npm - oh-my-customcode - Versions diffs - 0.13.2 → 0.13.3 - Mend

oh-my-customcode 0.13.2 → 0.13.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/cli/index.js +374 -8
package/package.json +1 -1

package/dist/cli/index.js CHANGED Viewed

@@ -11852,6 +11852,30 @@ var en_default = {
           fail: "Some index.yaml files are invalid"
         }
       }
+    },
+    security: {
+      description: "Scan for security issues in hooks, configs, and templates",
+      verboseOption: "Show detailed scan results",
+      scanning: "Running security scan...",
+      passed: "Security scan passed! No issues found.",
+      failed: "Security issues detected.",
+      summary: "Security: {{pass}} passed, {{warn}} warnings, {{fail}} failed",
+      checks: {
+        hooks: {
+          pass: "Hook scripts are safe",
+          warn: "Hook scripts have potential concerns",
+          fail: "Hook scripts contain dangerous patterns"
+        },
+        secrets: {
+          pass: "No secrets found in configuration files",
+          fail: "Secrets or credentials found in configuration"
+        },
+        integrity: {
+          pass: "Template file permissions are secure",
+          warn: "Some files have overly permissive settings",
+          fail: "Security-sensitive files found in project"
+        }
+      }
     }
   },
   init: {
@@ -12144,6 +12168,30 @@ var ko_default = {
           fail: "일부 index.yaml 파일이 잘못됨"
         }
       }
+    },
+    security: {
+      description: "훅, 설정, 템플릿의 보안 문제 검사",
+      verboseOption: "상세 검사 결과 표시",
+      scanning: "보안 검사 실행 중...",
+      passed: "보안 검사 통과! 문제가 발견되지 않았습니다.",
+      failed: "보안 문제가 발견되었습니다.",
+      summary: "보안: {{pass}}개 통과, {{warn}}개 경고, {{fail}}개 실패",
+      checks: {
+        hooks: {
+          pass: "훅 스크립트가 안전합니다",
+          warn: "훅 스크립트에 잠재적 우려사항이 있습니다",
+          fail: "훅 스크립트에 위험한 패턴이 포함되어 있습니다"
+        },
+        secrets: {
+          pass: "설정 파일에 비밀 정보가 없습니다",
+          fail: "설정 파일에서 비밀 정보 또는 인증 정보가 발견되었습니다"
+        },
+        integrity: {
+          pass: "템플릿 파일 권한이 안전합니다",
+          warn: "일부 파일의 권한이 과도하게 허용되어 있습니다",
+          fail: "보안에 민감한 파일이 프로젝트에 존재합니다"
+        }
+      }
     }
   },
   init: {
@@ -14635,6 +14683,320 @@ async function listCommand(type = "all", options = {}) {
   }
 }
+// src/cli/security.ts
+import { constants as constants2, promises as fs2 } from "node:fs";
+import path2 from "node:path";
+async function pathExists2(targetPath) {
+  try {
+    await fs2.access(targetPath, constants2.F_OK);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function isValidUtf8Text(content) {
+  try {
+    content.toString("utf-8");
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function findAllFiles(dir2) {
+  const results = [];
+  try {
+    const entries = await fs2.readdir(dir2, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = path2.join(dir2, entry.name);
+      if (entry.isDirectory()) {
+        const subResults = await findAllFiles(fullPath);
+        results.push(...subResults);
+      } else if (entry.isFile()) {
+        results.push(fullPath);
+      }
+    }
+  } catch {}
+  return results;
+}
+var DANGEROUS_PATTERNS = [
+  {
+    pattern: /rm\s+-rf\s+[/~]/,
+    name: "rm -rf with root/home path",
+    severity: "fail"
+  },
+  {
+    pattern: /curl\s+.*\|\s*(bash|sh|eval)/,
+    name: "curl pipe to shell",
+    severity: "fail"
+  },
+  {
+    pattern: /wget\s+.*\|\s*(bash|sh|eval)/,
+    name: "wget pipe to shell",
+    severity: "fail"
+  },
+  { pattern: /\bsudo\b/, name: "sudo usage", severity: "warn" },
+  { pattern: /chmod\s+777/, name: "chmod 777", severity: "warn" },
+  { pattern: /\beval\s*\(/, name: "eval() usage", severity: "warn" },
+  {
+    pattern: /\$\{.*:-.*\}.*>\s*\/etc/,
+    name: "write to /etc",
+    severity: "fail"
+  },
+  {
+    pattern: /base64\s+(-d|--decode).*\|\s*(bash|sh)/,
+    name: "base64 decode to shell",
+    severity: "fail"
+  }
+];
+function extractCommands(hooks) {
+  const commands = [];
+  if (!hooks || typeof hooks !== "object")
+    return commands;
+  for (const hookName in hooks) {
+    const hook = hooks[hookName];
+    if (hook && typeof hook === "object") {
+      for (const eventName in hook) {
+        const event = hook[eventName];
+        if (Array.isArray(event)) {
+          for (const item of event) {
+            if (typeof item === "object" && item && "command" in item) {
+              commands.push(String(item.command));
+            }
+          }
+        }
+      }
+    }
+  }
+  return commands;
+}
+function scanCommands(commands) {
+  const findings = [];
+  let worstSeverity = "pass";
+  for (const command of commands) {
+    for (const { pattern, name, severity } of DANGEROUS_PATTERNS) {
+      if (pattern.test(command)) {
+        findings.push(`${name}: ${command.substring(0, 80)}${command.length > 80 ? "..." : ""}`);
+        if (severity === "fail") {
+          worstSeverity = "fail";
+        } else if (severity === "warn" && worstSeverity === "pass") {
+          worstSeverity = "warn";
+        }
+      }
+    }
+  }
+  return { findings, worstSeverity };
+}
+async function checkHookScripts(targetDir, rootDir = ".claude") {
+  const hooksFile = path2.join(targetDir, rootDir, "hooks", "hooks.json");
+  const exists2 = await pathExists2(hooksFile);
+  if (!exists2) {
+    return {
+      name: "Hook scripts",
+      status: "pass",
+      message: i18n.t("cli.security.checks.hooks.pass"),
+      fixable: false
+    };
+  }
+  try {
+    const content = await fs2.readFile(hooksFile, "utf-8");
+    const hooks = JSON.parse(content);
+    const commands = extractCommands(hooks);
+    const { findings, worstSeverity } = scanCommands(commands);
+    if (findings.length > 0) {
+      const message = worstSeverity === "fail" ? i18n.t("cli.security.checks.hooks.fail") : i18n.t("cli.security.checks.hooks.warn");
+      return {
+        name: "Hook scripts",
+        status: worstSeverity,
+        message: `${message} (${findings.length} issues)`,
+        fixable: false,
+        details: findings
+      };
+    }
+    return {
+      name: "Hook scripts",
+      status: "pass",
+      message: i18n.t("cli.security.checks.hooks.pass"),
+      fixable: false
+    };
+  } catch (error2) {
+    return {
+      name: "Hook scripts",
+      status: "warn",
+      message: `Failed to parse hooks.json: ${error2 instanceof Error ? error2.message : String(error2)}`,
+      fixable: false
+    };
+  }
+}
+async function checkConfigSecrets(targetDir, rootDir = ".claude") {
+  const configDir = path2.join(targetDir, rootDir);
+  const exists2 = await pathExists2(configDir);
+  if (!exists2) {
+    return {
+      name: "Config secrets",
+      status: "pass",
+      message: i18n.t("cli.security.checks.secrets.pass"),
+      fixable: false
+    };
+  }
+  const SECRET_PATTERNS = [
+    {
+      pattern: /(?:AWS_SECRET|AWS_ACCESS_KEY|AWS_SESSION)[_A-Z]*\s*[=:]\s*['"]?[A-Za-z0-9/+=]{20,}/,
+      name: "AWS credential"
+    },
+    {
+      pattern: /(?:GITHUB_TOKEN|GH_TOKEN|GITHUB_PAT)\s*[=:]\s*['"]?(?:ghp_|gho_|ghs_|ghr_|github_pat_)[A-Za-z0-9_]+/,
+      name: "GitHub token"
+    },
+    {
+      pattern: /(?:sk-|sk_live_|sk_test_)[A-Za-z0-9]{20,}/,
+      name: "API secret key (sk-*)"
+    },
+    {
+      pattern: /(?:password|passwd|secret)\s*[=:]\s*['"]?[^\s'"]{8,}/i,
+      name: "Hardcoded password/secret"
+    },
+    {
+      pattern: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/,
+      name: "Private key"
+    }
+  ];
+  const files = await findAllFiles(configDir);
+  const findings = [];
+  for (const file of files) {
+    try {
+      const content = await fs2.readFile(file);
+      if (!isValidUtf8Text(content)) {
+        continue;
+      }
+      const text = content.toString("utf-8");
+      for (const { pattern, name } of SECRET_PATTERNS) {
+        if (pattern.test(text)) {
+          const relativePath = path2.relative(targetDir, file);
+          findings.push(`${relativePath}: ${name}`);
+        }
+      }
+    } catch {}
+  }
+  if (findings.length > 0) {
+    return {
+      name: "Config secrets",
+      status: "fail",
+      message: `${i18n.t("cli.security.checks.secrets.fail")} (${findings.length} found)`,
+      fixable: false,
+      details: findings
+    };
+  }
+  return {
+    name: "Config secrets",
+    status: "pass",
+    message: i18n.t("cli.security.checks.secrets.pass"),
+    fixable: false
+  };
+}
+async function checkEnvFiles(targetDir) {
+  const findings = [];
+  let severity = "pass";
+  const envFiles = [".env", ".env.local", ".env.production", ".env.development"];
+  for (const envFile of envFiles) {
+    const envPath = path2.join(targetDir, envFile);
+    if (await pathExists2(envPath)) {
+      findings.push(`Security-sensitive file found: ${envFile}`);
+      severity = "fail";
+    }
+  }
+  return { findings, severity };
+}
+async function checkShellPermissions(targetDir, shellScripts) {
+  const findings = [];
+  let severity = "pass";
+  for (const script of shellScripts) {
+    try {
+      const stats = await fs2.stat(script);
+      const mode = stats.mode & 511;
+      const relativePath = path2.relative(targetDir, script);
+      if (mode === 511) {
+        findings.push(`Overly permissive permissions (777): ${relativePath}`);
+        if (severity === "pass") {
+          severity = "warn";
+        }
+      } else if (mode & 2) {
+        findings.push(`World-writable: ${relativePath}`);
+        if (severity === "pass") {
+          severity = "warn";
+        }
+      }
+    } catch {}
+  }
+  return { findings, severity };
+}
+async function checkTemplateIntegrity(targetDir) {
+  let worstSeverity = "pass";
+  const allFindings = [];
+  const envCheck = await checkEnvFiles(targetDir);
+  allFindings.push(...envCheck.findings);
+  if (envCheck.severity === "fail") {
+    worstSeverity = "fail";
+  }
+  const allFiles = await findAllFiles(targetDir);
+  const shellScripts = allFiles.filter((f) => f.endsWith(".sh"));
+  const permCheck = await checkShellPermissions(targetDir, shellScripts);
+  allFindings.push(...permCheck.findings);
+  if (permCheck.severity === "warn" && worstSeverity === "pass") {
+    worstSeverity = "warn";
+  }
+  if (allFindings.length > 0) {
+    const message = worstSeverity === "fail" ? i18n.t("cli.security.checks.integrity.fail") : i18n.t("cli.security.checks.integrity.warn");
+    return {
+      name: "Template integrity",
+      status: worstSeverity,
+      message: `${message} (${allFindings.length} issues)`,
+      fixable: false,
+      details: allFindings
+    };
+  }
+  return {
+    name: "Template integrity",
+    status: "pass",
+    message: i18n.t("cli.security.checks.integrity.pass"),
+    fixable: false
+  };
+}
+async function securityCommand(_options = {}) {
+  const targetDir = process.cwd();
+  console.log(i18n.t("cli.security.scanning"));
+  console.log("");
+  const layout = getProviderLayout();
+  const checks = await Promise.all([
+    checkHookScripts(targetDir, layout.rootDir),
+    checkConfigSecrets(targetDir, layout.rootDir),
+    checkTemplateIntegrity(targetDir)
+  ]);
+  for (const check of checks) {
+    printCheck(check);
+  }
+  const passCount = checks.filter((c) => c.status === "pass").length;
+  const warnCount = checks.filter((c) => c.status === "warn").length;
+  const failCount = checks.filter((c) => c.status === "fail").length;
+  console.log("");
+  if (failCount === 0 && warnCount === 0) {
+    console.log(i18n.t("cli.security.passed"));
+  } else {
+    console.log(i18n.t("cli.security.failed"));
+  }
+  console.log(i18n.t("cli.security.summary", {
+    pass: passCount,
+    warn: warnCount,
+    fail: failCount
+  }));
+  return {
+    success: failCount === 0,
+    checks,
+    passCount,
+    warnCount,
+    failCount
+  };
+}
 // src/core/updater.ts
 import { join as join8 } from "node:path";
@@ -14807,11 +15169,11 @@ function getEntryTemplateName2(language) {
   return language === "ko" ? `${baseName}.md.ko` : `${baseName}.md.en`;
 }
 async function backupFile(filePath) {
-  const fs2 = await import("node:fs/promises");
+  const fs3 = await import("node:fs/promises");
   const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
   const backupPath = `${filePath}.backup-${timestamp}`;
   if (await fileExists(filePath)) {
-    await fs2.copyFile(filePath, backupPath);
+    await fs3.copyFile(filePath, backupPath);
     debug("update.file_backed_up", { path: filePath, backup: backupPath });
   }
 }
@@ -15023,8 +15385,8 @@ async function updateComponent(targetDir, component, customizations, options, co
       skipPaths.push(cc.path);
     }
   }
-  const path2 = await import("node:path");
-  const normalizedSkipPaths = skipPaths.map((p) => path2.relative(destPath, join8(targetDir, p)));
+  const path3 = await import("node:path");
+  const normalizedSkipPaths = skipPaths.map((p) => path3.relative(destPath, join8(targetDir, p)));
   await copyDirectory(srcPath, destPath, {
     overwrite: true,
     skipPaths: normalizedSkipPaths.length > 0 ? normalizedSkipPaths : undefined
@@ -15045,7 +15407,7 @@ function getComponentPath2(component) {
 async function backupInstallation(targetDir) {
   const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
   const backupDir = join8(targetDir, `.omcustom-backup-${timestamp}`);
-  const fs2 = await import("node:fs/promises");
+  const fs3 = await import("node:fs/promises");
   await ensureDirectory(backupDir);
   const layout = getProviderLayout();
   const dirsToBackup = [layout.rootDir, "guides"];
@@ -15058,7 +15420,7 @@ async function backupInstallation(targetDir) {
   }
   const entryPath = join8(targetDir, layout.entryFile);
   if (await fileExists(entryPath)) {
-    await fs2.copyFile(entryPath, join8(backupDir, layout.entryFile));
+    await fs3.copyFile(entryPath, join8(backupDir, layout.entryFile));
   }
   return backupDir;
 }
@@ -15131,8 +15493,8 @@ function printUpdateResults(result) {
     console.log(i18n.t("cli.update.preservedFiles", { count: result.preservedFiles.length }));
   }
   if (result.backedUpPaths.length > 0) {
-    for (const path2 of result.backedUpPaths) {
-      console.log(i18n.t("cli.update.backupCreated", { path: path2 }));
+    for (const path3 of result.backedUpPaths) {
+      console.log(i18n.t("cli.update.backupCreated", { path: path3 }));
     }
   }
   for (const warning of result.warnings) {
@@ -15169,6 +15531,10 @@ function createProgram() {
   program2.command("doctor").description(i18n.t("cli.doctor.description")).option("--fix", i18n.t("cli.doctor.fixOption")).action(async (options) => {
     await doctorCommand(options);
   });
+  program2.command("security").description(i18n.t("cli.security.description")).option("--verbose", i18n.t("cli.security.verboseOption")).action(async (options) => {
+    const result = await securityCommand(options);
+    process.exitCode = result.success ? 0 : 1;
+  });
   program2.hook("preAction", async (thisCommand, actionCommand) => {
     const opts = thisCommand.optsWithGlobals();
     const skipCheck = opts.skipVersionCheck || false;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "oh-my-customcode",
-  "version": "0.13.2",
+  "version": "0.13.3",
   "description": "Batteries-included agent harness for Claude Code",
   "type": "module",
   "bin": {