triflux 10.3.4 → 10.7.0

package/scripts/config-audit.mjs

@@ -0,0 +1,232 @@
+#!/usr/bin/env node
+// scripts/config-audit.mjs — 설정 정적 보안/성능 감사
+//
+// triflux doctor --audit 또는 단독 실행.
+// settings.json, CLAUDE.md, MCP, 훅 설정을 스캔하여 위험/성능 이슈 탐지.
+//
+// 출력: JSON (--json) 또는 마크다운 테이블
+
+import { existsSync, readFileSync, readdirSync } from "node:fs";
+import { homedir } from "node:os";
+import { join, basename } from "node:path";
+
+const HOME = homedir();
+const CLAUDE_DIR = join(HOME, ".claude");
+const JSON_OUTPUT = process.argv.includes("--json");
+
+// ── 결과 수집 ──
+const findings = [];
+
+function addFinding(category, severity, message, detail = "") {
+  findings.push({ category, severity, message, detail });
+}
+
+// ── 1. settings.json 감사 ──
+function auditSettings() {
+  const settingsPath = join(CLAUDE_DIR, "settings.json");
+  if (!existsSync(settingsPath)) {
+    addFinding("settings", "info", "settings.json 없음", settingsPath);
+    return;
+  }
+
+  let settings;
+  try {
+    settings = JSON.parse(readFileSync(settingsPath, "utf8"));
+  } catch {
+    addFinding("settings", "warn", "settings.json 파싱 실패", settingsPath);
+    return;
+  }
+
+  // 권한 모드
+  const mode = settings.permissions?.defaultMode;
+  if (mode === "bypassPermissions" || mode === "acceptEdits") {
+    addFinding("settings", "warn", `defaultMode: "${mode}" — 도구 승인 없이 실행됨`, "보안 리뷰 시 주의");
+  }
+
+  // 환경 변수 내 시크릿 패턴
+  const env = settings.env || {};
+  const SECRET_PATTERNS = [
+    /(?:api[_-]?key|secret|token|password|credential)s?\s*[:=]/i,
+    /(?:sk-|ghp_|gho_|github_pat_|xoxb-|xoxp-)/i,
+    /ANTHROPIC_API_KEY/i,
+    /OPENAI_API_KEY/i,
+  ];
+  for (const [key, value] of Object.entries(env)) {
+    for (const pattern of SECRET_PATTERNS) {
+      if (pattern.test(key) || pattern.test(String(value))) {
+        addFinding("settings", "critical", `env에 시크릿 패턴 감지: ${key}`, "환경변수로 분리 권장");
+        break;
+      }
+    }
+  }
+
+  // 훅 timeout 검사
+  const hooks = settings.hooks || {};
+  let totalHooks = 0;
+  let longTimeouts = 0;
+  for (const [event, matchers] of Object.entries(hooks)) {
+    for (const matcher of Array.isArray(matchers) ? matchers : []) {
+      for (const hook of matcher.hooks || []) {
+        totalHooks++;
+        if (hook.timeout && hook.timeout > 15) {
+          longTimeouts++;
+          addFinding("hooks", "warn", `${event} 훅 timeout ${hook.timeout}s (>15s)`, hook.command?.slice(0, 80));
+        }
+      }
+    }
+  }
+  if (totalHooks > 10) {
+    addFinding("hooks", "info", `settings.json에 훅 ${totalHooks}개 등록`, "SessionStart 성능에 영향 가능");
+  }
+}
+
+// ── 2. CLAUDE.md 시크릿 스캔 ──
+function auditClaudeMd() {
+  const candidates = [
+    join(process.cwd(), "CLAUDE.md"),
+    join(CLAUDE_DIR, "CLAUDE.md"),
+  ];
+
+  for (const mdPath of candidates) {
+    if (!existsSync(mdPath)) continue;
+    let content;
+    try {
+      content = readFileSync(mdPath, "utf8");
+    } catch { continue; }
+
+    const SECRET_LINE_PATTERNS = [
+      /(?:api[_-]?key|secret|password)\s*[:=]\s*["']?\S{8,}/i,
+      /(?:^|[\s"'=:])(?:sk-|ghp_|gho_|github_pat_|xoxb-|xoxp-)[A-Za-z0-9_-]{10,}/,
+      /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/,
+    ];
+
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      for (const pattern of SECRET_LINE_PATTERNS) {
+        if (pattern.test(lines[i])) {
+          addFinding("claude-md", "critical", `CLAUDE.md:${i + 1} 시크릿 패턴 감지`, basename(mdPath));
+          break;
+        }
+      }
+    }
+
+    // 길이 경고
+    const tokenEstimate = Math.ceil(Buffer.byteLength(content, "utf8") / 4);
+    if (tokenEstimate > 3000) {
+      addFinding("claude-md", "warn", `CLAUDE.md ~${tokenEstimate} 토큰 (>3000)`, `${basename(mdPath)} — 컨텍스트 로트 위험`);
+    }
+  }
+}
+
+// ── 3. MCP 설정 감사 ──
+function auditMcp() {
+  const mcpPaths = [
+    join(CLAUDE_DIR, "mcp_servers.json"),
+    join(CLAUDE_DIR, ".mcp.json"),
+    join(process.cwd(), ".mcp.json"),
+  ];
+
+  let totalServers = 0;
+  let stdioCount = 0;
+
+  for (const mcpPath of mcpPaths) {
+    if (!existsSync(mcpPath)) continue;
+    let config;
+    try {
+      config = JSON.parse(readFileSync(mcpPath, "utf8"));
+    } catch { continue; }
+
+    const servers = config.mcpServers || config.servers || config;
+    for (const [name, def] of Object.entries(servers)) {
+      if (!def || typeof def !== "object") continue;
+      totalServers++;
+
+      if (def.type === "stdio" || def.command) {
+        stdioCount++;
+      }
+
+      // 위험 패턴: 쉘 실행, eval, 알 수 없는 npx 패키지
+      const cmd = String(def.command || "");
+      if (/\beval\b|\bexec\b.*sh\b|\bcurl\b.*\|\s*(?:bash|sh)\b/i.test(cmd)) {
+        addFinding("mcp", "critical", `MCP "${name}": 위험한 명령 패턴`, cmd.slice(0, 100));
+      }
+    }
+  }
+
+  if (totalServers > 10) {
+    addFinding("mcp", "warn", `MCP 서버 ${totalServers}개 등록 (>10)`, "컨텍스트 윈도우 압박 가능");
+  }
+  if (stdioCount > 5) {
+    addFinding("mcp", "info", `stdio MCP ${stdioCount}개 — 프로세스 spawn 부하`, "불필요한 서버 비활성화 권장");
+  }
+}
+
+// ── 4. 훅 레지스트리 감사 ──
+function auditHookRegistry() {
+  const registryPath = join(process.cwd(), "hooks", "hook-registry.json");
+  if (!existsSync(registryPath)) return;
+
+  let registry;
+  try {
+    registry = JSON.parse(readFileSync(registryPath, "utf8"));
+  } catch { return; }
+
+  const events = registry.events || {};
+  let blockingCount = 0;
+  let externalCount = 0;
+
+  for (const [event, hooks] of Object.entries(events)) {
+    for (const hook of hooks) {
+      if (hook.blocking) blockingCount++;
+      if (hook.source !== "triflux" && hook.source !== "omc") externalCount++;
+
+      // 외부 훅의 명령에 위험 패턴
+      if (hook.source !== "triflux") {
+        const cmd = String(hook.command || "");
+        if (/\brm\b|\bdel\b|\bformat\b|\bgit\s+push\b/i.test(cmd)) {
+          addFinding("hooks", "warn", `외부 훅 "${hook.id}": 위험 명령 패턴`, cmd.slice(0, 80));
+        }
+      }
+    }
+  }
+
+  if (blockingCount > 5) {
+    addFinding("hooks", "info", `blocking 훅 ${blockingCount}개 — 도구 실행 지연 가능`, "불필요한 blocking 해제 검토");
+  }
+  if (externalCount > 0) {
+    addFinding("hooks", "info", `외부 훅 ${externalCount}개 등록`, "출처 확인 권장");
+  }
+}
+
+// ── 실행 ──
+auditSettings();
+auditClaudeMd();
+auditMcp();
+auditHookRegistry();
+
+// ── 출력 ──
+const summary = {
+  total: findings.length,
+  critical: findings.filter(f => f.severity === "critical").length,
+  warn: findings.filter(f => f.severity === "warn").length,
+  info: findings.filter(f => f.severity === "info").length,
+};
+
+if (JSON_OUTPUT) {
+  console.log(JSON.stringify({ summary, findings }, null, 2));
+} else {
+  const SEVERITY_ICON = { critical: "🔴", warn: "🟡", info: "🔵" };
+  console.log("\n  ⬡ triflux config audit\n");
+  if (findings.length === 0) {
+    console.log("  ✅ 이슈 없음\n");
+  } else {
+    console.log(`  | 심각도 | 카테고리 | 이슈 | 상세 |`);
+    console.log(`  |--------|----------|------|------|`);
+    for (const f of findings) {
+      console.log(`  | ${SEVERITY_ICON[f.severity] || "⚪"} ${f.severity} | ${f.category} | ${f.message} | ${f.detail} |`);
+    }
+    console.log(`\n  합계: critical=${summary.critical} warn=${summary.warn} info=${summary.info}\n`);
+  }
+}
+
+process.exit(summary.critical > 0 ? 1 : 0);

package/scripts/convert-to-tmpl.mjs

@@ -0,0 +1,54 @@
+#!/usr/bin/env node
+/**
+ * Converts SKILL.md files to SKILL.md.tmpl format.
+ * - Replaces skill name in title with {{SKILL_NAME}}
+ * - Removes expanded base block (ARGUMENTS + Telemetry)
+ * - Inserts {{> base}} after the title line
+ */
+import { existsSync, readdirSync, readFileSync, writeFileSync } from "fs";
+import { join } from "path";
+
+const SKILLS_DIR = join(import.meta.dirname, "..", "skills");
+
+const BASE_BLOCK_RE =
+  /\n> \*\*ARGUMENTS 처리\*\*.*?\n> 워크플로우의 첫 단계.*?기존 절차대로.*?\n\n> \*\*Telemetry\*\*\n>\n> - Skill:.*?\n> - Description:.*?\n> - Session:.*?\n> - Errors:.*?\n/s;
+
+let converted = 0;
+let skipped = 0;
+
+for (const name of readdirSync(SKILLS_DIR)) {
+  const dir = join(SKILLS_DIR, name);
+  const skillMd = join(dir, "SKILL.md");
+  const tmplMd = join(dir, "SKILL.md.tmpl");
+
+  if (name.startsWith("_")) continue;
+  if (!existsSync(skillMd)) continue;
+  if (existsSync(tmplMd)) {
+    skipped++;
+    continue;
+  }
+
+  let content = readFileSync(skillMd, "utf8");
+
+  // Replace skill name in title: # tfx-foo — Title -> # {{SKILL_NAME}} — Title
+  content = content.replace(
+    new RegExp(`^(# )${name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}( —)`, "m"),
+    "$1{{SKILL_NAME}}$2",
+  );
+
+  // Remove expanded base block if present
+  if (BASE_BLOCK_RE.test(content)) {
+    content = content.replace(BASE_BLOCK_RE, "\n\n{{> base}}\n\n");
+  } else {
+    // Insert {{> base}} after the title line
+    content = content.replace(/^(# .+\n)/, "$1\n{{> base}}\n");
+  }
+
+  writeFileSync(tmplMd, content);
+  converted++;
+  console.log(`✅ ${name}`);
+}
+
+console.log(
+  `\nConverted: ${converted}, Skipped (already has .tmpl): ${skipped}`,
+);

package/scripts/cross-review-gate.mjs

@@ -2,17 +2,17 @@
 
 import { existsSync, readFileSync, unlinkSync } from "node:fs";
 import { join } from "node:path";
-import { nudge, deny } from "./lib/hook-utils.mjs";
 import {
-  readStdin,
-  parseJson,
+  expectedReviewer,
   nowSec,
+  parseJson,
+  readStdin,
   resolveBaseDir,
-  shouldTrackPath,
-  expectedReviewer,
   SESSION_TTL_SEC,
   STATE_REL_PATH,
+  shouldTrackPath,
 } from "./lib/cross-review-utils.mjs";
+import { deny, nudge } from "./lib/hook-utils.mjs";
 
 function loadState(statePath) {
   if (!existsSync(statePath)) return null;
@@ -84,17 +84,37 @@ async function main() {
 
     // tracker가 설정한 self_approved 플래그 명시적 체크
     if (meta.self_approved === true) {
-      selfApproved.push({ path, author, reviewer: meta.reviewer || author, expectedReviewer: requiredReviewer });
+      selfApproved.push({
+        path,
+        author,
+        reviewer: meta.reviewer || author,
+        expectedReviewer: requiredReviewer,
+      });
       continue;
     }
 
     if (reviewed && reviewer && reviewer === author) {
-      selfApproved.push({ path, author, reviewer, expectedReviewer: requiredReviewer });
+      selfApproved.push({
+        path,
+        author,
+        reviewer,
+        expectedReviewer: requiredReviewer,
+      });
       continue;
     }
 
-    if (reviewed && requiredReviewer && reviewer && reviewer !== requiredReviewer) {
-      selfApproved.push({ path, author, reviewer, expectedReviewer: requiredReviewer });
+    if (
+      reviewed &&
+      requiredReviewer &&
+      reviewer &&
+      reviewer !== requiredReviewer
+    ) {
+      selfApproved.push({
+        path,
+        author,
+        reviewer,
+        expectedReviewer: requiredReviewer,
+      });
       continue;
     }
 
@@ -105,18 +125,21 @@ async function main() {
 
   if (selfApproved.length > 0) {
     const lines = selfApproved
-      .map((item) => `  * ${item.path} (author=${item.author}, reviewer=${item.reviewer}, required=${item.expectedReviewer || "n/a"})`)
+      .map(
+        (item) =>
+          `  * ${item.path} (author=${item.author}, reviewer=${item.reviewer}, required=${item.expectedReviewer || "n/a"})`,
+      )
       .join("\n");
     deny(
       `[cross-review] self-approve 차단: 동일/비허용 reviewer가 감지되었습니다.\n${lines}\n` +
-      "규칙: author=claude -> reviewer=codex, author=codex -> reviewer=claude",
+        "규칙: author=claude -> reviewer=codex, author=codex -> reviewer=claude",
     );
   }
 
   if (pending.length > 0) {
     nudge(
       `[cross-review] git commit 전에 교차 검증이 필요합니다.\n${summarizePending(pending)}\n` +
-      "규칙: author=claude -> reviewer=codex, author=codex -> reviewer=claude",
+        "규칙: author=claude -> reviewer=codex, author=codex -> reviewer=claude",
     );
   }
 

package/scripts/cross-review-tracker.mjs

@@ -1,16 +1,22 @@
 #!/usr/bin/env node
 
-import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
+import {
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  unlinkSync,
+  writeFileSync,
+} from "node:fs";
 import { dirname, isAbsolute, join, relative } from "node:path";
 import {
-  readStdin,
-  parseJson,
+  expectedReviewer,
   nowSec,
+  parseJson,
+  readStdin,
   resolveBaseDir,
-  shouldTrackPath,
-  expectedReviewer,
   SESSION_TTL_SEC,
   STATE_REL_PATH,
+  shouldTrackPath,
 } from "./lib/cross-review-utils.mjs";
 
 function resolveStatePath(baseDir) {
@@ -39,7 +45,8 @@ function loadState(statePath) {
     }
 
     return {
-      files: parsed?.files && typeof parsed.files === "object" ? parsed.files : {},
+      files:
+        parsed?.files && typeof parsed.files === "object" ? parsed.files : {},
       session_start: sessionStart,
     };
   } catch {
@@ -69,7 +76,8 @@ function normalizePath(filePath, baseDir) {
 
 function extractFilePath(toolInput) {
   if (!toolInput || typeof toolInput !== "object") return "";
-  const candidate = toolInput.file_path ?? toolInput.path ?? toolInput.filePath ?? "";
+  const candidate =
+    toolInput.file_path ?? toolInput.path ?? toolInput.filePath ?? "";
   return typeof candidate === "string" ? candidate : "";
 }
 
@@ -81,7 +89,12 @@ function extractCandidatePaths(payload, baseDir) {
     const trimmed = value.trim();
     if (!trimmed || /\s/.test(trimmed)) return false;
     if (trimmed.length > 260) return false;
-    if (!trimmed.includes(".") && !trimmed.includes("/") && !trimmed.includes("\\")) return false;
+    if (
+      !trimmed.includes(".") &&
+      !trimmed.includes("/") &&
+      !trimmed.includes("\\")
+    )
+      return false;
     return /^[./\\A-Za-z0-9_-]/.test(trimmed);
   };
 

package/scripts/demo.mjs

@@ -3,14 +3,6 @@
 import childProcess from "node:child_process";
 import { parseArgs } from "node:util";
 
-const { values: flags } = parseArgs({
-  options: {
-    "dry-run": { type: "boolean", default: false },
-    keep: { type: "boolean", default: false },
-  },
-  strict: false,
-});
-
 const SESSION_NAME = "triflux-demo";
 
 const WORKERS = [
@@ -46,7 +38,10 @@ const WORKERS = [
 export function checkPsmux(opts = {}) {
   if (opts.dryRun) return false;
   try {
-    childProcess.execFileSync("psmux", ["-V"], { encoding: "utf8", stdio: "pipe" });
+    childProcess.execFileSync("psmux", ["-V"], {
+      encoding: "utf8",
+      stdio: "pipe",
+    });
     return true;
   } catch {
     return false;
@@ -60,9 +55,19 @@ export function createDemoSession(sessionName, opts = {}) {
     console.log(`[dry-run] psmux split-window -h -t ${sessionName}`);
     return;
   }
-  childProcess.execFileSync("psmux", ["new-session", "-d", "-s", sessionName], { stdio: "pipe" });
-  childProcess.execFileSync("psmux", ["split-window", "-h", "-t", sessionName], { stdio: "pipe" });
-  childProcess.execFileSync("psmux", ["split-window", "-h", "-t", sessionName], { stdio: "pipe" });
+  childProcess.execFileSync("psmux", ["new-session", "-d", "-s", sessionName], {
+    stdio: "pipe",
+  });
+  childProcess.execFileSync(
+    "psmux",
+    ["split-window", "-h", "-t", sessionName],
+    { stdio: "pipe" },
+  );
+  childProcess.execFileSync(
+    "psmux",
+    ["split-window", "-h", "-t", sessionName],
+    { stdio: "pipe" },
+  );
 }
 
 export function simulateWorker(pane, agentName, messages, opts = {}) {
@@ -70,11 +75,19 @@ export function simulateWorker(pane, agentName, messages, opts = {}) {
   for (const msg of messages) {
     const escapedMsg = msg.replace(/'/g, "'\\''");
     if (opts.dryRun) {
-      console.log(`[dry-run] psmux send-keys -t ${sessionName}:0.${pane} "echo '${escapedMsg}'" Enter`);
+      console.log(
+        `[dry-run] psmux send-keys -t ${sessionName}:0.${pane} "echo '${escapedMsg}'" Enter`,
+      );
     } else {
       childProcess.execFileSync(
         "psmux",
-        ["send-keys", "-t", `${sessionName}:0.${pane}`, `echo '${escapedMsg}'`, "Enter"],
+        [
+          "send-keys",
+          "-t",
+          `${sessionName}:0.${pane}`,
+          `echo '${escapedMsg}'`,
+          "Enter",
+        ],
         { stdio: "pipe" },
       );
     }
@@ -102,7 +115,9 @@ export function cleanup(sessionName, opts = {}) {
     return;
   }
   try {
-    childProcess.execFileSync("psmux", ["kill-session", "-t", sessionName], { stdio: "pipe" });
+    childProcess.execFileSync("psmux", ["kill-session", "-t", sessionName], {
+      stdio: "pipe",
+    });
   } catch {
     // session may already be gone
   }
@@ -143,7 +158,7 @@ async function main() {
   if (!opts.dryRun) {
     await wait(2000);
   }
-  
+
   showSummary();
 
   if (!opts.keep) {
@@ -155,7 +170,10 @@ async function main() {
 // Normalize both paths to forward-slash for cross-platform comparison
 function isDirectExec() {
   if (!process.argv[1]) return false;
-  const scriptPath = new URL(import.meta.url).pathname.replace(/^\/([A-Za-z]:)/, "$1");
+  const scriptPath = new URL(import.meta.url).pathname.replace(
+    /^\/([A-Za-z]:)/,
+    "$1",
+  );
   const argv1 = process.argv[1].replace(/\\/g, "/");
   const norm = scriptPath.replace(/\\/g, "/");
   return argv1 === norm || argv1.endsWith(norm);