crack-code 0.1.0

package/src/index.ts

@@ -0,0 +1,329 @@
+#!/usr/bin/env bun
+
+import { loadConfig, runSetup, type ConfigOverrides } from "./config.js";
+import { getModel } from "./providers.js";
+import { ToolRegistry } from "./tools/registry.js";
+import {
+  PermissionManager,
+  type PermissionPolicy,
+} from "./permissions/index.js";
+import { readFileTool } from "./tools/file-read.js";
+import { writeFileTool } from "./tools/file-write.js";
+import { runCommandTool } from "./tools/shell.js";
+import { listFilesTool } from "./tools/glob.js";
+import { runAgent } from "./agent.js";
+import { startRepl } from "./repl.js";
+import * as ui from "./ui/renderer.js";
+
+// Version
+
+const VERSION = "0.1.0";
+
+// Help
+
+function printHelp(): void {
+  console.log(`
+\x1b[1m\x1b[36m🔓 Crack Code\x1b[0m v${VERSION}
+AI-powered security auditor for your codebase.
+
+\x1b[1mUsage:\x1b[0m
+  crack-code [options] [prompt]
+
+\x1b[1mExamples:\x1b[0m
+  crack-code                                  Interactive REPL
+  crack-code "scan for vulnerabilities"       One-shot scan
+  crack-code "check src/auth/ for flaws"      Scan specific area
+  crack-code --allow-edits "fix SQL injection in src/db.ts"
+
+\x1b[1mOptions:\x1b[0m
+  -i, --interactive          Force interactive REPL mode
+  --setup                    Re-run first-time setup wizard
+  --allow-edits              Enable file writing (read-only by default)
+  --provider <name>          Override provider (anthropic, openai, google)
+  --model <name>             Override model
+  --key <key>                Override API key
+  --policy <policy>          Permission policy (ask, skip, allow-all, deny-all)
+  --scan <glob>              Only scan files matching this pattern
+  --max-steps <n>            Max agent steps (default: 30)
+  --max-tokens <n>           Max tokens per response (default: 16384)
+  -h, --help                 Show this help
+  -v, --version              Show version
+
+\x1b[1mREPL Commands:\x1b[0m
+  /help       Show commands        /clear      Clear history
+  /exit       Exit                 /mode       Toggle edit mode
+  /usage      Token usage          /model      Show model info
+  /policy     Show/set policy      /compact    Reduce context size
+`);
+}
+
+// Arg Parsing
+
+interface ParsedArgs {
+  flags: Record<string, string>;
+  positional: string[];
+}
+
+function parseArgs(argv: string[]): ParsedArgs {
+  const flags: Record<string, string> = {};
+  const positional: string[] = [];
+
+  const booleanFlags = new Set([
+    "help",
+    "h",
+    "version",
+    "v",
+    "interactive",
+    "i",
+    "setup",
+    "allow-edits",
+    "yolo",
+  ]);
+
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i]!;
+
+    if (arg === "--") {
+      positional.push(...argv.slice(i + 1));
+      break;
+    }
+
+    if (arg.startsWith("--")) {
+      const key = arg.slice(2);
+      if (booleanFlags.has(key)) {
+        flags[key] = "true";
+      } else if (i + 1 < argv.length && !argv[i + 1]!.startsWith("--")) {
+        flags[key] = argv[++i]!;
+      } else {
+        flags[key] = "true";
+      }
+    } else if (arg.startsWith("-") && arg.length === 2) {
+      const key = arg.slice(1);
+      if (booleanFlags.has(key)) {
+        flags[key] = "true";
+      } else if (i + 1 < argv.length) {
+        flags[key] = argv[++i]!;
+      }
+    } else {
+      positional.push(arg);
+    }
+  }
+
+  return { flags, positional };
+}
+
+// Tool Registration
+
+function registerTools(allowEdits: boolean): ToolRegistry {
+  const tools = new ToolRegistry();
+
+  // Always available — read-only tools
+  tools.register(readFileTool);
+  tools.register(listFilesTool);
+
+  // Shell is always available but goes through permission gate
+  tools.register(runCommandTool);
+
+  // Write tools only when edits are enabled
+  if (allowEdits) {
+    tools.register(writeFileTool);
+  }
+
+  return tools;
+}
+
+// Main
+
+async function main(): Promise<void> {
+  const { flags, positional } = parseArgs(process.argv.slice(2));
+
+  // Early exits
+
+  if (flags.help || flags.h) {
+    printHelp();
+    process.exit(0);
+  }
+
+  if (flags.version || flags.v) {
+    console.log(`crack-code v${VERSION}`);
+    process.exit(0);
+  }
+
+  if (flags.setup) {
+    await runSetup();
+    process.exit(0);
+  }
+
+  // Build config overrides from flags
+
+  const overrides: ConfigOverrides = {};
+
+  if (flags.provider) overrides.provider = flags.provider;
+  if (flags.model) overrides.model = flags.model;
+  if (flags.key) overrides.apiKey = flags.key;
+  if (flags["max-tokens"])
+    overrides.maxTokens = parseInt(flags["max-tokens"], 10);
+  if (flags["max-steps"]) overrides.maxSteps = parseInt(flags["max-steps"], 10);
+  if (flags["allow-edits"]) overrides.allowEdits = true;
+  if (flags.scan) overrides.scanPatterns = [flags.scan];
+
+  if (flags.yolo) {
+    overrides.permissionPolicy = "allow-all";
+  } else if (flags.policy) {
+    overrides.permissionPolicy =
+      flags.policy as ConfigOverrides["permissionPolicy"];
+  }
+
+  // Load config (may trigger first-run wizard)
+
+  let config;
+  try {
+    config = await loadConfig(overrides);
+  } catch (e: any) {
+    ui.error(e.message);
+    process.exit(1);
+  }
+
+  // Create provider model
+
+  let model;
+  try {
+    model = getModel(config.provider, config.model, config.apiKey);
+  } catch (e: any) {
+    ui.error(e.message);
+    process.exit(1);
+  }
+
+  // Register tools
+
+  const tools = registerTools(config.allowEdits);
+
+  // Create permission manager
+
+  const permissions = new PermissionManager(config.permissionPolicy);
+
+  // Route: one-shot vs REPL
+
+  const hasPrompt = positional.length > 0;
+  const forceInteractive = flags.interactive || flags.i;
+  const isPiped = !process.stdin.isTTY;
+
+  if (hasPrompt && !forceInteractive) {
+    // One-shot mode
+    await runOneShot(positional.join(" "), model, config, tools, permissions);
+  } else if (isPiped) {
+    // Piped input: cat file.ts | crack-code
+    await runPiped(model, config, tools, permissions);
+  } else {
+    // Interactive REPL
+    await startRepl(model, config, tools, permissions);
+  }
+}
+
+// ─── One-Shot Mode ──────────────────────────────────────────────────
+
+async function runOneShot(
+  prompt: string,
+  model: any,
+  config: any,
+  tools: ToolRegistry,
+  permissions: PermissionManager,
+): Promise<void> {
+  ui.newline();
+
+  const loading = ui.spinner("Analyzing...");
+  let firstToken = true;
+
+  try {
+    await runAgent(
+      [{ role: "user" as const, content: prompt }],
+      {
+        model,
+        tools,
+        permissions,
+        systemPrompt: config.systemPrompt,
+        maxSteps: config.maxSteps,
+        maxTokens: config.maxTokens,
+      },
+      {
+        onText: (delta) => {
+          if (firstToken) {
+            loading.stop();
+            firstToken = false;
+          }
+          ui.streamText(delta);
+        },
+
+        onToolStart: (name, args) => {
+          if (firstToken) {
+            loading.stop();
+            firstToken = false;
+          }
+          ui.toolStart(name, args);
+        },
+
+        onToolEnd: (name, result) => {
+          ui.toolEnd(name, result);
+        },
+
+        onUsage: (usage) => {
+          ui.newline();
+          ui.dim(
+            `  [${usage.inputTokens} input + ${usage.outputTokens} output = ${usage.totalTokens} tokens]`,
+          );
+        },
+
+        onError: (err) => {
+          loading.stop();
+          ui.error(err);
+        },
+      },
+    );
+
+    if (firstToken) loading.stop();
+    ui.newline();
+  } catch (e: any) {
+    loading.stop();
+    ui.error(e.message);
+    process.exit(1);
+  }
+}
+
+// ─── Piped Mode ─────────────────────────────────────────────────────
+
+async function runPiped(
+  model: any,
+  config: any,
+  tools: ToolRegistry,
+  permissions: PermissionManager,
+): Promise<void> {
+  const chunks: string[] = [];
+
+  const reader = process.stdin as unknown as AsyncIterable<Buffer>;
+  for await (const chunk of reader) {
+    chunks.push(chunk.toString());
+  }
+
+  const input = chunks.join("").trim();
+
+  if (!input) {
+    ui.error("No input received from pipe.");
+    process.exit(1);
+  }
+
+  const prompt = [
+    "Analyze the following code for security vulnerabilities:\n",
+    "```",
+    input,
+    "```",
+  ].join("\n");
+
+  await runOneShot(prompt, model, config, tools, permissions);
+}
+
+// ─── Run ─────────────────────────────────────────────────────────────
+
+main().catch((e) => {
+  ui.error(e.message ?? String(e));
+  process.exit(1);
+});

package/src/logo/crack-code.ts

@@ -0,0 +1,13 @@
+export function CrackCodeLogo() {
+  const version = "0.1.0";
+
+  return String.raw`
+    _________                       __     _________            .___
+    \_   ___ \____________    ____ |  | __ \_   ___ \  ____   __| _/____
+    /    \  \/\_  __ \__  \ _/ ___\|  |/ / /    \  \/ /  _ \ / __ |/ __ \
+    \     \____|  | \// __ \\  \___|    <  \     \___(  <_> ) /_/ \  ___/
+     \______  /|__|  (____  /\___  >__|_ \  \______  /\____/\____ |\___  >
+            \/            \/     \/     \/         \/            \/    \/
+                                                               v ${version}
+  `;
+}

package/src/permissions/index.ts

@@ -0,0 +1,127 @@
+import * as readline from "node:readline";
+import * as ui from "../ui/renderer.js";
+
+export type PermissionPolicy = "ask" | "skip" | "allow-all" | "deny-all";
+
+export class PermissionManager {
+  private policy: PermissionPolicy;
+  private sessionApprovals = new Set<string>();
+
+  private readonly readOnlyTools = new Set(["read_file", "list_files"]);
+
+  constructor(policy: PermissionPolicy = "ask") {
+    this.policy = policy;
+  }
+
+  getPolicy(): PermissionPolicy {
+    return this.policy;
+  }
+
+  setPolicy(policy: PermissionPolicy): void {
+    this.policy = policy;
+  }
+
+  async check(
+    toolName: string,
+    input: Record<string, unknown>,
+  ): Promise<boolean> {
+    if (this.readOnlyTools.has(toolName)) {
+      return true;
+    }
+
+    switch (this.policy) {
+      case "allow-all":
+        return true;
+
+      case "deny-all":
+        ui.toolBlocked(toolName, "Blocked by deny-all policy.");
+        return false;
+
+      case "skip":
+        return true;
+
+      case "ask":
+        // Check session memory before prompting
+        if (this.isSessionApproved(toolName, input)) {
+          return true;
+        }
+        return this.promptUser(toolName, input);
+    }
+  }
+
+  clearSession(): void {
+    this.sessionApprovals.clear();
+  }
+
+  private isSessionApproved(
+    toolName: string,
+    input: Record<string, unknown>,
+  ): boolean {
+    // Blanket tool approval (user chose "always")
+    if (this.sessionApprovals.has(`tool:${toolName}`)) {
+      return true;
+    }
+    // Exact action approval (user chose "yes" for this specific call)
+    if (
+      this.sessionApprovals.has(`exact:${toolName}:${JSON.stringify(input)}`)
+    ) {
+      return true;
+    }
+    return false;
+  }
+
+  private async promptUser(
+    toolName: string,
+    input: Record<string, unknown>,
+  ): Promise<boolean> {
+    const summary = this.summarize(toolName, input);
+    ui.permissionPrompt(toolName, summary);
+
+    const answer = await this.ask(
+      "\x1b[33m   [y]es / [n]o / [a]lways for this session: \x1b[0m",
+    );
+
+    const choice = answer.toLowerCase();
+
+    if (choice === "y" || choice === "yes") {
+      // Remember this exact action
+      this.sessionApprovals.add(`exact:${toolName}:${JSON.stringify(input)}`);
+      return true;
+    }
+
+    if (choice === "a" || choice === "always") {
+      // Remember all future calls to this tool
+      this.sessionApprovals.add(`tool:${toolName}`);
+      return true;
+    }
+
+    // Anything else is a deny — empty input, "n", "no", gibberish
+    ui.toolBlocked(toolName, "Denied by user.");
+    return false;
+  }
+
+  private summarize(toolName: string, input: Record<string, unknown>): string {
+    switch (toolName) {
+      case "write_file":
+        return `Write to ${input.path}`;
+      case "run_command":
+        return `$ ${input.command}`;
+      default:
+        const preview = JSON.stringify(input);
+        return preview.length > 150 ? preview.slice(0, 150) + "…" : preview;
+    }
+  }
+
+  private ask(question: string): Promise<string> {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout,
+    });
+    return new Promise((resolve) => {
+      rl.question(question, (answer) => {
+        rl.close();
+        resolve(answer.trim());
+      });
+    });
+  }
+}

package/src/providers/anthropic.ts

@@ -0,0 +1,22 @@
+import type { ModelInfo } from "./types";
+
+export async function fetchAnthropicModels(
+  apiKey: string,
+): Promise<ModelInfo[]> {
+  const res = await fetch("https://api.anthropic.com/v1/models", {
+    headers: {
+      "x-api-key": apiKey,
+      "anthropic-version": "2023-06-01",
+    },
+  });
+
+  if (!res.ok) throw new Error(`API ${res.status}: ${await res.text()}`);
+
+  const data = (await res.json()) as {
+    data: Array<{ id: string; display_name?: string }>;
+  };
+
+  return data.data
+    .map((m) => ({ id: m.id, name: m.display_name ?? m.id }))
+    .sort((a, b) => a.id.localeCompare(b.id));
+}

package/src/providers/google.ts

@@ -0,0 +1,26 @@
+import type { ModelInfo } from "./types";
+
+export async function fetchGoogleModels(apiKey: string): Promise<ModelInfo[]> {
+  const res = await fetch(
+    `https://generativelanguage.googleapis.com/v1beta/models?key=${apiKey}`,
+  );
+
+  if (!res.ok) throw new Error(`API ${res.status}: ${await res.text()}`);
+
+  const data = (await res.json()) as {
+    models: Array<{
+      name: string;
+      displayName: string;
+      supportedGenerationMethods?: string[];
+    }>;
+  };
+
+  return data.models
+    .filter((m) => m.supportedGenerationMethods?.includes("generateContent"))
+    .map((m) => ({
+      // API returns "models/gemini-2.5-flash" → extract "gemini-2.5-flash"
+      id: m.name.replace("models/", ""),
+      name: m.displayName,
+    }))
+    .sort((a, b) => a.id.localeCompare(b.id));
+}

package/src/providers/ollama.ts

@@ -0,0 +1,33 @@
+import type { ModelInfo } from "./types";
+
+const DEFAULT_OLLAMA_ENDPOINT = "http://localhost:11434";
+
+export async function fetchOllamaModels(
+  endpoint?: string,
+): Promise<ModelInfo[]> {
+  const base = (endpoint || DEFAULT_OLLAMA_ENDPOINT).replace(/\/+$/, "");
+
+  const res = await fetch(`${base}/api/tags`);
+
+  if (!res.ok) throw new Error(`Ollama API ${res.status}: ${await res.text()}`);
+
+  const data = (await res.json()) as {
+    models: Array<{
+      name: string;
+      model: string;
+      details?: {
+        family?: string;
+        parameter_size?: string;
+      };
+    }>;
+  };
+
+  return data.models
+    .map((m) => ({
+      id: m.name,
+      name: m.details?.parameter_size
+        ? `${m.name} (${m.details.parameter_size})`
+        : m.name,
+    }))
+    .sort((a, b) => a.id.localeCompare(b.id));
+}

package/src/providers/openai.ts

@@ -0,0 +1,25 @@
+import type { ModelInfo } from "./types";
+
+export async function fetchOpenAIModels(apiKey: string): Promise<ModelInfo[]> {
+  const res = await fetch("https://api.openai.com/v1/models", {
+    headers: { Authorization: `Bearer ${apiKey}` },
+  });
+
+  if (!res.ok) throw new Error(`API ${res.status}: ${await res.text()}`);
+
+  const data = (await res.json()) as { data: Array<{ id: string }> };
+
+  // Filter to chat models only — skip embeddings, tts, dall-e, whisper, etc.
+  const chatPrefixes = ["gpt-", "o1", "o3", "o4", "chatgpt-"];
+  const exclude = ["instruct", "realtime", "audio", "search"];
+
+  return data.data
+    .filter((m) => {
+      const id = m.id.toLowerCase();
+      const hasPrefix = chatPrefixes.some((p) => id.startsWith(p));
+      const isExcluded = exclude.some((e) => id.includes(e));
+      return hasPrefix && !isExcluded;
+    })
+    .map((m) => ({ id: m.id, name: m.id }))
+    .sort((a, b) => a.id.localeCompare(b.id));
+}

package/src/providers/types.ts

@@ -0,0 +1,4 @@
+export interface ModelInfo {
+  id: string;
+  name: string;
+}

package/src/providers.ts

@@ -0,0 +1,39 @@
+import type { LanguageModel } from "ai";
+import type { Config } from "./config";
+
+import { createAnthropic } from "@ai-sdk/anthropic";
+import { createOpenAI } from "@ai-sdk/openai";
+import { createGoogleGenerativeAI } from "@ai-sdk/google";
+import { createOllama } from "ollama-ai-provider-v2";
+
+/**
+ * Takes a provider name, model string, and API key from config
+ * and returns an AI SDK LanguageModelV1 that streamText() can use.
+ *
+ * We use factory functions (createAnthropic, createOpenAI, etc.) instead
+ * of the default exports because the user's API key lives in
+ * ~/.crack-code/config.json, not necessarily in env vars.
+ */
+export function getModel(
+  provider: Config["provider"],
+  model: string,
+  apiKey: string,
+): LanguageModel {
+  switch (provider) {
+    case "anthropic":
+      return createAnthropic({ apiKey })(model);
+
+    case "openai":
+      return createOpenAI({ apiKey })(model);
+
+    case "google":
+      return createGoogleGenerativeAI({ apiKey })(model);
+
+    case "ollama":
+      // For ollama the "apiKey" field holds the endpoint URL
+      return createOllama({ baseURL: apiKey || undefined })(model);
+
+    default:
+      throw new Error(`Unknown provider: "${provider}"`);
+  }
+}