {{ toolInput: string }} ctx
+ * @returns {Promise<number>}
+ */
+export async function run(ctx) {
+  try {
+    const input = JSON.parse(ctx.toolInput || '{}');
+    const command = input.command || '';
+    if (!command) return 0;
 
-  const timestamp = new Date().toISOString();
-  const truncated = command.length > MAX_CMD_LENGTH
-    ? command.slice(0, MAX_CMD_LENGTH) + '...(truncated)'
-    : command;
+    const timestamp = new Date().toISOString();
+    const truncated = command.length > MAX_CMD_LENGTH
+      ? command.slice(0, MAX_CMD_LENGTH) + '...(truncated)'
+      : command;
 
-  const entry = `[${timestamp}] ${truncated}\n`;
+    const logDir = projectVibeRoot(PROJECT_DIR);
+    if (!existsSync(logDir)) mkdirSync(logDir, { recursive: true });
+    appendFileSync(path.join(logDir, 'command-log.txt'), `[${timestamp}] ${truncated}\n`);
+  } catch {
+    // Never block on logging failure
+  }
+  return 0;
+}
 
-  if (!existsSync(LOG_DIR)) mkdirSync(LOG_DIR, { recursive: true });
-  appendFileSync(LOG_FILE, entry);
-} catch {
-  // Never block on logging failure
+// standalone CLI 모드
+if (isDirectRun(import.meta.url)) {
+  process.exit(await run(buildCliCtx()));
 }
-process.exit(0);

package/hooks/scripts/lib/dispatcher.js

@@ -20,6 +20,7 @@ import { spawn } from 'child_process';
 import path from 'path';
 import fs from 'fs';
 import { fileURLToPath } from 'url';
+import { readStdinSync, buildCtx } from './hook-context.js';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const SCRIPTS_DIR = path.resolve(__dirname, '..');
@@ -112,3 +113,40 @@ export async function dispatch(steps) {
     process.exit(2);
   }
 }
+
+/**
+ * in-process 디스패처 — 자식 spawn 없이 import된 run(ctx)들을 병렬 실행.
+ *
+ * spawn 대비:
+ *   - 자식 node VM 기동(~20ms × N)과 stdin 재읽기/재파싱 제거
+ *   - 크래시 격리는 step별 try/catch로 대체 (throw → exit 1 취급, fail-open)
+ *   - step별 강제 timeout은 없음 — 무거운 작업(포매터/테스트러너)은 모두
+ *     자체 timeout을 가진 비동기 자식 프로세스라 디스패처가 행 걸리지 않는다
+ *
+ * deny 시맨틱 보존: denyOnExit2 step이 2를 반환하면 process.exit(2)로 상위 전파.
+ *
+ * @param {Array<{name: string, run: (ctx: object) => Promise<number>, denyOnExit2?: boolean}>} steps
+ * @param {{ argvToolName?: string }} [options]
+ */
+export async function dispatchInProcess(steps, { argvToolName = '' } = {}) {
+  const { raw, parsed } = readStdinSync();
+  const ctx = buildCtx({ rawInput: raw, payload: parsed, argvToolName });
+  const hookConfig = loadHookConfig();
+
+  const enabledSteps = steps.filter(s => isEnabled(hookConfig, s.name));
+  const results = await Promise.all(
+    enabledSteps.map(async (step) => {
+      try {
+        return { step, code: await step.run(ctx) };
+      } catch {
+        // 크래시 격리 — 실패 step은 exit 1 취급, 나머지 step과 디스패처는 계속
+        return { step, code: 1 };
+      }
+    })
+  );
+
+  // 하나라도 deny(exit 2) 반환 → 상위에 전파
+  if (results.some(({ step, code }) => step.denyOnExit2 && code === 2)) {
+    process.exit(2);
+  }
+}