Merge pull request 'feat/refactor/kiro/fix-1' (#75) from feat/refactor/kiro/fix-1 into feat/refactor/kiro/fix

Reviewed-on: jiantw83/code-review#75

.gitea/ai-review/exclusions.json

@@ -3,5 +3,9 @@
     "role": "Rex",
     "location": "app/git.js",
     "suggestion": "請避免將敏感資料（如 GITEA_TOKEN）直接寫入環境變數"
+  },
+  {
+    "location": "app/git.js",
+    "suggestion": "GITEA_TOKEN 直接嵌入 URL 中"
   }
 ]

.gitea/ai-review/findings.json

@@ -1,37 +1 @@
-[
-  {
-    "level": "critical",
-    "role": "Rex",
-    "location": "app/git.js:14",
-    "suggestion": "請避免將 GIT_TOKEN 直接寫入腳本中，應使用安全的秘密管理工具來管理這些敏感資訊.",
-    "is_new": true
-  },
-  {
-    "level": "warning",
-    "role": "Leo",
-    "location": "app/git.js:14",
-    "suggestion": "建議在 cloneRepo 函數中增加對於 GIT_TOKEN 的安全性處理，避免敏感資訊洩漏.",
-    "is_new": true
-  },
-  {
-    "level": "warning",
-    "role": "Leo",
-    "location": "app/findings.js:93",
-    "suggestion": "建議在 loadExclusions 函式中增加對於 JSON 格式的驗證，確保讀取的資料符合預期格式，避免潛在的錯誤.",
-    "is_new": false
-  },
-  {
-    "level": "warning",
-    "role": "Leo",
-    "location": "app/findings.js:40",
-    "suggestion": "在 applyExclusions 函式中，建議增加對於 findings 和 exclusions 參數的有效性檢查，以提高程式的健壯性.",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Leo",
-    "location": "README.md",
-    "suggestion": "建議在 README 中增加對於新功能（如排除問題過濾）的詳細說明，以便未來的維護者能快速了解其功能.",
-    "is_new": true
-  }
-]
+[]

app/git.test.js

@@ -3,7 +3,7 @@ import assert from 'node:assert/strict';
 import fs from 'fs';
 import os from 'os';
 import path from 'path';
-import { commitAndPush } from './git.js';
+import { commitAndPush, cloneRepo } from './git.js';
 
 // --- helpers ---
 function makeTmpWorkspace() {
@@ -91,3 +91,59 @@ describe('commitAndPush', () => {
     await assert.doesNotReject(() => commitAndPush(workspace, failSpawn));
   });
 });
+
+describe('cloneRepo', () => {
+  let workspace;
+
+  before(() => { workspace = fs.mkdtempSync(path.join(os.tmpdir(), 'clone-test-')); });
+  after(() => { fs.rmSync(workspace, { recursive: true, force: true }); });
+
+  it('clones repo when repoDir does not exist', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone');
+    assert.ok(cloneCalled, 'expected git clone to be called');
+  });
+
+  it('fetches and checks out when repoDir already exists', () => {
+    const repoDir = path.join(workspace, 'repo');
+    fs.mkdirSync(repoDir, { recursive: true });
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone');
+    const fetchCalled = spawn.calls.some(c => c.args[0] === 'fetch');
+    assert.ok(!cloneCalled, 'clone should not run when repoDir exists');
+    assert.ok(fetchCalled, 'fetch should run when repoDir exists');
+  });
+
+  it('does not embed token in any git command argument', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    for (const { args } of spawn.calls) {
+      assert.ok(!args.join(' ').includes('test-token'), `Token leaked in git args: ${args.join(' ')}`);
+    }
+  });
+
+  it('uses GIT_ASKPASS for network operations', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const networkCalls = spawn.calls.filter(c => ['clone', 'fetch'].includes(c.args[0]));
+    assert.ok(networkCalls.length > 0, 'expected at least one network git call');
+    for (const { args, opts } of networkCalls) {
+      assert.ok(opts?.env?.GIT_ASKPASS, `GIT_ASKPASS missing for git ${args[0]}`);
+    }
+  });
+
+  it('cleans up askpass script after run', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
+    assert.equal(leftover.length, 0, 'askpass script was not cleaned up');
+  });
+
+  it('returns repoDir path', () => {
+    const spawn = makeSpawn();
+    const result = cloneRepo(workspace, spawn);
+    assert.equal(result, path.join(workspace, 'repo'));
+  });
+});