codeprobe-scanner 1.0.5 → 1.0.7

package/bin/codeprobe.cjs

@@ -40,7 +40,7 @@ if (!bunCmd) {
 
 // Run the CLI
 const args = process.argv.slice(2);
-const cmd = `${bunCmd} run ${path.join(packageRoot, 'src/cli-server.ts')} ${args.join(' ')}`;
+const cmd = `${bunCmd} run ${path.join(packageRoot, 'src/cli/index.ts')} ${args.join(' ')}`;
 
 try {
   execSync(cmd, {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeprobe-scanner",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "description": "Automated vulnerability scanner with exploit verification and video evidence",
   "type": "module",
   "bin": {

package/src/cli/commands/scan.ts

@@ -8,6 +8,7 @@ import { handleError, CodeProbeError } from '../errors.js';
 import { generateScanId, formatRiskScore, msToHuman } from '../../shared/utils.js';
 import { Report } from '../../shared/types.js';
 import { createEngine } from '../../engine/index.js';
+import { getConfig } from '../config.js';
 
 interface ScanOptions {
   fix: boolean;
@@ -104,10 +105,26 @@ export async function scanCommand(args: string[]): Promise<void> {
 
   logger.printHeader();
 
+  // Check for required API key
+  const brightDataKey = process.env.BRIGHT_DATA_API_KEY || await getConfig("bright_data_api_key");
+  if (!brightDataKey) {
+    console.log(chalk.yellow('\n⚠️  No Bright Data API key configured.'));
+    console.log(chalk.dim('   CVE lookup requires a Bright Data account (free tier available).'));
+    console.log(chalk.dim('   Get a key at: https://brightdata.com'));
+    console.log('');
+    console.log(chalk.cyan('   To configure:'));
+    console.log(chalk.white('   codeprobe config set bright_data_api_key <your-key>'));
+    console.log('');
+    console.log(chalk.dim('   Optional keys for full functionality:'));
+    console.log(chalk.dim('   codeprobe config set daytona_api_key <key>    # exploit verification'));
+    console.log(chalk.dim('   codeprobe config set kimi_api_key <key>       # AI patch generation'));
+    console.log('');
+    process.exit(EXIT_CODES.SCAN_FAILED);
+  }
+
   const startTime = Date.now();
 
   try {
-    // Initialize engine
     const engine = createEngine();
 
     // Run the actual engine scan (not mocked)

package/src/engine/patcher.ts

@@ -1,6 +1,7 @@
 import { ScanCVE } from "../shared/types";
 import { PATHS, DEMO_CVE } from "../shared/constants";
 import axios from "axios";
+import { getConfig } from "../cli/config.js";
 
 interface PatchData {
   cve_id: string;
@@ -13,12 +14,14 @@ interface PatchData {
 
 export class PatchGenerator {
   private patches: Map<string, PatchData> = new Map();
-  private kimiApiKey: string;
-  private nosanaApiKey: string;
-
-  constructor() {
-    this.kimiApiKey = process.env.KIMI_API_KEY || "";
-    this.nosanaApiKey = process.env.NOSANA_API_KEY || "";
+  private kimiApiKey: string = "";
+  private nosanaApiKey: string = "";
+
+  private async resolveKeys(): Promise<void> {
+    this.kimiApiKey = process.env.KIMI_API_KEY
+      || (typeof await getConfig("kimi_api_key") === "string" ? await getConfig("kimi_api_key") as string : "");
+    this.nosanaApiKey = process.env.NOSANA_API_KEY
+      || (typeof await getConfig("nosana_api_key") === "string" ? await getConfig("nosana_api_key") as string : "");
   }
 
   async loadPrebakedPatches(): Promise<void> {
@@ -62,7 +65,8 @@ export class PatchGenerator {
   }
 
   async generatePatch(cve: ScanCVE): Promise<string | null> {
-    // Try to get prebaked patch first
+    await this.resolveKeys();
+
     const prebakedPatch = this.patches.get(cve.id);
     if (prebakedPatch) {
       cve.patch_diff = prebakedPatch.diff;

package/src/engine/sandbox.ts

@@ -2,34 +2,36 @@ import { Daytona } from "@daytona/sdk";
 import { SandboxResult } from "../shared/types";
 import { TIMEOUTS, RETRY_CONFIG, DEMO_CVE } from "../shared/constants";
 import { createVideoDBRecorder } from "../integrations/videodb";
+import { getConfig } from "../cli/config.js";
 
 export class SandboxOrchestrator {
-  private apiKey: string;
+  private apiKey: string = "";
   private daytonaClient: Daytona | null = null;
   private useDaytona: boolean = false;
   private videoRecorder = createVideoDBRecorder();
 
-  constructor() {
-    this.apiKey = process.env.DAYTONA_API_KEY || "";
+  private async resolveApiKey(): Promise<string> {
+    if (process.env.DAYTONA_API_KEY) return process.env.DAYTONA_API_KEY;
+    const stored = await getConfig("daytona_api_key");
+    return typeof stored === "string" ? stored : "";
+  }
 
-    // Initialize Daytona if API key is available
+  async initialize(): Promise<void> {
+    this.apiKey = await this.resolveApiKey();
     if (this.apiKey && this.apiKey.startsWith("dtn_")) {
       try {
         this.daytonaClient = new Daytona({ apiKey: this.apiKey });
         this.useDaytona = true;
         console.log("[Daytona] ✓ Real sandbox enabled");
-      } catch (error) {
-        console.warn("[Daytona] ⚠️ Failed to initialize, will use local simulation:",
-          error instanceof Error ? error.message : String(error));
+      } catch {
         this.useDaytona = false;
       }
-    } else {
-      console.log("[Daytona] Using simulated sandbox (no API key provided)");
     }
   }
 
   async runExploit(packageName: string, version: string, cveId: string): Promise<SandboxResult> {
-    // Only support ejs RCE for now
+    if (!this.apiKey) await this.initialize();
+
     if (packageName === DEMO_CVE.package && cveId === DEMO_CVE.id) {
       if (this.useDaytona && this.daytonaClient) {
         return await this.runEjsWithDaytona(version);

package/src/engine/scraper.ts

@@ -1,27 +1,33 @@
 import axios from "axios";
 import { CVE, ScrapeResult } from "../shared/types";
 import { API_ENDPOINTS, TIMEOUTS, PATHS, DEMO_CVE } from "../shared/constants";
+import { getConfig } from "../cli/config.js";
 
 export class CVEScraper {
-  private apiKey: string;
+  private apiKey: string = "";
   private cache: Map<string, CVE> = new Map();
 
-  constructor() {
-    this.apiKey = process.env.BRIGHT_DATA_API_KEY || "";
+  private async resolveApiKey(): Promise<string> {
+    if (process.env.BRIGHT_DATA_API_KEY) return process.env.BRIGHT_DATA_API_KEY;
+    const stored = await getConfig("bright_data_api_key");
+    return typeof stored === "string" ? stored : "";
   }
 
   async scrapeForCVEs(packageName: string, version: string): Promise<CVE[]> {
-    // For MVP, we'll focus on the demo CVE (ejs)
+    this.apiKey = await this.resolveApiKey();
+
     if (packageName === DEMO_CVE.package) {
       return [this.buildDemoCVE()];
     }
 
-    // For other packages, try to fetch from Bright Data or use fallback
+    if (!this.apiKey) {
+      return [];
+    }
+
     try {
       return await this.fetchFromBrightData(packageName, version);
     } catch (error) {
-      console.warn(`Bright Data fetch failed for ${packageName}: using cache`);
-      return await this.loadFromCache();
+      return [];
     }
   }
 

package/src/integrations/videodb.ts

@@ -1,5 +1,3 @@
-import { VideoDb } from "videodb";
-
 interface ExploitVideoRecord {
   cveId: string;
   package: string;
@@ -11,7 +9,7 @@ interface ExploitVideoRecord {
 }
 
 export class VideoDBRecorder {
-  private videoDb: VideoDb | null = null;
+  private videoDb: any = null;
   private apiKey: string;
   private recordedVideos: Map<string, ExploitVideoRecord> = new Map();
 
@@ -22,15 +20,18 @@ export class VideoDBRecorder {
 
   private initializeVideoDB(): void {
     if (!this.apiKey) {
-      console.warn("[VideoDB] API key not found, video recording disabled");
       return;
     }
 
     try {
-      this.videoDb = new VideoDb({ apiKey: this.apiKey });
-      console.log("[VideoDB] ✓ Initialized - exploit recordings enabled");
-    } catch (error) {
-      console.warn("[VideoDB] Failed to initialize:", error instanceof Error ? error.message : String(error));
+      const videodb = require("videodb");
+      const Constructor = videodb.VideoDb || videodb.Connection || videodb.connect;
+      if (typeof Constructor === "function") {
+        this.videoDb = new Constructor({ apiKey: this.apiKey });
+        console.log("[VideoDB] ✓ Initialized - exploit recordings enabled");
+      }
+    } catch {
+      // VideoDB unavailable, video recording disabled
     }
   }