fix: 代码审查修复 — 安全、性能和正确性

- triggersApi: 添加 assertSubscriptionBaseUrl 防止 OAuth token 泄露 - claude.ts: 修复流式响应 O(n^2) 字符串拼接，改用数组累积 - claude.ts: 移除未使用的 import，动态 import 改为静态 import - StatusLine: BuiltinStatusLine 仅在 statusLineEnabled 时显示，修复双行问题 - local-vault: 修复 --reveal 标志位置解析 bug - share: 修复 sk-proj-* OpenAI 密钥未脱敏问题 - store.ts: 临时文件改用同目录创建，避免跨文件系统 rename 失败 - store.ts: 添加空字符串 key 校验 - permissionValidation: 端口正则限制为有效 TCP 范围 0-65535 - 测试 mock 补全: schedule/vault/skill-store 测试文件 - 移除过期的 biome-ignore 注释 Co-Authored-By: glm-5-turbo <zai-org@claude-code-best.win>
2026-06-17 22:05:50 +00:00 · 2026-05-10 09:39:34 +08:00
parent 4f493c83fc
commit 82be5ff05b
12 changed files with 78 additions and 32 deletions
--- a/src/commands/local-vault/tests/parseArgs.test.ts
+++ b/src/commands/local-vault/tests/parseArgs.test.ts
@@ -52,6 +52,14 @@ describe('parseLocalVaultArgs', () => {
    })
  })

+  test('get with --reveal before key → reveal=true, key correctly resolved', () => {
+    expect(parseLocalVaultArgs('get --reveal MY_KEY')).toEqual({
+      action: 'get',
+      key: 'MY_KEY',
+      reveal: true,
+    })
+  })
+
  test('get without key → invalid', () => {
    const result = parseLocalVaultArgs('get')
    expect(result.action).toBe('invalid')
--- a/src/commands/local-vault/parseArgs.ts
+++ b/src/commands/local-vault/parseArgs.ts
@@ -89,7 +89,11 @@ export function parseLocalVaultArgs(args: string): LocalVaultArgs {

  // ── get ───────────────────────────────────────────────────────────────────
  if (subCmd === 'get') {
-    const key = tokens[1]
+    // Strip flags before extracting the key so that `get --reveal MY_KEY`
+    // correctly resolves MY_KEY as the key rather than --reveal.
+    const flags = ['--reveal']
+    const argsWithoutFlags = tokens.filter(t => !flags.includes(t))
+    const key = argsWithoutFlags[1] // argsWithoutFlags[0] is 'get'
    if (!key) {
      return { action: 'invalid', reason: `get requires a key name. ${USAGE}` }
    }
--- a/src/commands/schedule/tests/api.test.ts
+++ b/src/commands/schedule/tests/api.test.ts
@@ -43,6 +43,18 @@ mock.module('src/utils/teleport/api.js', () => ({
    Authorization: `Bearer ${token}`,
    'anthropic-version': '2023-06-01',
  }),
+  prepareApiRequest: async () => ({
+    accessToken: mockAccessToken,
+    orgUUID: mockOrgUUID,
+  }),
+  prepareWorkspaceApiRequest: async () => ({
+    apiKey: 'test-workspace-key',
+  }),
+}))
+mock.module('src/services/auth/hostGuard.ts', () => ({
+  assertSubscriptionBaseUrl: () => {},
+  assertWorkspaceHost: () => {},
+  assertNoAnthropicEnvForOpenAI: () => {},
 }))

 // ── Axios mock ──────────────────────────────────────────────────────────────
--- a/src/commands/schedule/triggersApi.ts
+++ b/src/commands/schedule/triggersApi.ts
@@ -14,6 +14,7 @@

 import axios from 'axios'
 import { getOauthConfig } from '../../constants/oauth.js'
+import { assertSubscriptionBaseUrl } from '../../services/auth/hostGuard.js'
 import { getOAuthHeaders, prepareApiRequest } from '../../utils/teleport/api.js'

 export type Trigger = {
@@ -85,6 +86,8 @@ async function buildHeaders(): Promise<Record<string, string>> {
      401,
    )
  }
+  // Guard the host before sending OAuth credentials to prevent token leakage.
+  assertSubscriptionBaseUrl(triggersBaseUrl())
  return {
    ...getOAuthHeaders(accessToken),
    'anthropic-beta': TRIGGERS_BETA_HEADER,
--- a/src/commands/share/index.ts
+++ b/src/commands/share/index.ts
@@ -57,7 +57,7 @@ const SECRET_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [
    replacement: '[REDACTED_ANTHROPIC_KEY]',
  },
  {
-    pattern: /\b(sk-[A-Za-z0-9]{20,})/g,
+    pattern: /\b(sk-[A-Za-z0-9_-]{20,})/g,
    replacement: '[REDACTED_API_KEY]',
  },
  // Bearer / Authorization tokens
--- a/src/commands/skill-store/tests/launchSkillStore.test.ts
+++ b/src/commands/skill-store/tests/launchSkillStore.test.ts
@@ -52,6 +52,9 @@ const realTeleportApi = await import('src/utils/teleport/api.js')
 mock.module('src/utils/teleport/api.js', () => ({
  ...realTeleportApi,
  getOAuthHeaders: (token: string) => ({ Authorization: `Bearer ${token}` }),
+  prepareWorkspaceApiRequest: async () => ({
+    apiKey: 'test-workspace-key',
+  }),
 }))

 // ── envUtils config dir injection ────────────────────────────────────────────
--- a/src/commands/vault/tests/launchVault.test.ts
+++ b/src/commands/vault/tests/launchVault.test.ts
@@ -38,6 +38,9 @@ mock.module('src/utils/teleport/api.js', () => ({
  getOAuthHeaders: (token: string) => ({
    Authorization: `Bearer ${token}`,
  }),
+  prepareWorkspaceApiRequest: async () => ({
+    apiKey: 'test-workspace-key',
+  }),
 }))

 // ── Axios mock ──────────────────────────────────────────────────────────────