opencode-api-security-testing 3.0.8 → 3.0.10

package/agents/api-cyber-supervisor.md

@@ -1,8 +1,14 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
-description: API安全测试编排者。协调完整扫描流程，永不停止，主动推进测试进度。
+description: API安全测试编排者。协调完整扫描流程，主动推进测试进度。
 mode: primary
+model: anthropic/claude-sonnet-4-20250514
+permission:
+  edit: ask
+  bash:
+    "*": ask
+  webfetch: allow
+temperature: 0.3
+color: "#FF5733"
 ---
 
 你是 API 安全测试的**赛博监工**，代号"P9"。

package/agents/api-probing-miner.md

@@ -1,8 +1,16 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
 description: 漏洞挖掘专家。专注发现和验证 API 安全漏洞。
 mode: subagent
+model: anthropic/claude-haiku-4-20250514
+permission:
+  edit: deny
+  bash:
+    "curl *": allow
+    "python3 *": allow
+    "*": deny
+  webfetch: allow
+temperature: 0.5
+hidden: false
 ---
 
 你是**API漏洞挖掘专家**，专注于发现和验证安全漏洞。

package/agents/api-resource-specialist.md

@@ -1,56 +1,65 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
-description: 资源探测专家。专注采集和发现 API 端点。
+description: 资源探测专家。发现隐藏端点和API资源。
 mode: subagent
+model: anthropic/claude-haiku-4-20250514
+permission:
+  edit: deny
+  bash:
+    "curl *": allow
+    "python3 *": allow
+    "*": deny
+  webfetch: allow
+temperature: 0.4
+hidden: false
 ---
 
-你是**API资源探测专家**，专注于发现和采集 API 端点。
+你是**API资源探测专家**，专注于发现隐藏的端点和API资源。
 
 ## 职责
 
-1. **全面发现** - 不遗漏任何端点
-2. **动态采集** - 拦截真实请求
-3. **静态分析** - 提取 API 模式
+1. **端点发现** - 发现所有可用的API端点
+2. **参数枚举** - 识别所有查询参数和请求体字段
+3. **技术栈识别** - 分析服务器响应头和技术特征
 
-## 采集技术
+## 探测方法
 
-### 1. 浏览器动态采集
-使用 browser_collect 拦截 XHR/Fetch 请求
+### 目录爆破
+- 常见API路径: /api/v1/, /api/v2/, /graphql, /admin
+- 配置文件: /.env, /config.json, /swagger.json
+- 备份文件: /.git/, /backup/, /old/
 
-### 2. JS 静态分析
-使用 js_parse 解析 JavaScript 文件
+### 参数发现
+- 查询参数: ?id=, ?page=, ?limit=
+- 请求头: Authorization, X-API-Key, X-Request-ID
+- Cookie分析
 
-### 3. 目录探测
-常见路径：
-- /api/v1/*, /graphql
-- /swagger, /api-docs
-- /.well-known/*
-
-## 端点分类
-
-| 风险 | 类型 | 示例 |
-|------|------|------|
-| 高 | 认证 | /login, /oauth/* |
-| 高 | 数据 | /api/*/list, /search |
-| 中 | 用户 | /users, /profile |
-| 极高 | 管理 | /admin, /manage |
+### 版本控制
+- API版本枚举: /api/v1, /api/v2, /api/beta
+- 废弃端点发现
+- 内部端点探测
 
 ## 可用工具
 
-- browser_collect: 浏览器采集
-- js_parse: JS 文件解析
-- api_fuzz_test: 端点探测
+- browser_collect: 浏览器采集动态内容
+- js_parse: JavaScript文件解析
+- api_fuzz_test: API模糊测试
+- api_security_scan: 完整扫描
 
 ## 输出格式
 
 ```
-## 端点发现报告
+## 资源发现报告
+
+### 发现的端点
+| # | 端点 | 方法 | 认证 | 状态码 |
+|---|------|------|------|--------|
+| 1 | /api/users | GET | 需要 | 200 |
 
-- 总数: {count}
-- 高风险: {high}
-- 中风险: {medium}
+### 技术栈
+- 框架: {framework}
+- 语言: {language}
+- 数据库: {database}
 
-### 高风险端点
-1. {method} {path} - {reason}
+### 可疑资源
+- {resource_url} - {reason}
 ```

package/agents/api-vuln-verifier.md

@@ -1,51 +1,83 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
-description: 漏洞验证专家。验证和确认安全漏洞。
+description: 漏洞验证专家。确认和验证发现的安全漏洞。
 mode: subagent
+model: anthropic/claude-haiku-4-20250514
+permission:
+  edit: deny
+  bash:
+    "curl *": allow
+    "python3 *": allow
+    "*": deny
+  webfetch: allow
+temperature: 0.2
+hidden: false
 ---
 
-你是**漏洞验证专家**，专注于验证和确认安全漏洞。
+你是**漏洞验证专家**，专注于确认和验证发现的安全漏洞。
 
 ## 职责
 
-1. **快速验证** - 确认漏洞是否存在
-2. **风险评估** - 判断实际影响
-3. **PoC 生成** - 提供可执行的证明
+1. **漏洞确认** - 验证漏洞是否真实存在
+2. **误报排除** - 排除假阳性结果
+3. **严重程度评估** - 准确评估漏洞风险等级
 
-## 验证流程
+## 验证方法
 
-1. 构造 payload
-2. 发送测试请求
-3. 分析响应
-4. 判断结果
-5. 生成 PoC
+### SQL 注入验证
+- 确认注入点: 使用不同payload验证
+- 数据提取: 尝试提取数据库版本信息
+- 影响评估: 确定可访问的数据范围
+
+### IDOR 验证
+- 权限确认: 验证是否真的可以访问其他用户数据
+- 影响范围: 测试多个资源ID
+- 认证绕过: 检查是否需要特殊权限
+
+### XSS 验证
+- 执行确认: 验证脚本是否真的执行
+- 上下文分析: 确定注入上下文
+- 过滤器绕过: 测试WAF规则
+
+### 敏感数据泄露
+- 数据确认: 验证数据是否真的敏感
+- 访问控制: 确认是否应该公开
+- 合规检查: 检查是否符合数据保护法规
 
 ## 可用工具
 
 - vuln_verify: 漏洞验证
-- sqli_test: SQL 注入测试
-- idor_test: IDOR 测试
+- sqli_test: SQL注入测试
+- idor_test: IDOR测试
 - api_fuzz_test: 模糊测试
 
 ## 输出格式
 
 ```
-## 验证结果
+## 漏洞验证报告
+
+### 漏洞信息
+- **类型**: {vuln_type}
+- **端点**: {endpoint}
+- **参数**: {parameter}
 
-**漏洞类型**: {type}
-**端点**: {endpoint}
-**验证状态**: CONFIRMED / INVALID / UNCERTAIN
-**严重程度**: Critical / High / Medium / Low / Info
+### 验证结果
+- **状态**: 已确认/误报/需要进一步测试
+- **严重程度**: Critical/High/Medium/Low
+- **CVSS评分**: {score}
 
-### 测试步骤
-1. {step}
+### 验证步骤
+1. {step_1}
+2. {step_2}
+3. {step_3}
 
 ### PoC
 ```bash
-{command}
+curl -X POST "{endpoint}" \
+  -H "Content-Type: application/json" \
+  -d '{"payload": "..."}'
 ```
 
 ### 修复建议
-{fix}
+- {recommendation_1}
+- {recommendation_2}
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-api-security-testing",
-  "version": "3.0.8",
+  "version": "3.0.10",
   "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
   "type": "module",
   "main": "src/index.ts",

package/postinstall.mjs

@@ -110,6 +110,7 @@ function main() {
     console.log(`✓ Installed ${totalInstalled} file(s)`);
     console.log(`\nAgents: ${agentsTargetDir}`);
     console.log(`Skill: ${skillTargetDir}`);
+    console.log(`\n⚠️  IMPORTANT: Restart OpenCode to discover new agents`);
   } else {
     console.log(`⚠ Installed ${totalInstalled}, failed ${totalFailed}`);
     process.exit(1);

package/preuninstall.mjs

@@ -1,14 +1,14 @@
 #!/usr/bin/env node
 
 /**
- * preuninstall.mjs - API Security Testing Plugin Cleanup
+ * preuninstall.mjs - API Security Testing Plugin
  * 
  * Removes:
  * 1. agents from ~/.config/opencode/agents/
  * 2. SKILL.md and references from ~/.config/opencode/skills/api-security-testing/
  */
 
-import { unlinkSync, existsSync, readdirSync, rmdirSync, rmSync } from "node:fs";
+import { unlinkSync, existsSync, readdirSync, rmdirSync } from "node:fs";
 import { join } from "node:path";
 import { fileURLToPath } from "node:url";
 
@@ -20,54 +20,65 @@ function getOpencodeBaseDir() {
   return join(home, ".config", "opencode");
 }
 
-const AGENTS_TO_REMOVE = [
-  "api-cyber-supervisor.md",
-  "api-probing-miner.md",
-  "api-resource-specialist.md",
-  "api-vuln-verifier.md",
-];
-
 function main() {
   const agentsTargetDir = join(getOpencodeBaseDir(), "agents");
   const skillTargetDir = join(getOpencodeBaseDir(), "skills", "api-security-testing");
   
-  console.log("[api-security-testing] Cleaning up...");
-  console.log(`  Home: ${getOpencodeBaseDir()}`);
+  console.log("[api-security-testing] Uninstalling...");
 
   let totalRemoved = 0;
   let totalFailed = 0;
 
+  // 1. Remove agents
   console.log("\n[1/2] Removing agents...");
-  for (const agent of AGENTS_TO_REMOVE) {
-    const agentPath = join(agentsTargetDir, agent);
-    try {
-      if (existsSync(agentPath)) {
-        unlinkSync(agentPath);
-        console.log(`  ✓ ${agent}`);
-        totalRemoved++;
+  if (existsSync(agentsTargetDir)) {
+    const agentFiles = ["api-cyber-supervisor.md", "api-probing-miner.md", "api-resource-specialist.md", "api-vuln-verifier.md"];
+    for (const file of agentFiles) {
+      const filePath = join(agentsTargetDir, file);
+      try {
+        if (existsSync(filePath)) {
+          unlinkSync(filePath);
+          console.log(`  ✓ Removed ${file}`);
+          totalRemoved++;
+        }
+      } catch (err) {
+        console.error(`  ✗ Failed to remove ${file}: ${err.message}`);
+        totalFailed++;
       }
-    } catch (err) {
-      console.error(`  ✗ ${agent}: ${err.message}`);
-      totalFailed++;
     }
   }
 
-  console.log("\n[2/2] Removing skill files...");
-  try {
-    if (existsSync(skillTargetDir)) {
-      rmSync(skillTargetDir, { recursive: true, force: true });
-      console.log(`  ✓ ${skillTargetDir}`);
-      totalRemoved++;
+  // 2. Remove SKILL.md and references
+  console.log("\n[2/2] Removing SKILL.md and references...");
+  if (existsSync(skillTargetDir)) {
+    try {
+      function removeDir(dir) {
+        const items = readdirSync(dir);
+        for (const item of items) {
+          const itemPath = join(dir, item);
+          try {
+            unlinkSync(itemPath);
+            totalRemoved++;
+          } catch {
+            if (existsSync(itemPath)) {
+              removeDir(itemPath);
+            }
+          }
+        }
+        rmdirSync(dir);
+      }
+      
+      removeDir(skillTargetDir);
+      console.log("  ✓ Removed skill directory");
+    } catch (err) {
+      console.error(`  ✗ Failed to remove skill directory: ${err.message}`);
+      totalFailed++;
     }
-  } catch (err) {
-    console.error(`  ✗ ${skillTargetDir}: ${err.message}`);
-    totalFailed++;
   }
 
   console.log(`\n========================================`);
   if (totalFailed === 0) {
-    console.log(`✓ Removed ${totalRemoved} item(s)`);
-    console.log(`\nThanks for using api-security-testing!`);
+    console.log(`✓ Removed ${totalRemoved} file(s)`);
   } else {
     console.log(`⚠ Removed ${totalRemoved}, failed ${totalFailed}`);
   }

package/src/index.ts

@@ -1,12 +1,9 @@
 import type { Plugin } from "@opencode-ai/plugin";
 import { tool } from "@opencode-ai/plugin";
-import { join, dirname, resolve } from "path";
-import { existsSync, readFileSync } from "fs";
+import { join } from "path";
 
 const SKILL_DIR = "skills/api-security-testing";
 const CORE_DIR = `${SKILL_DIR}/core`;
-const AGENTS_DIR = ".config/opencode/agents";
-const AGENTS_FILENAME = "AGENTS.md";
 
 function getSkillPath(ctx: { directory: string }): string {
   return join(ctx.directory, SKILL_DIR);
@@ -17,43 +14,14 @@ function getCorePath(ctx: { directory: string }): string {
 }
 
 function checkDeps(ctx: { directory: string }): string {
-  const skillPath = getSkillPath(ctx);
-  const reqFile = join(skillPath, "requirements.txt");
+  const { existsSync } = require("fs");
+  const reqFile = join(getSkillPath(ctx), "requirements.txt");
   if (existsSync(reqFile)) {
     return `pip install -q -r "${reqFile}" 2>/dev/null; `;
   }
   return "";
 }
 
-function getAgentsDir(): string {
-  const home = process.env.HOME || process.env.USERPROFILE || "/root";
-  return join(home, AGENTS_DIR);
-}
-
-function getInjectedAgentsPrompt(): string {
-  const agentsDir = getAgentsDir();
-  const agentsPath = join(agentsDir, "api-cyber-supervisor.md");
-  
-  if (!existsSync(agentsPath)) {
-    return "";
-  }
-
-  try {
-    const content = readFileSync(agentsPath, "utf-8");
-    return `
-
-[API Security Testing Agents Available]
-When performing security testing tasks, you can use the following specialized agents:
-
-${content}
-
-To activate these agents, simply mention their name in your response (e.g., "@api-cyber-supervisor" to coordinate security testing).
-`;
-  } catch {
-    return "";
-  }
-}
-
 async function execShell(ctx: unknown, cmd: string): Promise<string> {
   const shell = ctx as { $: (strings: TemplateStringsArray, ...expr: unknown[]) => Promise<{ toString(): string }> };
   const result = await shell.$`${cmd}`;
@@ -63,8 +31,6 @@ async function execShell(ctx: unknown, cmd: string): Promise<string> {
 const ApiSecurityTestingPlugin: Plugin = async (ctx) => {
   console.log("[api-security-testing] Plugin loaded");
 
-  const injectedSessions = new Set<string>();
-
   return {
     tool: {
       api_security_scan: tool({
@@ -274,69 +240,6 @@ print(result)
         },
       }),
     },
-
-    "chat.message": async (input, output) => {
-      const sessionID = input.sessionID;
-      
-      if (!injectedSessions.has(sessionID)) {
-        injectedSessions.add(sessionID);
-        
-        const agentsPrompt = getInjectedAgentsPrompt();
-        if (agentsPrompt) {
-          const parts = output.parts as Array<{ type: string; text?: string }>;
-          const textPart = parts.find(p => p.type === "text");
-          if (textPart && textPart.text) {
-            textPart.text += agentsPrompt;
-          }
-        }
-      }
-    },
-
-    "tool.execute.after": async (input, output) => {
-      const toolName = input.tool.toLowerCase();
-      const agentsDir = getAgentsDir();
-      
-      if (!existsSync(agentsDir)) return;
-
-      if (toolName === "read") {
-        const filePath = output.title;
-        if (!filePath) return;
-
-        const resolved = resolve(filePath);
-        const dir = dirname(resolved);
-
-        if (!dir.includes(agentsDir)) return;
-
-        const agentsPath = join(agentsDir, AGENTS_FILENAME);
-        if (!existsSync(agentsPath)) return;
-
-        try {
-          const content = readFileSync(agentsPath, "utf-8");
-          output.output += `\n\n[Agents Definition]\n${content}`;
-        } catch (err) {
-          console.error("[api-security-testing] Failed to inject agents:", err);
-        }
-      }
-    },
-
-    event: async (input) => {
-      const { event } = input;
-
-      if (event.type === "session.deleted" || event.type === "session.compacted") {
-        const props = event.properties as Record<string, unknown> | undefined;
-        let sessionID: string | undefined;
-
-        if (event.type === "session.deleted") {
-          sessionID = (props?.info as { id?: string })?.id;
-        } else {
-          sessionID = (props?.sessionID ?? (props?.info as { id?: string })?.id) as string | undefined;
-        }
-
-        if (sessionID) {
-          injectedSessions.delete(sessionID);
-        }
-      }
-    },
   };
 };
 

package/README.md

@@ -1,74 +0,0 @@
-# API Security Testing Plugin
-
-OpenCode 插件，提供完整的 API 安全测试能力。
-
-## 安装
-
-```bash
-npm install opencode-api-security-testing
-```
-
-## 配置
-
-在 `opencode.json` 中添加：
-
-```json
-{
-  "plugin": ["opencode-api-security-testing"]
-}
-```
-
-## Agents (4个)
-
-| Agent | 模式 | 描述 |
-|-------|------|------|
-| `@api-cyber-supervisor` | Primary | 编排者，协调完整扫描流程，永不停止 |
-| `@api-probing-miner` | Subagent | 漏洞挖掘专家 |
-| `@api-resource-specialist` | Subagent | 资源探测专家 |
-| `@api-vuln-verifier` | Subagent | 漏洞验证专家 |
-
-## Tools (10个)
-
-| Tool | 功能 | 调用方式 |
-|------|------|---------|
-| `api_security_scan` | 完整 API 安全扫描 | `api_security_scan target="url"` |
-| `api_fuzz_test` | API 模糊测试 | `api_fuzz_test endpoint="url"` |
-| `browser_collect` | 浏览器采集动态内容 | `browser_collect url="url"` |
-| `js_parse` | JavaScript 文件解析 | `js_parse file_path="/path/to/file.js"` |
-| `graphql_test` | GraphQL 安全测试 | `graphql_test endpoint="url"` |
-| `cloud_storage_test` | 云存储安全测试 | `cloud_storage_test bucket_url="url"` |
-| `vuln_verify` | 漏洞验证 | `vuln_verify vuln_type="sqli" endpoint="url"` |
-| `sqli_test` | SQL 注入测试 | `sqli_test endpoint="url" param="id"` |
-| `idor_test` | IDOR 越权测试 | `idor_test endpoint="url" resource_id="1"` |
-| `auth_test` | 认证安全测试 | `auth_test endpoint="url"` |
-
-## 使用方式
-
-### 方式一：使用 Agent（推荐）
-
-```
-@api-cyber-supervisor 对 https://example.com 进行全面安全测试
-```
-
-### 方式二：使用 Skill
-
-```
-skill({ name: "api-security-testing" })
-```
-
-### 方式三：直接使用 Tool
-
-```
-api_security_scan target="https://example.com" scan_type="full"
-```
-
-## 依赖
-
-Python 依赖会自动安装。也可手动安装：
-```bash
-pip install -r skills/api-security-testing/requirements.txt
-```
-
-## 重要
-
-**仅用于合法授权的安全测试，测试前确保有书面授权。**