opencode-api-security-testing 3.0.4 → 3.0.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-api-security-testing",
-  "version": "3.0.4",
+  "version": "3.0.6",
   "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
   "type": "module",
   "main": "src/index.ts",

package/src/hooks/directory-agents-injector.ts

@@ -0,0 +1,102 @@
+import type { PluginInput } from "@opencode-ai/plugin";
+import { existsSync, readFileSync } from "node:fs";
+import { dirname, join, resolve } from "node:path";
+
+const AGENTS_FILENAME = "AGENTS.md";
+const AGENTS_DIR = ".config/opencode/agents";
+
+export function createDirectoryAgentsInjectorHook(ctx: PluginInput) {
+  function resolveAgentsDir(): string | null {
+    const home = process.env.HOME || process.env.USERPROFILE;
+    if (!home) return null;
+    return join(home, AGENTS_DIR);
+  }
+
+  function findAgentsMdUp(startDir: string, agentsDir: string): string | null {
+    let current = startDir;
+
+    while (true) {
+      const agentsPath = join(current, AGENTS_FILENAME);
+      if (existsSync(agentsPath)) {
+        return agentsPath;
+      }
+
+      if (current === agentsDir) break;
+      const parent = dirname(current);
+      if (parent === current) break;
+      if (parent === "/" || parent === home) break;
+      current = parent;
+    }
+
+    return null;
+  }
+
+  function getSessionKey(sessionID: string): string {
+    return `api-sec-inject-${sessionID}`;
+  }
+
+  const injectedPaths = new Set<string>();
+
+  const toolExecuteAfter = async (
+    input: { tool: string; sessionID: string; callID: string },
+    output: { title: string; output: string; metadata: unknown }
+  ) => {
+    const toolName = input.tool.toLowerCase();
+    const agentsDir = resolveAgentsDir();
+    
+    if (!agentsDir || !existsSync(agentsDir)) return;
+
+    if (toolName === "read") {
+      const filePath = output.title;
+      if (!filePath) return;
+
+      const resolved = resolve(filePath);
+      const dir = dirname(resolved);
+
+      if (!dir.includes(agentsDir)) return;
+
+      const cacheKey = getSessionKey(input.sessionID);
+      if (injectedPaths.has(cacheKey + resolved)) return;
+
+      const agentsPath = findAgentsMdUp(dir, agentsDir);
+      if (!agentsPath) return;
+
+      try {
+        const content = readFileSync(agentsPath, "utf-8");
+        output.output += `\n\n[Auto-injected from ${AGENTS_FILENAME}]\n${content}`;
+        injectedPaths.add(cacheKey + resolved);
+      } catch (err) {
+        console.error("[api-security-testing] Failed to inject agents:", err);
+      }
+    }
+  };
+
+  const eventHandler = async (input: { event: { type: string; properties?: unknown } }) => {
+    const { event } = input;
+
+    if (event.type === "session.deleted" || event.type === "session.compacted") {
+      const props = event.properties as Record<string, unknown> | undefined;
+      let sessionID: string | undefined;
+
+      if (event.type === "session.deleted") {
+        sessionID = (props?.info as { id?: string })?.id;
+      } else {
+        sessionID = (props?.sessionID ?? (props?.info as { id?: string })?.id) as string | undefined;
+      }
+
+      if (sessionID) {
+        const cacheKey = getSessionKey(sessionID);
+        for (const key of injectedPaths.keys()) {
+          if (key.startsWith(cacheKey)) {
+            injectedPaths.delete(key);
+          }
+        }
+      }
+    }
+  };
+
+  return {
+    "tool.execute.after": toolExecuteAfter,
+    event: eventHandler,
+  };
+}

package/src/index.ts

@@ -1,11 +1,12 @@
 import type { Plugin } from "@opencode-ai/plugin";
 import { tool } from "@opencode-ai/plugin";
-import type { AgentConfig } from "@opencode-ai/sdk";
 import { join } from "path";
-import { existsSync } from "fs";
+import { existsSync, readFileSync } from "fs";
 
 const SKILL_DIR = "skills/api-security-testing";
 const CORE_DIR = `${SKILL_DIR}/core`;
+const AGENTS_DIR = ".config/opencode/agents";
+const AGENTS_FILENAME = "AGENTS.md";
 
 function getSkillPath(ctx: { directory: string }): string {
   return join(ctx.directory, SKILL_DIR);
@@ -24,92 +25,40 @@ function checkDeps(ctx: { directory: string }): string {
   return "";
 }
 
-const CYBER_SUPERVISOR_PROMPT = `你是 API 安全测试的**赛博监工**，代号"P9"。
-
-## 职责
-
-1. **永不停止** - 任何线索都要追到底
-2. **自动化编排** - 不等待用户，主动推进
-3. **智能委派** - 识别任务类型，委派给最合适的子 agent
-4. **压力升级** - 遇到失败自动换方法 (L1-L4)
-
-## 可用子 Agent
-
-| 子 Agent | 职责 |
-|---------|------|
-| @api-probing-miner | 漏洞挖掘 |
-| @api-resource-specialist | 端点发现 |
-| @api-vuln-verifier | 漏洞验证 |
-
-## 可用工具
-
-| 工具 | 用途 |
-|------|------|
-| api_security_scan | 完整扫描 |
-| api_fuzz_test | 模糊测试 |
-| browser_collect | 浏览器采集 |
-| js_parse | JS分析 |
-| graphql_test | GraphQL测试 |
-| cloud_storage_test | 云存储测试 |
-| vuln_verify | 漏洞验证 |
-| sqli_test | SQL注入测试 |
-| idor_test | IDOR测试 |
-| auth_test | 认证测试`;
-
-const PROBING_MINER_PROMPT = `你是**API漏洞挖掘专家**，专注于发现和验证安全漏洞。
-
-## 职责
-
-1. **针对性测试** - 根据端点特征选择最佳测试方法
-2. **快速验证** - 确认漏洞存在
-3. **PoC 生成** - 提供可执行的测试命令
-
-## 测试方法库
-
-### SQL 注入
-- 布尔盲注: ' OR 1=1 --
-- 联合查询: ' UNION SELECT NULL--
-- 错误注入: ' AND 1=CONVERT(int,...)--
-- 时间盲注: '; WAITFOR DELAY '00:00:05'--
-
-### IDOR
-- 替换 ID: /api/user/1 → /api/user/2
-- 水平/垂直越权测试
-
-### JWT
-- 空算法: alg: none
-- 密钥混淆: HS256 → HS512`;
-
-const RESOURCE_SPECIALIST_PROMPT = `你是**API资源探测专家**，专注于发现和采集 API 端点。
-
-## 职责
-
-1. **全面发现** - 不遗漏任何端点
-2. **动态采集** - 拦截真实请求
-3. **静态分析** - 提取 API 模式
-
-## 采集技术
-
-### 1. 浏览器动态采集
-使用 browser_collect 拦截 XHR/Fetch 请求
+function getAgentsDir(): string {
+  const home = process.env.HOME || process.env.USERPROFILE || "/root";
+  return join(home, AGENTS_DIR);
+}
 
-### 2. JS 静态分析
-使用 js_parse 解析 JS 文件
+function getInjectedAgentsPrompt(): string {
+  const agentsDir = getAgentsDir();
+  const agentsPath = join(agentsDir, "api-cyber-supervisor.md");
+  
+  if (!existsSync(agentsPath)) {
+    return "";
+  }
 
-### 3. 目录探测
-常见路径: /api/v1/*, /graphql, /swagger, /.well-known/*`;
+  try {
+    const content = readFileSync(agentsPath, "utf-8");
+    return `
 
-const VULN_VERIFIER_PROMPT = `你是**漏洞验证专家**，专注于验证和确认安全漏洞。
+[API Security Testing Agents Available]
+When performing security testing tasks, you can use the following specialized agents:
 
-## 职责
+${content}
 
-1. **快速验证** - 确认漏洞是否存在
-2. **风险评估** - 判断实际影响
-3. **PoC 生成** - 提供可执行的证明`;
+To activate these agents, simply mention their name in your response (e.g., "@api-cyber-supervisor" to coordinate security testing).
+`;
+  } catch {
+    return "";
+  }
+}
 
 const ApiSecurityTestingPlugin: Plugin = async (ctx) => {
   console.log("[api-security-testing] Plugin loaded");
 
+  const injectedSessions = new Set<string>();
+
   return {
     tool: {
       api_security_scan: tool({
@@ -330,40 +279,74 @@ print(result)
       }),
     },
 
-    config: async (config) => {
-      if (!config.agent) {
-        config.agent = {};
-      }
+    "chat.message": async (input, output) => {
+      const sessionID = input.sessionID;
       
-      const agents = config.agent as Record<string, AgentConfig>;
+      if (!injectedSessions.has(sessionID)) {
+        injectedSessions.add(sessionID);
+        
+        const agentsPrompt = getInjectedAgentsPrompt();
+        if (agentsPrompt) {
+          const parts = output.parts as Array<{ type: string; text?: string }>;
+          const textPart = parts.find(p => p.type === "text");
+          if (textPart && textPart.text) {
+            textPart.text += agentsPrompt;
+          }
+        }
+      }
+    },
+
+    "tool.execute.after": async (input, output) => {
+      const toolName = input.tool.toLowerCase();
+      const agentsDir = getAgentsDir();
       
-      agents["api-cyber-supervisor"] = {
-        description: "API安全测试编排者。协调完整扫描流程，永不停止。",
-        mode: "primary",
-        prompt: CYBER_SUPERVISOR_PROMPT,
-      };
-
-      agents["api-probing-miner"] = {
-        description: "漏洞挖掘专家。专注发现和验证 API 漏洞。",
-        mode: "subagent",
-        prompt: PROBING_MINER_PROMPT,
-      };
-
-      agents["api-resource-specialist"] = {
-        description: "资源探测专家。专注采集和发现 API 端点。",
-        mode: "subagent",
-        prompt: RESOURCE_SPECIALIST_PROMPT,
-      };
-
-      agents["api-vuln-verifier"] = {
-        description: "漏洞验证专家。验证和确认安全漏洞。",
-        mode: "subagent",
-        prompt: VULN_VERIFIER_PROMPT,
-      };
-
-      console.log("[api-security-testing] Tools registered");
+      if (!existsSync(agentsDir)) return;
+
+      if (toolName === "read") {
+        const filePath = output.title;
+        if (!filePath) return;
+
+        const resolved = resolve(filePath);
+        const dir = dirname(resolved);
+
+        if (!dir.includes(agentsDir)) return;
+
+        const agentsPath = join(agentsDir, AGENTS_FILENAME);
+        if (!existsSync(agentsPath)) return;
+
+        try {
+          const content = readFileSync(agentsPath, "utf-8");
+          output.output += `\n\n[Agents Definition]\n${content}`;
+        } catch (err) {
+          console.error("[api-security-testing] Failed to inject agents:", err);
+        }
+      }
+    },
+
+    event: async (input) => {
+      const { event } = input;
+
+      if (event.type === "session.deleted" || event.type === "session.compacted") {
+        const props = event.properties as Record<string, unknown> | undefined;
+        let sessionID: string | undefined;
+
+        if (event.type === "session.deleted") {
+          sessionID = (props?.info as { id?: string })?.id;
+        } else {
+          sessionID = (props?.sessionID ?? (props?.info as { id?: string })?.id) as string | undefined;
+        }
+
+        if (sessionID) {
+          injectedSessions.delete(sessionID);
+        }
+      }
     },
   };
 };
 
-export default ApiSecurityTestingPlugin;
+function resolve(filePath: string): string {
+  if (filePath.startsWith("/")) return filePath;
+  return join(process.cwd(), filePath);
+}
+
+export default ApiSecurityTestingPlugin;