@vibecodetown/mcp-server 2.1.4 → 2.2.0

package/build/auth/credential_store.js

@@ -0,0 +1,146 @@
+// adapters/mcp-ts/src/auth/credential_store.ts
+// Secure local credential storage for GitHub/NPM tokens
+import { homedir } from "os";
+import { join } from "path";
+import { readFile, writeFile, mkdir, unlink, chmod } from "fs/promises";
+import { existsSync } from "fs";
+const CONFIG_DIR = join(homedir(), ".vibe-pm");
+const CREDENTIALS_FILE = join(CONFIG_DIR, "credentials.json");
+/**
+ * Credential Store - Secure local storage for API tokens
+ *
+ * Storage: ~/.vibe-pm/credentials.json (0o600 permissions)
+ * Override: VIBECODE_CREDENTIALS_FILE env var
+ *
+ * Priority for GitHub token:
+ *   1. GITHUB_TOKEN env var
+ *   2. GH_TOKEN env var
+ *   3. Stored credential
+ *
+ * Priority for NPM token:
+ *   1. NPM_TOKEN env var
+ *   2. Stored credential
+ */
+export class CredentialStore {
+    cache = null;
+    resolveCredentialsPath() {
+        const override = (process.env.VIBECODE_CREDENTIALS_FILE || "").trim();
+        return override || CREDENTIALS_FILE;
+    }
+    /**
+     * Get GitHub token (env var takes priority)
+     */
+    async getGitHubToken() {
+        // Env vars take priority
+        const envToken = process.env.GITHUB_TOKEN || process.env.GH_TOKEN;
+        if (envToken)
+            return envToken.trim();
+        // Fall back to stored credential
+        const creds = await this.load();
+        return creds?.github_token || null;
+    }
+    /**
+     * Get NPM token (env var takes priority)
+     */
+    async getNpmToken() {
+        // Env var takes priority
+        const envToken = process.env.NPM_TOKEN;
+        if (envToken)
+            return envToken.trim();
+        // Fall back to stored credential
+        const creds = await this.load();
+        return creds?.npm_token || null;
+    }
+    /**
+     * Store GitHub token
+     */
+    async setGitHubToken(token) {
+        const creds = (await this.load()) || {};
+        creds.github_token = token;
+        creds.updated_at = new Date().toISOString();
+        await this.save(creds);
+    }
+    /**
+     * Store NPM token
+     */
+    async setNpmToken(token) {
+        const creds = (await this.load()) || {};
+        creds.npm_token = token;
+        creds.updated_at = new Date().toISOString();
+        await this.save(creds);
+    }
+    /**
+     * Remove a credential
+     */
+    async remove(key) {
+        const creds = await this.load();
+        if (!creds)
+            return;
+        delete creds[key];
+        creds.updated_at = new Date().toISOString();
+        await this.save(creds);
+    }
+    /**
+     * Clear all credentials
+     */
+    async clear() {
+        this.cache = null;
+        const credPath = this.resolveCredentialsPath();
+        if (existsSync(credPath)) {
+            await unlink(credPath);
+        }
+    }
+    /**
+     * Check what credentials are stored (without exposing values)
+     */
+    async status() {
+        const creds = await this.load();
+        return {
+            github: !!creds?.github_token,
+            npm: !!creds?.npm_token,
+            path: this.resolveCredentialsPath(),
+        };
+    }
+    /**
+     * Load credentials from disk
+     */
+    async load() {
+        if (this.cache)
+            return this.cache;
+        const credPath = this.resolveCredentialsPath();
+        if (!existsSync(credPath))
+            return null;
+        try {
+            const data = await readFile(credPath, "utf-8");
+            this.cache = JSON.parse(data);
+            return this.cache;
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Save credentials to disk with secure permissions
+     */
+    async save(creds) {
+        this.cache = creds;
+        // Ensure config directory exists
+        if (!existsSync(CONFIG_DIR)) {
+            await mkdir(CONFIG_DIR, { recursive: true, mode: 0o700 });
+        }
+        const credPath = this.resolveCredentialsPath();
+        const data = JSON.stringify(creds, null, 2);
+        // Write with restricted permissions (owner read/write only)
+        await writeFile(credPath, data, { mode: 0o600 });
+        // Ensure permissions on existing file
+        await chmod(credPath, 0o600);
+    }
+}
+// Singleton instance
+let _store = null;
+export function getCredentialStore() {
+    if (!_store) {
+        _store = new CredentialStore();
+    }
+    return _store;
+}

package/build/auth/index.js

@@ -5,11 +5,13 @@
  * - Token caching and persistence
  * - Offline JWT verification
  * - Feature gating based on entitlements
+ * - Credential storage (GitHub/NPM tokens)
  */
 export { TokenCache } from './token_cache.js';
 export { TokenVerifier } from './token_verifier.js';
 export { AuthGate } from './gate.js';
 export { PUBLIC_KEY } from './public_key.js';
+export { CredentialStore, getCredentialStore } from './credential_store.js';
 // Re-export convenience functions
 import { TokenCache } from './token_cache.js';
 import { TokenVerifier } from './token_verifier.js';

package/build/control_plane/gate.js

@@ -3,8 +3,10 @@
  *
  * Provides gate enforcement for work orders before execution.
  * All work orders must pass through the gate before any work can proceed.
+ *
+ * All subprocess invocations go through cli_invoker for centralized management.
  */
-import { spawn } from "child_process";
+import { invokeSystem } from "../runtime/cli_invoker.js";
 import { WorkOrderV1Schema } from "../generated/work_order_v1.js";
 import { GateResultV1Schema } from "../generated/gate_result_v1.js";
 /**
@@ -30,76 +32,56 @@ export async function runSystemDesignGate(workOrder, options) {
     pushBool("fail-fast", options.failFast);
     pushBool("semgrep", options.semgrep);
     pushBool("runtime", options.runtime);
-    return new Promise((resolve) => {
-        const child = spawn(pythonExe, [
-            "-m",
-            "vibecoding_helper",
-            "--repo-root",
-            repoRoot,
-            "gate-check",
-            ...overrideFlags,
-            "--work-order",
-            workOrderJson,
-            "--format",
-            "json",
-        ], {
-            cwd: repoRoot,
-            timeout: timeoutMs,
-            env: { ...process.env, PYTHONIOENCODING: "utf-8" },
-        });
-        let stdout = "";
-        let stderr = "";
-        child.stdout?.on("data", (data) => {
-            stdout += data.toString();
-        });
-        child.stderr?.on("data", (data) => {
-            stderr += data.toString();
-        });
-        child.on("close", (code) => {
-            // Exit code 0 = ALLOW, 2 = BLOCK, other = error
-            if (code === null) {
-                resolve({
-                    success: false,
-                    error: "Gate check timed out",
-                });
-                return;
-            }
-            if (code !== 0 && code !== 2) {
-                resolve({
-                    success: false,
-                    error: `Gate check failed with code ${code}: ${stderr || stdout}`,
-                });
-                return;
-            }
-            try {
-                const result = JSON.parse(stdout.trim());
-                const validated = GateResultV1Schema.safeParse(result);
-                if (!validated.success) {
-                    resolve({
-                        success: false,
-                        error: `Invalid gate result: ${validated.error.message}`,
-                    });
-                    return;
-                }
-                resolve({
-                    success: true,
-                    result: validated.data,
-                });
-            }
-            catch (e) {
-                resolve({
-                    success: false,
-                    error: `Failed to parse gate result: ${e instanceof Error ? e.message : String(e)}`,
-                });
-            }
-        });
-        child.on("error", (err) => {
-            resolve({
-                success: false,
-                error: `Gate check process error: ${err.message}`,
-            });
-        });
+    const args = [
+        "-m",
+        "vibecoding_helper",
+        "--repo-root",
+        repoRoot,
+        "gate-check",
+        ...overrideFlags,
+        "--work-order",
+        workOrderJson,
+        "--format",
+        "json",
+    ];
+    const result = await invokeSystem(pythonExe, args, repoRoot, {
+        env: { PYTHONIOENCODING: "utf-8" },
+        timeoutMs,
     });
+    // Exit code 124 = timeout
+    if (result.exitCode === 124) {
+        return {
+            success: false,
+            error: "Gate check timed out",
+        };
+    }
+    // Exit code 0 = ALLOW, 2 = BLOCK, other = error
+    if (result.exitCode !== 0 && result.exitCode !== 2) {
+        return {
+            success: false,
+            error: `Gate check failed with code ${result.exitCode}: ${result.stderr || result.stdout}`,
+        };
+    }
+    try {
+        const parsed = JSON.parse(result.stdout.trim());
+        const validated = GateResultV1Schema.safeParse(parsed);
+        if (!validated.success) {
+            return {
+                success: false,
+                error: `Invalid gate result: ${validated.error.message}`,
+            };
+        }
+        return {
+            success: true,
+            result: validated.data,
+        };
+    }
+    catch (e) {
+        return {
+            success: false,
+            error: `Failed to parse gate result: ${e instanceof Error ? e.message : String(e)}`,
+        };
+    }
 }
 /**
  * Execute a work order only if it passes the gate

package/build/index.js

@@ -71,6 +71,8 @@ server.tool("vibe_pm.export_output", VIBE_PM_TOOL_DESCRIPTIONS["vibe_pm.export_o
 server.tool("vibe_pm.search_oss", VIBE_PM_TOOL_DESCRIPTIONS["vibe_pm.search_oss"], pm.searchOssInputSchema.shape, async (input) => pm.vibePmSearchOss(pm.searchOssInputSchema.parse(input)));
 server.tool("vibe_pm.zoekt_evidence", VIBE_PM_TOOL_DESCRIPTIONS["vibe_pm.zoekt_evidence"], pm.zoektEvidenceInputSchema.shape, async (input) => pm.vibePmZoektEvidence(pm.zoektEvidenceInputSchema.parse(input)));
 server.tool("vibe_pm.gate", VIBE_PM_TOOL_DESCRIPTIONS["vibe_pm.gate"], pm.gateInputSchema.shape, async (input) => pm.vibePmGate(pm.gateInputSchema.parse(input)));
+server.tool("vibe_pm.save_rule", VIBE_PM_TOOL_DESCRIPTIONS["vibe_pm.save_rule"], pm.saveRuleInputSchema.shape, async (input) => pm.vibePmSaveRule(pm.saveRuleInputSchema.parse(input)));
+server.tool("vibe_pm.list_rules", VIBE_PM_TOOL_DESCRIPTIONS["vibe_pm.list_rules"], pm.listRulesInputSchema.shape, async (input) => pm.vibePmListRules(pm.listRulesInputSchema.parse(input)));
 // ============================================================
 // OPTIONAL: react_perf.* Tools (Performance Analysis)
 // ============================================================

package/build/local-mode/git.js

@@ -1,33 +1,47 @@
-import { spawnSync } from "node:child_process";
+/**
+ * Git utilities for local mode
+ *
+ * All git commands go through cli_invoker for centralized subprocess management.
+ *
+ * @module local-mode/git
+ */
+import { invokeGitSync } from "../runtime/cli_invoker.js";
+/**
+ * Get the git repository root directory
+ *
+ * @param cwd - Current working directory
+ * @returns Git root path or null if not in a git repository
+ */
 export function getGitRoot(cwd) {
-    const result = spawnSync("git", ["rev-parse", "--show-toplevel"], {
-        cwd,
-        encoding: "utf-8",
-        stdio: ["ignore", "pipe", "pipe"],
-    });
-    if (result.status !== 0)
+    const result = invokeGitSync(["rev-parse", "--show-toplevel"], cwd);
+    if (result.exitCode !== 0)
         return null;
-    const out = (result.stdout ?? "").trim();
+    const out = result.stdout.trim();
     return out.length > 0 ? out : null;
 }
+/**
+ * Get the configured git hooks path
+ *
+ * @param cwd - Current working directory (should be git root)
+ * @returns Configured hooks path or null if not set
+ */
 export function getGitHooksPath(cwd) {
-    const result = spawnSync("git", ["config", "--local", "--get", "core.hooksPath"], {
-        cwd,
-        encoding: "utf-8",
-        stdio: ["ignore", "pipe", "pipe"],
-    });
-    if (result.status !== 0)
+    const result = invokeGitSync(["config", "--local", "--get", "core.hooksPath"], cwd);
+    if (result.exitCode !== 0)
         return null;
-    const out = (result.stdout ?? "").trim();
+    const out = result.stdout.trim();
     return out.length > 0 ? out : null;
 }
+/**
+ * Set the git hooks path
+ *
+ * @param cwd - Current working directory (should be git root)
+ * @param hooksPath - Path to hooks directory
+ * @returns Success or error
+ */
 export function setGitHooksPath(cwd, hooksPath) {
-    const result = spawnSync("git", ["config", "--local", "core.hooksPath", hooksPath], {
-        cwd,
-        encoding: "utf-8",
-        stdio: ["ignore", "pipe", "pipe"],
-    });
-    if (result.status === 0)
+    const result = invokeGitSync(["config", "--local", "core.hooksPath", hooksPath], cwd);
+    if (result.exitCode === 0)
         return { ok: true };
-    return { ok: false, error: (result.stderr ?? "git config failed").trim() };
+    return { ok: false, error: (result.stderr || "git config failed").trim() };
 }

package/build/local-mode/project-state.js

@@ -0,0 +1,176 @@
+// adapters/mcp-ts/src/local-mode/project-state.ts
+// Per-folder project state persistence
+// Stores workflow state, reminders, and pending actions
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { getVibeRepoPaths } from "./paths.js";
+const DEFAULT_STATE = {
+    schema_version: 1,
+    phases: [],
+    pending_actions: [],
+    reminders: [],
+};
+/**
+ * Load project state from .vibe/project_state.json
+ */
+export function loadProjectState(basePath = process.cwd()) {
+    const paths = getVibeRepoPaths(basePath);
+    const statePath = path.join(paths.vibeDir, "project_state.json");
+    if (!fs.existsSync(statePath)) {
+        return null;
+    }
+    try {
+        const content = fs.readFileSync(statePath, "utf-8");
+        return JSON.parse(content);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Save project state to .vibe/project_state.json
+ */
+export function saveProjectState(state, basePath = process.cwd()) {
+    const paths = getVibeRepoPaths(basePath);
+    const statePath = path.join(paths.vibeDir, "project_state.json");
+    // Ensure .vibe directory exists
+    if (!fs.existsSync(paths.vibeDir)) {
+        fs.mkdirSync(paths.vibeDir, { recursive: true });
+    }
+    state.updated_at = new Date().toISOString();
+    fs.writeFileSync(statePath, JSON.stringify(state, null, 2));
+}
+/**
+ * Get or create project state
+ */
+export function getProjectState(basePath = process.cwd()) {
+    const existing = loadProjectState(basePath);
+    if (existing) {
+        return existing;
+    }
+    const projectId = path.basename(basePath).toLowerCase().replace(/[^a-z0-9_-]/g, "_");
+    return {
+        ...DEFAULT_STATE,
+        project_id: projectId,
+        updated_at: new Date().toISOString(),
+    };
+}
+/**
+ * Add a pending action
+ */
+export function addPendingAction(action, basePath = process.cwd()) {
+    const state = getProjectState(basePath);
+    // Check for duplicate
+    const exists = state.pending_actions.some((a) => a.type === action.type && a.reason === action.reason);
+    if (exists)
+        return;
+    state.pending_actions.push({
+        ...action,
+        created_at: new Date().toISOString(),
+    });
+    saveProjectState(state, basePath);
+}
+/**
+ * Remove a pending action by type
+ */
+export function removePendingAction(type, basePath = process.cwd()) {
+    const state = getProjectState(basePath);
+    state.pending_actions = state.pending_actions.filter((a) => a.type !== type);
+    saveProjectState(state, basePath);
+}
+/**
+ * Get all pending actions (for reminders)
+ */
+export function getPendingActions(basePath = process.cwd()) {
+    const state = loadProjectState(basePath);
+    return state?.pending_actions || [];
+}
+/**
+ * Update last commit info
+ */
+export function updateLastCommit(info, basePath = process.cwd()) {
+    const state = getProjectState(basePath);
+    state.last_commit = info;
+    // If pushed, remove git_push pending action
+    if (info.pushed) {
+        state.pending_actions = state.pending_actions.filter((a) => a.type !== "git_push");
+    }
+    else {
+        // Add git_push pending action if not pushed
+        const exists = state.pending_actions.some((a) => a.type === "git_push");
+        if (!exists) {
+            state.pending_actions.push({
+                type: "git_push",
+                reason: `커밋 ${info.hash.slice(0, 7)} 푸시 필요`,
+                created_at: new Date().toISOString(),
+                priority: "medium",
+            });
+        }
+    }
+    saveProjectState(state, basePath);
+}
+/**
+ * Update last MCP build info
+ */
+export function updateLastMcpBuild(info, basePath = process.cwd()) {
+    const state = getProjectState(basePath);
+    state.last_mcp_build = info;
+    // If published, remove mcp_build and npm_publish pending actions
+    if (info.published) {
+        state.pending_actions = state.pending_actions.filter((a) => a.type !== "mcp_build" && a.type !== "npm_publish");
+    }
+    saveProjectState(state, basePath);
+}
+/**
+ * Format pending actions as reminder text
+ */
+export function formatReminders(basePath = process.cwd()) {
+    const actions = getPendingActions(basePath);
+    if (actions.length === 0)
+        return null;
+    const lines = ["## 📋 대기 중인 작업"];
+    // Sort by priority
+    const sorted = [...actions].sort((a, b) => {
+        const order = { high: 0, medium: 1, low: 2 };
+        return order[a.priority] - order[b.priority];
+    });
+    for (const action of sorted) {
+        const emoji = action.priority === "high" ? "🔴" : action.priority === "medium" ? "🟡" : "🟢";
+        const tool = getToolForAction(action.type);
+        lines.push(`- ${emoji} ${action.reason}${tool ? ` → \`${tool}\`` : ""}`);
+    }
+    return lines.join("\n");
+}
+function getToolForAction(type) {
+    const mapping = {
+        mcp_build: "vibe_pm.publish_mcp",
+        engine_build: null, // Manual
+        npm_publish: "vibe_pm.publish_mcp",
+        git_push: "vibe_pm.finalize_work",
+        review: "vibe_pm.inspect_code",
+        custom: null,
+    };
+    return mapping[type];
+}
+/**
+ * Check and add MCP build pending action if needed
+ */
+export async function checkAndAddMcpBuildAction(basePath = process.cwd()) {
+    // Dynamically import to avoid circular dependency
+    const { needsMcpBuild } = await import("../tools/vibe_pm/publish_mcp.js");
+    try {
+        const needs = await needsMcpBuild(basePath);
+        if (needs) {
+            addPendingAction({
+                type: "mcp_build",
+                reason: "MCP 소스 변경됨 - 빌드 필요",
+                priority: "high",
+            }, basePath);
+            return true;
+        }
+    }
+    catch {
+        // ignore
+    }
+    return false;
+}

package/build/local-mode/templates.js

@@ -763,9 +763,9 @@ jobs:
       - name: Run Vibe guard
         shell: bash
         env:
-          # Default: WARN does not fail the job (seatbelt philosophy).
-          # Opt-in strict mode: set to "true" in the generated workflow.
-          VIBE_FAIL_ON_WARN: "false"
+          # P0-2: CI 환경에서는 WARN도 빌드 실패 처리 (기본값)
+          # 이전 동작이 필요하면 "false"로 변경
+          VIBE_FAIL_ON_WARN: "true"
         run: |
           set -euo pipefail
           if [[ ! -f ".vibe/lib/validate.sh" ]]; then