⚡ 성능 최적화: EventList Row 컴포넌트에 React.memo 적용

.github/workflows/ci.yml

@@ -26,3 +26,5 @@ jobs:
           JWT_SECRET: "ci-placeholder-jwt-secret-min-32-chars"
           DATABASE_URL: "postgresql://placeholder:placeholder@localhost:5432/placeholder"
           DIRECT_URL: "postgresql://placeholder:placeholder@localhost:5432/placeholder"
+          ADMIN_USERNAME: "ci-admin"
+          ADMIN_PASSWORD: "ci-admin-password"

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  dependency-review:
+    name: dependency-review
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Dependency review
+        continue-on-error: true
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: moderate
+      - name: Dependency review availability note
+        if: always()
+        run: |
+          echo "Dependency Review requires GitHub Dependency Graph to be enabled for this repository."
+          echo "OSV-Scanner remains the blocking dependency vulnerability gate."

.github/workflows/osvscanner.yml

@@ -0,0 +1,24 @@
+name: OSV-Scanner
+
+on:
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  scan:
+    name: scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - name: Run OSV-Scanner
+        uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2
+        with:
+          scan-args: |-
+            --recursive
+            .

.gitignore

@@ -13,3 +13,4 @@ backups/
 persuasion-data/runs/
 __pycache__/
 *.pyc
+.jules/

.pnpmfile.cjs

@@ -0,0 +1,11 @@
+module.exports = {
+  hooks: {
+    readPackage(pkg) {
+      if (pkg.name === 'next' && pkg.version === '15.5.18') {
+        pkg.dependencies = pkg.dependencies || {}
+        pkg.dependencies.postcss = '8.5.15'
+      }
+      return pkg
+    },
+  },
+}

package.json

@@ -10,7 +10,7 @@
   "devDependencies": {
     "@eslint/eslintrc": "^3",
     "eslint": "^9",
-    "turbo": "^2",
+    "turbo": "^2.9.16",
     "typescript-eslint": "^8"
   },
   "packageManager": "pnpm@9.15.4+sha512.b2dc20e2fc72b3e18848459b37359a32064663e5627a51e4c74b2c29dd8e8e0491483c3abb40789cfd578bf362fb6ba8261b05f0387d76792ed6e23ea3b1b6a0"

packages/cli/package.json

@@ -29,7 +29,7 @@
     "@argos/shared": "workspace:*",
     "@types/node": "^20",
     "typescript": "^5",
-    "vitest": "^2.1.9"
+    "vitest": "^3.2.6"
   },
   "engines": {
     "node": ">=18"

packages/cli/src/lib/event-sender.test.ts

@@ -2,13 +2,18 @@ import { describe, it, expect, beforeAll } from 'vitest'
 import { buildSelfHealScript } from './event-sender.js'
 
 const TMP_FILE = '/tmp/argos-test-payload.json'
+const TMP_DIR = '/tmp/argos-test-dir'
 const PROJECT_JSON_PATH = '/repo/.argos/project.json'
 
 describe('buildSelfHealScript', () => {
   let script: string
 
   beforeAll(() => {
-    script = buildSelfHealScript({ tmpFile: TMP_FILE, projectJsonPath: PROJECT_JSON_PATH })
+    script = buildSelfHealScript({
+      tmpFile: TMP_FILE,
+      tmpDir: TMP_DIR,
+      projectJsonPath: PROJECT_JSON_PATH,
+    })
   })
 
   it('returns a non-empty string', () => {
@@ -34,6 +39,19 @@ describe('buildSelfHealScript', () => {
     expect(script).toContain('renameSync')
   })
 
+  it('holds an inter-process lock while rewriting project.json', () => {
+    expect(script).toContain(`const lockDir=${JSON.stringify(PROJECT_JSON_PATH)}+'.lock'`)
+    const mkdirIdx = script.indexOf('fs.mkdirSync(lockDir)')
+    const readIdx = script.indexOf(`JSON.parse(fs.readFileSync(${JSON.stringify(PROJECT_JSON_PATH)},'utf8'))`)
+    const renameIdx = script.indexOf(`fs.renameSync(atomicTmp,${JSON.stringify(PROJECT_JSON_PATH)})`)
+    const releaseIdx = script.indexOf('fs.rmdirSync(lockDir)')
+
+    expect(mkdirIdx).toBeGreaterThanOrEqual(0)
+    expect(readIdx).toBeGreaterThan(mkdirIdx)
+    expect(renameIdx).toBeGreaterThan(readIdx)
+    expect(releaseIdx).toBeGreaterThan(renameIdx)
+  })
+
   it('(d) contains res.status !== 202 guard', () => {
     expect(script).toContain('res.status!==202')
   })
@@ -76,6 +94,15 @@ describe('buildSelfHealScript', () => {
     expect(afterFinally).toContain('unlinkSync')
   })
 
+  it('cleans up the private tmp directory in finally block', () => {
+    const finallyIdx = script.indexOf('finally')
+    const afterFinally = script.slice(finallyIdx)
+    expect(afterFinally).toContain(TMP_DIR)
+    expect(afterFinally).toContain('rmSync')
+    expect(afterFinally).toContain('recursive:true')
+    expect(afterFinally).toContain('force:true')
+  })
+
   it('is wrapped in an async IIFE', () => {
     expect(script).toContain('async()')
   })

packages/cli/src/lib/event-sender.ts

@@ -1,4 +1,4 @@
-import { existsSync, unlinkSync, writeFileSync } from 'fs'
+import { mkdtempSync, rmSync, writeFileSync } from 'fs'
 import { join } from 'path'
 import { tmpdir } from 'os'
 import { spawn } from 'child_process'
@@ -48,13 +48,16 @@ export interface SendEventBackgroundOpts {
  */
 export function buildSelfHealScript({
   tmpFile,
+  tmpDir,
   projectJsonPath,
 }: {
   tmpFile: string
+  tmpDir?: string
   projectJsonPath: string
 }): string {
   // Serialize paths as JSON so they are safely embedded in the script string.
   const tmpFileJson = JSON.stringify(tmpFile)
+  const tmpDirJson = tmpDir ? JSON.stringify(tmpDir) : 'null'
   const projectJsonPathJson = JSON.stringify(projectJsonPath)
 
   return [
@@ -75,24 +78,32 @@ export function buildSelfHealScript({
     `if(!body||!body.project||typeof body.project.id!=='string'||typeof body.project.orgId!=='string'||typeof body.project.orgSlug!=='string')return;`,
     // Step 5: Guard — must be for the same project (cross-project contamination check)
     `if(body.project.id!==currentConfig.projectId)return;`,
-    // Step 6: Re-read projectJsonPath (race protection for concurrent hooks)
+    // Step 6: Acquire a project-local lock before re-reading and rewriting.
+    // mkdirSync is atomic across processes and prevents concurrent self-heal
+    // writers from overwriting each other's updates between read and rename.
+    `const lockDir=${projectJsonPathJson}+'.lock';`,
+    `let locked=false;`,
+    `for(let i=0;i<20;i++){try{fs.mkdirSync(lockDir);locked=true;break;}catch(e){if(!e||e.code!=='EEXIST')return;await new Promise(r=>setTimeout(r,25));}}`,
+    `if(!locked)return;`,
+    `let atomicTmp;`,
+    `try{`,
+    // Step 7: Re-read projectJsonPath (race protection for concurrent hooks)
     `let latest;`,
     `try{latest=JSON.parse(fs.readFileSync(${projectJsonPathJson},'utf8'));}catch{return;}`,
-    // Step 7: Guard — projectId must still match after re-read
+    // Step 8: Guard — projectId must still match after re-read
     `if(latest.projectId!==body.project.id)return;`,
-    // Step 8: No-op if already up to date (idempotent)
+    // Step 9: No-op if already up to date (idempotent)
     `if(latest.orgId===body.project.orgId&&latest.orgSlug===body.project.orgSlug)return;`,
-    // Step 9: Merge new orgId/orgSlug, preserving all other fields and key order
+    // Step 10: Merge new orgId/orgSlug, preserving all other fields and key order
     `const updated={...latest,orgId:body.project.orgId,orgSlug:body.project.orgSlug};`,
-    // Step 10: Atomic write via tmp + renameSync
-    `const atomicTmp=${projectJsonPathJson}+'.tmp.'+process.pid+'.'+Math.random().toString(36).slice(2);`,
-    `try{`,
+    // Step 11: Atomic write via tmp + renameSync
+    `atomicTmp=${projectJsonPathJson}+'.tmp.'+process.pid+'.'+Math.random().toString(36).slice(2);`,
     `fs.writeFileSync(atomicTmp,JSON.stringify(updated,null,2),'utf8');`,
     `fs.renameSync(atomicTmp,${projectJsonPathJson});`,
-    `}catch{try{fs.unlinkSync(atomicTmp);}catch{}}`,
+    `}catch{try{if(atomicTmp)fs.unlinkSync(atomicTmp);}catch{}}finally{try{fs.rmdirSync(lockDir);}catch{}}`,
     `}catch{}`,
-    // Cleanup tmp file in finally (runs whether self-heal succeeded or any early return)
-    `finally{try{fs.unlinkSync(${tmpFileJson});}catch{}}`,
+    // Cleanup tmp file/dir in finally (runs whether self-heal succeeded or any early return)
+    `finally{try{fs.unlinkSync(${tmpFileJson});}catch{};if(${tmpDirJson})try{fs.rmSync(${tmpDirJson},{recursive:true,force:true});}catch{}}`,
     `})()`,
   ].join('')
 }
@@ -109,22 +120,26 @@ export function buildSelfHealScript({
 export function sendEventBackground(opts: SendEventBackgroundOpts): void {
   const { url, token, payload, projectJsonPath, currentConfig } = opts
 
-  const tmpFile = join(tmpdir(), `argos-${Date.now()}-${Math.random().toString(36).slice(2)}.json`)
+  let tmpDir: string | undefined
   try {
+    tmpDir = mkdtempSync(join(tmpdir(), 'argos-'))
+    const tmpFile = join(tmpDir, 'payload.json')
     writeFileSync(
       tmpFile,
       JSON.stringify({ url, token, payload, projectJsonPath, currentConfig }),
       'utf8',
     )
 
-    const script = buildSelfHealScript({ tmpFile, projectJsonPath })
+    const script = buildSelfHealScript({ tmpFile, tmpDir, projectJsonPath })
 
     const child = spawn(process.execPath, ['-e', script], {
       detached: true,
       stdio: 'ignore',
     })
     child.unref()
   } catch {
-    try { if (existsSync(tmpFile)) unlinkSync(tmpFile) } catch {}
+    try {
+      if (tmpDir) rmSync(tmpDir, { recursive: true, force: true })
+    } catch {}
   }
 }

packages/cli/src/lib/project.test.ts

@@ -0,0 +1,39 @@
+import { afterEach, describe, expect, it } from 'vitest'
+import { mkdtempSync, mkdirSync, realpathSync, rmSync } from 'fs'
+import { join, resolve } from 'path'
+import { tmpdir } from 'os'
+import { findProjectConfigWithPath, writeProjectConfig } from './project.js'
+
+const originalCwd = process.cwd()
+
+afterEach(() => {
+  process.chdir(originalCwd)
+})
+
+describe('findProjectConfigWithPath', () => {
+  it('resolves relative startDir segments before walking parent directories', () => {
+    const tmpRoot = mkdtempSync(join(tmpdir(), 'argos-project-test-'))
+
+    try {
+      const repoRoot = join(tmpRoot, 'repo')
+      const nestedDir = join(repoRoot, 'packages', 'cli')
+      mkdirSync(nestedDir, { recursive: true })
+      writeProjectConfig({
+        projectId: 'project-1',
+        orgId: 'org-1',
+        orgName: 'Org',
+        projectName: 'Project',
+      }, repoRoot)
+
+      process.chdir(repoRoot)
+
+      const result = findProjectConfigWithPath('packages/../packages/cli')
+
+      expect(result?.config.projectId).toBe('project-1')
+      expect(result?.configPath).toBe(realpathSync(resolve(repoRoot, '.argos', 'project.json')))
+    } finally {
+      process.chdir(originalCwd)
+      rmSync(tmpRoot, { recursive: true, force: true })
+    }
+  })
+})

packages/cli/src/lib/project.ts

@@ -1,4 +1,4 @@
-import { dirname, join } from 'path'
+import { dirname, join, resolve } from 'path'
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs'
 import { normalizeApiUrl } from './config.js'
 
@@ -22,7 +22,7 @@ export interface ProjectConfig {
 export function findProjectConfigWithPath(
   startDir?: string,
 ): { config: ProjectConfig; configPath: string } | null {
-  let currentDir = startDir || process.cwd()
+  let currentDir = resolve(startDir || process.cwd())
   let depth = 0
   const maxDepth = 10
 

packages/web/.env.example

@@ -4,3 +4,5 @@ AUTH_SECRET=replace-with-min-32-char-random-string
 DATABASE_URL="postgresql://postgres.[project]:[password]@aws-0-ap-northeast-1.pooler.supabase.com:6543/postgres?pgbouncer=true"
 DIRECT_URL="postgresql://postgres.[project]:[password]@db.uwxfseowdzuuepeeudrx.supabase.co:5432/postgres"
 JWT_SECRET="replace-with-32-char-minimum-random-string"
+ADMIN_USERNAME="admin"
+ADMIN_PASSWORD="replace-with-secure-admin-password"

packages/web/package.json

@@ -35,7 +35,7 @@
     "recharts": "^2",
     "remark-gfm": "^4.0.1",
     "server-only": "^0.0.1",
-    "shadcn": "^4.2.0",
+    "shadcn": "^4.10.0",
     "tailwind-merge": "^3.5.0",
     "tw-animate-css": "^1.4.0",
     "zod": "^3"
@@ -51,6 +51,6 @@
     "prisma": "^6",
     "tailwindcss": "^4",
     "typescript": "^5",
-    "vitest": "^2.1.9"
+    "vitest": "^3.2.6"
   }
 }

packages/web/src/app/api/orgs/[orgSlug]/dashboard/sessions/[sessionId]/route.ts

@@ -43,18 +43,25 @@ export async function GET(
       return forbiddenByRole(access.role, '본인 세션만 열람 가능')
     }
 
-    const totalInput = session.usageRecords.reduce((sum, r) => sum + r.inputTokens, 0)
-    const totalOutput = session.usageRecords.reduce((sum, r) => sum + r.outputTokens, 0)
-    const totalCost = session.usageRecords.reduce((sum, r) => sum + (r.estimatedCostUsd ?? 0), 0)
-
-    const usageTimeline: SessionTimelineUsage[] = session.usageRecords.map((r) => ({
-      timestamp: r.timestamp.toISOString(),
-      inputTokens: r.inputTokens,
-      outputTokens: r.outputTokens,
-      estimatedCostUsd: r.estimatedCostUsd ?? 0,
-      model: r.model,
-      isSubagent: r.isSubagent,
-    }))
+    let totalInput = 0
+    let totalOutput = 0
+    let totalCost = 0
+    const usageTimeline: SessionTimelineUsage[] = new Array(session.usageRecords.length)
+
+    for (let i = 0; i < session.usageRecords.length; i++) {
+      const r = session.usageRecords[i]
+      totalInput += r.inputTokens
+      totalOutput += r.outputTokens
+      totalCost += r.estimatedCostUsd ?? 0
+      usageTimeline[i] = {
+        timestamp: r.timestamp.toISOString(),
+        inputTokens: r.inputTokens,
+        outputTokens: r.outputTokens,
+        estimatedCostUsd: r.estimatedCostUsd ?? 0,
+        model: r.model,
+        isSubagent: r.isSubagent,
+      }
+    }
 
     // 각 UsageRecord를 "직전 ASSISTANT 턴"에 귀속시켜 메시지별 토큰/비용/모델 집계.
     // TOOL 메시지는 건너뛰고 가장 가까운 선행 ASSISTANT로 타고 올라감.

packages/web/src/app/api/orgs/[orgSlug]/dashboard/sessions/route.ts

@@ -33,14 +33,17 @@ const sessionInclude = {
 type SessionWithInclude = Prisma.ClaudeSessionGetPayload<{ include: typeof sessionInclude }>
 
 function getSessionTotals(session: SessionWithInclude) {
-  return {
-    inputTokens: session.usageRecords.reduce((sum, r) => sum + r.inputTokens, 0),
-    outputTokens: session.usageRecords.reduce((sum, r) => sum + r.outputTokens, 0),
-    estimatedCostUsd: session.usageRecords.reduce(
-      (sum, r) => sum + (r.estimatedCostUsd ?? 0),
-      0,
-    ),
+  let inputTokens = 0
+  let outputTokens = 0
+  let estimatedCostUsd = 0
+
+  for (const r of session.usageRecords) {
+    inputTokens += r.inputTokens
+    outputTokens += r.outputTokens
+    estimatedCostUsd += r.estimatedCostUsd ?? 0
   }
+
+  return { inputTokens, outputTokens, estimatedCostUsd }
 }
 
 function mapSessionItem(session: SessionWithInclude): SessionItem {