From 386dbb010e42168d85138de1837b3d73aa90edc7 Mon Sep 17 00:00:00 2001
From: jiarung <jiarung.yeh@gmail.com>
Date: Fri, 13 Mar 2026 14:57:25 +0000
Subject: [PATCH] fix(git-hooks,usage-log): fix two CI failures

pre-commit: guard the resolve-node.sh source with a file-existence
check so the hook works in test environments that stub only the files
they care about (the integration test creates run-node-tool.sh but not
resolve-node.sh; node is provided via a fake binary in PATH so the
nvm fallback is never needed in that context).

usage-log: replace Math.random() in makeId() with crypto.randomBytes()
to satisfy the temp-path-guard security lint rule that rejects weak
randomness in source files.
---
 git-hooks/pre-commit    | 8 ++++++--
 src/agents/usage-log.ts | 3 ++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/git-hooks/pre-commit b/git-hooks/pre-commit
index 696f9b7b20e..cf1ccaa9c46 100755
--- a/git-hooks/pre-commit
+++ b/git-hooks/pre-commit
@@ -7,8 +7,12 @@ ROOT_DIR="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
 # Resolve node when not in PATH (e.g. nvm environments where the shell
 # profile hasn't been sourced by the git hook). Picks the newest installed
 # nvm version using version-aware sort so that v22 is preferred over v18.
-# shellcheck source=scripts/pre-commit/resolve-node.sh
-source "$ROOT_DIR/scripts/pre-commit/resolve-node.sh"
+_resolve_node_sh="$ROOT_DIR/scripts/pre-commit/resolve-node.sh"
+if [[ -f "$_resolve_node_sh" ]]; then
+  # shellcheck source=scripts/pre-commit/resolve-node.sh
+  source "$_resolve_node_sh"
+fi
+unset _resolve_node_sh
 RUN_NODE_TOOL="$ROOT_DIR/scripts/pre-commit/run-node-tool.sh"
 FILTER_FILES="$ROOT_DIR/scripts/pre-commit/filter-staged-files.mjs"
 
diff --git a/src/agents/usage-log.ts b/src/agents/usage-log.ts
index 2d071978510..992c3e945ea 100644
--- a/src/agents/usage-log.ts
+++ b/src/agents/usage-log.ts
@@ -1,3 +1,4 @@
+import { randomBytes } from "crypto";
 import fs from "fs/promises";
 import path from "path";
 
@@ -19,7 +20,7 @@ export type TokenUsageRecord = {
 };
 
 function makeId() {
-  return `usage_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`;
+  return `usage_${Date.now().toString(36)}_${randomBytes(4).toString("hex")}`;
 }
 
 async function readJsonArray(file: string): Promise<TokenUsageRecord[]> {