claude-opencode-viewer 2.6.51 → 2.6.52

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/index-pc.html CHANGED
@@ -958,6 +958,7 @@
958
958
  <select id="mode-select">
959
959
  <option value="opencode">OpenCode</option>
960
960
  <option value="claude">Claude</option>
961
+ <option value="shell">Shell</option>
961
962
  </select>
962
963
  </div>
963
964
  </div>
@@ -1675,7 +1676,7 @@
1675
1676
  currentMode = mode;
1676
1677
  modeSelect.value = mode;
1677
1678
  document.getElementById('mode-label').textContent = '';
1678
- var label = mode === 'claude' ? 'Claude' : 'OpenCode';
1679
+ var label = mode === 'claude' ? 'Claude' : mode === 'shell' ? 'Shell' : 'OpenCode';
1679
1680
  var initOv = document.getElementById('init-overlay');
1680
1681
  initOv.textContent = '正在启动 ' + label + (sessionId ? '(恢复会话)' : '');
1681
1682
  initOv.classList.add('visible');
@@ -1745,7 +1746,11 @@
1745
1746
  else if (msg.type === 'exit') {
1746
1747
  if (!isCreatingNewSession && !isTransitioning) {
1747
1748
  throttledWrite('\r\n[进程已退出: ' + msg.exitCode + ']\r\n');
1748
- throttledWrite('按 Enter 键重新启动 ' + currentMode + '...\r\n');
1749
+ if (currentMode === 'shell') {
1750
+ throttledWrite('shell 已结束,切换上方下拉框可启动 Claude / OpenCode / Shell\r\n');
1751
+ } else {
1752
+ throttledWrite('按 Enter 键重新启动 ' + currentMode + '...\r\n');
1753
+ }
1749
1754
  }
1750
1755
  }
1751
1756
  else if (msg.type === 'mode') {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "claude-opencode-viewer",
3
- "version": "2.6.51",
3
+ "version": "2.6.52",
4
4
  "description": "A unified terminal viewer for Claude Code and OpenCode with seamless switching",
5
5
  "type": "module",
6
6
  "main": "server.js",
@@ -8,6 +8,14 @@
8
8
  "cov": "bin/cov.js",
9
9
  "claude-opencode-viewer": "bin/cov.js"
10
10
  },
11
+ "files": [
12
+ "bin/",
13
+ "server.js",
14
+ "index.html",
15
+ "index-pc.html",
16
+ "install.sh",
17
+ "README.md"
18
+ ],
11
19
  "scripts": {
12
20
  "start": "node server.js",
13
21
  "postinstall": "node -e \"console.log('\\n✅ claude-opencode-viewer 安装成功!\\n\\n使用方法:\\n - 全局启动:cov\\n - 或通过 npm 启动:npx cov\\n')\""
package/server.js CHANGED
@@ -89,6 +89,7 @@ const execFileAsync = promisify(execFile);
89
89
  let ptyModule = null;
90
90
  let claudeProcess = null;
91
91
  let opencodeProcess = null;
92
+ let shellProcess = null;
92
93
  let currentProcess = null;
93
94
  let outputBuffer = '';
94
95
  const dataListeners = [];
@@ -241,6 +242,11 @@ async function spawnProcess(mode, sessionId = null) {
241
242
  args.push('--resume', sessionId);
242
243
  LOG(`[claude] 恢复会话: ${sessionId}`);
243
244
  }
245
+ } else if (mode === 'shell') {
246
+ // 普通 shell 终端: 优先使用 $SHELL,回退到 zsh/bash
247
+ command = process.env.SHELL || (existsSync('/bin/zsh') ? '/bin/zsh' : '/bin/bash');
248
+ args = ['-l']; // 登录 shell,加载 PATH/alias
249
+ LOG(`[shell] 启动 shell: ${command} ${args.join(' ')}`);
244
250
  } else {
245
251
  const t2 = Date.now();
246
252
  command = findCommand('opencode');
@@ -335,6 +341,9 @@ async function spawnProcess(mode, sessionId = null) {
335
341
  if (opencodeProcess === proc) {
336
342
  opencodeProcess = null;
337
343
  }
344
+ if (shellProcess === proc) {
345
+ shellProcess = null;
346
+ }
338
347
  // 已被替换的旧进程或切换中的进程,不通知前端
339
348
  if (isSwitching || currentProcess !== null) return;
340
349
  exitListeners.forEach(cb => cb(exitCode || 0));
@@ -349,6 +358,14 @@ async function spawnProcess(mode, sessionId = null) {
349
358
  } catch {}
350
359
  }
351
360
  claudeProcess = proc;
361
+ } else if (mode === 'shell') {
362
+ if (shellProcess && shellProcess !== proc && shellProcess.pid) {
363
+ try {
364
+ LOG(`[spawnProcess] 清理旧 shell 进程 PID: ${shellProcess.pid}`);
365
+ killProcessTree(shellProcess);
366
+ } catch {}
367
+ }
368
+ shellProcess = proc;
352
369
  } else {
353
370
  if (opencodeProcess && opencodeProcess !== proc && opencodeProcess.pid) {
354
371
  try {
@@ -369,7 +386,8 @@ async function spawnProcess(mode, sessionId = null) {
369
386
  }
370
387
 
371
388
  currentProcess = proc;
372
- LOG(`[claude-opencode-viewer] ${mode === 'claude' ? 'Claude Code' : 'OpenCode'} 已启动 (PID: ${proc.pid})`);
389
+ const modeLabel = mode === 'claude' ? 'Claude Code' : mode === 'shell' ? 'Shell' : 'OpenCode';
390
+ LOG(`[claude-opencode-viewer] ${modeLabel} 已启动 (PID: ${proc.pid})`);
373
391
  return proc;
374
392
  }
375
393
 
@@ -400,6 +418,14 @@ async function switchMode(newMode) {
400
418
  LOG('[switchMode] 杀死 opencode 进程失败:', e.message);
401
419
  }
402
420
  opencodeProcess = null;
421
+ } else if (currentMode === 'shell' && shellProcess) {
422
+ try {
423
+ LOG(`[switchMode] 杀死 shell 进程 PID: ${shellProcess.pid}`);
424
+ killProcessTree(shellProcess);
425
+ } catch (e) {
426
+ LOG('[switchMode] 杀死 shell 进程失败:', e.message);
427
+ }
428
+ shellProcess = null;
403
429
  }
404
430
  currentProcess = null;
405
431
 
@@ -1232,7 +1258,8 @@ wssInst.on('connection', (ws, req) => {
1232
1258
  if (msg.type === 'input') {
1233
1259
  // 进程已退出时,自动重新启动(参考 cc-viewer 逻辑)
1234
1260
  // 模式切换/新建会话期间不触发 respawn
1235
- if (!currentProcess && !isSwitching) {
1261
+ // shell 模式不自动 respawn,避免用户输入 exit 后又被重新拉起
1262
+ if (!currentProcess && !isSwitching && currentMode !== 'shell') {
1236
1263
  try {
1237
1264
  LOG(`[respawn] 进程已退出,自动重新启动 ${currentMode}`);
1238
1265
  outputBuffer = '';
@@ -1,74 +0,0 @@
1
- # Code Review Expert
2
-
3
- A comprehensive code review skill for AI agents. Performs structured reviews with a senior engineer lens, covering architecture, security, performance, and code quality.
4
-
5
- ## Installation
6
-
7
- ```bash
8
- npx skills add sanyuan0704/sanyuan-skills --path skills/code-review-expert
9
- ```
10
-
11
- ## Features
12
-
13
- - **SOLID Principles** - Detect SRP, OCP, LSP, ISP, DIP violations
14
- - **Security Scan** - XSS, injection, SSRF, race conditions, auth gaps, secrets leakage
15
- - **Performance** - N+1 queries, CPU hotspots, missing cache, memory issues
16
- - **Error Handling** - Swallowed exceptions, async errors, missing boundaries
17
- - **Boundary Conditions** - Null handling, empty collections, off-by-one, numeric limits
18
- - **Removal Planning** - Identify dead code with safe deletion plans
19
-
20
- ## Usage
21
-
22
- After installation, simply run:
23
-
24
- ```
25
- /code-review-expert
26
- ```
27
-
28
- The skill will automatically review your current git changes.
29
-
30
- ## Workflow
31
-
32
- 1. **Preflight** - Scope changes via `git diff`
33
- 2. **SOLID + Architecture** - Check design principles
34
- 3. **Removal Candidates** - Find dead/unused code
35
- 4. **Security Scan** - Vulnerability detection
36
- 5. **Code Quality** - Error handling, performance, boundaries
37
- 6. **Output** - Findings by severity (P0-P3)
38
- 7. **Confirmation** - Ask user before implementing fixes
39
-
40
- ## Severity Levels
41
-
42
- | Level | Name | Action |
43
- |-------|------|--------|
44
- | P0 | Critical | Must block merge |
45
- | P1 | High | Should fix before merge |
46
- | P2 | Medium | Fix or create follow-up |
47
- | P3 | Low | Optional improvement |
48
-
49
- ## Structure
50
-
51
- ```
52
- code-review-expert/
53
- ├── SKILL.md # Main skill definition
54
- ├── agents/
55
- │ └── agent.yaml # Agent interface config
56
- └── references/
57
- ├── solid-checklist.md # SOLID smell prompts
58
- ├── security-checklist.md # Security & reliability
59
- ├── code-quality-checklist.md # Error, perf, boundaries
60
- └── removal-plan.md # Deletion planning template
61
- ```
62
-
63
- ## References
64
-
65
- Each checklist provides detailed prompts and anti-patterns:
66
-
67
- - **solid-checklist.md** - SOLID violations + common code smells
68
- - **security-checklist.md** - OWASP risks, race conditions, crypto, supply chain
69
- - **code-quality-checklist.md** - Error handling, caching, N+1, null safety
70
- - **removal-plan.md** - Safe vs deferred deletion with rollback plans
71
-
72
- ## License
73
-
74
- MIT
@@ -1,156 +0,0 @@
1
- ---
2
- name: code-review-expert
3
- description: "Expert code review of current git changes with a senior engineer lens. Detects SOLID violations, security risks, and proposes actionable improvements."
4
- ---
5
-
6
- # Code Review Expert
7
-
8
- ## Overview
9
-
10
- Perform a structured review of the current git changes with focus on SOLID, architecture, removal candidates, and security risks. Default to review-only output unless the user asks to implement changes.
11
-
12
- ## Severity Levels
13
-
14
- | Level | Name | Description | Action |
15
- |-------|------|-------------|--------|
16
- | **P0** | Critical | Security vulnerability, data loss risk, correctness bug | Must block merge |
17
- | **P1** | High | Logic error, significant SOLID violation, performance regression | Should fix before merge |
18
- | **P2** | Medium | Code smell, maintainability concern, minor SOLID violation | Fix in this PR or create follow-up |
19
- | **P3** | Low | Style, naming, minor suggestion | Optional improvement |
20
-
21
- ## Workflow
22
-
23
- ### 1) Preflight context
24
-
25
- - Use `git status -sb`, `git diff --stat`, and `git diff` to scope changes.
26
- - If needed, use `rg` or `grep` to find related modules, usages, and contracts.
27
- - Identify entry points, ownership boundaries, and critical paths (auth, payments, data writes, network).
28
-
29
- **Edge cases:**
30
- - **No changes**: If `git diff` is empty, inform user and ask if they want to review staged changes or a specific commit range.
31
- - **Large diff (>500 lines)**: Summarize by file first, then review in batches by module/feature area.
32
- - **Mixed concerns**: Group findings by logical feature, not just file order.
33
-
34
- ### 2) SOLID + architecture smells
35
-
36
- - Load `references/solid-checklist.md` for specific prompts.
37
- - Look for:
38
- - **SRP**: Overloaded modules with unrelated responsibilities.
39
- - **OCP**: Frequent edits to add behavior instead of extension points.
40
- - **LSP**: Subclasses that break expectations or require type checks.
41
- - **ISP**: Wide interfaces with unused methods.
42
- - **DIP**: High-level logic tied to low-level implementations.
43
- - When you propose a refactor, explain *why* it improves cohesion/coupling and outline a minimal, safe split.
44
- - If refactor is non-trivial, propose an incremental plan instead of a large rewrite.
45
-
46
- ### 3) Removal candidates + iteration plan
47
-
48
- - Load `references/removal-plan.md` for template.
49
- - Identify code that is unused, redundant, or feature-flagged off.
50
- - Distinguish **safe delete now** vs **defer with plan**.
51
- - Provide a follow-up plan with concrete steps and checkpoints (tests/metrics).
52
-
53
- ### 4) Security and reliability scan
54
-
55
- - Load `references/security-checklist.md` for coverage.
56
- - Check for:
57
- - XSS, injection (SQL/NoSQL/command), SSRF, path traversal
58
- - AuthZ/AuthN gaps, missing tenancy checks
59
- - Secret leakage or API keys in logs/env/files
60
- - Rate limits, unbounded loops, CPU/memory hotspots
61
- - Unsafe deserialization, weak crypto, insecure defaults
62
- - **Race conditions**: concurrent access, check-then-act, TOCTOU, missing locks
63
- - Call out both **exploitability** and **impact**.
64
-
65
- ### 5) Code quality scan
66
-
67
- - Load `references/code-quality-checklist.md` for coverage.
68
- - Check for:
69
- - **Error handling**: swallowed exceptions, overly broad catch, missing error handling, async errors
70
- - **Performance**: N+1 queries, CPU-intensive ops in hot paths, missing cache, unbounded memory
71
- - **Boundary conditions**: null/undefined handling, empty collections, numeric boundaries, off-by-one
72
- - Flag issues that may cause silent failures or production incidents.
73
-
74
- ### 6) Output format
75
-
76
- Structure your review as follows:
77
-
78
- ```markdown
79
- ## Code Review Summary
80
-
81
- **Files reviewed**: X files, Y lines changed
82
- **Overall assessment**: [APPROVE / REQUEST_CHANGES / COMMENT]
83
-
84
- ---
85
-
86
- ## Findings
87
-
88
- ### P0 - Critical
89
- (none or list)
90
-
91
- ### P1 - High
92
- 1. **[file:line]** Brief title
93
- - Description of issue
94
- - Suggested fix
95
-
96
- ### P2 - Medium
97
- 2. (continue numbering across sections)
98
- - ...
99
-
100
- ### P3 - Low
101
- ...
102
-
103
- ---
104
-
105
- ## Removal/Iteration Plan
106
- (if applicable)
107
-
108
- ## Additional Suggestions
109
- (optional improvements, not blocking)
110
- ```
111
-
112
- **Inline comments**: Use this format for file-specific findings:
113
- ```
114
- ::code-comment{file="path/to/file.ts" line="42" severity="P1"}
115
- Description of the issue and suggested fix.
116
- ::
117
- ```
118
-
119
- **Clean review**: If no issues found, explicitly state:
120
- - What was checked
121
- - Any areas not covered (e.g., "Did not verify database migrations")
122
- - Residual risks or recommended follow-up tests
123
-
124
- ### 7) Next steps confirmation
125
-
126
- After presenting findings, ask user how to proceed:
127
-
128
- ```markdown
129
- ---
130
-
131
- ## Next Steps
132
-
133
- I found X issues (P0: _, P1: _, P2: _, P3: _).
134
-
135
- **How would you like to proceed?**
136
-
137
- 1. **Fix all** - I'll implement all suggested fixes
138
- 2. **Fix P0/P1 only** - Address critical and high priority issues
139
- 3. **Fix specific items** - Tell me which issues to fix
140
- 4. **No changes** - Review complete, no implementation needed
141
-
142
- Please choose an option or provide specific instructions.
143
- ```
144
-
145
- **Important**: Do NOT implement any changes until user explicitly confirms. This is a review-first workflow.
146
-
147
- ## Resources
148
-
149
- ### references/
150
-
151
- | File | Purpose |
152
- |------|---------|
153
- | `solid-checklist.md` | SOLID smell prompts and refactor heuristics |
154
- | `security-checklist.md` | Web/app security and runtime risk checklist |
155
- | `code-quality-checklist.md` | Error handling, performance, boundary conditions |
156
- | `removal-plan.md` | Template for deletion candidates and follow-up plan |
@@ -1,7 +0,0 @@
1
- interface:
2
- display_name: "Code Review Expert"
3
- short_description: "Senior engineer code review: SOLID, security, performance, error handling"
4
- default_prompt: "Review current git changes for SOLID violations, security risks, race conditions, error handling issues, performance problems, and boundary condition bugs."
5
-
6
- # Agent-agnostic skill - works with any LLM provider.
7
- # No provider-specific configuration required.
@@ -1,130 +0,0 @@
1
- # Code Quality Checklist
2
-
3
- ## Error Handling
4
-
5
- ### Anti-patterns to Flag
6
-
7
- - **Swallowed exceptions**: Empty catch blocks or catch with only logging
8
- ```javascript
9
- try { ... } catch (e) { } // Silent failure
10
- try { ... } catch (e) { console.log(e) } // Log and forget
11
- ```
12
- - **Overly broad catch**: Catching `Exception`/`Error` base class instead of specific types
13
- - **Error information leakage**: Stack traces or internal details exposed to users
14
- - **Missing error handling**: No try-catch around fallible operations (I/O, network, parsing)
15
- - **Async error handling**: Unhandled promise rejections, missing `.catch()`, no error boundary
16
-
17
- ### Best Practices to Check
18
-
19
- - [ ] Errors are caught at appropriate boundaries
20
- - [ ] Error messages are user-friendly (no internal details exposed)
21
- - [ ] Errors are logged with sufficient context for debugging
22
- - [ ] Async errors are properly propagated or handled
23
- - [ ] Fallback behavior is defined for recoverable errors
24
- - [ ] Critical errors trigger alerts/monitoring
25
-
26
- ### Questions to Ask
27
- - "What happens when this operation fails?"
28
- - "Will the caller know something went wrong?"
29
- - "Is there enough context to debug this error?"
30
-
31
- ---
32
-
33
- ## Performance & Caching
34
-
35
- ### CPU-Intensive Operations
36
-
37
- - **Expensive operations in hot paths**: Regex compilation, JSON parsing, crypto in loops
38
- - **Blocking main thread**: Sync I/O, heavy computation without worker/async
39
- - **Unnecessary recomputation**: Same calculation done multiple times
40
- - **Missing memoization**: Pure functions called repeatedly with same inputs
41
-
42
- ### Database & I/O
43
-
44
- - **N+1 queries**: Loop that makes a query per item instead of batch
45
- ```javascript
46
- // Bad: N+1
47
- for (const id of ids) {
48
- const user = await db.query(`SELECT * FROM users WHERE id = ?`, id)
49
- }
50
- // Good: Batch
51
- const users = await db.query(`SELECT * FROM users WHERE id IN (?)`, ids)
52
- ```
53
- - **Missing indexes**: Queries on unindexed columns
54
- - **Over-fetching**: SELECT * when only few columns needed
55
- - **No pagination**: Loading entire dataset into memory
56
-
57
- ### Caching Issues
58
-
59
- - **Missing cache for expensive operations**: Repeated API calls, DB queries, computations
60
- - **Cache without TTL**: Stale data served indefinitely
61
- - **Cache without invalidation strategy**: Data updated but cache not cleared
62
- - **Cache key collisions**: Insufficient key uniqueness
63
- - **Caching user-specific data globally**: Security/privacy issue
64
-
65
- ### Memory
66
-
67
- - **Unbounded collections**: Arrays/maps that grow without limit
68
- - **Large object retention**: Holding references preventing GC
69
- - **String concatenation in loops**: Use StringBuilder/join instead
70
- - **Loading large files entirely**: Use streaming instead
71
-
72
- ### Questions to Ask
73
- - "What's the time complexity of this operation?"
74
- - "How does this behave with 10x/100x data?"
75
- - "Is this result cacheable? Should it be?"
76
- - "Can this be batched instead of one-by-one?"
77
-
78
- ---
79
-
80
- ## Boundary Conditions
81
-
82
- ### Null/Undefined Handling
83
-
84
- - **Missing null checks**: Accessing properties on potentially null objects
85
- - **Truthy/falsy confusion**: `if (value)` when `0` or `""` are valid
86
- - **Optional chaining overuse**: `a?.b?.c?.d` hiding structural issues
87
- - **Null vs undefined inconsistency**: Mixed usage without clear convention
88
-
89
- ### Empty Collections
90
-
91
- - **Empty array not handled**: Code assumes array has items
92
- - **Empty object edge case**: `for...in` or `Object.keys` on empty object
93
- - **First/last element access**: `arr[0]` or `arr[arr.length-1]` without length check
94
-
95
- ### Numeric Boundaries
96
-
97
- - **Division by zero**: Missing check before division
98
- - **Integer overflow**: Large numbers exceeding safe integer range
99
- - **Floating point comparison**: Using `===` instead of epsilon comparison
100
- - **Negative values**: Index or count that shouldn't be negative
101
- - **Off-by-one errors**: Loop bounds, array slicing, pagination
102
-
103
- ### String Boundaries
104
-
105
- - **Empty string**: Not handled as edge case
106
- - **Whitespace-only string**: Passes truthy check but is effectively empty
107
- - **Very long strings**: No length limits causing memory/display issues
108
- - **Unicode edge cases**: Emoji, RTL text, combining characters
109
-
110
- ### Common Patterns to Flag
111
-
112
- ```javascript
113
- // Dangerous: no null check
114
- const name = user.profile.name
115
-
116
- // Dangerous: array access without check
117
- const first = items[0]
118
-
119
- // Dangerous: division without check
120
- const avg = total / count
121
-
122
- // Dangerous: truthy check excludes valid values
123
- if (value) { ... } // fails for 0, "", false
124
- ```
125
-
126
- ### Questions to Ask
127
- - "What if this is null/undefined?"
128
- - "What if this collection is empty?"
129
- - "What's the valid range for this number?"
130
- - "What happens at the boundaries (0, -1, MAX_INT)?"
@@ -1,52 +0,0 @@
1
- # Removal and Iteration Plan Template
2
-
3
- ## Priority Levels
4
-
5
- - [ ] **P0**: Immediate removal needed (security risk, significant cost, blocking other work)
6
- - [ ] **P1**: Remove in current sprint
7
- - [ ] **P2**: Backlog / next iteration
8
-
9
- ---
10
-
11
- ## Safe to Remove Now
12
-
13
- ### Item: [Name/Description]
14
-
15
- | Field | Details |
16
- |-------|---------|
17
- | **Location** | `path/to/file.ts:line` |
18
- | **Rationale** | Why this should be removed |
19
- | **Evidence** | Unused (no references), dead feature flag, deprecated API |
20
- | **Impact** | None / Low - no active consumers |
21
- | **Deletion steps** | 1. Remove code 2. Remove tests 3. Remove config |
22
- | **Verification** | Run tests, check no runtime errors, monitor logs |
23
-
24
- ---
25
-
26
- ## Defer Removal (Plan Required)
27
-
28
- ### Item: [Name/Description]
29
-
30
- | Field | Details |
31
- |-------|---------|
32
- | **Location** | `path/to/file.ts:line` |
33
- | **Why defer** | Active consumers, needs migration, stakeholder sign-off |
34
- | **Preconditions** | Feature flag off for 2 weeks, telemetry shows 0 usage |
35
- | **Breaking changes** | List any API/contract changes |
36
- | **Migration plan** | Steps for consumers to migrate |
37
- | **Timeline** | Target date or sprint |
38
- | **Owner** | Person/team responsible |
39
- | **Validation** | Metrics to confirm safe removal (error rates, usage counts) |
40
- | **Rollback plan** | How to restore if issues found |
41
-
42
- ---
43
-
44
- ## Checklist Before Removal
45
-
46
- - [ ] Searched codebase for all references (`rg`, `grep`)
47
- - [ ] Checked for dynamic/reflection-based usage
48
- - [ ] Verified no external consumers (APIs, SDKs, docs)
49
- - [ ] Feature flag telemetry reviewed (if applicable)
50
- - [ ] Tests updated/removed
51
- - [ ] Documentation updated
52
- - [ ] Team notified (if shared code)
@@ -1,118 +0,0 @@
1
- # Security and Reliability Checklist
2
-
3
- ## Input/Output Safety
4
-
5
- - **XSS**: Unsafe HTML injection, `dangerouslySetInnerHTML`, unescaped templates, innerHTML assignments
6
- - **Injection**: SQL/NoSQL/command/GraphQL injection via string concatenation or template literals
7
- - **SSRF**: User-controlled URLs reaching internal services without allowlist validation
8
- - **Path traversal**: User input in file paths without sanitization (`../` attacks)
9
- - **Prototype pollution**: Unsafe object merging in JavaScript (`Object.assign`, spread with user input)
10
-
11
- ## AuthN/AuthZ
12
-
13
- - Missing tenant or ownership checks for read/write operations
14
- - New endpoints without auth guards or RBAC enforcement
15
- - Trusting client-provided roles/flags/IDs
16
- - Broken access control (IDOR - Insecure Direct Object Reference)
17
- - Session fixation or weak session management
18
-
19
- ## JWT & Token Security
20
-
21
- - Algorithm confusion attacks (accepting `none` or `HS256` when expecting `RS256`)
22
- - Weak or hardcoded secrets
23
- - Missing expiration (`exp`) or not validating it
24
- - Sensitive data in JWT payload (tokens are base64, not encrypted)
25
- - Not validating `iss` (issuer) or `aud` (audience)
26
-
27
- ## Secrets and PII
28
-
29
- - API keys, tokens, or credentials in code/config/logs
30
- - Secrets in git history or environment variables exposed to client
31
- - Excessive logging of PII or sensitive payloads
32
- - Missing data masking in error messages
33
-
34
- ## Supply Chain & Dependencies
35
-
36
- - Unpinned dependencies allowing malicious updates
37
- - Dependency confusion (private package name collision)
38
- - Importing from untrusted sources or CDNs without integrity checks
39
- - Outdated dependencies with known CVEs
40
-
41
- ## CORS & Headers
42
-
43
- - Overly permissive CORS (`Access-Control-Allow-Origin: *` with credentials)
44
- - Missing security headers (CSP, X-Frame-Options, X-Content-Type-Options)
45
- - Exposed internal headers or stack traces
46
-
47
- ## Runtime Risks
48
-
49
- - Unbounded loops, recursive calls, or large in-memory buffers
50
- - Missing timeouts, retries, or rate limiting on external calls
51
- - Blocking operations on request path (sync I/O in async context)
52
- - Resource exhaustion (file handles, connections, memory)
53
- - ReDoS (Regular Expression Denial of Service)
54
-
55
- ## Cryptography
56
-
57
- - Weak algorithms (MD5, SHA1 for security purposes)
58
- - Hardcoded IVs or salts
59
- - Using encryption without authentication (ECB mode, no HMAC)
60
- - Insufficient key length
61
-
62
- ## Race Conditions
63
-
64
- Race conditions are subtle bugs that cause intermittent failures and security vulnerabilities. Pay special attention to:
65
-
66
- ### Shared State Access
67
- - Multiple threads/goroutines/async tasks accessing shared variables without synchronization
68
- - Global state or singletons modified concurrently
69
- - Lazy initialization without proper locking (double-checked locking issues)
70
- - Non-thread-safe collections used in concurrent context
71
-
72
- ### Check-Then-Act (TOCTOU)
73
- - `if (exists) then use` patterns without atomic operations
74
- - `if (authorized) then perform` where authorization can change
75
- - File existence check followed by file operation
76
- - Balance check followed by deduction (financial operations)
77
- - Inventory check followed by order placement
78
-
79
- ### Database Concurrency
80
- - Missing optimistic locking (`version` column, `updated_at` checks)
81
- - Missing pessimistic locking (`SELECT FOR UPDATE`)
82
- - Read-modify-write without transaction isolation
83
- - Counter increments without atomic operations (`UPDATE SET count = count + 1`)
84
- - Unique constraint violations in concurrent inserts
85
-
86
- ### Distributed Systems
87
- - Missing distributed locks for shared resources
88
- - Leader election race conditions
89
- - Cache invalidation races (stale reads after writes)
90
- - Event ordering dependencies without proper sequencing
91
- - Split-brain scenarios in cluster operations
92
-
93
- ### Common Patterns to Flag
94
- ```
95
- # Dangerous patterns:
96
- if not exists(key): # TOCTOU
97
- create(key)
98
-
99
- value = get(key) # Read-modify-write
100
- value += 1
101
- set(key, value)
102
-
103
- if user.balance >= amount: # Check-then-act
104
- user.balance -= amount
105
- ```
106
-
107
- ### Questions to Ask
108
- - "What happens if two requests hit this code simultaneously?"
109
- - "Is this operation atomic or can it be interrupted?"
110
- - "What shared state does this code access?"
111
- - "How does this behave under high concurrency?"
112
-
113
- ## Data Integrity
114
-
115
- - Missing transactions, partial writes, or inconsistent state updates
116
- - Weak validation before persistence (type coercion issues)
117
- - Missing idempotency for retryable operations
118
- - Lost updates due to concurrent modifications
@@ -1,65 +0,0 @@
1
- # SOLID Smell Prompts
2
-
3
- ## SRP (Single Responsibility)
4
-
5
- - File owns unrelated concerns (e.g., HTTP + DB + domain rules in one file)
6
- - Large class/module with low cohesion or multiple reasons to change
7
- - Functions that orchestrate many unrelated steps
8
- - God objects that know too much about the system
9
- - **Ask**: "What is the single reason this module would change?"
10
-
11
- ## OCP (Open/Closed)
12
-
13
- - Adding a new behavior requires editing many switch/if blocks
14
- - Feature growth requires modifying core logic rather than extending
15
- - No plugin/strategy/hook points for variation
16
- - **Ask**: "Can I add a new variant without touching existing code?"
17
-
18
- ## LSP (Liskov Substitution)
19
-
20
- - Subclass checks for concrete type or throws for base method
21
- - Overridden methods weaken preconditions or strengthen postconditions
22
- - Subclass ignores or no-ops parent behavior
23
- - **Ask**: "Can I substitute any subclass without the caller knowing?"
24
-
25
- ## ISP (Interface Segregation)
26
-
27
- - Interfaces with many methods, most unused by implementers
28
- - Callers depend on broad interfaces for narrow needs
29
- - Empty/stub implementations of interface methods
30
- - **Ask**: "Do all implementers use all methods?"
31
-
32
- ## DIP (Dependency Inversion)
33
-
34
- - High-level logic depends on concrete IO, storage, or network types
35
- - Hard-coded implementations instead of abstractions or injection
36
- - Import chains that couple business logic to infrastructure
37
- - **Ask**: "Can I swap the implementation without changing business logic?"
38
-
39
- ---
40
-
41
- ## Common Code Smells (Beyond SOLID)
42
-
43
- | Smell | Signs |
44
- |-------|-------|
45
- | **Long method** | Function > 30 lines, multiple levels of nesting |
46
- | **Feature envy** | Method uses more data from another class than its own |
47
- | **Data clumps** | Same group of parameters passed together repeatedly |
48
- | **Primitive obsession** | Using strings/numbers instead of domain types |
49
- | **Shotgun surgery** | One change requires edits across many files |
50
- | **Divergent change** | One file changes for many unrelated reasons |
51
- | **Dead code** | Unreachable or never-called code |
52
- | **Speculative generality** | Abstractions for hypothetical future needs |
53
- | **Magic numbers/strings** | Hardcoded values without named constants |
54
-
55
- ---
56
-
57
- ## Refactor Heuristics
58
-
59
- 1. **Split by responsibility, not by size** - A small file can still violate SRP
60
- 2. **Introduce abstraction only when needed** - Wait for the second use case
61
- 3. **Keep refactors incremental** - Isolate behavior before moving
62
- 4. **Preserve behavior first** - Add tests before restructuring
63
- 5. **Name things by intent** - If naming is hard, the abstraction might be wrong
64
- 6. **Prefer composition over inheritance** - Inheritance creates tight coupling
65
- 7. **Make illegal states unrepresentable** - Use types to enforce invariants
@@ -1,18 +0,0 @@
1
- {
2
- "permissions": {
3
- "allow": [
4
- "Bash(npm start:*)",
5
- "Bash(kill:*)",
6
- "Bash(pkill:*)",
7
- "Bash(node:*)",
8
- "Bash(lsof -ti:7008)",
9
- "Bash(sqlite3:*)",
10
- "Bash(ps:*)",
11
- "Bash(git add:*)",
12
- "Bash(git commit -m ':*)",
13
- "Bash(git push:*)",
14
- "Bash(npm publish:*)",
15
- "Bash(git commit:*)"
16
- ]
17
- }
18
- }
@@ -1,9 +0,0 @@
1
- <?xml version="1.0" encoding="UTF-8"?>
2
- <module type="JAVA_MODULE" version="4">
3
- <component name="NewModuleRootManager" inherit-compiler-output="true">
4
- <exclude-output />
5
- <content url="file://$MODULE_DIR$" />
6
- <orderEntry type="inheritedJdk" />
7
- <orderEntry type="sourceFolder" forTests="false" />
8
- </component>
9
- </module>
@@ -1,5 +0,0 @@
1
- <component name="InspectionProjectProfileManager">
2
- <profile version="1.0">
3
- <option name="myName" value="Project Default" />
4
- </profile>
5
- </component>
package/.idea/modules.xml DELETED
@@ -1,8 +0,0 @@
1
- <?xml version="1.0" encoding="UTF-8"?>
2
- <project version="4">
3
- <component name="ProjectModuleManager">
4
- <modules>
5
- <module fileurl="file://$PROJECT_DIR$/.idea/claude_opencode_viewer.iml" filepath="$PROJECT_DIR$/.idea/claude_opencode_viewer.iml" />
6
- </modules>
7
- </component>
8
- </project>
@@ -1,9 +0,0 @@
1
- <?xml version="1.0" encoding="UTF-8"?>
2
- <project version="4">
3
- <component name="SmartFoxWorkToolsProjectState">
4
- <option name="branch" value="fix/v2.1.0-keyboard" />
5
- <option name="gitUrl" value="https://github.com/ChrisJason121238/claude-opencode-viewer.git" />
6
- <option name="localBranch" value="fix/v2.1.0-keyboard" />
7
- <option name="revision" value="e81a3afd4423f60c1d4f185dd4b16cf7ad1848cc" />
8
- </component>
9
- </project>
@@ -1,6 +0,0 @@
1
- <?xml version="1.0" encoding="UTF-8"?>
2
- <project version="4">
3
- <component name="tdkConfig">
4
- <option name="projectKey" value="0c137ba0-d5df-44aa-97f8-3eee32813208" />
5
- </component>
6
- </project>
package/.idea/vcs.xml DELETED
@@ -1,6 +0,0 @@
1
- <?xml version="1.0" encoding="UTF-8"?>
2
- <project version="4">
3
- <component name="VcsDirectoryMappings">
4
- <mapping directory="" vcs="Git" />
5
- </component>
6
- </project>
package/skills-lock.json DELETED
@@ -1,10 +0,0 @@
1
- {
2
- "version": 1,
3
- "skills": {
4
- "code-review-expert": {
5
- "source": "sanyuan0704/sanyuan-skills",
6
- "sourceType": "github",
7
- "computedHash": "6c2fe31851a34e63e033257527eab04eea835ca1cf4c4276d1392a323e36e377"
8
- }
9
- }
10
- }
package/test-doc.md DELETED
@@ -1,86 +0,0 @@
1
- # Claude OpenCode Viewer 使用指南
2
-
3
- ## 简介
4
-
5
- Claude OpenCode Viewer(COV)是一个统一的终端查看器,支持在浏览器中远程查看和操作 Claude Code 与 OpenCode 的终端会话。适用于需要在手机或其他设备上查看 AI 编程助手工作进度的场景。
6
-
7
- ## 安装
8
-
9
- ```bash
10
- npm install -g claude-opencode-viewer
11
- ```
12
-
13
- 安装完成后,可以通过以下命令启动:
14
-
15
- ```bash
16
- cov
17
- ```
18
-
19
- 默认监听端口 7008,PC 模式使用 `--pc` 参数启动。
20
-
21
- ## 功能特性
22
-
23
- ### 终端查看
24
-
25
- 支持实时查看终端输出,基于 xterm.js 实现完整的终端模拟,包括:
26
-
27
- - 颜色渲染
28
- - Unicode 字符支持
29
- - WebGL 加速渲染
30
- - 移动端触摸滚动
31
-
32
- ### 会话管理
33
-
34
- 可以管理多个会话,支持以下操作:
35
-
36
- 1. 查看历史会话列表
37
- 2. 恢复已有会话
38
- 3. 创建新会话
39
- 4. 在 Claude 和 OpenCode 之间切换
40
-
41
- ### Git 变更查看
42
-
43
- 集成了 Git 状态查看功能,可以直接在页面上查看:
44
-
45
- | 状态 | 含义 | 颜色 |
46
- |------|------|------|
47
- | M | 已修改 | 橙色 |
48
- | A | 新增 | 绿色 |
49
- | D | 已删除 | 红色 |
50
- | ?? | 未跟踪 | 灰色 |
51
-
52
- ### 文档浏览
53
-
54
- 支持浏览项目中的 Markdown 文档,自动扫描项目目录下的 `.md` 文件并以富文本格式展示。
55
-
56
- ## 配置说明
57
-
58
- > 注意:以下配置需要在项目根目录下操作,确保 `PROJECT_DIR` 环境变量指向正确的项目路径。
59
-
60
- 常用环境变量:
61
-
62
- - `PROJECT_DIR` — 指定项目工作目录
63
- - `PORT` — 自定义端口号
64
- - `COV_MODE` — 默认启动模式(claude / opencode)
65
-
66
- ## 常见问题
67
-
68
- ### 连接断开怎么办?
69
-
70
- 页面会自动显示重连提示并尝试重新连接。如果持续无法连接,请检查:
71
-
72
- 1. 服务进程是否仍在运行
73
- 2. 网络是否可达
74
- 3. 端口是否被占用
75
-
76
- ### 移动端键盘遮挡问题
77
-
78
- 在 iOS 设备上,系统会自动调整终端高度以适应键盘弹出。如果遇到显示异常,可以尝试旋转屏幕后再旋转回来。
79
-
80
- ## 更新日志
81
-
82
- **v2.6.48** — 修复重连内容重复、模式切换黑屏问题
83
-
84
- **v2.6.47** — 添加 PC 端重连覆盖层
85
-
86
- **v2.6.46** — 移动端键盘交互优化