// npm 패키지
@mettlecast/domain-cli
Local developer toolchain for TIB Domain Module projects. Provides build, validate, test, and dev subcommands.
버전
33
메인테이너
1
최초 publish
2026-05-11
publisher
lawrencegee
tarball
1,227,515 B
AUTO-PUBLISHED·5개 버전 인덱싱됨·최근 publish: 2026-06-04
// exfil path
what is read → where it ships
steals
- ● GitHub PAT
- ● npm token
- ○ fs recursive read
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
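evidence in excerpt (URL-building lines only: in the excerpts shown, the bucket URLs are used for GET requests, the use of SCHEMA_URL is not shown, and no code that reads a GitHub or npm token appears)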
> const SCHEMA_URL = 'https://mc-scaffold.s3.amazonaws.com/schema/manifest.v3.json';
> ? `https://${bucket}.s3.amazonaws.com`
> : `https://${bucket}.s3.${region}.amazonaws.com`;
// offending code · @0.2.32 · 3 files flagged
- @0.2.32 · AUTO-PUBLISHED · publisher: lawrencegee
  heuristic 64/100 · static flags 7 · llm skipped
  new-publisher:11d · mature-package · publisher-multi-name-burst:3 · publisher-version-pump:31
  reads-github-tokens · reads-npmrc · reads-env-vars · child-process-spawn · public-github-push · archive-then-upload · fs-recursive-read
// offending code · 3 files flagged · patterns: 7
--- package/src/cli.ts (excerpt) ---
#!/usr/bin/env node
// CLI entry point. Only the import list is visible in this excerpt: one handler
// module per subcommand under ./commands/, plus the `commander` argument parser.
import { Command } from 'commander';
import { runBuild } from './commands/build.js';
import { runValidate } from './commands/validate.js';
import { runTest } from './commands/test.js';
import { runDev } from './commands/dev.js';
import { runBuildCatalog } from './commands/build-catalog.js';
import { runAddDomain } from './commands/add-domain.js';
import { runAddApi, API_PATTERNS } from './commands/add-api.js';
import { runAddSubscriber, SUBSCRIBER_PATTERNS } from './commands/add-subscriber.js';
import { runAddFlow, FLOW_PATTERNS } from './commands/add-flow.js';
import { runAddModule } from './commands/add-module.js';
import { runBuildFlows } from './commands/build-flows.js';
import { runDoctor } from './commands/doctor.js';
import { runCheckHashes } from './commands/check-hashes.js';
import { runUpgradeBackend } from './commands/upgrade-backend.js';
import { runAddPage } from './commands/add-page.js';
import { runCreateProject } from './commands/create-project.js';
import { runUpgradeFrontend } from './commands/upgrade-frontend.js';
import { runUpgrade } from './commands/upgrade.js';
import { runAddMigration, MIGRATION_PATTERNS } from './commands/add-migration.js';
import { runAddTest } from './commands/add-test.js';
import { runUpgradeEvent } from './commands/upgrade-event.js';
import { runShowDomainCli } from './commands/show.js';
import { runAuditCli } from './commands/audit.js';
import { runExplainCli } from './commands/explain.js';
// NOTE(review): the excerpt is cut off inside the next import; nothing past this
// point of cli.ts can be assessed from this page.
import { runAddHook
--- package/src/utils/manifest.ts (excerpt) ---
import { readFile, writeFile, mkdir } from 'fs/promises';
import path from 'path';
import { cliLogger } from './logger.js';

/** How a tracked file is treated; the three values are the only ones the type allows. */
export type FilePolicy = 'managed' | 'editable' | 'seed';

/** One tracked file: its path, the module and module version it is attributed to, a sha256, and its policy. */
export interface ManifestFileEntry {
  path: string;
  module: string;
  moduleVersion: string;
  sha256: string;
  wasTemplate: boolean;
  installedAt: string;
  policy: FilePolicy;
}

/**
 * Shape of the project manifest.
 * Presumably this is what is stored at MANIFEST_PATH; the code that reads and
 * writes it is not part of this excerpt.
 */
export interface TibManifest {
  $schema: string;
  scaffoldVersion: string;
  createdAt: string;
  updatedAt: string;
  projectName: string;
  awsRegion: string;
  enabledModules: string[];
  files: ManifestFileEntry[];
}

const MANIFEST_PATH = '.mc/manifest.json';
// Fixed schema URL on an S3 bucket. Its use is not visible in this excerpt
// (presumably the value written to `$schema` — confirm).
const SCHEMA_URL = 'https://mc-scaffold.s3.amazonaws.com/schema/manifest.v3.json';

/**
 * Classifies a path into a FilePolicy by matching it against prefix and
 * file-name patterns.
 *
 * Only pattern tests on the path string are visible here; this function does not
 * read any file. The excerpt ends inside the second `return`, so the remaining
 * branches (and where 'editable' / 'seed' come from) cannot be seen.
 *
 * @param filePath - path to classify; the `^`-anchored patterns imply it is
 *   expected to be project-relative with `/` separators (TODO confirm with callers).
 * @returns 'managed' for the first group of patterns; later results are cut off.
 */
export function inferPolicyFromPath(filePath: string): FilePolicy {
  // owned: infra/, .mc/infra/, mc-deploy.yml, .github/workflows/
  // NOTE(review): the comment above says "owned" and `.mc/infra/`, but FilePolicy
  // has no 'owned' value and the pattern below tests `.tib/infra/`. One of the two
  // is stale; confirm which directory is meant.
  if (
    filePath.match(/^infra\//) ||
    filePath.match(/^\.tib\/infra\//) ||
    filePath === 'mc-deploy.yml' ||
    filePath.match(/^\.github\/workflows\//)
  ) {
    return 'managed';
  }
  // managed: core scaffold files not prefixed with infra/
  // NOTE(review): this list (together with `.github/workflows/` above) includes
  // files that influence code execution and publishing: `.husky/`, `.npmrc`,
  // `package.json`. What 'managed' permits the CLI to do with them is not shown
  // here; check the write/upgrade path before trusting an upgrade run.
  const managedFilePatterns = [
    /^CLAUDE\.md$/,
    /^\.husky\//,
    /^\.mc\/scaffold-config\.json$/,
    /^\.mc\/modules-hashes\.json$/,
    /^\.npmrc$/,
    /^cdk\.json$/,
    /^\.gitignore$/,
    /^eslint\.config\.js$/,
    /^package\.json$/,
    /^publish-knowledge\.(yml|mjs)$/,
    /^mc-destroy\.yml$/,
  ];
  if (managedFilePatterns.some((p) => p.test(filePath))) {
    return '
--- package/src/utils/s3-fetch.ts (excerpt) ---
import ky, { type KyInstance } from 'ky';
// NOTE(review): createHash is not used in the visible part of this excerpt;
// presumably fetchModuleTarball (cut off below) hashes the download — confirm.
import { createHash } from 'crypto';

/** Declared shape of `modules.json` for one scaffold version. */
export interface ModulesJson {
  scaffoldVersion: string;
  releasedAt: string;
  modules: S3ModuleEntry[];
  compatibility: {
    cliMinVersion: string;
    nodeMinVersion: string;
  };
}

/**
 * One module listed in `modules.json`.
 * NOTE(review): `sha256` arrives in the same document that names the `tarball`.
 * If both are served from the same bucket, a matching hash shows the download is
 * intact, not that the bucket content is trustworthy.
 */
export interface S3ModuleEntry {
  id: string;
  version: string;
  description: string;
  dependencies: string[];
  tarball: string;
  sha256: string;
}

/** Declared shape of `versions.json`. */
export interface VersionsJson {
  latest: string;
  versions: string[];
}

// Region is read once at module load from SCAFFOLD_BUCKET_REGION, defaulting to us-east-1.
const DEFAULT_SCAFFOLD_REGION = process.env['SCAFFOLD_BUCKET_REGION'] ?? 'us-east-1';

/**
 * Builds the https base URL for a bucket: the region-less host for us-east-1,
 * otherwise a host that includes the region.
 *
 * NOTE(review): `bucket` and the environment-supplied region are interpolated
 * into the host name without validation in this function, so whoever controls
 * either value decides which host the client contacts. Validating both against
 * S3 bucket and region naming rules before use would close that gap.
 */
function s3BaseUrl(bucket: string): string {
  const region = DEFAULT_SCAFFOLD_REGION;
  return region === 'us-east-1'
    ? `https://${bucket}.s3.amazonaws.com`
    : `https://${bucket}.s3.${region}.amazonaws.com`;
}

/**
 * Singleton ky client — re-used across all fetch functions.
 * Configured to retry GET requests up to 3 times with a 30 000 ms timeout.
 * In the visible part of this excerpt it is only ever called through `client.get`.
 */
const client: KyInstance = ky.create({
  retry: { limit: 3, methods: ['get'] },
  timeout: 30_000,
});

/**
 * GETs `versions.json` from the bucket's base URL and returns the parsed body.
 *
 * NOTE(review): the `as VersionsJson` cast is a compile-time assertion only; the
 * response is not validated at runtime, so remote content reaches callers unchecked.
 */
export async function fetchVersionsJson(bucket: string): Promise<VersionsJson> {
  const url = `${s3BaseUrl(bucket)}/versions.json`;
  return (await client.get(url).json()) as VersionsJson;
}

/**
 * GETs `versions/<version>/modules.json` from the bucket and returns the parsed body.
 * `version` is URL-encoded before it is placed in the path.
 *
 * NOTE(review): the same unvalidated `as` cast applies here as in fetchVersionsJson.
 */
export async function fetchModulesJson(bucket: string, version: string): Promise<ModulesJson> {
  const url = `${s3BaseUrl(bucket)}/versions/${encodeURIComponent(version)}/modules.json`;
  return (await client.get(url).json()) as ModulesJson;
}

// NOTE(review): the excerpt ends inside this signature, so whether the tarball is
// hashed and compared with S3ModuleEntry.sha256 before use cannot be confirmed here.
export async function fetchModuleTarball( bucket: string, version: string, tarba
