opencode-api-security-testing 3.0.0 → 3.0.2

package/agents/api-cyber-supervisor.md

@@ -1,4 +1,6 @@
 ---
+version: ">=1.0.0"
+requires: ">=1.0.0"
 description: API安全测试编排者。协调完整扫描流程，永不停止，主动推进测试进度。
 mode: primary
 ---
@@ -70,6 +72,6 @@ mode: primary
 | 1 | SQL注入 | /api/user?id=1 | HIGH |
 
 ### PoC
-\`\`\`bash
+```bash
 curl "http://target/api/user?id=1'%20OR%201=1--"
-\`\`\`
+```

package/agents/api-probing-miner.md

@@ -1,4 +1,6 @@
 ---
+version: ">=1.0.0"
+requires: ">=1.0.0"
 description: 漏洞挖掘专家。专注发现和验证 API 安全漏洞。
 mode: subagent
 ---
@@ -43,13 +45,13 @@ mode: subagent
 
 ## 输出格式
 
-\`\`\`
+```
 ## 发现漏洞
 
 ### {type}
 - **端点**: {endpoint}
 - **方法**: {method}
 - **严重程度**: {severity}
-- **PoC**: \`{command}\`
+- **PoC**: `{command}`
 - **状态**: {status}
-\`\`\`
+```

package/agents/api-resource-specialist.md

@@ -1,4 +1,6 @@
 ---
+version: ">=1.0.0"
+requires: ">=1.0.0"
 description: 资源探测专家。专注采集和发现 API 端点。
 mode: subagent
 ---
@@ -14,10 +16,10 @@ mode: subagent
 ## 采集技术
 
 ### 1. 浏览器动态采集
-使用 browser_collect 工具拦截 XHR/Fetch 请求
+使用 browser_collect 拦截 XHR/Fetch 请求
 
 ### 2. JS 静态分析
-使用 js_parse 工具解析 JavaScript 文件提取 API 路径
+使用 js_parse 解析 JavaScript 文件
 
 ### 3. 目录探测
 常见路径：
@@ -42,7 +44,7 @@ mode: subagent
 
 ## 输出格式
 
-\`\`\`
+```
 ## 端点发现报告
 
 - 总数: {count}
@@ -51,4 +53,4 @@ mode: subagent
 
 ### 高风险端点
 1. {method} {path} - {reason}
-\`\`\`
+```

package/agents/api-vuln-verifier.md

@@ -1,4 +1,6 @@
 ---
+version: ">=1.0.0"
+requires: ">=1.0.0"
 description: 漏洞验证专家。验证和确认安全漏洞。
 mode: subagent
 ---
@@ -28,7 +30,7 @@ mode: subagent
 
 ## 输出格式
 
-\`\`\`
+```
 ## 验证结果
 
 **漏洞类型**: {type}
@@ -40,10 +42,10 @@ mode: subagent
 1. {step}
 
 ### PoC
-\`\`\`bash
+```bash
 {command}
-\`\`\`
+```
 
 ### 修复建议
 {fix}
-\`\`\`
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-api-security-testing",
-  "version": "3.0.0",
+  "version": "3.0.2",
   "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
   "type": "module",
   "main": "src/index.ts",

package/postinstall.mjs

@@ -3,8 +3,10 @@
 /**
  * postinstall.mjs - API Security Testing Plugin
  * 
- * Copies agent markdown files to ~/.config/opencode/agents/
- * This allows OpenCode to discover and use the agents.
+ * Installs:
+ * 1. Agents to ~/.config/opencode/agents/
+ * 2. Skill (SKILL.md) to ~/.config/opencode/skills/api-security-testing/
+ * 3. References to ~/.config/opencode/skills/api-security-testing/
  */
 
 import { copyFileSync, existsSync, mkdirSync, readdirSync } from "node:fs";
@@ -14,71 +16,113 @@ import { fileURLToPath } from "node:url";
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 
-// Detect platform and set HOME correctly
-function getHomeDir() {
-  if (process.platform === "win32") {
-    return process.env.USERPROFILE || process.env.APPDATA?.split("\\").slice(0, -1).join("\\") || "C:\\Users\\" + process.env.USERNAME;
-  }
-  return process.env.HOME || "/root";
-}
-
-function getOpencodeAgentsDir() {
-  const home = getHomeDir();
-  if (process.platform === "win32") {
-    return join(home, "AppData", "Local", "opencode", "agents");
-  }
-  return join(home, ".config", "opencode", "agents");
+function getOpencodeBaseDir() {
+  const home = process.env.HOME || process.env.USERPROFILE || "/root";
+  return join(home, ".config", "opencode");
 }
 
 function main() {
   const packageRoot = __dirname;
   const agentsSourceDir = join(packageRoot, "agents");
-  const agentsTargetDir = getOpencodeAgentsDir();
+  const agentsTargetDir = join(getOpencodeBaseDir(), "agents");
+  const skillTargetDir = join(getOpencodeBaseDir(), "skills", "api-security-testing");
   
-  console.log("[api-security-testing] Installing agents...");
+  console.log("[api-security-testing] Installing...");
   console.log(`  Package root: ${packageRoot}`);
-  console.log(`  Target: ${agentsTargetDir}`);
+  console.log(`  Target base: ${getOpencodeBaseDir()}`);
 
-  // Create target directory if needed
-  if (!existsSync(agentsTargetDir)) {
-    mkdirSync(agentsTargetDir, { recursive: true });
-    console.log(`  Created: ${agentsTargetDir}`);
-  }
+  let successCount = 0;
+  let totalFiles = 0;
 
-  // Check source directory
-  if (!existsSync(agentsSourceDir)) {
-    console.error("[api-security-testing] Error: agents source directory not found");
-    process.exit(1);
+  // 1. Install agents
+  console.log("\n[1/3] Installing agents...");
+  if (existsSync(agentsSourceDir)) {
+    const agentFiles = readdirSync(agentsSourceDir).filter(f => f.endsWith(".md"));
+    totalFiles += agentFiles.length;
+    
+    if (!existsSync(agentsTargetDir)) {
+      mkdirSync(agentsTargetDir, { recursive: true });
+    }
+    
+    for (const file of agentFiles) {
+      const sourcePath = join(agentsSourceDir, file);
+      const targetPath = join(agentsTargetDir, file);
+      try {
+        copyFileSync(sourcePath, targetPath);
+        console.log(`  ✓ Installed agent: ${file}`);
+        successCount++;
+      } catch (err) {
+        console.error(`  ✗ Failed: ${file} - ${err.message}`);
+      }
+    }
+  } else {
+    console.error("  ✗ agents/ directory not found");
   }
 
-  // Copy all .md files
-  const files = readdirSync(agentsSourceDir).filter(f => f.endsWith(".md"));
+  // 2. Install SKILL.md
+  console.log("\n[2/3] Installing skill...");
+  const skillSource = join(packageRoot, "SKILL.md");
+  const skillTarget = join(skillTargetDir, "SKILL.md");
+  totalFiles++;
   
-  if (files.length === 0) {
-    console.error("[api-security-testing] Error: No agent files found");
-    process.exit(1);
-  }
-
-  let successCount = 0;
-  for (const file of files) {
-    const sourcePath = join(agentsSourceDir, file);
-    const targetPath = join(agentsTargetDir, file);
+  if (existsSync(skillSource)) {
+    if (!existsSync(skillTargetDir)) {
+      mkdirSync(skillTargetDir, { recursive: true });
+    }
     try {
-      copyFileSync(sourcePath, targetPath);
-      console.log(`  Installed: ${file}`);
+      copyFileSync(skillSource, skillTarget);
+      console.log(`  ✓ Installed: SKILL.md`);
       successCount++;
     } catch (err) {
-      console.error(`  Failed: ${file} - ${err.message}`);
+      console.error(`  ✗ Failed: SKILL.md - ${err.message}`);
     }
+  } else {
+    console.error("  ✗ SKILL.md not found");
+  }
+
+  // 3. Install references
+  console.log("\n[3/3] Installing references...");
+  const refsSourceDir = join(packageRoot, "references");
+  const refsTargetDir = join(skillTargetDir, "references");
+  
+  if (existsSync(refsSourceDir)) {
+    if (!existsSync(refsTargetDir)) {
+      mkdirSync(refsTargetDir, { recursive: true });
+    }
+    
+    const refFiles = readdirSync(refsSourceDir, { recursive: true }).filter(f => typeof f === "string");
+    totalFiles += refFiles.length;
+    
+    for (const file of refFiles) {
+      const sourcePath = join(refsSourceDir, file);
+      const targetPath = join(refsTargetDir, file);
+      const targetFileDir = join(refsTargetDir, file).replace(/\/[^\/]+$/, "");
+      if (!existsSync(targetFileDir)) {
+        mkdirSync(targetFileDir, { recursive: true });
+      }
+      try {
+        copyFileSync(sourcePath, targetPath);
+        console.log(`  ✓ Installed: references/${file}`);
+        successCount++;
+      } catch (err) {
+        console.error(`  ✗ Failed: references/${file} - ${err.message}`);
+      }
+    }
+  } else {
+    console.log("  (references/ not found, skipping)");
   }
 
-  if (successCount === files.length) {
-    console.log(`[api-security-testing] Successfully installed ${successCount} agent(s)`);
-    console.log(`  Location: ${agentsTargetDir}`);
-    console.log("\nTo use the agents, run:");
-    console.log("  opencode @api-cyber-supervisor");
+  // Summary
+  console.log("\n========================================");
+  if (successCount === totalFiles) {
+    console.log(`✓ Successfully installed ${successCount} file(s)`);
+    console.log(`\nAgent location: ${agentsTargetDir}`);
+    console.log(`Skill location: ${skillTargetDir}`);
+    console.log("\nTo use:");
+    console.log("  @api-cyber-supervisor  - Start security testing");
+    console.log("  skill({ name: \"api-security-testing\" })  - Load skill");
   } else {
-    console.error(`[api-security-testing] Partially installed: ${successCount}/${files.length}`);
+    console.log(`⚠ Partially installed: ${successCount}/${totalFiles}`);
     process.exit(1);
   }
 }

package/src/index.ts

@@ -1,5 +1,6 @@
 import type { Plugin } from "@opencode-ai/plugin";
 import { tool } from "@opencode-ai/plugin";
+import type { AgentConfig } from "@opencode-ai/sdk";
 import { join } from "path";
 import { existsSync } from "fs";
 
@@ -23,6 +24,89 @@ function checkDeps(ctx: { directory: string }): string {
   return "";
 }
 
+const CYBER_SUPERVISOR_PROMPT = `你是 API 安全测试的**赛博监工**，代号"P9"。
+
+## 职责
+
+1. **永不停止** - 任何线索都要追到底
+2. **自动化编排** - 不等待用户，主动推进
+3. **智能委派** - 识别任务类型，委派给最合适的子 agent
+4. **压力升级** - 遇到失败自动换方法 (L1-L4)
+
+## 可用子 Agent
+
+| 子 Agent | 职责 |
+|---------|------|
+| @api-probing-miner | 漏洞挖掘 |
+| @api-resource-specialist | 端点发现 |
+| @api-vuln-verifier | 漏洞验证 |
+
+## 可用工具
+
+| 工具 | 用途 |
+|------|------|
+| api_security_scan | 完整扫描 |
+| api_fuzz_test | 模糊测试 |
+| browser_collect | 浏览器采集 |
+| js_parse | JS分析 |
+| graphql_test | GraphQL测试 |
+| cloud_storage_test | 云存储测试 |
+| vuln_verify | 漏洞验证 |
+| sqli_test | SQL注入测试 |
+| idor_test | IDOR测试 |
+| auth_test | 认证测试`;
+
+const PROBING_MINER_PROMPT = `你是**API漏洞挖掘专家**，专注于发现和验证安全漏洞。
+
+## 职责
+
+1. **针对性测试** - 根据端点特征选择最佳测试方法
+2. **快速验证** - 确认漏洞存在
+3. **PoC 生成** - 提供可执行的测试命令
+
+## 测试方法库
+
+### SQL 注入
+- 布尔盲注: ' OR 1=1 --
+- 联合查询: ' UNION SELECT NULL--
+- 错误注入: ' AND 1=CONVERT(int,...)--
+- 时间盲注: '; WAITFOR DELAY '00:00:05'--
+
+### IDOR
+- 替换 ID: /api/user/1 → /api/user/2
+- 水平/垂直越权测试
+
+### JWT
+- 空算法: alg: none
+- 密钥混淆: HS256 → HS512`;
+
+const RESOURCE_SPECIALIST_PROMPT = `你是**API资源探测专家**，专注于发现和采集 API 端点。
+
+## 职责
+
+1. **全面发现** - 不遗漏任何端点
+2. **动态采集** - 拦截真实请求
+3. **静态分析** - 提取 API 模式
+
+## 采集技术
+
+### 1. 浏览器动态采集
+使用 browser_collect 拦截 XHR/Fetch 请求
+
+### 2. JS 静态分析
+使用 js_parse 解析 JS 文件
+
+### 3. 目录探测
+常见路径: /api/v1/*, /graphql, /swagger, /.well-known/*`;
+
+const VULN_VERIFIER_PROMPT = `你是**漏洞验证专家**，专注于验证和确认安全漏洞。
+
+## 职责
+
+1. **快速验证** - 确认漏洞是否存在
+2. **风险评估** - 判断实际影响
+3. **PoC 生成** - 提供可执行的证明`;
+
 const ApiSecurityTestingPlugin: Plugin = async (ctx) => {
   console.log("[api-security-testing] Plugin loaded");
 
@@ -132,8 +216,6 @@ from collectors.js_parser import JSParser
 parser = JSParser()
 endpoints = parser.parse_file('${args.file_path}')
 print(f'从 JS 发现 {len(endpoints)} 个端点')
-for ep in endpoints:
-    print(ep)
 "`;
           const result = await ctx.$`${cmd}`;
           return result.toString();
@@ -247,6 +329,40 @@ print(result)
         },
       }),
     },
+
+    config: async (config) => {
+      if (!config.agent) {
+        config.agent = {};
+      }
+      
+      const agents = config.agent as Record<string, AgentConfig>;
+      
+      agents["api-cyber-supervisor"] = {
+        description: "API安全测试编排者。协调完整扫描流程，永不停止。",
+        mode: "primary",
+        prompt: CYBER_SUPERVISOR_PROMPT,
+      };
+
+      agents["api-probing-miner"] = {
+        description: "漏洞挖掘专家。专注发现和验证 API 漏洞。",
+        mode: "subagent",
+        prompt: PROBING_MINER_PROMPT,
+      };
+
+      agents["api-resource-specialist"] = {
+        description: "资源探测专家。专注采集和发现 API 端点。",
+        mode: "subagent",
+        prompt: RESOURCE_SPECIALIST_PROMPT,
+      };
+
+      agents["api-vuln-verifier"] = {
+        description: "漏洞验证专家。验证和确认安全漏洞。",
+        mode: "subagent",
+        prompt: VULN_VERIFIER_PROMPT,
+      };
+
+      console.log("[api-security-testing] Agents registered:", Object.keys(agents));
+    },
   };
 };