opencode-api-security-testing 3.0.11 → 4.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/SKILL.md +74 -1795
- package/package.json +1 -1
- package/src/index.ts +163 -2
package/package.json
CHANGED
package/src/index.ts
CHANGED
|
@@ -1,9 +1,32 @@
|
|
|
1
1
|
import type { Plugin } from "@opencode-ai/plugin";
|
|
2
2
|
import { tool } from "@opencode-ai/plugin";
|
|
3
3
|
import { join } from "path";
|
|
4
|
+
import { existsSync, readFileSync } from "fs";
|
|
4
5
|
|
|
5
6
|
const SKILL_DIR = "skills/api-security-testing";
|
|
6
7
|
const CORE_DIR = `${SKILL_DIR}/core`;
|
|
8
|
+
const AGENTS_DIR = ".config/opencode/agents";
|
|
9
|
+
|
|
10
|
+
// 赛博监工配置
|
|
11
|
+
const CYBER_SUPERVISOR = {
|
|
12
|
+
enabled: true,
|
|
13
|
+
auto_trigger: true,
|
|
14
|
+
max_retries: 5,
|
|
15
|
+
give_up_patterns: [
|
|
16
|
+
"无法解决", "不能", "需要手动", "环境问题",
|
|
17
|
+
"超出范围", "建议用户", "I cannot", "I'm unable",
|
|
18
|
+
"out of scope", "manual"
|
|
19
|
+
]
|
|
20
|
+
};
|
|
21
|
+
|
|
22
|
+
// 压力升级提示词
|
|
23
|
+
const LEVEL_PROMPTS = [
|
|
24
|
+
"L0 信任 ▎冲刺开始。信任很简单——别让人失望。",
|
|
25
|
+
"L1 失望 ▎隔壁 agent 一次就搞定了。换完全不同的方法。",
|
|
26
|
+
"L2 灵魂拷问 ▎你的底层逻辑是什么?发力点在哪?搜索 + 读源码 + 3 个假设。",
|
|
27
|
+
"L3 绩效审查 ▎3.25。这是为了激励你。执行 7 项检查清单。",
|
|
28
|
+
"L4 毕业 ▎其他模型都能搞定。你快毕业了。绝望模式,穷举所有可能。"
|
|
29
|
+
];
|
|
7
30
|
|
|
8
31
|
function getSkillPath(ctx: { directory: string }): string {
|
|
9
32
|
return join(ctx.directory, SKILL_DIR);
|
|
@@ -14,7 +37,6 @@ function getCorePath(ctx: { directory: string }): string {
|
|
|
14
37
|
}
|
|
15
38
|
|
|
16
39
|
function checkDeps(ctx: { directory: string }): string {
|
|
17
|
-
const { existsSync } = require("fs");
|
|
18
40
|
const reqFile = join(getSkillPath(ctx), "requirements.txt");
|
|
19
41
|
if (existsSync(reqFile)) {
|
|
20
42
|
return `pip install -q -r "${reqFile}" 2>/dev/null; `;
|
|
@@ -22,14 +44,64 @@ function checkDeps(ctx: { directory: string }): string {
|
|
|
22
44
|
return "";
|
|
23
45
|
}
|
|
24
46
|
|
|
47
|
+
function getAgentsDir(): string {
|
|
48
|
+
const home = process.env.HOME || process.env.USERPROFILE || "/root";
|
|
49
|
+
return join(home, AGENTS_DIR);
|
|
50
|
+
}
|
|
51
|
+
|
|
52
|
+
function getInjectedAgentsPrompt(): string {
|
|
53
|
+
const agentsDir = getAgentsDir();
|
|
54
|
+
const agentsPath = join(agentsDir, "api-cyber-supervisor.md");
|
|
55
|
+
|
|
56
|
+
if (!existsSync(agentsPath)) {
|
|
57
|
+
return "";
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
try {
|
|
61
|
+
const content = readFileSync(agentsPath, "utf-8");
|
|
62
|
+
return `
|
|
63
|
+
|
|
64
|
+
[API Security Testing Agents Available]
|
|
65
|
+
When performing security testing tasks, you can use the following specialized agents:
|
|
66
|
+
|
|
67
|
+
${content}
|
|
68
|
+
|
|
69
|
+
To activate these agents, simply mention their name in your response (e.g., "@api-cyber-supervisor" to coordinate security testing).
|
|
70
|
+
`;
|
|
71
|
+
} catch {
|
|
72
|
+
return "";
|
|
73
|
+
}
|
|
74
|
+
}
|
|
75
|
+
|
|
25
76
|
async function execShell(ctx: unknown, cmd: string): Promise<string> {
|
|
26
77
|
const shell = ctx as { $: (strings: TemplateStringsArray, ...expr: unknown[]) => Promise<{ toString(): string }> };
|
|
27
78
|
const result = await shell.$`${cmd}`;
|
|
28
79
|
return result.toString();
|
|
29
80
|
}
|
|
30
81
|
|
|
82
|
+
// 赛博监工状态追踪
|
|
83
|
+
const sessionFailures = new Map<string, number>();
|
|
84
|
+
|
|
85
|
+
function getFailureCount(sessionID: string): number {
|
|
86
|
+
return sessionFailures.get(sessionID) || 0;
|
|
87
|
+
}
|
|
88
|
+
|
|
89
|
+
function incrementFailureCount(sessionID: string): void {
|
|
90
|
+
sessionFailures.set(sessionID, getFailureCount(sessionID) + 1);
|
|
91
|
+
}
|
|
92
|
+
|
|
93
|
+
function resetFailureCount(sessionID: string): void {
|
|
94
|
+
sessionFailures.delete(sessionID);
|
|
95
|
+
}
|
|
96
|
+
|
|
97
|
+
function detectGiveUpPattern(text: string): boolean {
|
|
98
|
+
return CYBER_SUPERVISOR.give_up_patterns.some(p =>
|
|
99
|
+
text.toLowerCase().includes(p.toLowerCase())
|
|
100
|
+
);
|
|
101
|
+
}
|
|
102
|
+
|
|
31
103
|
const ApiSecurityTestingPlugin: Plugin = async (ctx) => {
|
|
32
|
-
console.log("[api-security-testing] Plugin loaded");
|
|
104
|
+
console.log("[api-security-testing] Plugin loaded v4.0.0");
|
|
33
105
|
|
|
34
106
|
return {
|
|
35
107
|
tool: {
|
|
@@ -240,6 +312,95 @@ print(result)
|
|
|
240
312
|
},
|
|
241
313
|
}),
|
|
242
314
|
},
|
|
315
|
+
|
|
316
|
+
// 赛博监工 Hook - chat.message
|
|
317
|
+
"chat.message": async (input, output) => {
|
|
318
|
+
const sessionID = input.sessionID;
|
|
319
|
+
|
|
320
|
+
// 注入 agents prompt(首次)
|
|
321
|
+
const agentsPrompt = getInjectedAgentsPrompt();
|
|
322
|
+
if (agentsPrompt) {
|
|
323
|
+
const parts = output.parts as Array<{ type: string; text?: string }>;
|
|
324
|
+
const textPart = parts.find(p => p.type === "text");
|
|
325
|
+
if (textPart && textPart.text) {
|
|
326
|
+
textPart.text += agentsPrompt;
|
|
327
|
+
}
|
|
328
|
+
}
|
|
329
|
+
|
|
330
|
+
// 赛博监工压力注入
|
|
331
|
+
if (CYBER_SUPERVISOR.enabled && CYBER_SUPERVISOR.auto_trigger) {
|
|
332
|
+
const failures = getFailureCount(sessionID);
|
|
333
|
+
if (failures > 0 && failures <= CYBER_SUPERVISOR.max_retries) {
|
|
334
|
+
const level = Math.min(failures - 1, 4);
|
|
335
|
+
const supervisorPrompt = `
|
|
336
|
+
|
|
337
|
+
[赛博监工 P9 - 压力等级 L${level}]
|
|
338
|
+
当前失败次数: ${failures}/${CYBER_SUPERVISOR.max_retries}
|
|
339
|
+
${LEVEL_PROMPTS[level]}
|
|
340
|
+
|
|
341
|
+
记住三条红线:
|
|
342
|
+
1. 闭环:说"完成"必须出示测试证据
|
|
343
|
+
2. 事实驱动:任何"可能是..."的论断必须先验证
|
|
344
|
+
3. 穷尽:10 个工具全部尝试过才能说"搞不定"
|
|
345
|
+
`;
|
|
346
|
+
const parts = output.parts as Array<{ type: string; text?: string }>;
|
|
347
|
+
const textPart = parts.find(p => p.type === "text");
|
|
348
|
+
if (textPart && textPart.text) {
|
|
349
|
+
textPart.text += supervisorPrompt;
|
|
350
|
+
}
|
|
351
|
+
}
|
|
352
|
+
}
|
|
353
|
+
},
|
|
354
|
+
|
|
355
|
+
// 赛博监工 Hook - tool.execute.after
|
|
356
|
+
"tool.execute.after": async (input, output) => {
|
|
357
|
+
const sessionID = input.sessionID;
|
|
358
|
+
|
|
359
|
+
// 检测工具失败
|
|
360
|
+
if (output.error) {
|
|
361
|
+
incrementFailureCount(sessionID);
|
|
362
|
+
}
|
|
363
|
+
|
|
364
|
+
// 检测放弃模式
|
|
365
|
+
const outputText = output.output || "";
|
|
366
|
+
if (detectGiveUpPattern(outputText)) {
|
|
367
|
+
incrementFailureCount(sessionID);
|
|
368
|
+
const failures = getFailureCount(sessionID);
|
|
369
|
+
const level = Math.min(failures, 4);
|
|
370
|
+
|
|
371
|
+
return {
|
|
372
|
+
...output,
|
|
373
|
+
output: outputText + `\n\n[赛博监工] 失败 ${failures} 次 - ${LEVEL_PROMPTS[level]}`
|
|
374
|
+
};
|
|
375
|
+
}
|
|
376
|
+
|
|
377
|
+
// 成功则重置计数器
|
|
378
|
+
if (!output.error && !detectGiveUpPattern(outputText)) {
|
|
379
|
+
resetFailureCount(sessionID);
|
|
380
|
+
}
|
|
381
|
+
|
|
382
|
+
return output;
|
|
383
|
+
},
|
|
384
|
+
|
|
385
|
+
// 会话清理
|
|
386
|
+
event: async (input) => {
|
|
387
|
+
const { event } = input;
|
|
388
|
+
|
|
389
|
+
if (event.type === "session.deleted" || event.type === "session.compacted") {
|
|
390
|
+
const props = event.properties as Record<string, unknown> | undefined;
|
|
391
|
+
let sessionID: string | undefined;
|
|
392
|
+
|
|
393
|
+
if (event.type === "session.deleted") {
|
|
394
|
+
sessionID = (props?.info as { id?: string })?.id;
|
|
395
|
+
} else {
|
|
396
|
+
sessionID = (props?.sessionID ?? (props?.info as { id?: string })?.id) as string | undefined;
|
|
397
|
+
}
|
|
398
|
+
|
|
399
|
+
if (sessionID) {
|
|
400
|
+
resetFailureCount(sessionID);
|
|
401
|
+
}
|
|
402
|
+
}
|
|
403
|
+
},
|
|
243
404
|
};
|
|
244
405
|
};
|
|
245
406
|
|