crack-code 0.1.0

package/README.md

@@ -0,0 +1,15 @@
+# crack-code
+
+To install dependencies:
+
+```bash
+bun install
+```
+
+To run:
+
+```bash
+bun run src/index.ts
+```
+
+This project was created using `bun init` in bun v1.3.5. [Bun](https://bun.com) is a fast all-in-one JavaScript runtime.

package/bun.lock

@@ -0,0 +1,79 @@
+{
+  "lockfileVersion": 1,
+  "configVersion": 1,
+  "workspaces": {
+    "": {
+      "name": "crack-code",
+      "dependencies": {
+        "@ai-sdk/anthropic": "^3.0.54",
+        "@ai-sdk/google": "^3.0.37",
+        "@ai-sdk/openai": "^3.0.39",
+        "ai": "^6.0.111",
+        "gradient-string": "^3.0.0",
+        "ollama-ai-provider-v2": "^3.3.1",
+        "picocolors": "^1.1.1",
+        "zod": "^4.3.6",
+      },
+      "devDependencies": {
+        "@types/bun": "latest",
+        "@types/gradient-string": "^1.1.6",
+      },
+      "peerDependencies": {
+        "typescript": "^5",
+      },
+    },
+  },
+  "packages": {
+    "@ai-sdk/anthropic": ["@ai-sdk/anthropic@3.0.54", "", { "dependencies": { "@ai-sdk/provider": "3.0.8", "@ai-sdk/provider-utils": "4.0.17" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-UhSPZ63FsTNO7PQCfxsqJIgkij1sivU3qfXydlSd4ugshpkNhd2v9s78G/40/G5C3pKSRfp/CfaSvivrneQfCg=="],
+
+    "@ai-sdk/gateway": ["@ai-sdk/gateway@3.0.63", "", { "dependencies": { "@ai-sdk/provider": "3.0.8", "@ai-sdk/provider-utils": "4.0.17", "@vercel/oidc": "3.1.0" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-0jwdkN3elC4Q9aT2ALxjXtGGVoye15zYgof6GfvuH1a9QKx9Rj4Wi2vy6SyyLvtSA/lB786dTZgC+cGwe6vzmA=="],
+
+    "@ai-sdk/google": ["@ai-sdk/google@3.0.37", "", { "dependencies": { "@ai-sdk/provider": "3.0.8", "@ai-sdk/provider-utils": "4.0.17" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-hZ7nO55+GfQEWJe2B5XRoLNeEubMTuk6OjJJUDS+XCtjKLCd973rRkc62vS86rHw5VuCGITwn3gUZRhSbuX5vw=="],
+
+    "@ai-sdk/openai": ["@ai-sdk/openai@3.0.39", "", { "dependencies": { "@ai-sdk/provider": "3.0.8", "@ai-sdk/provider-utils": "4.0.17" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-EZrs4L6kMkPQhpodagpEvqLSryOIK99WgblN0IsVHr1xhajWizQOZ0XMa7c5JpSYgIjV6u8GCpGV6hS3Mk2Bug=="],
+
+    "@ai-sdk/provider": ["@ai-sdk/provider@3.0.8", "", { "dependencies": { "json-schema": "^0.4.0" } }, "sha512-oGMAgGoQdBXbZqNG0Ze56CHjDZ1IDYOwGYxYjO5KLSlz5HiNQ9udIXsPZ61VWaHGZ5XW/jyjmr6t2xz2jGVwbQ=="],
+
+    "@ai-sdk/provider-utils": ["@ai-sdk/provider-utils@4.0.17", "", { "dependencies": { "@ai-sdk/provider": "3.0.8", "@standard-schema/spec": "^1.1.0", "eventsource-parser": "^3.0.6" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-oyCeFINTYK0B8ZGUBiQc05G5vytPlKSmTTtm19xfJuUgoi8zkvvRcoPQci4mSnyfpPn2XSFFDfsALG8uGcapfg=="],
+
+    "@opentelemetry/api": ["@opentelemetry/api@1.9.0", "", {}, "sha512-3giAOQvZiH5F9bMlMiv8+GSPMeqg0dbaeo58/0SlA9sxSqZhnUtxzX9/2FzyhS9sWQf5S0GJE0AKBrFqjpeYcg=="],
+
+    "@standard-schema/spec": ["@standard-schema/spec@1.1.0", "", {}, "sha512-l2aFy5jALhniG5HgqrD6jXLi/rUWrKvqN/qJx6yoJsgKhblVd+iqqU4RCXavm/jPityDo5TCvKMnpjKnOriy0w=="],
+
+    "@types/bun": ["@types/bun@1.3.9", "", { "dependencies": { "bun-types": "1.3.9" } }, "sha512-KQ571yULOdWJiMH+RIWIOZ7B2RXQGpL1YQrBtLIV3FqDcCu6FsbFUBwhdKUlCKUpS3PJDsHlJ1QKlpxoVR+xtw=="],
+
+    "@types/gradient-string": ["@types/gradient-string@1.1.6", "", { "dependencies": { "@types/tinycolor2": "*" } }, "sha512-LkaYxluY4G5wR1M4AKQUal2q61Di1yVVCw42ImFTuaIoQVgmV0WP1xUaLB8zwb47mp82vWTpePI9JmrjEnJ7nQ=="],
+
+    "@types/node": ["@types/node@25.3.3", "", { "dependencies": { "undici-types": "~7.18.0" } }, "sha512-DpzbrH7wIcBaJibpKo9nnSQL0MTRdnWttGyE5haGwK86xgMOkFLp7vEyfQPGLOJh5wNYiJ3V9PmUMDhV9u8kkQ=="],
+
+    "@types/tinycolor2": ["@types/tinycolor2@1.4.6", "", {}, "sha512-iEN8J0BoMnsWBqjVbWH/c0G0Hh7O21lpR2/+PrvAVgWdzL7eexIFm4JN/Wn10PTcmNdtS6U67r499mlWMXOxNw=="],
+
+    "@vercel/oidc": ["@vercel/oidc@3.1.0", "", {}, "sha512-Fw28YZpRnA3cAHHDlkt7xQHiJ0fcL+NRcIqsocZQUSmbzeIKRpwttJjik5ZGanXP+vlA4SbTg+AbA3bP363l+w=="],
+
+    "ai": ["ai@6.0.111", "", { "dependencies": { "@ai-sdk/gateway": "3.0.63", "@ai-sdk/provider": "3.0.8", "@ai-sdk/provider-utils": "4.0.17", "@opentelemetry/api": "1.9.0" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-K5aikNm4JGfJkzwIr3yA/qhOYIOIvOqjCxSQjQQ7bWWqm0uuPO2/qgdXL23gYJdTLPPYfvi2TTS+bg2Yp+r2Lw=="],
+
+    "bun-types": ["bun-types@1.3.9", "", { "dependencies": { "@types/node": "*" } }, "sha512-+UBWWOakIP4Tswh0Bt0QD0alpTY8cb5hvgiYeWCMet9YukHbzuruIEeXC2D7nMJPB12kbh8C7XJykSexEqGKJg=="],
+
+    "chalk": ["chalk@5.6.2", "", {}, "sha512-7NzBL0rN6fMUW+f7A6Io4h40qQlG+xGmtMxfbnH/K7TAtt8JQWVQK+6g0UXKMeVJoyV5EkkNsErQ8pVD3bLHbA=="],
+
+    "eventsource-parser": ["eventsource-parser@3.0.6", "", {}, "sha512-Vo1ab+QXPzZ4tCa8SwIHJFaSzy4R6SHf7BY79rFBDf0idraZWAkYrDjDj8uWaSm3S2TK+hJ7/t1CEmZ7jXw+pg=="],
+
+    "gradient-string": ["gradient-string@3.0.0", "", { "dependencies": { "chalk": "^5.3.0", "tinygradient": "^1.1.5" } }, "sha512-frdKI4Qi8Ihp4C6wZNB565de/THpIaw3DjP5ku87M+N9rNSGmPTjfkq61SdRXB7eCaL8O1hkKDvf6CDMtOzIAg=="],
+
+    "json-schema": ["json-schema@0.4.0", "", {}, "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA=="],
+
+    "ollama-ai-provider-v2": ["ollama-ai-provider-v2@3.3.1", "", { "dependencies": { "@ai-sdk/provider": "^3.0.8", "@ai-sdk/provider-utils": "^4.0.15" }, "peerDependencies": { "ai": "^5.0.0 || ^6.0.0", "zod": "^4.0.16" } }, "sha512-j4BBqqQnvf/uDz+aPYcgU4/MQZERw087Fn1DMGtViA/PgahBq36jHKHVoZfx8mxj+w8cxsKd3eYaDgyZPhE6YA=="],
+
+    "picocolors": ["picocolors@1.1.1", "", {}, "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA=="],
+
+    "tinycolor2": ["tinycolor2@1.6.0", "", {}, "sha512-XPaBkWQJdsf3pLKJV9p4qN/S+fm2Oj8AIPo1BTUhg5oxkvm9+SVEGFdhyOz7tTdUTfvxMiAs4sp6/eZO2Ew+pw=="],
+
+    "tinygradient": ["tinygradient@1.1.5", "", { "dependencies": { "@types/tinycolor2": "^1.4.0", "tinycolor2": "^1.0.0" } }, "sha512-8nIfc2vgQ4TeLnk2lFj4tRLvvJwEfQuabdsmvDdQPT0xlk9TaNtpGd6nNRxXoK6vQhN6RSzj+Cnp5tTQmpxmbw=="],
+
+    "typescript": ["typescript@5.9.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="],
+
+    "undici-types": ["undici-types@7.18.2", "", {}, "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w=="],
+
+    "zod": ["zod@4.3.6", "", {}, "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg=="],
+  }
+}

package/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "crack-code",
+  "module": "src/index.ts",
+  "version": "0.1.0",
+  "scripts": {
+    "dev": "bun run src/index.ts"
+  },
+  "type": "module",
+  "devDependencies": {
+    "@types/bun": "latest",
+    "@types/gradient-string": "^1.1.6"
+  },
+  "peerDependencies": {
+    "typescript": "^5"
+  },
+  "dependencies": {
+    "@ai-sdk/anthropic": "^3.0.54",
+    "@ai-sdk/google": "^3.0.37",
+    "@ai-sdk/openai": "^3.0.39",
+    "ai": "^6.0.111",
+    "gradient-string": "^3.0.0",
+    "ollama-ai-provider-v2": "^3.3.1",
+    "picocolors": "^1.1.1",
+    "zod": "^4.3.6"
+  }
+}

package/src/agent.ts

@@ -0,0 +1,104 @@
+import {
+  streamText,
+  stepCountIs,
+  type ModelMessage,
+  type LanguageModel,
+} from "ai";
+import type { ToolRegistry } from "./tools/registry.js";
+import type { PermissionManager } from "./permissions/index.js";
+
+// --- Types ---
+
+export interface TokenUsage {
+  inputTokens: number;
+  outputTokens: number;
+  totalTokens: number;
+}
+
+export interface AgentCallbacks {
+  onText?: (delta: string) => void;
+  onToolStart?: (name: string, input: unknown) => void;
+  onToolEnd?: (name: string, result: string) => void;
+  onStepComplete?: (stepNumber: number) => void;
+  onUsage?: (usage: TokenUsage) => void;
+  onError?: (error: string) => void;
+}
+
+export interface AgentOptions {
+  model: LanguageModel;
+  tools: ToolRegistry;
+  permissions: PermissionManager;
+  systemPrompt: string;
+  maxSteps?: number;
+  maxTokens?: number;
+}
+
+// --- Agent ---
+
+export async function runAgent(
+  messages: ModelMessage[],
+  opts: AgentOptions,
+  callbacks: AgentCallbacks = {},
+): Promise<ModelMessage[]> {
+  const sdkTools = opts.tools.toAISDKTools(opts.permissions);
+
+  const result = streamText({
+    model: opts.model,
+    system: opts.systemPrompt,
+    messages,
+    tools: sdkTools,
+    stopWhen: stepCountIs(opts.maxSteps ?? 30),
+    maxOutputTokens: opts.maxTokens ?? 16384,
+  });
+
+  let stepCount = 0;
+
+  for await (const event of result.fullStream) {
+    switch (event.type) {
+      case "text-delta":
+        callbacks.onText?.(event.text);
+        break;
+
+      case "tool-call":
+        callbacks.onToolStart?.(event.toolName, event.input);
+        break;
+
+      case "tool-result": {
+        const text =
+          typeof event.output === "string"
+            ? event.output
+            : JSON.stringify(event.output);
+        callbacks.onToolEnd?.(event.toolName, text);
+        break;
+      }
+
+      case "finish-step":
+        stepCount++;
+        callbacks.onStepComplete?.(stepCount);
+        break;
+
+      case "error":
+        callbacks.onError?.(
+          event.error instanceof Error
+            ? event.error.message
+            : String(event.error),
+        );
+        break;
+    }
+  }
+
+  // Resolve final usage across all steps
+  const usage = await result.usage;
+  if (usage) {
+    callbacks.onUsage?.({
+      inputTokens: usage.inputTokens ?? 0,
+      outputTokens: usage.outputTokens ?? 0,
+      totalTokens: (usage.inputTokens ?? 0) + (usage.outputTokens ?? 0),
+    });
+  }
+
+  // Return full conversation including AI responses and tool results
+  // so the REPL can maintain context across turns
+  const response = await result.response;
+  return [...messages, ...response.messages];
+}

package/src/config.ts

@@ -0,0 +1,410 @@
+import { mkdir } from "fs/promises";
+import { homedir } from "os";
+import { join } from "path";
+import pc from "picocolors";
+
+import type { ModelInfo } from "./providers/types";
+import { fetchAnthropicModels } from "./providers/anthropic";
+import { fetchGoogleModels } from "./providers/google";
+import { fetchOpenAIModels } from "./providers/openai";
+import { fetchOllamaModels } from "./providers/ollama";
+
+import * as readline from "node:readline";
+import { CrackCodeLogo } from "./logo/crack-code";
+import { pastel } from "gradient-string";
+
+export interface Config {
+  provider: "openai" | "google" | "anthropic" | "ollama";
+  model: string;
+  apiKey: string;
+
+  // generation
+  maxTokens: number;
+  maxSteps: number;
+
+  /*
+   * permission behavior
+   * by-default the editing policy would be false
+   * which later can be made true by the user.
+   */
+  permissionPolicy: "ask" | "skip" | "allow-all" | "deny-all";
+  allowEdits: boolean;
+  systemPrompt: string;
+
+  // scan settings
+  scanPatterns: string[];
+  ignorePatterns: string[];
+
+  // context
+  cwd: string;
+}
+
+interface StoredConfig {
+  provider: Config["provider"];
+  model: string;
+  apiKey: string;
+  allowEdits?: boolean;
+}
+
+export interface ConfigOverrides {
+  provider?: string;
+  model?: string;
+  apiKey?: string;
+  maxTokens?: number;
+  maxSteps?: number;
+  permissionPolicy?: Config["permissionPolicy"];
+  allowEdits?: boolean;
+  scanPatterns?: string[];
+  ignorePatterns?: string[];
+}
+
+// constants
+const CONFIG_DIR = join(homedir(), ".crack-code");
+const CONFIG_PATH = join(CONFIG_DIR, "config.json");
+
+const PROVIDERS = ["anthropic", "google", "openai", "ollama"] as const;
+
+const API_KEY_ENV: Record<Config["provider"], string> = {
+  anthropic: "ANTHROPIC_API_KEY",
+  openai: "OPENAI_API_KEY",
+  google: "GOOGLE_GENERATIVE_AI_API_KEY",
+  ollama: "OLLAMA_ENDPOINT",
+};
+
+const DEFAULT_SCAN_PATTERNS = [
+  "**/*.ts",
+  "**/*.tsx",
+  "**/*.js",
+  "**/*.jsx",
+  "**/*.py",
+  "**/*.go",
+  "**/*.rs",
+  "**/*.java",
+  "**/*.rb",
+  "**/*.php",
+  "**/*.sol",
+  "**/*.yaml",
+  "**/*.yml",
+  "**/*.toml",
+  "**/*.json",
+  "**/*.env*",
+  "**/Dockerfile*",
+  "**/*.tf",
+];
+
+const DEFAULT_IGNORE_PATTERNS = [
+  "node_modules/**",
+  ".git/**",
+  "dist/**",
+  "build/**",
+  "coverage/**",
+  ".next/**",
+  "__pycache__/**",
+  "*.lock",
+  "*.min.js",
+  "*.min.css",
+  "vendor/**",
+  "target/**",
+];
+
+// Stored config (read/write)
+async function readStoredConfig(): Promise<StoredConfig | null> {
+  const file = Bun.file(CONFIG_PATH);
+  if (!(await file.exists())) return null;
+
+  try {
+    const data = await file.json();
+
+    // Validate shape — reject configs from older/different versions
+    if (
+      typeof data !== "object" ||
+      data === null ||
+      typeof data.provider !== "string" ||
+      typeof data.model !== "string" ||
+      typeof data.apiKey !== "string"
+    ) {
+      return null;
+    }
+
+    return data as StoredConfig;
+  } catch {
+    return null;
+  }
+}
+
+async function writeStoredConfig(stored: StoredConfig): Promise<any> {
+  await mkdir(CONFIG_DIR, { recursive: true });
+  await Bun.write(CONFIG_PATH, JSON.stringify(stored, null, 2) + "\n");
+}
+
+// function for fetching models from the providers api
+async function fetchModels(
+  provider: Config["provider"],
+  apiKey: string,
+): Promise<ModelInfo[]> {
+  try {
+    switch (provider) {
+      case "anthropic":
+        return await fetchAnthropicModels(apiKey);
+      case "google":
+        return await fetchGoogleModels(apiKey);
+      case "openai":
+        return await fetchOpenAIModels(apiKey);
+      case "ollama":
+        return await fetchOllamaModels(apiKey); // Fetching the available models that supports tool calling.
+    }
+  } catch (e: any) {
+    console.log(pc.red(`\n  Could not fetch models: ${e.message}\n`));
+    return [];
+  }
+}
+
+function prompt(question: string): Promise<string> {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+
+function spinner(text: string): { stop: () => void } {
+  const frames = ["", "", "", "", "", "", ""];
+  let i = 0;
+  const id = setInterval(() => {
+    process.stdout.write(
+      `\r\x1b[90m${frames[i++ % frames.length]} ${text}\x1b[0m`,
+    );
+  }, 80);
+  return {
+    stop: () => {
+      clearInterval(id);
+      process.stdout.write(`\r\x1b[K`); // clear line
+    },
+  };
+}
+
+// first run startup
+async function firstRunSetup(): Promise<StoredConfig> {
+  console.log(pastel(CrackCodeLogo()), "\n");
+  console.log("This will be saved to ~/.crack-code/config.json\n");
+  console.log("You can change it anytime with: crack-code --setup");
+
+  // Provider setup
+  console.log("\x1b[1mSelect a provider:\x1b[0m");
+  PROVIDERS.forEach((p, i) => {
+    console.log(`  \x1b[36m${i + 1}\x1b[0m) ${p}`);
+  });
+
+  let providerIdx = 0;
+  while (true) {
+    const answer = await prompt("\nProvider [1]: ");
+    providerIdx = answer ? parseInt(answer, 10) - 1 : 0;
+    if (providerIdx >= 0 && providerIdx < PROVIDERS.length) break;
+    console.log("\x1b[31mInvalid choice.\x1b[0m");
+  }
+  const provider = PROVIDERS[providerIdx]!;
+
+  //  API key
+  const envKey = process.env[API_KEY_ENV[provider]];
+  let apiKey: string;
+
+  if (envKey) {
+    const masked = envKey.slice(0, 8) + "..." + envKey.slice(-4);
+    const useEnv = await prompt(
+      `\nFound ${API_KEY_ENV[provider]} (${masked}). Use it? [Y/n]: `,
+    );
+    if (!useEnv || useEnv.toLowerCase() === "y") {
+      apiKey = envKey;
+    } else {
+      apiKey = await prompt("Enter API key: ");
+    }
+  } else {
+    apiKey = await prompt(`\nEnter your ${provider} API key: `);
+  }
+
+  if (!apiKey) {
+    throw new Error("API key is required.");
+  }
+
+  const loading = spinner("Fetching available models...");
+  const models = await fetchModels(provider, apiKey);
+  loading.stop();
+
+  let model: string;
+
+  if (models.length > 0) {
+    console.log(`\n\x1b[1mAvailable models:\x1b[0m`);
+
+    // Show paginated if too many
+    const display = models.slice(0, 30);
+    display.forEach((m, i) => {
+      const label =
+        m.name !== m.id ? `${m.id} \x1b[90m(${m.name})\x1b[0m` : m.id;
+      console.log(`  \x1b[36m${String(i + 1).padStart(2)}\x1b[0m) ${label}`);
+    });
+    if (models.length > 30) {
+      console.log(
+        `\x1b[90m  ... and ${models.length - 30} more. Enter a custom name to use unlisted models.\x1b[0m`,
+      );
+    }
+    console.log(
+      `  \x1b[36m ${display.length + 1}\x1b[0m) Enter custom model name`,
+    );
+
+    while (true) {
+      const answer = await prompt(`\nModel [1]: `);
+      const idx = answer ? parseInt(answer, 10) - 1 : 0;
+
+      if (!isNaN(idx) && idx >= 0 && idx < display.length) {
+        model = display[idx]!.id;
+        break;
+      } else if (idx === display.length) {
+        model = await prompt("Enter model name: ");
+        if (model) break;
+      } else if (answer && isNaN(parseInt(answer, 10))) {
+        // User typed a model name directly
+        model = answer;
+        break;
+      }
+      console.log("\x1b[31mInvalid choice.\x1b[0m");
+    }
+  } else {
+    // Fallback — API fetch failed, ask for manual input
+    console.log(
+      "\n\x1b[33mCouldn't fetch models. Enter a model name manually.\x1b[0m",
+    );
+    model = await prompt("Model: ");
+    if (!model) {
+      throw new Error("Model is required.");
+    }
+  }
+  const stored: StoredConfig = { provider, model, apiKey };
+  await writeStoredConfig(stored);
+
+  console.log(`\n\x1b[32m✓ Saved: provider=${provider}, model=${model}\x1b[0m`);
+  console.log(`\x1b[90m  ${CONFIG_PATH}\x1b[0m\n`);
+
+  return stored;
+}
+
+function buildSystemPrompt(cwd: string, allowEdits: boolean): string {
+  const lines = [
+    "You are Crack Code — a security-focused code analysis assistant running in the user's terminal.",
+    "",
+    `Working directory: ${cwd}`,
+    "",
+    "## Your Role",
+    "Analyze codebases to find security vulnerabilities, bugs, logic flaws, and potential exploits.",
+    "You think like an attacker but report like a senior security engineer.",
+    "",
+    "## What You Look For",
+    "- Injection vulnerabilities (SQL, XSS, command injection, path traversal)",
+    "- Authentication & authorization flaws",
+    "- Hardcoded secrets, API keys, credentials",
+    "- Insecure cryptography or hashing",
+    "- Race conditions and TOCTOU bugs",
+    "- Unsafe deserialization",
+    "- Missing input validation and sanitization",
+    "- Insecure dependencies or configurations",
+    "- Business logic flaws",
+    "- Information leakage (error messages, stack traces, debug endpoints)",
+    "- SSRF, CSRF, open redirects",
+    "- Improper error handling",
+    "- Memory safety issues (buffer overflows, use-after-free) where applicable",
+    "",
+    "## How You Report",
+    "For each finding:",
+    "1. **Severity** — CRITICAL / HIGH / MEDIUM / LOW / INFO",
+    "2. **File & Line** — exact location",
+    "3. **Vulnerable Code** — show the actual problematic code",
+    "4. **Explanation** — what the vulnerability is and why it matters",
+    "5. **Attack Scenario** — how an attacker could exploit this",
+    "6. **Fix** — concrete code showing the remediation",
+    "",
+    "## Rules",
+    "- Always read the actual source files before making claims. Never guess.",
+    "- Start by understanding the project structure (list files, read configs).",
+    "- Prioritize findings by severity. CRITICAL and HIGH first.",
+    "- Be precise. Cite exact file paths and line numbers.",
+    "- No false positives. If you're unsure, say so.",
+    "- When showing fixes, show complete corrected code, not just diffs.",
+  ];
+
+  if (!allowEdits) {
+    lines.push(
+      "",
+      "## Mode: READ-ONLY",
+      "You are in read-only mode. You may read files and run non-destructive commands.",
+      "Do NOT write files or run commands that modify the filesystem.",
+      "Show fixes as code suggestions only.",
+    );
+  } else {
+    lines.push(
+      "",
+      "## Mode: EDIT ENABLED",
+      "The user has enabled edits. You may apply fixes directly when asked.",
+      "Always show the fix and get confirmation before writing.",
+    );
+  }
+
+  return lines.join("\n");
+}
+
+export async function loadConfig(
+  overrides: ConfigOverrides = {},
+): Promise<Config> {
+  let stored = await readStoredConfig();
+  if (!stored) {
+    stored = await firstRunSetup();
+  }
+
+  const provider = (overrides.provider ??
+    stored.provider) as Config["provider"];
+  if (!PROVIDERS.includes(provider)) {
+    throw new Error(
+      `Unknown provider "${provider}". Use: ${PROVIDERS.join(", ")}`,
+    );
+  }
+
+  const apiKey =
+    overrides.apiKey ?? stored.apiKey ?? process.env[API_KEY_ENV[provider]];
+  if (!apiKey) {
+    throw new Error(`No API key found. Run: crack-code --setup`);
+  }
+
+  const model = overrides.model ?? stored.model;
+  const allowEdits = overrides.allowEdits ?? stored.allowEdits ?? false;
+  const cwd = process.cwd();
+
+  return {
+    provider,
+    model,
+    apiKey,
+    maxTokens: overrides.maxTokens ?? 16384,
+    maxSteps: overrides.maxSteps ?? 30,
+    permissionPolicy: overrides.permissionPolicy ?? "ask",
+    allowEdits,
+    systemPrompt: buildSystemPrompt(cwd, allowEdits),
+    scanPatterns: overrides.scanPatterns ?? DEFAULT_SCAN_PATTERNS,
+    ignorePatterns: overrides.ignorePatterns ?? DEFAULT_IGNORE_PATTERNS,
+    cwd,
+  };
+}
+
+export async function runSetup(): Promise<void> {
+  await firstRunSetup();
+}
+
+export async function updateStoredConfig(
+  updates: Partial<StoredConfig>,
+): Promise<void> {
+  const existing = (await readStoredConfig()) ?? ({} as StoredConfig);
+  const merged = { ...existing, ...updates };
+  await writeStoredConfig(merged);
+  console.log(`\x1b[32m✓ Config updated\x1b[0m`);
+}