bluekiwi 0.1.2 → 0.1.4

package/dist/assets/mcp/api-client.d.ts

@@ -0,0 +1,6 @@
+export declare class BlueKiwiClient {
+    private baseUrl;
+    private apiKey;
+    constructor(baseUrl: string, apiKey: string);
+    request<T>(method: string, path: string, body?: unknown): Promise<T>;
+}

package/dist/assets/mcp/api-client.js

@@ -0,0 +1,61 @@
+import { BlueKiwiAuthError, BlueKiwiApiError, BlueKiwiNetworkError, } from "./errors.js";
+const RETRY_DELAYS_MS = [100, 500, 2000];
+export class BlueKiwiClient {
+    baseUrl;
+    apiKey;
+    constructor(baseUrl, apiKey) {
+        this.baseUrl = baseUrl;
+        this.apiKey = apiKey;
+        if (!baseUrl)
+            throw new Error("BlueKiwiClient: baseUrl is required");
+        if (!apiKey)
+            throw new Error("BlueKiwiClient: apiKey is required");
+    }
+    async request(method, path, body) {
+        const url = `${this.baseUrl.replace(/\/$/, "")}${path}`;
+        const init = {
+            method,
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${this.apiKey}`,
+            },
+            body: body === undefined ? undefined : JSON.stringify(body),
+        };
+        let lastError;
+        for (let attempt = 0; attempt <= RETRY_DELAYS_MS.length; attempt++) {
+            try {
+                const res = await fetch(url, init);
+                if (res.status === 401) {
+                    throw new BlueKiwiAuthError();
+                }
+                if (!res.ok) {
+                    const text = await res.text().catch(() => "");
+                    if (res.status >= 500 && attempt < RETRY_DELAYS_MS.length) {
+                        lastError = new BlueKiwiApiError(res.status, text);
+                        await sleep(RETRY_DELAYS_MS[attempt]);
+                        continue;
+                    }
+                    throw new BlueKiwiApiError(res.status, text);
+                }
+                const text = await res.text();
+                return (text ? JSON.parse(text) : null);
+            }
+            catch (err) {
+                if (err instanceof BlueKiwiAuthError ||
+                    err instanceof BlueKiwiApiError) {
+                    throw err;
+                }
+                lastError = err;
+                if (attempt < RETRY_DELAYS_MS.length) {
+                    await sleep(RETRY_DELAYS_MS[attempt]);
+                    continue;
+                }
+                throw new BlueKiwiNetworkError(`Failed to reach ${url} after ${RETRY_DELAYS_MS.length + 1} attempts`, err);
+            }
+        }
+        throw new BlueKiwiNetworkError("Unreachable", lastError);
+    }
+}
+function sleep(ms) {
+    return new Promise((r) => setTimeout(r, ms));
+}

package/dist/assets/mcp/errors.d.ts

@@ -0,0 +1,12 @@
+export declare class BlueKiwiAuthError extends Error {
+    constructor(message?: string);
+}
+export declare class BlueKiwiApiError extends Error {
+    readonly status: number;
+    readonly body: string;
+    constructor(status: number, body: string);
+}
+export declare class BlueKiwiNetworkError extends Error {
+    readonly cause?: unknown | undefined;
+    constructor(message: string, cause?: unknown | undefined);
+}

package/dist/assets/mcp/errors.js

@@ -0,0 +1,24 @@
+export class BlueKiwiAuthError extends Error {
+    constructor(message = "Invalid or expired API key") {
+        super(message);
+        this.name = "BlueKiwiAuthError";
+    }
+}
+export class BlueKiwiApiError extends Error {
+    status;
+    body;
+    constructor(status, body) {
+        super(`BlueKiwi API error ${status}: ${body}`);
+        this.status = status;
+        this.body = body;
+        this.name = "BlueKiwiApiError";
+    }
+}
+export class BlueKiwiNetworkError extends Error {
+    cause;
+    constructor(message, cause) {
+        super(message);
+        this.cause = cause;
+        this.name = "BlueKiwiNetworkError";
+    }
+}

package/dist/assets/mcp/server.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/assets/mcp/server.js

@@ -0,0 +1,805 @@
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { CallToolRequestSchema, ListToolsRequestSchema, } from "@modelcontextprotocol/sdk/types.js";
+import { BlueKiwiClient } from "./api-client.js";
+import { BlueKiwiApiError, BlueKiwiAuthError, BlueKiwiNetworkError, } from "./errors.js";
+import * as fs from "fs";
+import * as path from "path";
+const KOREA_OTA_PATTERNS = (() => {
+    const rrnSource = String.raw `\b\d{6}-?\d{7}\b`;
+    const secretSource = String.raw `(password|secret|api[_-]?key|token|private[_-]?key)\s*[=:]\s*["'` +
+        "`" +
+        String.raw `].{8,}`;
+    const fieldSource = String.raw `(residentRegistration|rrn|passport|foreignerRegistration|visaNumber|cardNumber|cvv|cvc|accountNumber)`;
+    const httpSource = String.raw `http://(?!localhost|127\.0\.0\.1|0\.0\.0\.0)`;
+    const geoSource = String.raw `navigator\.geolocation\.(getCurrentPosition|watchPosition)`;
+    const precheckSource = String.raw `(defaultChecked|checked)\s*=\s*\{?\s*true`;
+    return [
+        {
+            id: "PIPA-001-RRN",
+            severity: "REVIEW",
+            source: rrnSource,
+            flags: "",
+            description: "RRN/외국인등록번호 형식",
+            regex: new RegExp(rrnSource, ""),
+        },
+        {
+            id: "ISMS-001-SECRET",
+            severity: "BLOCK",
+            source: secretSource,
+            flags: "i",
+            description: "하드코딩 시크릿 의심",
+            regex: new RegExp(secretSource, "i"),
+        },
+        {
+            id: "PIPA-002-FIELD",
+            severity: "REVIEW",
+            source: fieldSource,
+            flags: "i",
+            description: "고위험 식별자 필드명",
+            regex: new RegExp(fieldSource, "i"),
+        },
+        {
+            id: "ISMS-004-HTTP",
+            severity: "WARN",
+            source: httpSource,
+            flags: "",
+            description: "평문 HTTP URL (외부)",
+            regex: new RegExp(httpSource, ""),
+        },
+        {
+            id: "LIA-001-GEO",
+            severity: "REVIEW",
+            source: geoSource,
+            flags: "",
+            description: "Geolocation API 사용",
+            regex: new RegExp(geoSource, ""),
+        },
+        {
+            id: "PIPA-004-PRECHECK",
+            severity: "REVIEW",
+            source: precheckSource,
+            flags: "",
+            description: "사전 체크된 동의 체크박스",
+            regex: new RegExp(precheckSource, ""),
+        },
+    ];
+})();
+const SCAN_REPO_DEFAULT_GLOBS = [
+    "*.ts",
+    "*.tsx",
+    "*.js",
+    "*.jsx",
+    "*.java",
+    "*.py",
+    "*.go",
+    "*.rs",
+    "*.sql",
+    "*.yml",
+    "*.yaml",
+    "*.properties",
+    "*.env",
+    "*.tf",
+    "*.hcl",
+];
+const SCAN_REPO_SKIP_DIRS = new Set([
+    "node_modules",
+    ".git",
+    "dist",
+    "build",
+    ".next",
+    "coverage",
+    ".turbo",
+]);
+const apiUrl = process.env.BLUEKIWI_API_URL;
+const apiKey = process.env.BLUEKIWI_API_KEY ?? parseApiKeyFlag();
+if (!apiUrl) {
+    throw new Error("BLUEKIWI_API_URL is required");
+}
+if (!apiKey) {
+    throw new Error("BLUEKIWI_API_KEY is required");
+}
+const client = new BlueKiwiClient(apiUrl, apiKey);
+const server = new Server({ name: "bluekiwi", version: "1.0.0" }, { capabilities: { tools: {} } });
+const tools = [
+    tool("list_workflows", "List workflows visible to the current user. By default only active versions are returned. Pass include_inactive=true to see archived versions. Pass folder_id to filter by a specific folder.", {
+        include_inactive: { type: "boolean" },
+        folder_id: { type: "number" },
+    }),
+    tool("list_workflow_versions", "List every version in the same family as the given workflow id, including active and archived ones. Returns the active_version_id and an ordered versions array.", {
+        workflow_id: { type: "number" },
+    }, ["workflow_id"]),
+    tool("activate_workflow", "Activate a specific workflow version. Automatically deactivates the other active version in the same family (one active version per family).", {
+        workflow_id: { type: "number" },
+    }, ["workflow_id"]),
+    tool("deactivate_workflow", "Deactivate a specific workflow version. Archived versions remain readable but cannot be pinned by new task starts.", {
+        workflow_id: { type: "number" },
+    }, ["workflow_id"]),
+    tool("start_workflow", "Start a task from a workflow id. Optionally pin a specific version within the same family. Starting against an archived (inactive) version fails with HTTP 409.", {
+        workflow_id: { type: "number" },
+        version: { type: "string" },
+        context: { type: "string" },
+        session_meta: { type: "string" },
+        target: { type: "object" },
+    }, ["workflow_id"]),
+    tool("execute_step", "Submit the result for the current workflow step", {
+        task_id: { type: "number" },
+        node_id: { type: "number" },
+        output: { type: "string" },
+        status: { type: "string" },
+        visual_html: { type: "string" },
+        loop_continue: { type: "boolean" },
+        context_snapshot: { type: "object" },
+        structured_output: { type: "object" },
+        artifacts: { type: "array" },
+        session_id: { type: "string" },
+        agent_id: { type: "string" },
+        user_name: { type: "string" },
+        model_id: { type: "string" },
+    }, ["task_id", "node_id", "output", "status"]),
+    tool("advance", "Advance a task to the next step or inspect the current step", {
+        task_id: { type: "number" },
+        peek: { type: "boolean" },
+    }, ["task_id"]),
+    tool("heartbeat", "Append progress information for a running task step", {
+        task_id: { type: "number" },
+        node_id: { type: "number" },
+        progress: { type: "string" },
+    }, ["task_id", "node_id", "progress"]),
+    tool("complete_task", "Mark a task as completed or failed", {
+        task_id: { type: "number" },
+        status: { type: "string" },
+        summary: { type: "string" },
+    }, ["task_id", "status"]),
+    tool("rewind", "Rewind a task to a previous step", {
+        task_id: { type: "number" },
+        to_step: { type: "number" },
+    }, ["task_id", "to_step"]),
+    tool("get_web_response", "Fetch the pending web response payload for a task", {
+        task_id: { type: "number" },
+    }, ["task_id"]),
+    tool("submit_visual", "Submit visual HTML for a task step", {
+        task_id: { type: "number" },
+        node_id: { type: "number" },
+        visual_html: { type: "string" },
+    }, ["task_id", "node_id", "visual_html"]),
+    tool("save_artifacts", "Save artifacts for a task step", {
+        task_id: { type: "number" },
+        artifacts: { type: "array" },
+    }, ["task_id", "artifacts"]),
+    tool("load_artifacts", "Load artifacts for a task", {
+        task_id: { type: "number" },
+    }, ["task_id"]),
+    tool("get_comments", "List comments for a task", {
+        task_id: { type: "number" },
+    }, ["task_id"]),
+    tool("list_credentials", "List credentials available to the current user"),
+    tool("create_workflow", "Create a new workflow. Optionally place it in a specific folder_id (defaults to the caller's My Workspace).", {
+        title: { type: "string" },
+        description: { type: "string" },
+        version: { type: "string" },
+        parent_workflow_id: { type: "number" },
+        evaluation_contract: { type: "object" },
+        nodes: { type: "array" },
+        folder_id: { type: "number" },
+    }, ["title"]),
+    tool("update_workflow", "Update an existing workflow", {
+        workflow_id: { type: "number" },
+        title: { type: "string" },
+        description: { type: "string" },
+        version: { type: "string" },
+        evaluation_contract: { type: "object" },
+        create_new_version: { type: "boolean" },
+        nodes: { type: "array" },
+    }, ["workflow_id"]),
+    tool("delete_workflow", "Delete a workflow", {
+        workflow_id: { type: "number" },
+    }, ["workflow_id"]),
+    tool("save_findings", "Save one or more compliance findings for a task", {
+        task_id: { type: "number" },
+        findings: { type: "array" },
+    }, ["task_id", "findings"]),
+    tool("list_findings", "List compliance findings for a task", {
+        task_id: { type: "number" },
+    }, ["task_id"]),
+    tool("list_folders", "List folders visible to the current user. Optionally filter by parent_id.", {
+        parent_id: { type: "number" },
+    }),
+    tool("create_folder", "Create a new folder under an optional parent. Visibility defaults to 'personal'.", {
+        name: { type: "string" },
+        description: { type: "string" },
+        parent_id: { type: "number" },
+        visibility: { type: "string" },
+    }, ["name"]),
+    tool("share_folder", "Share a folder with a user group at the given access level (viewer or editor). Owner or admin only.", {
+        folder_id: { type: "number" },
+        group_id: { type: "number" },
+        access_level: { type: "string" },
+    }, ["folder_id", "group_id", "access_level"]),
+    tool("unshare_folder", "Remove a group share from a folder.", {
+        folder_id: { type: "number" },
+        group_id: { type: "number" },
+    }, ["folder_id", "group_id"]),
+    tool("move_workflow", "Move a workflow into a different folder. Caller must have edit permission on the destination folder.", {
+        workflow_id: { type: "number" },
+        folder_id: { type: "number" },
+    }, ["workflow_id", "folder_id"]),
+    tool("move_instruction", "Move an instruction into a different folder.", {
+        instruction_id: { type: "number" },
+        folder_id: { type: "number" },
+    }, ["instruction_id", "folder_id"]),
+    tool("transfer_workflow", "Transfer ownership of a workflow to another user. Owner, admin, or superuser only.", {
+        workflow_id: { type: "number" },
+        new_owner_id: { type: "number" },
+    }, ["workflow_id", "new_owner_id"]),
+    tool("list_my_groups", "List user groups the current user belongs to."),
+    /*
+  scan_repo is the single local-execution exception in an otherwise REST-thin MCP wrapper.
+  The REST backend has no visibility into the agent's filesystem, so delegating static
+  pattern scans to it is impossible without an upload/clone model. Keeping this step
+  in-process preserves determinism and reproducibility of compliance scans. All other
+  tools must stay thin proxies — do not replicate this pattern elsewhere.
+    */
+    tool("scan_repo", "리포지토리의 특정 경로를 정적 패턴(정규식)으로 스캔하여 컴플라이언스 리스크 신호를 찾아 반환합니다. korea-ota-code 룰셋이 내장되어 있으며, custom 패턴도 추가로 전달할 수 있습니다. [로컬 실행 예외: 이 도구는 REST 백엔드를 거치지 않고 에이전트 파일시스템에서 직접 스캔을 수행합니다.]", {
+        path: { type: "string" },
+        rule_set: { type: "string" },
+        custom_patterns: { type: "array" },
+        include_globs: { type: "array" },
+        max_matches: { type: "number" },
+        task_id: { type: "number" },
+    }, ["path"]),
+];
+server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools,
+}));
+server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const name = request.params.name;
+    const args = toArgs(request.params.arguments);
+    try {
+        switch (name) {
+            case "list_workflows": {
+                const qs = new URLSearchParams();
+                if (args.include_inactive === true)
+                    qs.set("include_inactive", "true");
+                if (typeof args.folder_id === "number")
+                    qs.set("folder_id", String(args.folder_id));
+                const suffix = qs.toString() ? `?${qs.toString()}` : "";
+                return wrap(await client.request("GET", `/api/workflows${suffix}`));
+            }
+            case "list_workflow_versions": {
+                const workflowId = requireNumberArg(args, "workflow_id");
+                return wrap(await client.request("GET", `/api/workflows/${workflowId}/versions`));
+            }
+            case "activate_workflow": {
+                const workflowId = requireNumberArg(args, "workflow_id");
+                return wrap(await client.request("POST", `/api/workflows/${workflowId}/activate`));
+            }
+            case "deactivate_workflow": {
+                const workflowId = requireNumberArg(args, "workflow_id");
+                return wrap(await client.request("POST", `/api/workflows/${workflowId}/deactivate`));
+            }
+            case "start_workflow":
+                return wrap(await client.request("POST", "/api/tasks/start", args));
+            case "execute_step": {
+                const taskId = requireNumberArg(args, "task_id");
+                const body = { ...args };
+                delete body.task_id;
+                return wrap(await client.request("POST", `/api/tasks/${taskId}/execute`, body));
+            }
+            case "advance": {
+                const taskId = requireNumberArg(args, "task_id");
+                const body = { ...args };
+                delete body.task_id;
+                return wrap(await client.request("POST", `/api/tasks/${taskId}/advance`, body));
+            }
+            case "heartbeat": {
+                const taskId = requireNumberArg(args, "task_id");
+                const body = { ...args };
+                delete body.task_id;
+                return wrap(await client.request("POST", `/api/tasks/${taskId}/heartbeat`, body));
+            }
+            case "complete_task": {
+                const taskId = requireNumberArg(args, "task_id");
+                const body = { ...args };
+                delete body.task_id;
+                return wrap(await client.request("POST", `/api/tasks/${taskId}/complete`, body));
+            }
+            case "rewind": {
+                const taskId = requireNumberArg(args, "task_id");
+                const body = { ...args };
+                delete body.task_id;
+                return wrap(await client.request("POST", `/api/tasks/${taskId}/rewind`, body));
+            }
+            case "get_web_response": {
+                const taskId = requireNumberArg(args, "task_id");
+                return wrap(await client.request("GET", `/api/tasks/${taskId}/respond`));
+            }
+            case "submit_visual": {
+                const taskId = requireNumberArg(args, "task_id");
+                const body = { ...args };
+                delete body.task_id;
+                return wrap(await client.request("POST", `/api/tasks/${taskId}/visual`, body));
+            }
+            case "save_artifacts": {
+                const taskId = requireNumberArg(args, "task_id");
+                const body = { ...args };
+                delete body.task_id;
+                return wrap(await client.request("POST", `/api/tasks/${taskId}/artifacts`, body));
+            }
+            case "load_artifacts": {
+                const taskId = requireNumberArg(args, "task_id");
+                return wrap(await client.request("GET", `/api/tasks/${taskId}/artifacts`));
+            }
+            case "get_comments": {
+                const taskId = requireNumberArg(args, "task_id");
+                return wrap(await client.request("GET", `/api/tasks/${taskId}/comments`));
+            }
+            case "list_credentials":
+                return wrap(await client.request("GET", "/api/credentials"));
+            case "create_workflow":
+                return wrap(await client.request("POST", "/api/workflows", args));
+            case "update_workflow": {
+                const workflowId = requireNumberArg(args, "workflow_id");
+                const body = { ...args };
+                delete body.workflow_id;
+                return wrap(await client.request("PUT", `/api/workflows/${workflowId}`, body));
+            }
+            case "delete_workflow": {
+                const workflowId = requireNumberArg(args, "workflow_id");
+                return wrap(await client.request("DELETE", `/api/workflows/${workflowId}`));
+            }
+            case "save_findings": {
+                const taskId = requireNumberArg(args, "task_id");
+                const body = { findings: args.findings };
+                return wrap(await client.request("POST", `/api/tasks/${taskId}/findings`, body));
+            }
+            case "list_findings": {
+                const taskId = requireNumberArg(args, "task_id");
+                return wrap(await client.request("GET", `/api/tasks/${taskId}/findings`));
+            }
+            /*
+      scan_repo is the single local-execution exception in an otherwise REST-thin MCP wrapper.
+      The REST backend has no visibility into the agent's filesystem, so delegating static
+      pattern scans to it is impossible without an upload/clone model. Keeping this step
+      in-process preserves determinism and reproducibility of compliance scans. All other
+      tools must stay thin proxies — do not replicate this pattern elsewhere.
+            */
+            case "list_folders": {
+                const qs = new URLSearchParams();
+                if (typeof args.parent_id === "number")
+                    qs.set("parent_id", String(args.parent_id));
+                const suffix = qs.toString() ? `?${qs.toString()}` : "";
+                return wrap(await client.request("GET", `/api/folders${suffix}`));
+            }
+            case "create_folder":
+                return wrap(await client.request("POST", "/api/folders", args));
+            case "share_folder": {
+                const folderId = requireNumberArg(args, "folder_id");
+                return wrap(await client.request("POST", `/api/folders/${folderId}/shares`, {
+                    group_id: args.group_id,
+                    access_level: args.access_level,
+                }));
+            }
+            case "unshare_folder": {
+                const folderId = requireNumberArg(args, "folder_id");
+                const groupId = requireNumberArg(args, "group_id");
+                return wrap(await client.request("DELETE", `/api/folders/${folderId}/shares/${groupId}`));
+            }
+            case "move_workflow": {
+                const workflowId = requireNumberArg(args, "workflow_id");
+                const folderId = requireNumberArg(args, "folder_id");
+                return wrap(await client.request("PUT", `/api/workflows/${workflowId}`, {
+                    folder_id: folderId,
+                }));
+            }
+            case "move_instruction": {
+                const instructionId = requireNumberArg(args, "instruction_id");
+                const folderId = requireNumberArg(args, "folder_id");
+                return wrap(await client.request("PUT", `/api/instructions/${instructionId}`, {
+                    folder_id: folderId,
+                }));
+            }
+            case "transfer_workflow": {
+                const workflowId = requireNumberArg(args, "workflow_id");
+                const newOwnerId = requireNumberArg(args, "new_owner_id");
+                return wrap(await client.request("POST", `/api/workflows/${workflowId}/transfer`, { new_owner_id: newOwnerId }));
+            }
+            case "list_my_groups":
+                return wrap(await client.request("GET", "/api/auth/me/groups"));
+            case "scan_repo":
+                return await scanRepoLocal(args);
+            default:
+                return wrapError(`Unknown tool: ${name}`);
+        }
+    }
+    catch (error) {
+        if (error instanceof BlueKiwiAuthError) {
+            return wrap({
+                error: "auth_failed",
+                hint: "Run `npx bluekiwi status` to verify your config, or re-authenticate with `npx bluekiwi accept <new-token>`.",
+            });
+        }
+        if (error instanceof BlueKiwiApiError && error.status >= 500) {
+            return wrap({
+                error: "server_error",
+                status: error.status,
+                hint: `${apiUrl.replace(/\/$/, "")}/api/health`,
+            });
+        }
+        if (error instanceof BlueKiwiNetworkError) {
+            return wrap({
+                error: "network_error",
+                message: error.message,
+            });
+        }
+        return wrapError(error instanceof Error ? error.message : String(error));
+    }
+});
+const transport = new StdioServerTransport();
+await server.connect(transport);
+function tool(name, description, properties, required) {
+    return {
+        name,
+        description,
+        inputSchema: {
+            type: "object",
+            properties,
+            required,
+        },
+    };
+}
+function toArgs(args) {
+    return args ?? {};
+}
+function requireNumberArg(args, key) {
+    const value = args[key];
+    if (typeof value !== "number" || Number.isNaN(value)) {
+        throw new Error(`${key} must be a number`);
+    }
+    return value;
+}
+function wrap(data) {
+    return {
+        content: [{ type: "text", text: JSON.stringify(data) }],
+    };
+}
+function wrapError(message) {
+    return {
+        content: [{ type: "text", text: JSON.stringify({ error: message }) }],
+        isError: true,
+    };
+}
+async function scanRepoLocal(args) {
+    const scanPath = args["path"];
+    if (typeof scanPath !== "string" || scanPath.trim().length === 0) {
+        return wrapError("path must be a non-empty string");
+    }
+    if (scanPath.includes("\u0000")) {
+        return wrapError("path contains a null byte");
+    }
+    const rawRuleSet = args["rule_set"];
+    let ruleSet = "korea-ota-code";
+    if (rawRuleSet !== undefined) {
+        if (typeof rawRuleSet !== "string") {
+            return wrapError("rule_set must be a string");
+        }
+        if (rawRuleSet !== "korea-ota-code" && rawRuleSet !== "none") {
+            return wrapError("rule_set must be 'korea-ota-code' or 'none'");
+        }
+        ruleSet = rawRuleSet;
+    }
+    const rawIncludeGlobs = args["include_globs"];
+    let includeGlobs = SCAN_REPO_DEFAULT_GLOBS;
+    if (rawIncludeGlobs !== undefined) {
+        if (!Array.isArray(rawIncludeGlobs) ||
+            rawIncludeGlobs.some((glob) => typeof glob !== "string")) {
+            return wrapError("include_globs must be an array of strings");
+        }
+        includeGlobs = rawIncludeGlobs;
+    }
+    const rawMaxMatches = args["max_matches"];
+    let maxMatches = 200;
+    if (rawMaxMatches !== undefined) {
+        if (typeof rawMaxMatches !== "number" ||
+            Number.isNaN(rawMaxMatches) ||
+            !Number.isFinite(rawMaxMatches)) {
+            return wrapError("max_matches must be a number");
+        }
+        maxMatches = Math.min(1000, Math.max(1, Math.floor(rawMaxMatches)));
+    }
+    const rawTaskId = args["task_id"];
+    let taskId = null;
+    if (rawTaskId !== undefined) {
+        if (typeof rawTaskId !== "number" ||
+            Number.isNaN(rawTaskId) ||
+            !Number.isFinite(rawTaskId)) {
+            return wrapError("task_id must be a number");
+        }
+        taskId = rawTaskId;
+    }
+    const rawCustomPatterns = args["custom_patterns"];
+    const customPatterns = [];
+    if (rawCustomPatterns !== undefined) {
+        if (!Array.isArray(rawCustomPatterns)) {
+            return wrapError("custom_patterns must be an array");
+        }
+        for (const pattern of rawCustomPatterns) {
+            if (!pattern || typeof pattern !== "object") {
+                return wrapError("custom_patterns entries must be objects");
+            }
+            const entry = pattern;
+            const id = entry["id"];
+            const regex = entry["regex"];
+            const description = entry["description"];
+            const severity = entry["severity"];
+            if (typeof id !== "string" || id.trim().length === 0) {
+                return wrapError("custom_patterns entry id must be a non-empty string");
+            }
+            if (typeof regex !== "string" || regex.length === 0) {
+                return wrapError(`custom_patterns entry regex missing for id ${id}`);
+            }
+            if (description !== undefined && typeof description !== "string") {
+                return wrapError(`custom_patterns entry description must be a string for id ${id}`);
+            }
+            if (severity !== undefined &&
+                severity !== "BLOCK" &&
+                severity !== "REVIEW" &&
+                severity !== "WARN" &&
+                severity !== "INFO") {
+                return wrapError(`custom_patterns entry severity invalid for id ${id}`);
+            }
+            customPatterns.push({
+                id,
+                regex,
+                description: typeof description === "string" ? description : undefined,
+                severity: severity === undefined ? undefined : severity,
+            });
+        }
+    }
+    const workspaceCwd = path.resolve(process.cwd());
+    const resolvedScanPath = path.resolve(workspaceCwd, scanPath);
+    if (resolvedScanPath.includes("\u0000")) {
+        return wrapError("scan path contains a null byte");
+    }
+    const workspacePrefix = workspaceCwd.endsWith(path.sep)
+        ? workspaceCwd
+        : workspaceCwd + path.sep;
+    if (resolvedScanPath !== workspaceCwd &&
+        !resolvedScanPath.startsWith(workspacePrefix)) {
+        return wrapError("scan path escapes workspace");
+    }
+    let scanStat;
+    try {
+        scanStat = await fs.promises.stat(resolvedScanPath);
+    }
+    catch {
+        return wrapError("scan path does not exist");
+    }
+    const compiledPatterns = [];
+    function normalizeFlags(flags) {
+        const flagSet = new Set(flags.split("").filter(Boolean));
+        flagSet.add("g");
+        const ordered = ["g", "i", "m", "s", "u", "y", "d"];
+        return ordered.filter((flag) => flagSet.has(flag)).join("");
+    }
+    if (ruleSet !== "none") {
+        for (const pattern of KOREA_OTA_PATTERNS) {
+            compiledPatterns.push({
+                id: pattern.id,
+                severity: pattern.severity,
+                description: pattern.description,
+                regex: new RegExp(pattern.source, normalizeFlags(pattern.flags)),
+            });
+        }
+    }
+    for (const pattern of customPatterns) {
+        try {
+            compiledPatterns.push({
+                id: pattern.id,
+                severity: pattern.severity ?? "INFO",
+                description: pattern.description ?? "",
+                regex: new RegExp(pattern.regex, "g"),
+            });
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return wrapError(`custom pattern failed to compile: ${pattern.id}: ${message}`);
+        }
+    }
+    function toPosixPath(p) {
+        return p.split(path.sep).join("/");
+    }
+    function truncate(text, maxLen) {
+        return text.length <= maxLen ? text : text.slice(0, maxLen);
+    }
+    function globToRegExp(glob) {
+        function globPartToRegexSource(part) {
+            let out = "";
+            for (let i = 0; i < part.length; i += 1) {
+                const char = part[i];
+                if (char === "*") {
+                    out += "[^/]*";
+                    continue;
+                }
+                if (char === "{") {
+                    const endIndex = part.indexOf("}", i + 1);
+                    if (endIndex === -1) {
+                        out += "\\{";
+                        continue;
+                    }
+                    const inner = part.slice(i + 1, endIndex);
+                    const options = inner.split(",").map((value) => value.trim());
+                    const optionSources = options.map((option) => globPartToRegexSource(option));
+                    out += `(?:${optionSources.join("|")})`;
+                    i = endIndex;
+                    continue;
+                }
+                if (/[\\^$+?.()|[\]{}]/.test(char)) {
+                    out += `\\${char}`;
+                    continue;
+                }
+                out += char;
+            }
+            return out;
+        }
+        return new RegExp(`^${globPartToRegexSource(glob)}$`);
+    }
+    const includeMatchers = includeGlobs.map((glob) => ({
+        matchBasename: !glob.includes("/"),
+        regex: globToRegExp(glob),
+    }));
+    const matches = [];
+    const byRule = {};
+    const bySeverity = {
+        BLOCK: 0,
+        REVIEW: 0,
+        WARN: 0,
+        INFO: 0,
+    };
+    let filesScanned = 0;
+    let filesSkipped = 0;
+    let truncatedOutput = false;
+    function shouldIncludeFile(relativePosixPath) {
+        if (includeMatchers.length === 0) {
+            return true;
+        }
+        const base = path.posix.basename(relativePosixPath);
+        return includeMatchers.some((matcher) => matcher.regex.test(matcher.matchBasename ? base : relativePosixPath));
+    }
+    async function scanFile(absolutePath) {
+        if (truncatedOutput) {
+            return;
+        }
+        const relativePath = toPosixPath(path.relative(workspaceCwd, absolutePath));
+        if (!shouldIncludeFile(relativePath)) {
+            return;
+        }
+        let fileStat;
+        try {
+            fileStat = await fs.promises.stat(absolutePath);
+        }
+        catch {
+            filesSkipped += 1;
+            return;
+        }
+        if (fileStat.size > 1024 * 1024) {
+            filesSkipped += 1;
+            return;
+        }
+        let content;
+        try {
+            content = await fs.promises.readFile(absolutePath, "utf8");
+        }
+        catch {
+            filesSkipped += 1;
+            return;
+        }
+        filesScanned += 1;
+        const lines = content.split(/\r?\n/);
+        for (let lineIndex = 0; lineIndex < lines.length; lineIndex += 1) {
+            if (truncatedOutput) {
+                break;
+            }
+            const line = lines[lineIndex];
+            for (const pattern of compiledPatterns) {
+                if (truncatedOutput) {
+                    break;
+                }
+                for (const match of line.matchAll(pattern.regex)) {
+                    const matchedText = match[0] ?? "";
+                    const index = match.index ?? 0;
+                    matches.push({
+                        rule_id: pattern.id,
+                        severity: pattern.severity,
+                        file: relativePath,
+                        line: lineIndex + 1,
+                        column: index + 1,
+                        match: truncate(matchedText, 200),
+                        snippet: truncate(line, 300),
+                        description: pattern.description,
+                    });
+                    byRule[pattern.id] = (byRule[pattern.id] ?? 0) + 1;
+                    bySeverity[pattern.severity] += 1;
+                    if (matches.length >= maxMatches) {
+                        truncatedOutput = true;
+                        break;
+                    }
+                }
+            }
+        }
+    }
+    async function walkDirectory(directoryPath) {
+        if (truncatedOutput) {
+            return;
+        }
+        let entries;
+        try {
+            entries = await fs.promises.readdir(directoryPath, {
+                withFileTypes: true,
+            });
+        }
+        catch {
+            return;
+        }
+        entries.sort((a, b) => a.name.localeCompare(b.name));
+        for (const entry of entries) {
+            if (truncatedOutput) {
+                break;
+            }
+            if (entry.isDirectory()) {
+                if (SCAN_REPO_SKIP_DIRS.has(entry.name)) {
+                    continue;
+                }
+                await walkDirectory(path.join(directoryPath, entry.name));
+                continue;
+            }
+            if (entry.isFile()) {
+                await scanFile(path.join(directoryPath, entry.name));
+            }
+        }
+    }
+    if (compiledPatterns.length === 0) {
+        return wrap({
+            scanned_path: scanStat.isDirectory()
+                ? toPosixPath(path.relative(workspaceCwd, resolvedScanPath)) || "."
+                : toPosixPath(path.relative(workspaceCwd, resolvedScanPath)),
+            rule_set: ruleSet,
+            patterns_applied: 0,
+            files_scanned: 0,
+            files_skipped: 0,
+            total_matches: 0,
+            truncated: false,
+            by_rule: {},
+            by_severity: bySeverity,
+            matches: [],
+            task_id: taskId,
+        });
+    }
+    if (scanStat.isDirectory()) {
+        await walkDirectory(resolvedScanPath);
+    }
+    else if (scanStat.isFile()) {
+        await scanFile(resolvedScanPath);
+    }
+    else {
+        return wrapError("scan path must be a file or directory");
+    }
+    const relativeScannedPath = toPosixPath(path.relative(workspaceCwd, resolvedScanPath));
+    return wrap({
+        scanned_path: relativeScannedPath.length === 0 ? "." : relativeScannedPath,
+        rule_set: ruleSet,
+        patterns_applied: compiledPatterns.length,
+        files_scanned: filesScanned,
+        files_skipped: filesSkipped,
+        total_matches: matches.length,
+        truncated: truncatedOutput,
+        by_rule: byRule,
+        by_severity: bySeverity,
+        matches,
+        task_id: taskId,
+    });
+}
+function parseApiKeyFlag() {
+    const index = process.argv.indexOf("--api-key");
+    return index >= 0 ? process.argv[index + 1] : undefined;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bluekiwi",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "BlueKiwi CLI — install MCP client and skills into your agent runtime",
   "license": "MIT",
   "repository": {