claude-code-station 0.2.1

package/bin/ccs-secrets.ts

@@ -0,0 +1,104 @@
+/**
+ * ccs-secrets.ts — Unified secret detection for ccs (scan + preview).
+ *
+ * Single source of truth for secret-masking patterns. Both the scan engine
+ * (which writes `first_line` columns into state.db) and the fzf preview pane
+ * (which renders session text live) import from here so no credential can
+ * land in cache or terminal output through pattern drift.
+ *
+ * All matches are replaced with the sentinel [REDACTED].
+ */
+
+/*
+ * Pattern origins:
+ *   anthropic     = Anthropic API key (sk-ant-...)
+ *   openai        = OpenAI API key (sk-... excluding sk-ant-)
+ *   github-pat    = GitHub Personal Access Token
+ *   github-oauth  = GitHub OAuth access token
+ *   github-server = GitHub server-to-server token (GitHub Apps)
+ *   github-user   = GitHub user-to-server token
+ *   github-refresh= GitHub OAuth refresh token
+ *   github-fine   = GitHub fine-grained personal access token (github_pat_)
+ *   gitlab-pat    = GitLab personal access token (glpat-)
+ *   google-oauth  = Google OAuth client secret (GOCSPX-)
+ *   sendgrid      = SendGrid API key (SG.xxx.yyy)
+ *   npm-token     = npm automation/publish token (npm_)
+ *   slack-webhook = Slack incoming-webhook URL (hooks.slack.com/services/...)
+ *   aws-access    = AWS long-lived access key ID (AKIA prefix)
+ *   aws-sts       = AWS STS temporary session credentials (ASIA prefix)
+ *   google-api    = Google API key (AIza prefix)
+ *   stripe-live   = Stripe live-mode secret/restricted key (sk_live / rk_live)
+ *   stripe-test   = Stripe test-mode secret/restricted key (sk_test / rk_test)
+ *   twilio-account= Twilio Account SID (AC + 32 hex chars)
+ *   slack-token   = Slack bot/user/app/refresh/OAuth token family (xox[baprs])
+ *   jwt           = JSON Web Token (3 base64url segments separated by dots)
+ *   bearer        = "Bearer " Authorization header token
+ *   op-ref        = 1Password op:// secret reference
+ *   url-cred      = Any URL with embedded user:password credentials
+ *                   (postgres/mysql/mongodb/redis/https/..., incl. +srv)
+ *   env-assign    = Generic KEY=value / KEY: value assignment where the name
+ *                   ends in KEY/TOKEN/SECRET/PASSWORD (catch-all for pasted
+ *                   .env lines and handoff notes)
+ *   private-key   = PEM-encoded private key block
+ */
+export const SECRET_PATTERNS: { name: string; re: RegExp }[] = [
+  { name: "anthropic", re: /sk-ant-[A-Za-z0-9_-]{20,}/g },
+  { name: "openai", re: /sk-(?!ant-)[A-Za-z0-9_-]{20,}/g },
+  { name: "github-pat", re: /ghp_[A-Za-z0-9]{36,}/g },
+  { name: "github-oauth", re: /gho_[A-Za-z0-9]{36,}/g },
+  { name: "github-server", re: /ghs_[A-Za-z0-9]{36,}/g },
+  { name: "github-user", re: /ghu_[A-Za-z0-9]{36,}/g },
+  { name: "github-refresh", re: /ghr_[A-Za-z0-9]{36,}/g },
+  { name: "github-fine", re: /github_pat_[A-Za-z0-9_]{22,}/g },
+  { name: "gitlab-pat", re: /glpat-[A-Za-z0-9_-]{20,}/g },
+  { name: "google-oauth", re: /GOCSPX-[A-Za-z0-9_-]{20,}/g },
+  { name: "sendgrid", re: /SG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}/g },
+  { name: "npm-token", re: /npm_[A-Za-z0-9]{36}/g },
+  { name: "slack-webhook", re: /hooks\.slack\.com\/services\/\S+/g },
+  { name: "aws-access", re: /AKIA[A-Z0-9]{16}/g },
+  { name: "aws-sts", re: /ASIA[A-Z0-9]{16}/g },
+  { name: "google-api", re: /AIza[A-Za-z0-9_-]{35}/g },
+  { name: "stripe-live", re: /[sr]k_live_[A-Za-z0-9]{24,}/g },
+  { name: "stripe-test", re: /[sr]k_test_[A-Za-z0-9]{24,}/g },
+  // Case-insensitive hex: Twilio renders SIDs lowercase today, but tooling
+  // and docs frequently uppercase them — both must mask (review C-3).
+  { name: "twilio-account", re: /AC[a-fA-F0-9]{32}/g },
+  { name: "slack-token", re: /xox[baprs]-[A-Za-z0-9-]{10,}/g },
+  {
+    name: "jwt",
+    re: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g,
+  },
+  { name: "bearer", re: /Bearer\s+[A-Za-z0-9._-]{20,}/g },
+  { name: "op-ref", re: /op:\/\/[A-Za-z0-9._/-]+/g },
+  {
+    // Any scheme (postgres/mysql/mongodb/redis/https/...) with a user:password
+    // userinfo component — broader than the old db-url pattern so credentials
+    // in plain https:// URLs are caught too.
+    name: "url-cred",
+    re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:@/]+:[^\s:@/]+@[^\s]+/gi,
+  },
+  {
+    // Conservative catch-all: only fires on ALL-CAPS env-style names ending in
+    // a credential-ish suffix, so prose like "the key: rotate it" stays intact.
+    name: "env-assign",
+    re: /\b[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)\s*[=:]\s*\S{8,}/g,
+  },
+  {
+    name: "private-key",
+    re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]+?-----END [A-Z ]*PRIVATE KEY-----/g,
+  },
+];
+
+const REPLACEMENT = "[REDACTED]";
+
+/**
+ * Mask all known secret patterns in the given string.
+ * Returns a new string; the original is not mutated.
+ */
+export function maskSecrets(input: string): string {
+  let out = input;
+  for (const { re } of SECRET_PATTERNS) {
+    out = out.replace(re, REPLACEMENT);
+  }
+  return out;
+}

package/bin/ccs-time.ts

@@ -0,0 +1,27 @@
+/**
+ * ccs-time.ts — Shared timestamp parsing for ccs list/preview renderers.
+ *
+ * state.db holds two timestamp shapes (audit logic H-2 / M-1):
+ *   1. ISO 8601 with offset — e.g. "2026-06-12T03:04:05.000Z"
+ *      (written by nowIso() / JSONL timestamps / mtime conversions)
+ *   2. SQLite naive datetime — e.g. "2026-06-12 03:04:05"
+ *      (written by `datetime('now')` DDL defaults; always UTC per SQLite docs)
+ *
+ * `Date.parse` interprets shape 2 as LOCAL time on V8, which would skew
+ * rendered ages by the UTC offset (+9h in JST). Every consumer must therefore
+ * parse DB timestamps through this module instead of calling Date.parse
+ * directly.
+ */
+
+/** Normalize a DB timestamp to an unambiguous ISO 8601 UTC string. */
+export function normalizeDbTime(iso: string): string {
+  return iso.includes("T") ? iso : iso.replace(" ", "T") + "Z";
+}
+
+/**
+ * Parse a DB timestamp into epoch milliseconds.
+ * Returns NaN for unparseable input (callers decide the fallback).
+ */
+export function parseDbTime(iso: string): number {
+  return Date.parse(normalizeDbTime(iso));
+}

package/bin/ccs-utils.ts

@@ -0,0 +1,161 @@
+/**
+ * ccs-utils.ts — Shared helpers for ccs scan/list/preview modules.
+ *
+ * Single source of truth for display-text truncation, relative-time
+ * bucketing, JSONL message-content extraction, and cross-module constants
+ * (review A-1/A-2/A-3/K-8). Before this module existed, each renderer kept
+ * its own copy of these helpers with "keep in sync" comments — and they
+ * drifted. Behavioral differences must now be expressed as explicit options,
+ * never as parallel implementations.
+ */
+
+import { stripControlChars } from "./ccs-sanitize.ts";
+import { parseDbTime } from "./ccs-time.ts";
+
+// ---------------------------------------------------------------------------
+// Cross-module constants
+// ---------------------------------------------------------------------------
+
+/** Session JSONL files above this size are never read into memory. */
+export const MAX_JSONL_SIZE = 50 * 1024 * 1024;
+
+/** Canonical session-UUID gate. Bash copies live in bin/ccs and ccs-delete.sh. */
+export const UUID_RE =
+  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
+
+/** Current time as ISO 8601 UTC — the only timestamp format ccs writes. */
+export function nowIso(): string {
+  return new Date().toISOString();
+}
+
+// ---------------------------------------------------------------------------
+// Display truncation
+// ---------------------------------------------------------------------------
+
+/**
+ * Single-line display truncation: strips control chars (incl. ESC, DEL),
+ * collapses whitespace runs, and clips to `max` with an ellipsis.
+ *
+ * Display-side defense against terminal-escape injection (audit NEW-1):
+ * fzf renders the list with --ansi and the preview pane prints raw to the
+ * terminal. Intake sanitization in ccs-scan is the first line of defense.
+ */
+export function truncate(s: string, max: number): string {
+  if (!s) return "";
+  const flat = stripControlChars(s);
+  return flat.length <= max ? flat : flat.slice(0, max - 1) + "…";
+}
+
+// ---------------------------------------------------------------------------
+// Time formatting
+// ---------------------------------------------------------------------------
+
+export type TimeBucket =
+  | { kind: "now" } // < 1 minute (incl. clock skew into the future)
+  | { kind: "m" | "h" | "d" | "w"; value: number }
+  | { kind: "date"; iso: string } // >= 4 weeks → absolute YYYY-MM-DD
+  | { kind: "invalid" };
+
+/**
+ * Bucket a DB timestamp for relative display. The thresholds
+ * (<1m / <60m / <24h / <7d / <4w / absolute date) are the single source of
+ * truth shared by the list badges and the preview pane, so the same
+ * timestamp can never render as "52w" in one place and "2025-06-12" in the
+ * other (audit logic L-3).
+ */
+export function timeBucket(
+  iso: string | null | undefined,
+  nowMs: number = Date.now(),
+): TimeBucket {
+  if (!iso) return { kind: "invalid" };
+  // parseDbTime, not Date.parse: naive "YYYY-MM-DD HH:MM:SS" values from
+  // SQLite are UTC and must not be parsed as local time (audit logic H-2).
+  const t = parseDbTime(iso);
+  if (Number.isNaN(t)) return { kind: "invalid" };
+  const diffMs = nowMs - t;
+  if (diffMs < 60_000) return { kind: "now" };
+  const m = Math.floor(diffMs / 60_000);
+  if (m < 60) return { kind: "m", value: m };
+  const h = Math.floor(m / 60);
+  if (h < 24) return { kind: "h", value: h };
+  const d = Math.floor(h / 24);
+  if (d < 7) return { kind: "d", value: d };
+  const w = Math.floor(d / 7);
+  if (w < 4) return { kind: "w", value: w };
+  return { kind: "date", iso: new Date(t).toISOString().slice(0, 10) };
+}
+
+/**
+ * Render a DB timestamp as relative age ("5m ago", "3d ago") or an absolute
+ * date past 4 weeks. `invalid` is returned for null/unparseable input —
+ * list badges pass "" (badge omitted), the preview pane passes "-".
+ */
+export function formatRelativeTime(
+  iso: string | null | undefined,
+  invalid = "-",
+): string {
+  const b = timeBucket(iso);
+  switch (b.kind) {
+    case "invalid":
+      return invalid;
+    case "now":
+      return "<1m ago";
+    case "date":
+      return b.iso;
+    default:
+      return `${b.value}${b.kind} ago`;
+  }
+}
+
+/** Render a DB timestamp as local "YYYY-MM-DD HH:MM"; `invalid` on failure. */
+export function formatDateTime(
+  iso: string | null | undefined,
+  invalid = "-",
+): string {
+  if (!iso) return invalid;
+  const d = new Date(parseDbTime(iso));
+  if (Number.isNaN(d.getTime())) return invalid;
+  const pad = (n: number) => String(n).padStart(2, "0");
+  return `${d.getFullYear()}-${pad(d.getMonth() + 1)}-${pad(d.getDate())} ${pad(d.getHours())}:${pad(d.getMinutes())}`;
+}
+
+// ---------------------------------------------------------------------------
+// JSONL message-content extraction
+// ---------------------------------------------------------------------------
+
+export interface ExtractTextOptions {
+  /**
+   * Include "[tool: name]" / "[tool result]" placeholders for non-text
+   * blocks. The conversation preview wants them (visual flow); topic
+   * extraction in the scanner does not (the topic is the user's words).
+   */
+  includeToolBlocks?: boolean;
+}
+
+/**
+ * Flatten a Claude Code JSONL `message.content` value (string or block
+ * array) into one string. Shared by topic extraction (ccs-scan-sessions)
+ * and the conversation preview (ccs-preview-session); the historical bug
+ * class here was two copies drifting apart behind a "keep in sync" comment
+ * (review A-2) — behavioral differences belong in `opts`, not in forks.
+ */
+export function extractText(
+  content: unknown,
+  opts: ExtractTextOptions = {},
+): string {
+  if (typeof content === "string") return content;
+  if (!Array.isArray(content)) return "";
+  const texts: string[] = [];
+  for (const block of content) {
+    if (!block || typeof block !== "object") continue;
+    const b = block as { type?: unknown; text?: unknown; name?: unknown };
+    if (b.type === "text" && typeof b.text === "string") {
+      texts.push(b.text);
+    } else if (opts.includeToolBlocks && b.type === "tool_use") {
+      texts.push(`[tool: ${typeof b.name === "string" ? b.name : "?"}]`);
+    } else if (opts.includeToolBlocks && b.type === "tool_result") {
+      texts.push("[tool result]");
+    }
+  }
+  return texts.join(" ");
+}

package/docs/design/repos-yml-schema.md

@@ -0,0 +1,217 @@
+# repos.yml スキーマ設計
+
+> ccs v0.2.0 — リポジトリ定義ファイルのフォーマット仕様
+
+## 配置
+
+- パス: `~/.config/ccs/repos.yml`
+- 初回 `ccs` 実行時、存在しなければテンプレートと `README.md` を自動生成
+
+## トップレベル構造
+
+```yaml
+version: 1                    # スキーマバージョン（必須、現在 1）
+defaults:                     # 全リポジトリのデフォルト値（任意）
+  command: "claude"
+repos:                        # リポジトリ定義配列（必須、1件以上）
+  - name: ClaudeCode
+    path: ~/.claude
+    description: Claude Code設定
+    ...
+```
+
+## `repos[]` エントリのフィールド
+
+| フィールド | 型 | 必須 | デフォルト | 説明 |
+|---|---|:---:|---|---|
+| `name` | string | ✅ | — | 表示名（fzf行に出る、日本語可） |
+| `path` | string | ✅* | — | リポジトリのフルパス。`~` 展開あり |
+| `description` | string | — | `""` | プレビュー補助情報 |
+| `command` | string | — | `defaults.command` or `claude` | 起動コマンド。特殊な場合は丸ごと上書き |
+| `cwd` | string | — | `path` | 起動時の作業ディレクトリ（通常は `path` と同じ） |
+| `tags` | string[] | — | `[]` | 絞り込み用タグ（例: `["work", "backend"]`） |
+| `disabled` | bool | — | `false` | true ならリストから除外 |
+| `scan` | bool | — | `true` | false なら状態走査をスキップ（非git含む） |
+| `icon` | string | — | `📁` | 表示アイコン（絵文字1文字推奨） |
+| `custom` | object | — | `{}` | 外部システム連携情報。任意のキー/値ペア（後述） |
+
+\* `path` は `command` に `cwd:` が含まれる特殊ケースを除き必須。
+
+### `custom` フィールド（外部システム連携）
+
+ユーザー固有の連携情報を自由に保持できる。プレビューペインで「連携バッジ」として表示され、未入力なら表示しない。
+
+**よくある例:**
+
+```yaml
+repos:
+  - name: My Project
+    path: ~/projects/my-project
+    custom:
+      plane_project_id: "abc12345-xxxx"
+      plane_url: "https://plane.example.com/my-project"
+      attio_workspace: "acme-corp"
+      notion_db: "abc123"
+      linear_team: "PROJ"
+      slack_channel: "#dev-general"
+      figma_file: "https://www.figma.com/file/example123"
+```
+
+**プレビュー表示例:**
+
+```
+🔗 Integrations
+   Plane:    ✅ abc12345-xxxx
+   Attio:    ✅ acme-corp
+   Notion:   ✅ abc123
+   Slack:    ✅ #dev-general
+```
+
+**仕様:**
+- `custom` の値は文字列・数値・bool・配列・ネストobject 何でも可（JSON保存）
+- 既知キー（後述の組み込み連携）は専用の表示ロジックでバッジ化
+- 未知キーは `key: value` の形でそのまま表示
+
+**組み込み既知キー（v0.2.0）:**
+
+| キー | 表示 | 備考 |
+|---|---|---|
+| `plane_project_id` | Plane バッジ | `plane_url` あればURL併記 |
+| `plane_url` | — | バッジリンク用 |
+| `attio_workspace` | Attio バッジ | |
+| `notion_db` | Notion バッジ | |
+| `linear_team` | Linear バッジ | |
+| `slack_channel` | Slack バッジ | `#` 自動付与 |
+| `github_repo` | GitHub バッジ | `owner/repo` 形式 |
+| `figma_file` | Figma バッジ | URL でも ID でも可 |
+
+**未知キーの扱い:**
+- そのまま `key: value` 形式で「Other Integrations」セクションに表示
+- 将来需要が高まったキーは組み込み既知キーに昇格
+
+**バリデーション:**
+- `custom` がobjectでない → エラー
+- 中身の型は問わない（ユーザー責任）
+- シークレット混入注意（APIキー等は書かない、URL/IDのみ推奨）
+
+## バリデーションルール
+
+| ルール | エラー例 |
+|---|---|
+| `version` は整数、現在サポートは `1` のみ | `unsupported version: 2` |
+| `name` はユニーク | `duplicate name: "ClaudeCode"` |
+| `path` 存在チェック | `path not found: ~/projects/foo`（警告扱い、disabled 推奨） |
+| `path` は `$HOME` 配下必須 | `path outside $HOME: /etc/foo`（セキュリティ） |
+| `name` に shell metachar 不可 (`;&\|<>$\`"'\\` + 全制御文字 = `SHELL_METACHARS`、audit NEW-3。`path`/`cwd`/`command` と同一ポリシー) | `~/.config/ccs/repos.yml: repos[0].name contains shell metacharacter(s) or control char(s): "..."` |
+| `command` に shell metachar 不可 (`;&\|<>$\`"'\\` + 制御文字) | `~/.config/ccs/repos.yml: repos[0].command contains shell metacharacter(s): "claude;..."` |
+| `defaults.command`（CCS_CMD/CCR_CMD 由来含む）もロード時に同検証（レビューA-6） | `~/.config/ccs/repos.yml: defaults.command (resolved from defaults.command / CCS_CMD / CCR_CMD) contains shell metacharacter(s): "..."` |
+| `custom` のJSONサイズ 64KB 上限 | `~/.config/ccs/repos.yml: repos[0].custom exceeds 64KB JSON size limit` |
+| `disabled: true` の場合 scan/command 無視 | — |
+
+## 例1: シンプル
+
+```yaml
+version: 1
+repos:
+  - name: ClaudeCode
+    path: ~/.claude
+    description: Claude Code設定
+  - name: My Project
+    path: ~/projects/my-project
+    description: Main development repository
+    tags: [work]
+```
+
+## 例2: 特殊コマンド対応（CMS dev server起動など）
+
+```yaml
+version: 1
+defaults:
+  command: "claude"
+repos:
+  - name: ClaudeCode
+    path: ~/.claude
+
+  - name: CMS (dev server)
+    path: ~/sites/blog-cms
+    command: "npm run develop"
+    icon: "🚀"
+    scan: false                # Claude起動じゃないので状態走査不要
+    tags: [dev-server]
+
+  - name: personal-notes
+    path: ~/projects/personal-notes
+    tags: [personal]
+    disabled: true             # 今は使わない
+```
+
+## 例3: 1Passwordラッパー付き（CCR_CMD互換）
+
+```yaml
+version: 1
+defaults:
+  command: "opr claude"        # 全リポジトリで opr ラッパー経由
+repos:
+  - name: Startup MVP
+    path: ~/work/startup-mvp
+  - name: My Project
+    path: ~/projects/my-project
+```
+
+## 環境変数との優先順位
+
+`repos[].command` > `defaults.command` > `CCS_CMD` 環境変数 > `"claude"`
+
+**設計意図**: per-repo の明示的指定（`command:` フィールド）が常に最優先。`CCS_CMD` env は「全リポジトリ共通のラッパー（例: `opr claude`）を `defaults.command` 未指定時に注入したい」用途のフォールバックとして機能する。CMS 起動のような特殊コマンドが env で踏み潰されるのを防ぐため、env を最弱に置く。
+
+ccr v0.1.3 の `CCR_CMD` は `CCS_CMD` にリネーム（移行ガイドで明記、CCR_CMD指定時は警告ログ + 暫定honor）。
+
+**Security note**: `CCS_CMD` / `CCR_CMD` env values are subject to the same shell metacharacter rejection as `command:` in YAML. If env-sourced value contains any forbidden character, `loadConfig()` throws `ConfigError` before launch.
+
+**未マッピングセッションへの適用（レビューA-8）**: repos.yml に登録されていない cwd のセッション（fzf 上で `❓` 表示）も、この優先順位の `defaults.command` 以降のチェーンに従う。scan 時に解決済みフォールバックが state.db の `meta.defaults_command` に保存され、ccs-list が RESUME 行の起動コマンドとして使用する（旧実装はハードコードの `"claude"` 固定だった）。
+
+## JSON Schema（抜粋）
+
+```json
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "required": ["version", "repos"],
+  "properties": {
+    "version": { "const": 1 },
+    "defaults": {
+      "type": "object",
+      "properties": {
+        "command": { "type": "string" }
+      }
+    },
+    "repos": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "type": "object",
+        "required": ["name"],
+        "properties": {
+          "name": { "type": "string", "pattern": "^[^\\t\\n\\\\]+$" },
+          "path": { "type": "string" },
+          "description": { "type": "string" },
+          "command": { "type": "string" },
+          "cwd": { "type": "string" },
+          "tags": { "type": "array", "items": { "type": "string" } },
+          "disabled": { "type": "boolean" },
+          "scan": { "type": "boolean" },
+          "icon": { "type": "string", "maxLength": 4 },
+          "custom": { "type": "object", "additionalProperties": true }
+        }
+      }
+    }
+  }
+}
+```
+
+## 将来拡張（v0.3.0以降・未実装）
+
+- `group`: リポジトリのグループ化（fzfヘッダーでグループ切替）
+- `env`: リポジトリ毎の環境変数注入
+- `post_launch`: 起動後に実行するフック
+- `priority`: ソート重み（上に出したいリポジトリ）