@su-record/vibe 2.8.24 → 2.8.25

package/hooks/scripts/__tests__/sentinel-guard.test.js

@@ -0,0 +1,210 @@
+import { describe, it, expect } from 'vitest';
+import { execFileSync, execSync } from 'child_process';
+import path from 'path';
+import { fileURLToPath } from 'url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const SCRIPT = path.resolve(__dirname, '..', 'sentinel-guard.js');
+
+/**
+ * Run sentinel-guard.js with argv arguments.
+ * Returns { stdout, exitCode }.
+ */
+function runGuard(args = []) {
+  try {
+    const stdout = execFileSync('node', [SCRIPT, ...args], {
+      encoding: 'utf-8',
+      timeout: 5000,
+    });
+    return { stdout: stdout.trim(), exitCode: 0 };
+  } catch (err) {
+    return { stdout: (err.stdout || '').trim(), exitCode: err.status };
+  }
+}
+
+/**
+ * Run sentinel-guard.js with stdin JSON payload (using shell pipe).
+ * The script reads stdin via fs.openSync('/dev/stdin'), which requires
+ * a real pipe — execFileSync input option does not work.
+ */
+function runGuardWithStdin(payload) {
+  const json = typeof payload === 'string' ? payload : JSON.stringify(payload);
+  // Escape single quotes in JSON for shell safety
+  const escaped = json.replace(/'/g, "'\\''");
+  try {
+    const stdout = execSync(`echo '${escaped}' | node ${SCRIPT}`, {
+      encoding: 'utf-8',
+      timeout: 5000,
+    });
+    return { stdout: stdout.trim(), exitCode: 0 };
+  } catch (err) {
+    return { stdout: (err.stdout || '').trim(), exitCode: err.status };
+  }
+}
+
+// ══════════════════════════════════════════════════
+// Sentinel path protection
+// ══════════════════════════════════════════════════
+describe('sentinel-guard', () => {
+  describe('Write/Edit to sentinel paths via argv', () => {
+    it('should block Write to src/infra/lib/autonomy/', () => {
+      const result = runGuard([
+        'Write',
+        JSON.stringify({ file_path: 'src/infra/lib/autonomy/policy.ts' }),
+      ]);
+      expect(result.exitCode).toBe(2);
+      expect(result.stdout).toContain('block');
+      expect(result.stdout).toContain('Sentinel files are protected');
+    });
+
+    it('should block Edit to sentinel path', () => {
+      const result = runGuard([
+        'Edit',
+        JSON.stringify({ file_path: 'src/infra/lib/autonomy/config.ts' }),
+      ]);
+      expect(result.exitCode).toBe(2);
+      expect(result.stdout).toContain('block');
+    });
+
+    it('should block Write with backslash path separators', () => {
+      const result = runGuard([
+        'Write',
+        JSON.stringify({ file_path: 'src\\infra\\lib\\autonomy\\file.ts' }),
+      ]);
+      expect(result.exitCode).toBe(2);
+      expect(result.stdout).toContain('Sentinel files are protected');
+    });
+
+    it('should block Write with ./ prefix', () => {
+      const result = runGuard([
+        'Write',
+        JSON.stringify({ file_path: './src/infra/lib/autonomy/index.ts' }),
+      ]);
+      expect(result.exitCode).toBe(2);
+    });
+  });
+
+  describe('Write/Edit to sentinel paths via stdin', () => {
+    it('should block Edit via stdin payload', () => {
+      const result = runGuardWithStdin({
+        tool_name: 'Edit',
+        tool_input: { file_path: './src/infra/lib/autonomy/config.ts' },
+      });
+      expect(result.exitCode).toBe(2);
+      expect(result.stdout).toContain('block');
+    });
+
+    it('should block Write via stdin payload', () => {
+      const result = runGuardWithStdin({
+        tool_name: 'Write',
+        tool_input: { file_path: 'src/infra/lib/autonomy/policy.ts' },
+      });
+      expect(result.exitCode).toBe(2);
+      expect(result.stdout).toContain('Sentinel files are protected');
+    });
+  });
+
+  describe('allowed operations', () => {
+    it('should allow Write to non-sentinel paths', () => {
+      const result = runGuard([
+        'Write',
+        JSON.stringify({ file_path: 'src/cli/commands/init.ts' }),
+      ]);
+      expect(result.exitCode).toBe(0);
+    });
+
+    it('should allow Read to sentinel paths (read is not blocked)', () => {
+      const result = runGuard([
+        'Read',
+        JSON.stringify({ file_path: 'src/infra/lib/autonomy/policy.ts' }),
+      ]);
+      expect(result.exitCode).toBe(0);
+    });
+
+    it('should allow Bash commands that do not target sentinel paths', () => {
+      const result = runGuard([
+        'Bash',
+        JSON.stringify({ command: 'ls -la src/cli/' }),
+      ]);
+      expect(result.exitCode).toBe(0);
+    });
+  });
+
+  describe('dangerous bash commands targeting sentinel paths', () => {
+    it('should block rm -rf targeting sentinel path', () => {
+      const result = runGuard([
+        'Bash',
+        JSON.stringify({ command: 'rm -rf src/infra/lib/autonomy/' }),
+      ]);
+      expect(result.exitCode).toBe(2);
+      expect(result.stdout).toContain('block');
+      expect(result.stdout).toContain('Dangerous command targeting sentinel path');
+    });
+
+    it('should block kill -9 targeting sentinel path', () => {
+      const result = runGuard([
+        'Bash',
+        JSON.stringify({ command: 'kill -9 1234 && rm src/infra/lib/autonomy/x' }),
+      ]);
+      expect(result.exitCode).toBe(2);
+    });
+
+    it('should allow rm -rf on non-sentinel paths', () => {
+      const result = runGuard([
+        'Bash',
+        JSON.stringify({ command: 'rm -rf dist/' }),
+      ]);
+      expect(result.exitCode).toBe(0);
+    });
+
+    it('should allow dangerous commands not targeting sentinel paths', () => {
+      const result = runGuard([
+        'Bash',
+        JSON.stringify({ command: 'rm -rf /tmp/junk' }),
+      ]);
+      expect(result.exitCode).toBe(0);
+    });
+  });
+
+  describe('Bash command containing sentinel path in command string', () => {
+    it('should block when command string itself starts with sentinel path', () => {
+      const result = runGuard([
+        'Bash',
+        JSON.stringify({ command: 'src/infra/lib/autonomy/run.sh' }),
+      ]);
+      expect(result.exitCode).toBe(2);
+      expect(result.stdout).toContain('Sentinel files are protected');
+    });
+
+    it('should not block non-dangerous commands referencing sentinel path mid-string', () => {
+      // isSentinelPath only checks startsWith, and the DANGEROUS_BASH_RE +
+      // includes check requires both a dangerous command and sentinel path
+      const result = runGuard([
+        'Bash',
+        JSON.stringify({ command: 'cat src/infra/lib/autonomy/policy.ts | wc -l' }),
+      ]);
+      // 'cat' is not a dangerous command, command does not start with sentinel path
+      expect(result.exitCode).toBe(0);
+    });
+  });
+
+  describe('stdin vs argv priority', () => {
+    it('should prefer stdin payload over argv', () => {
+      const payload = JSON.stringify({
+        tool_name: 'Write',
+        tool_input: { file_path: 'src/infra/lib/autonomy/x.ts' },
+      });
+      const escaped = payload.replace(/'/g, "'\\''");
+      try {
+        execSync(`echo '${escaped}' | node ${SCRIPT} Read '{}'`, {
+          encoding: 'utf-8',
+          timeout: 5000,
+        });
+        expect.unreachable('should have exited with code 2');
+      } catch (err) {
+        expect(err.status).toBe(2);
+        expect(err.stdout).toContain('block');
+      }
+    });
+  });
+});

package/hooks/scripts/auto-commit.js

@@ -0,0 +1,65 @@
+/**
+ * Stop Hook - 에이전트 응답 완료 시 자동 커밋
+ *
+ * 변경사항이 있으면 자동으로 git add + commit.
+ * 커밋 메시지는 변경 파일 목록 기반으로 생성.
+ * feature branch에서만 동작 (main/master 보호).
+ */
+import { execSync } from 'child_process';
+import { PROJECT_DIR } from './utils.js';
+
+const PROTECTED_BRANCHES = ['main', 'master', 'develop', 'production'];
+const MAX_FILES_IN_MSG = 5;
+
+function getCurrentBranch() {
+  return execSync('git branch --show-current', {
+    cwd: PROJECT_DIR,
+    encoding: 'utf-8',
+  }).trim();
+}
+
+function hasChanges() {
+  const status = execSync('git status --porcelain', {
+    cwd: PROJECT_DIR,
+    encoding: 'utf-8',
+  }).trim();
+  return status.length > 0;
+}
+
+function getChangedFiles() {
+  const status = execSync('git status --porcelain', {
+    cwd: PROJECT_DIR,
+    encoding: 'utf-8',
+  }).trim();
+  return status.split('\n')
+    .map(line => line.slice(3).trim())
+    .filter(f => f.length > 0);
+}
+
+function buildCommitMessage(files) {
+  const shown = files.slice(0, MAX_FILES_IN_MSG);
+  const remaining = files.length - shown.length;
+  let msg = `auto: update ${shown.join(', ')}`;
+  if (remaining > 0) msg += ` (+${remaining} more)`;
+  return msg;
+}
+
+try {
+  const branch = getCurrentBranch();
+  if (PROTECTED_BRANCHES.includes(branch)) {
+    // Never auto-commit to protected branches
+    process.exit(0);
+  }
+
+  if (!hasChanges()) process.exit(0);
+
+  const files = getChangedFiles();
+  const msg = buildCommitMessage(files);
+
+  execSync('git add -A', { cwd: PROJECT_DIR, stdio: 'ignore' });
+  execSync(`git commit -m "${msg}"`, { cwd: PROJECT_DIR, stdio: 'ignore' });
+
+  console.log(`[AUTO-COMMIT] ${msg}`);
+} catch {
+  // Auto-commit failure should never block
+}

package/hooks/scripts/auto-format.js

@@ -0,0 +1,64 @@
+/**
+ * PostToolUse Hook - Write/Edit 후 자동 포맷
+ *
+ * 프로젝트에 설치된 포매터를 감지하고 수정된 파일에 자동 실행.
+ * Prettier(JS/TS), Black(Python), gofmt(Go) 지원.
+ * 200ms 이내 완료 목표 — 단일 파일만 처리.
+ */
+import { execSync } from 'child_process';
+import { existsSync } from 'fs';
+import path from 'path';
+import { PROJECT_DIR } from './utils.js';
+
+const CODE_EXT_RE = /\.(ts|tsx|js|jsx|mjs|cjs|css|scss|json|md|html|vue|svelte)$/;
+const PYTHON_EXT_RE = /\.py$/;
+const GO_EXT_RE = /\.go$/;
+
+function getFilePath() {
+  const input = JSON.parse(process.env.TOOL_INPUT || '{}');
+  return input.file_path || input.path || '';
+}
+
+function hasBin(name) {
+  try {
+    execSync(`which ${name}`, { stdio: 'ignore' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function hasPrettier() {
+  return existsSync(path.join(PROJECT_DIR, 'node_modules', '.bin', 'prettier'));
+}
+
+function formatFile(filePath) {
+  const resolved = path.resolve(filePath);
+  if (!existsSync(resolved)) return;
+
+  try {
+    if (CODE_EXT_RE.test(filePath) && hasPrettier()) {
+      execSync(`npx prettier --write "${resolved}"`, {
+        cwd: PROJECT_DIR,
+        stdio: 'ignore',
+        timeout: 5000,
+      });
+      console.log(`[AUTO-FORMAT] prettier: ${path.basename(resolved)}`);
+    } else if (PYTHON_EXT_RE.test(filePath) && hasBin('black')) {
+      execSync(`black --quiet "${resolved}"`, { stdio: 'ignore', timeout: 5000 });
+      console.log(`[AUTO-FORMAT] black: ${path.basename(resolved)}`);
+    } else if (GO_EXT_RE.test(filePath) && hasBin('gofmt')) {
+      execSync(`gofmt -w "${resolved}"`, { stdio: 'ignore', timeout: 5000 });
+      console.log(`[AUTO-FORMAT] gofmt: ${path.basename(resolved)}`);
+    }
+  } catch {
+    // Format failure should never block — silently continue
+  }
+}
+
+try {
+  const filePath = getFilePath();
+  if (filePath) formatFile(filePath);
+} catch {
+  // Silent fail
+}

package/hooks/scripts/auto-test.js

@@ -0,0 +1,81 @@
+/**
+ * PostToolUse Hook - Write/Edit 후 관련 테스트 자동 실행
+ *
+ * 수정된 파일에 대응하는 테스트 파일을 찾아 실행.
+ * 실패 시 마지막 5줄만 출력해서 context window 오염 방지.
+ * exit 0 항상 — 차단하지 않고 에이전트에게 결과만 전달.
+ */
+import { execSync } from 'child_process';
+import { existsSync } from 'fs';
+import path from 'path';
+import { PROJECT_DIR } from './utils.js';
+
+const CODE_EXT_RE = /\.(ts|tsx|js|jsx)$/;
+const TEST_SUFFIXES = ['.test.', '.spec.'];
+const MAX_OUTPUT_LINES = 5;
+
+function getFilePath() {
+  const input = JSON.parse(process.env.TOOL_INPUT || '{}');
+  return input.file_path || input.path || '';
+}
+
+function isTestFile(filePath) {
+  return TEST_SUFFIXES.some(s => filePath.includes(s));
+}
+
+function findTestFile(filePath) {
+  const dir = path.dirname(filePath);
+  const ext = path.extname(filePath);
+  const base = path.basename(filePath, ext);
+
+  // src/foo.ts → src/foo.test.ts, src/__tests__/foo.test.ts
+  const candidates = [
+    path.join(dir, `${base}.test${ext}`),
+    path.join(dir, `${base}.spec${ext}`),
+    path.join(dir, '__tests__', `${base}.test${ext}`),
+    path.join(dir, '__tests__', `${base}.spec${ext}`),
+  ];
+  return candidates.find(c => existsSync(c)) || null;
+}
+
+function hasVitest() {
+  return existsSync(path.join(PROJECT_DIR, 'node_modules', '.bin', 'vitest'));
+}
+
+function hasJest() {
+  return existsSync(path.join(PROJECT_DIR, 'node_modules', '.bin', 'jest'));
+}
+
+try {
+  const filePath = getFilePath();
+  if (!filePath || !CODE_EXT_RE.test(filePath)) process.exit(0);
+
+  const testFile = isTestFile(filePath) ? filePath : findTestFile(filePath);
+  if (!testFile) process.exit(0);
+
+  const relPath = path.relative(PROJECT_DIR, testFile);
+  let cmd = '';
+  if (hasVitest()) {
+    cmd = `npx vitest run "${relPath}" --reporter=verbose`;
+  } else if (hasJest()) {
+    cmd = `npx jest "${relPath}" --no-coverage`;
+  } else {
+    process.exit(0);
+  }
+
+  console.log(`[AUTO-TEST] Running: ${relPath}`);
+  const output = execSync(cmd, {
+    cwd: PROJECT_DIR,
+    stdio: ['ignore', 'pipe', 'pipe'],
+    timeout: 60000,
+  }).toString();
+
+  const tail = output.trim().split('\n').slice(-MAX_OUTPUT_LINES).join('\n');
+  console.log(`[AUTO-TEST] PASSED\n${tail}`);
+} catch (err) {
+  const stderr = err.stderr ? err.stderr.toString() : '';
+  const stdout = err.stdout ? err.stdout.toString() : '';
+  const combined = (stdout + '\n' + stderr).trim();
+  const tail = combined.split('\n').slice(-MAX_OUTPUT_LINES).join('\n');
+  console.log(`[AUTO-TEST] FAILED\n${tail}`);
+}

package/hooks/scripts/code-check.js

@@ -2,6 +2,7 @@
  * PostToolUse Hook - Write/Edit 후 코드 품질 검사 + 관찰 자동 캡처
  */
 import { getToolsBaseUrl, PROJECT_DIR } from './utils.js';
+import { readFileSync } from 'fs';
 
 const BASE_URL = getToolsBaseUrl();
 
@@ -34,6 +35,143 @@ function classifyObservation(files) {
   return { type: 'feature', title: 'Code modified' };
 }
 
+/**
+ * Detect `any` type usage and return line-level findings
+ */
+function detectAnyType(lines) {
+  const findings = [];
+  lines.forEach((line, i) => {
+    if (/:\s*any\b|<any>|as\s+any\b/.test(line)) {
+      findings.push({
+        line: i + 1,
+        match: line.trim(),
+        suggestion: 'Replace with: unknown + type guard pattern: if (typeof x === \'string\') { ... }'
+      });
+    }
+  });
+  return findings;
+}
+
+/**
+ * Detect functions exceeding 50 lines
+ */
+function detectLongFunctions(lines) {
+  const findings = [];
+  let fnStart = -1;
+  let fnName = '';
+  let depth = 0;
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const fnMatch = line.match(/(?:function\s+(\w+)|(?:const|let|var)\s+(\w+)\s*=\s*(?:async\s*)?\()/);
+    if (fnMatch && depth === 0) {
+      fnStart = i;
+      fnName = fnMatch[1] || fnMatch[2] || 'anonymous';
+    }
+    depth += (line.match(/\{/g) || []).length - (line.match(/\}/g) || []).length;
+    if (fnStart !== -1 && depth <= 0) {
+      const length = i - fnStart + 1;
+      if (length > 50) {
+        findings.push({
+          line: fnStart + 1,
+          match: `function '${fnName}' is ${length} lines`,
+          suggestion: `Extract lines ${fnStart + 20}–${i + 1} into a separate helper function`
+        });
+      }
+      fnStart = -1;
+      depth = 0;
+    }
+  }
+  return findings;
+}
+
+/**
+ * Detect nesting depth exceeding 3 levels
+ */
+function detectDeepNesting(lines) {
+  const findings = [];
+  let depth = 0;
+  let reported = false;
+
+  lines.forEach((line, i) => {
+    depth += (line.match(/\{/g) || []).length - (line.match(/\}/g) || []).length;
+    if (depth > 3 && !reported) {
+      findings.push({
+        line: i + 1,
+        match: `nesting depth ${depth} at line ${i + 1}`,
+        suggestion: 'Use early return pattern: if (!condition) return; — instead of wrapping in else'
+      });
+      reported = true;
+    }
+    if (depth <= 3) reported = false;
+  });
+  return findings;
+}
+
+/**
+ * Detect console.log statements
+ */
+function detectConsoleLogs(lines) {
+  const findings = [];
+  lines.forEach((line, i) => {
+    if (/console\.log\(/.test(line)) {
+      findings.push({
+        line: i + 1,
+        match: line.trim(),
+        suggestion: 'Remove or replace with debugLog utility'
+      });
+    }
+  });
+  return findings;
+}
+
+/**
+ * Detect magic numbers (bare numeric literals ≥2 digits, outside comments/strings)
+ */
+function detectMagicNumbers(lines) {
+  const findings = [];
+  lines.forEach((line, i) => {
+    const stripped = line.replace(/\/\/.*$/, '').replace(/(['"`]).*?\1/g, '""');
+    const nums = stripped.match(/\b\d{2,}\b/g) || [];
+    if (nums.length > 0) {
+      findings.push({
+        line: i + 1,
+        match: `magic number(s): ${nums.join(', ')}`,
+        suggestion: `Extract to named constant: const LIMIT = ${nums[0]};`
+      });
+    }
+  });
+  return findings;
+}
+
+/**
+ * Run all self-heal detectors and emit [SELF-HEAL] messages
+ */
+function emitSelfHealMessages(filePath) {
+  let content;
+  try {
+    content = readFileSync(filePath, 'utf-8');
+  } catch {
+    return;
+  }
+
+  const lines = content.split('\n');
+  const detectors = [
+    { label: 'any type detected', fn: detectAnyType },
+    { label: 'function too long', fn: detectLongFunctions },
+    { label: 'nesting too deep', fn: detectDeepNesting },
+    { label: 'console.log found', fn: detectConsoleLogs },
+    { label: 'magic number', fn: detectMagicNumbers },
+  ];
+
+  for (const { label, fn } of detectors) {
+    const findings = fn(lines).slice(0, 2);
+    for (const f of findings) {
+      console.log(`[SELF-HEAL] ${label} at line ${f.line} → ${f.suggestion}`);
+    }
+  }
+}
+
 async function main() {
   // 1. Code quality check (changed files only — never scan entire project)
   try {
@@ -50,6 +188,7 @@ async function main() {
       if (critical.length > 0) {
         console.log('[CODE CHECK]', critical.join(' | '));
       }
+      emitSelfHealMessages(files[0]);
     }
   } catch {
     // Silently continue on check failure — never block progress

package/hooks/scripts/command-log.js

@@ -0,0 +1,32 @@
+/**
+ * PreToolUse Hook - 모든 Bash 명령어를 타임스탬프와 함께 로깅
+ *
+ * 로그 위치: .claude/command-log.txt
+ * exit 0 항상 통과 (로깅만 수행, 차단하지 않음)
+ */
+import { appendFileSync, mkdirSync, existsSync } from 'fs';
+import path from 'path';
+import { PROJECT_DIR } from './utils.js';
+
+const LOG_DIR = path.join(PROJECT_DIR, '.claude');
+const LOG_FILE = path.join(LOG_DIR, 'command-log.txt');
+const MAX_CMD_LENGTH = 500;
+
+try {
+  const input = JSON.parse(process.env.TOOL_INPUT || '{}');
+  const command = input.command || '';
+  if (!command) process.exit(0);
+
+  const timestamp = new Date().toISOString();
+  const truncated = command.length > MAX_CMD_LENGTH
+    ? command.slice(0, MAX_CMD_LENGTH) + '...(truncated)'
+    : command;
+
+  const entry = `[${timestamp}] ${truncated}\n`;
+
+  if (!existsSync(LOG_DIR)) mkdirSync(LOG_DIR, { recursive: true });
+  appendFileSync(LOG_FILE, entry);
+} catch {
+  // Never block on logging failure
+}
+process.exit(0);