gencow 0.1.110 → 0.1.112

package/core/index.js

@@ -2027,7 +2027,8 @@ function crud(table, options) {
     const countResult = await db.select({ count: drizzleCount() }).from(anyTable).where(whereClause);
     return { data, total: Number(countResult[0]?.count ?? 0) };
   }
-  const listDef = query(`${prefix}.list`, {
+  const enabledMethods = new Set(options?.methods ?? ["list", "get", "create", "update", "remove"]);
+  const listDef = !enabledMethods.has("list") ? void 0 : query(`${prefix}.list`, {
     public: isPublic,
     args: {
       page: v.optional(v.number()),
@@ -2058,7 +2059,7 @@ function crud(table, options) {
       };
     }
   });
-  const getDef = query(`${prefix}.get`, {
+  const getDef = !enabledMethods.has("get") ? void 0 : query(`${prefix}.get`, {
     public: isPublic,
     args: { id: idValidator },
     handler: async (ctx, args) => {
@@ -2072,7 +2073,7 @@ function crud(table, options) {
       return result ?? null;
     }
   });
-  const createDef = mutation(`${prefix}.create`, {
+  const createDef = !enabledMethods.has("create") ? void 0 : mutation(`${prefix}.create`, {
     public: isPublic,
     invalidates: [],
     handler: async (ctx, args) => {
@@ -2085,14 +2086,14 @@ function crud(table, options) {
         insertData = await options.hooks.beforeCreate(insertData);
       }
       const [result] = await ctx.db.insert(anyTable).values(insertData).returning();
-      if (useRealtime) {
+      if (useRealtime && enabledMethods.has("list")) {
         const listResult = await fetchListWithTotal(ctx.db);
         ctx.realtime.emit(`${prefix}.list`, listResult);
       }
       return result;
     }
   });
-  const updateDef = mutation(`${prefix}.update`, {
+  const updateDef = !enabledMethods.has("update") ? void 0 : mutation(`${prefix}.update`, {
     public: isPublic,
     invalidates: [],
     handler: async (ctx, args) => {
@@ -2107,14 +2108,18 @@ function crud(table, options) {
       }
       const [result] = await ctx.db.update(anyTable).set(updateData).where(eq(pk, id)).returning();
       if (useRealtime) {
-        const listResult = await fetchListWithTotal(ctx.db);
-        ctx.realtime.emit(`${prefix}.list`, listResult);
-        ctx.realtime.emit(`${prefix}.get`, result);
+        if (enabledMethods.has("list")) {
+          const listResult = await fetchListWithTotal(ctx.db);
+          ctx.realtime.emit(`${prefix}.list`, listResult);
+        }
+        if (enabledMethods.has("get")) {
+          ctx.realtime.emit(`${prefix}.get`, result);
+        }
       }
       return result;
     }
   });
-  const removeDef = mutation(`${prefix}.remove`, {
+  const removeDef = !enabledMethods.has("remove") ? void 0 : mutation(`${prefix}.remove`, {
     public: isPublic,
     invalidates: [],
     handler: async (ctx, args) => {
@@ -2125,7 +2130,7 @@ function crud(table, options) {
       } else {
         await ctx.db.delete(anyTable).where(eq(pk, args.id));
       }
-      if (useRealtime) {
+      if (useRealtime && enabledMethods.has("list")) {
         const listResult = await fetchListWithTotal(ctx.db);
         ctx.realtime.emit(`${prefix}.list`, listResult);
       }

package/lib/__tests__/readme-codegen.test.ts

@@ -223,8 +223,24 @@ describe("buildAiPrompt — AI Vibe-Coding 프롬프트", () => {
 
     it("mutation 제한 경고 포함", () => {
         const md = buildAiPrompt(SIMPLE_API, ["tasks"]);
-        expect(md).toContain("mutation은 10초 이내");
-        expect(md).toContain("scheduler.runAfter");
+        expect(md).toContain("mutation: 30초");
+        expect(md).toContain("FUNCTION_TIMEOUT");
+        expect(md).toContain("별도 mutation으로 분리");
+    });
+
+    it("mutation 간 공유 로직 패턴 포함", () => {
+        const md = buildAiPrompt(SIMPLE_API, ["tasks"]);
+        expect(md).toContain("mutation 간 로직 공유");
+        expect(md).toContain("일반 async 함수로 분리");
+        expect(md).toContain("mutation은 래핑만");
+    });
+
+    it("AI 우회 금지 목록 포함", () => {
+        const md = buildAiPrompt(SIMPLE_API, ["tasks"]);
+        expect(md).toContain("절대 금지");
+        expect(md).toContain("openai-direct.ts");
+        expect(md).toContain("ai.ts 수정 또는 우회 금지");
+        expect(md).toContain("SDK 직접 설치/사용 금지");
     });
 
     it("크론 잡 사용법 포함", () => {

package/lib/readme-codegen.mjs

@@ -300,15 +300,23 @@ export function buildAiPrompt(apiObj, namespaces) {
     md += `- gencow/index.ts의 re-export는 export * as moduleName from "./moduleName" 패턴을 써.\n`;
     md += `  Module, Mod 같은 접미사를 붙이지 마.\n`;
     md += `\n`;
-    md += `⚠️ mutation 제한:\n`;
-    md += `- mutation은 10초 이내에 완료되어야 해. 외부 API나 LLM 호출이 길면 단계별로 분리해.\n`;
+    md += `⚠️ mutation 제한 (타임아웃):\n`;
+    md += `- query: 30초, mutation: 30초, cron: 10분. 이 시간을 초과하면 FUNCTION_TIMEOUT 에러.\n`;
     md += `- ✅ 1순위: 각 단계를 별도 mutation으로 분리하고, 프론트엔드에서 순차 호출해.\n`;
     md += `  예: 크롤링(Step1) → 필터링(Step2) → 요약(Step3) 각각 별도 mutation으로 분리.\n`;
     md += `  프론트엔드: await crawl(); await filter(); await summarize();\n`;
-    md += `- ⚠️ 보조: ctx.scheduler.runAfter(0, "module.nextStep", { sessionId }) — 로컬 dev에서만 안정적. 클라우드에서는 앱 sleep 시 타이머가 소멸할 수 있어.\n`;
-    md += `- 같은 서버의 다른 모듈 함수를 호출할 때는 fetch()가 아닌 직접 import해서 호출해.\n`;
-    md += `  예: import { fetchNews } from "./naverApi"; → const result = await fetchNews.handler(ctx, { keyword });\n`;
-    md += `  HTTP self-fetch (fetch("/api/mutation")) 패턴은 불필요한 네트워크 우회이므로 사용하지 마.\n`;
+    md += `- ⚠️ 보조: ctx.scheduler.runAfter(0, "module.nextStep", { sessionId }) — 로컬 dev에서만 안정적. 클라우드에서는 앱이 idle 상태로 전환 시 타이머가 소멸돼.\n`;
+    md += `\n`;
+    md += `⚠️ mutation 간 로직 공유:\n`;
+    md += `- mutation().handler()를 다른 mutation에서 직접 호출하면 안 돼.\n`;
+    md += `- ✅ 공유 로직은 일반 async 함수로 분리하고, 각 mutation에서 래핑해:\n`;
+    md += `  // 공유 함수 (일반 async 함수)\n`;
+    md += `  async function filterBatch(ctx, ids) { /* 실제 로직 */ }\n`;
+    md += `  // mutation은 래핑만\n`;
+    md += `  export const filter = mutation("pipeline.filter", {\n`;
+    md += `      handler: async (ctx, args) => filterBatch(ctx, args.ids),\n`;
+    md += `  });\n`;
+    md += `- ❌ fetch("/api/mutation") self-fetch 패턴은 사용하지 마.\n`;
 
     md += `\n`;
     md += `크론 잡 (예약 작업):\n`;
@@ -373,12 +381,18 @@ export function buildAiPrompt(apiObj, namespaces) {
     md += `  const hash = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(text));\n`;
     md += `  const hex = [...new Uint8Array(hash)].map(b => b.toString(16).padStart(2, "0")).join("");\n`;
     md += `- 직접 구현한 simpleHash 같은 32비트 해시는 충돌 위험이 있으니 SHA-256을 사용해.\n`;
-    md += `- AI 호출은 import { ai } from "./ai" 를 사용해:\n`;
+    md += `⚠️ AI 호출 규칙 (반드시 준수):\n`;
+    md += `- ✅ AI 호출은 반드시 import { ai } from "./ai"를 사용해:\n`;
     md += `  import { ai } from "./ai";\n`;
     md += `  const result = await ai.chat({ messages: [{ role: "user", content: "안녕" }] });\n`;
-    md += `  ❌ import OpenAI from "openai"; → 시크릿 관리, 비용 추적, 보안 문제 발생\n`;
-    md += `  ❌ OpenAI/Anthropic SDK 직접 설치 금지\n`;
     md += `  ✅ ai.chat()은 로컬(OPENAI_API_KEY)과 클라우드(Gencow 프록시) 자동 전환\n`;
+    md += `- ❌ 절대 금지:\n`;
+    md += `  - import OpenAI from "openai" — SDK 직접 설치/사용 금지\n`;
+    md += `  - fetch("https://api.openai.com/...") — API 직접 호출 금지\n`;
+    md += `  - openai-direct.ts, ai-wrapper.ts 같은 별도 래퍼 파일 생성 금지\n`;
+    md += `  - ai.ts 수정 또는 우회 금지 (프록시 우회 시 크레딧 차감 불가 + 장애 위험)\n`;
+    md += `- AI 에러 발생 시: .env의 OPENAI_API_KEY 확인 또는 npx gencow add AI로 재설치\n`;
+    md += `- JSON 응답 필요 시: ai.generateObject({ schema: z.object({...}), prompt: "..." })\n`;
     md += `- AI 컴포넌트가 없으면: gencow add AI 로 설치해.\n`;
     md += `- RAG가 필요하면: gencow add RAG (AI 자동 포함).\n`;
     md += `- 메모리가 필요하면: gencow add Memory.\n`;

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "gencow",
-    "version": "0.1.110",
+    "version": "0.1.112",
     "description": "Gencow — AI Backend Engine",
     "type": "module",
     "bin": {

package/server/index.js

@@ -2076,7 +2076,8 @@ function crud(table, options) {
     const countResult = await db.select({ count: drizzleCount() }).from(anyTable).where(whereClause);
     return { data, total: Number(countResult[0]?.count ?? 0) };
   }
-  const listDef = query(`${prefix}.list`, {
+  const enabledMethods = new Set(options?.methods ?? ["list", "get", "create", "update", "remove"]);
+  const listDef = !enabledMethods.has("list") ? void 0 : query(`${prefix}.list`, {
     public: isPublic,
     args: {
       page: v.optional(v.number()),
@@ -2107,7 +2108,7 @@ function crud(table, options) {
       };
     }
   });
-  const getDef = query(`${prefix}.get`, {
+  const getDef = !enabledMethods.has("get") ? void 0 : query(`${prefix}.get`, {
     public: isPublic,
     args: { id: idValidator },
     handler: async (ctx, args) => {
@@ -2121,7 +2122,7 @@ function crud(table, options) {
       return result ?? null;
     }
   });
-  const createDef = mutation(`${prefix}.create`, {
+  const createDef = !enabledMethods.has("create") ? void 0 : mutation(`${prefix}.create`, {
     public: isPublic,
     invalidates: [],
     handler: async (ctx, args) => {
@@ -2134,14 +2135,14 @@ function crud(table, options) {
         insertData = await options.hooks.beforeCreate(insertData);
       }
       const [result] = await ctx.db.insert(anyTable).values(insertData).returning();
-      if (useRealtime) {
+      if (useRealtime && enabledMethods.has("list")) {
         const listResult = await fetchListWithTotal(ctx.db);
         ctx.realtime.emit(`${prefix}.list`, listResult);
       }
       return result;
     }
   });
-  const updateDef = mutation(`${prefix}.update`, {
+  const updateDef = !enabledMethods.has("update") ? void 0 : mutation(`${prefix}.update`, {
     public: isPublic,
     invalidates: [],
     handler: async (ctx, args) => {
@@ -2156,14 +2157,18 @@ function crud(table, options) {
       }
       const [result] = await ctx.db.update(anyTable).set(updateData).where(eq(pk, id)).returning();
       if (useRealtime) {
-        const listResult = await fetchListWithTotal(ctx.db);
-        ctx.realtime.emit(`${prefix}.list`, listResult);
-        ctx.realtime.emit(`${prefix}.get`, result);
+        if (enabledMethods.has("list")) {
+          const listResult = await fetchListWithTotal(ctx.db);
+          ctx.realtime.emit(`${prefix}.list`, listResult);
+        }
+        if (enabledMethods.has("get")) {
+          ctx.realtime.emit(`${prefix}.get`, result);
+        }
       }
       return result;
     }
   });
-  const removeDef = mutation(`${prefix}.remove`, {
+  const removeDef = !enabledMethods.has("remove") ? void 0 : mutation(`${prefix}.remove`, {
     public: isPublic,
     invalidates: [],
     handler: async (ctx, args) => {
@@ -2174,7 +2179,7 @@ function crud(table, options) {
       } else {
         await ctx.db.delete(anyTable).where(eq(pk, args.id));
       }
-      if (useRealtime) {
+      if (useRealtime && enabledMethods.has("list")) {
         const listResult = await fetchListWithTotal(ctx.db);
         ctx.realtime.emit(`${prefix}.list`, listResult);
       }
@@ -81506,6 +81511,110 @@ function findTsFiles(dir) {
   }
   return results;
 }
+function auditAIBypass(functionsDir) {
+  const issues = [];
+  try {
+    const fs2 = __require("fs");
+    const path2 = __require("path");
+    const files = findTsFiles(functionsDir);
+    const SUSPECT_FILENAMES = /* @__PURE__ */ new Set([
+      "openai-direct.ts",
+      "openai-direct.tsx",
+      "ai-wrapper.ts",
+      "ai-wrapper.tsx",
+      "ai-helper.ts",
+      "ai-helper.tsx",
+      "ai-client.ts",
+      "ai-client.tsx",
+      "gpt.ts",
+      "gpt.tsx",
+      "openai.ts",
+      "openai.tsx",
+      "llm.ts",
+      "llm.tsx"
+    ]);
+    const DIRECT_OPENAI_FETCH = /fetch\s*\(\s*[`"']https?:\/\/api\.openai\.com/;
+    const DIRECT_OPENAI_CONSTRUCTOR = /new\s+OpenAI\s*\(/;
+    const INLINE_AI_FUNC = /(?:async\s+)?function\s+(?:callGPT|callOpenAI|callAI|fetchGPT|aiCall|directAI)\s*\(/;
+    const OPENAI_IMPORT = /(?:import|require)\s*\(?.*['"]openai['"]/;
+    for (const file3 of files) {
+      const basename = path2.basename(file3);
+      const relPath = path2.relative(functionsDir, file3);
+      if (basename === "ai.ts") continue;
+      if (SUSPECT_FILENAMES.has(basename)) {
+        issues.push({
+          file: relPath,
+          line: 0,
+          snippet: `\uD30C\uC77C\uBA85 "${basename}" \u2014 AI \uC6B0\uD68C \uB798\uD37C \uC758\uC2EC`,
+          type: "suspect-file"
+        });
+      }
+      const content = fs2.readFileSync(file3, "utf-8");
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const trimmed = line.trim();
+        if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*")) continue;
+        if (DIRECT_OPENAI_FETCH.test(line)) {
+          issues.push({
+            file: relPath,
+            line: i + 1,
+            snippet: trimmed.slice(0, 100),
+            type: "direct-fetch"
+          });
+        }
+        if (DIRECT_OPENAI_CONSTRUCTOR.test(line)) {
+          issues.push({
+            file: relPath,
+            line: i + 1,
+            snippet: trimmed.slice(0, 100),
+            type: "openai-constructor"
+          });
+        }
+        if (INLINE_AI_FUNC.test(line)) {
+          issues.push({
+            file: relPath,
+            line: i + 1,
+            snippet: trimmed.slice(0, 100),
+            type: "inline-ai-func"
+          });
+        }
+        if (OPENAI_IMPORT.test(line)) {
+          issues.push({
+            file: relPath,
+            line: i + 1,
+            snippet: trimmed.slice(0, 100),
+            type: "openai-import"
+          });
+        }
+      }
+    }
+  } catch {
+  }
+  return { issues };
+}
+function printAIBypassReport(result) {
+  if (result.issues.length === 0) return;
+  const typeLabels = {
+    "suspect-file": "\u{1F5C2}\uFE0F  AI \uC6B0\uD68C \uB798\uD37C \uD30C\uC77C",
+    "direct-fetch": "\u{1F534} OpenAI API \uC9C1\uC811 \uD638\uCD9C",
+    "openai-constructor": "\u{1F534} OpenAI \uC0DD\uC131\uC790 \uC9C1\uC811 \uC0AC\uC6A9",
+    "inline-ai-func": "\u26A0\uFE0F  \uC778\uB77C\uC778 AI \uD568\uC218 \uC815\uC758",
+    "openai-import": "\u26A0\uFE0F  openai \uD328\uD0A4\uC9C0 \uC9C1\uC811 import"
+  };
+  console.log(`
+[auditor] \u{1F916} AI \uC6B0\uD68C \uD328\uD134 \uAC10\uC9C0 (${result.issues.length}\uAC74):`);
+  for (const issue3 of result.issues) {
+    const label = typeLabels[issue3.type] || "\u26A0\uFE0F  \uAE30\uD0C0";
+    const loc = issue3.line > 0 ? `${issue3.file}:${issue3.line}` : issue3.file;
+    console.log(`[auditor]   ${label} \u2014 ${loc}`);
+    console.log(`[auditor]     ${issue3.snippet}`);
+  }
+  console.log(`[auditor]   \u2192 AI \uD638\uCD9C\uC740 \uBC18\uB4DC\uC2DC import { ai } from "./ai" \uB97C \uC0AC\uC6A9\uD558\uC138\uC694.`);
+  console.log(`[auditor]   \u2192 ai.ts\uB294 \uB85C\uCEEC/\uD074\uB77C\uC6B0\uB4DC \uC790\uB3D9 \uC804\uD658\uC744 \uC9C0\uC6D0\uD569\uB2C8\uB2E4.`);
+  console.log(`[auditor]   \u2192 fetch()\uB85C OpenAI\uB97C \uC9C1\uC811 \uD638\uCD9C\uD558\uBA74 \uD074\uB77C\uC6B0\uB4DC\uC5D0\uC11C \uACFC\uAE08\uC774 \uC548 \uB429\uB2C8\uB2E4.
+`);
+}
 
 // ../server/src/admin.ts
 init_src();
@@ -82244,7 +82353,7 @@ async function executeWithTimeout(fn, type, functionName) {
       new Promise((_, reject) => {
         controller.signal.addEventListener("abort", () => {
           const err = new Error(
-            `Function "${functionName}" exceeded ${timeoutMs / 1e3}s time limit. Use ctx.scheduler.runAfter() for long-running tasks.`
+            `Function "${functionName}" exceeded ${timeoutMs / 1e3}s time limit. Split into smaller mutations and call them sequentially from the frontend. Limits: query 30s, mutation 30s, httpAction 5min, cron 10min.`
           );
           err.code = "FUNCTION_TIMEOUT";
           reject(err);
@@ -82390,6 +82499,8 @@ async function main() {
       }
       const selfFetchResult = auditSelfFetch(functionsPath);
       printSelfFetchReport(selfFetchResult);
+      const aiBypassResult = auditAIBypass(functionsPath);
+      printAIBypassReport(aiBypassResult);
       const projectDir = resolve6(functionsPath, "..");
       const frontendResult = auditFrontendAntiPatterns(projectDir);
       printFrontendAntiPatternReport(frontendResult);
@@ -83373,10 +83484,10 @@ async function main() {
       } : void 0),
       scheduler: scheduler ?? {
         runAfter: () => {
-          throw new Error("Scheduler not initialized");
+          throw new Error("Scheduler not initialized \u2014 add gencow/crons.ts to enable. Note: In BaaS mode, scheduler.runAfter() is sleep-unsafe (timers are lost when app goes idle). Recommended: split into separate mutations and call sequentially from frontend.");
         },
         runAt: () => {
-          throw new Error("Scheduler not initialized");
+          throw new Error("Scheduler not initialized \u2014 add gencow/crons.ts to enable. Note: In BaaS mode, scheduler.runAt() is sleep-unsafe.");
         },
         cancel: () => false,
         cron: () => {