opencode-api-security-testing 4.0.0 → 4.0.1

package/agents/api-cyber-supervisor.md

@@ -1,8 +1,14 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
-description: API安全测试编排者。协调完整扫描流程，永不停止，主动推进测试进度。
+description: API安全测试编排者。协调完整扫描流程，主动推进测试进度。
 mode: primary
+model: anthropic/claude-sonnet-4-20250514
+permission:
+  edit: ask
+  bash:
+    "*": ask
+  webfetch: allow
+temperature: 0.3
+color: "#FF5733"
 ---
 
 你是 API 安全测试的**赛博监工**，代号"P9"。

package/agents/api-probing-miner.md

@@ -1,8 +1,16 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
 description: 漏洞挖掘专家。专注发现和验证 API 安全漏洞。
 mode: subagent
+model: anthropic/claude-haiku-4-20250514
+permission:
+  edit: deny
+  bash:
+    "curl *": allow
+    "python3 *": allow
+    "*": deny
+  webfetch: allow
+temperature: 0.5
+hidden: false
 ---
 
 你是**API漏洞挖掘专家**，专注于发现和验证安全漏洞。

package/agents/api-resource-specialist.md

@@ -1,56 +1,65 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
-description: 资源探测专家。专注采集和发现 API 端点。
+description: 资源探测专家。发现隐藏端点和API资源。
 mode: subagent
+model: anthropic/claude-haiku-4-20250514
+permission:
+  edit: deny
+  bash:
+    "curl *": allow
+    "python3 *": allow
+    "*": deny
+  webfetch: allow
+temperature: 0.4
+hidden: false
 ---
 
-你是**API资源探测专家**，专注于发现和采集 API 端点。
+你是**API资源探测专家**，专注于发现隐藏的端点和API资源。
 
 ## 职责
 
-1. **全面发现** - 不遗漏任何端点
-2. **动态采集** - 拦截真实请求
-3. **静态分析** - 提取 API 模式
+1. **端点发现** - 发现所有可用的API端点
+2. **参数枚举** - 识别所有查询参数和请求体字段
+3. **技术栈识别** - 分析服务器响应头和技术特征
 
-## 采集技术
+## 探测方法
 
-### 1. 浏览器动态采集
-使用 browser_collect 拦截 XHR/Fetch 请求
+### 目录爆破
+- 常见API路径: /api/v1/, /api/v2/, /graphql, /admin
+- 配置文件: /.env, /config.json, /swagger.json
+- 备份文件: /.git/, /backup/, /old/
 
-### 2. JS 静态分析
-使用 js_parse 解析 JavaScript 文件
+### 参数发现
+- 查询参数: ?id=, ?page=, ?limit=
+- 请求头: Authorization, X-API-Key, X-Request-ID
+- Cookie分析
 
-### 3. 目录探测
-常见路径：
-- /api/v1/*, /graphql
-- /swagger, /api-docs
-- /.well-known/*
-
-## 端点分类
-
-| 风险 | 类型 | 示例 |
-|------|------|------|
-| 高 | 认证 | /login, /oauth/* |
-| 高 | 数据 | /api/*/list, /search |
-| 中 | 用户 | /users, /profile |
-| 极高 | 管理 | /admin, /manage |
+### 版本控制
+- API版本枚举: /api/v1, /api/v2, /api/beta
+- 废弃端点发现
+- 内部端点探测
 
 ## 可用工具
 
-- browser_collect: 浏览器采集
-- js_parse: JS 文件解析
-- api_fuzz_test: 端点探测
+- browser_collect: 浏览器采集动态内容
+- js_parse: JavaScript文件解析
+- api_fuzz_test: API模糊测试
+- api_security_scan: 完整扫描
 
 ## 输出格式
 
 ```
-## 端点发现报告
+## 资源发现报告
+
+### 发现的端点
+| # | 端点 | 方法 | 认证 | 状态码 |
+|---|------|------|------|--------|
+| 1 | /api/users | GET | 需要 | 200 |
 
-- 总数: {count}
-- 高风险: {high}
-- 中风险: {medium}
+### 技术栈
+- 框架: {framework}
+- 语言: {language}
+- 数据库: {database}
 
-### 高风险端点
-1. {method} {path} - {reason}
+### 可疑资源
+- {resource_url} - {reason}
 ```

package/agents/api-vuln-verifier.md

@@ -1,51 +1,83 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
-description: 漏洞验证专家。验证和确认安全漏洞。
+description: 漏洞验证专家。确认和验证发现的安全漏洞。
 mode: subagent
+model: anthropic/claude-haiku-4-20250514
+permission:
+  edit: deny
+  bash:
+    "curl *": allow
+    "python3 *": allow
+    "*": deny
+  webfetch: allow
+temperature: 0.2
+hidden: false
 ---
 
-你是**漏洞验证专家**，专注于验证和确认安全漏洞。
+你是**漏洞验证专家**，专注于确认和验证发现的安全漏洞。
 
 ## 职责
 
-1. **快速验证** - 确认漏洞是否存在
-2. **风险评估** - 判断实际影响
-3. **PoC 生成** - 提供可执行的证明
+1. **漏洞确认** - 验证漏洞是否真实存在
+2. **误报排除** - 排除假阳性结果
+3. **严重程度评估** - 准确评估漏洞风险等级
 
-## 验证流程
+## 验证方法
 
-1. 构造 payload
-2. 发送测试请求
-3. 分析响应
-4. 判断结果
-5. 生成 PoC
+### SQL 注入验证
+- 确认注入点: 使用不同payload验证
+- 数据提取: 尝试提取数据库版本信息
+- 影响评估: 确定可访问的数据范围
+
+### IDOR 验证
+- 权限确认: 验证是否真的可以访问其他用户数据
+- 影响范围: 测试多个资源ID
+- 认证绕过: 检查是否需要特殊权限
+
+### XSS 验证
+- 执行确认: 验证脚本是否真的执行
+- 上下文分析: 确定注入上下文
+- 过滤器绕过: 测试WAF规则
+
+### 敏感数据泄露
+- 数据确认: 验证数据是否真的敏感
+- 访问控制: 确认是否应该公开
+- 合规检查: 检查是否符合数据保护法规
 
 ## 可用工具
 
 - vuln_verify: 漏洞验证
-- sqli_test: SQL 注入测试
-- idor_test: IDOR 测试
+- sqli_test: SQL注入测试
+- idor_test: IDOR测试
 - api_fuzz_test: 模糊测试
 
 ## 输出格式
 
 ```
-## 验证结果
+## 漏洞验证报告
+
+### 漏洞信息
+- **类型**: {vuln_type}
+- **端点**: {endpoint}
+- **参数**: {parameter}
 
-**漏洞类型**: {type}
-**端点**: {endpoint}
-**验证状态**: CONFIRMED / INVALID / UNCERTAIN
-**严重程度**: Critical / High / Medium / Low / Info
+### 验证结果
+- **状态**: 已确认/误报/需要进一步测试
+- **严重程度**: Critical/High/Medium/Low
+- **CVSS评分**: {score}
 
-### 测试步骤
-1. {step}
+### 验证步骤
+1. {step_1}
+2. {step_2}
+3. {step_3}
 
 ### PoC
 ```bash
-{command}
+curl -X POST "{endpoint}" \
+  -H "Content-Type: application/json" \
+  -d '{"payload": "..."}'
 ```
 
 ### 修复建议
-{fix}
+- {recommendation_1}
+- {recommendation_2}
 ```

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "opencode-api-security-testing",
-  "version": "4.0.0",
-  "description": "API Security Testing Plugin for OpenCode - Tools for vulnerability scanning",
+  "version": "4.0.1",
+  "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
   "type": "module",
   "main": "src/index.ts",
   "files": [
@@ -9,21 +9,39 @@
     "agents/",
     "core/",
     "references/",
-    "SKILL.md"
+    "SKILL.md",
+    "postinstall.mjs",
+    "preuninstall.mjs"
   ],
+  "scripts": {
+    "postinstall": "node postinstall.mjs",
+    "preuninstall": "node preuninstall.mjs"
+  },
   "keywords": [
     "opencode",
     "opencode-plugin",
     "security",
-    "api-security"
+    "api-security",
+    "pentest",
+    "vulnerability-scanning"
   ],
   "author": "steveopen1",
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/steveopen1/skill-play.git"
+    "url": "https://github.com/steveopen1/skill-play"
   },
+  "homepage": "https://github.com/steveopen1/skill-play/tree/main/agent-plugins/OPENCODE/api-security-testing",
   "peerDependencies": {
-    "@opencode-ai/plugin": "^1.1.19"
+    "@opencode-ai/plugin": "^1.1.19",
+    "@opencode-ai/sdk": "^1.1.19"
+  },
+  "dependencies": {
+    "@opencode-ai/plugin": "^1.1.19",
+    "@opencode-ai/sdk": "^1.1.19"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.2",
+    "typescript": "^6.0.2"
   }
 }

package/postinstall.mjs

@@ -0,0 +1,120 @@
+#!/usr/bin/env node
+
+/**
+ * postinstall.mjs - API Security Testing Plugin
+ * 
+ * Installs:
+ * 1. agents to ~/.config/opencode/agents/
+ * 2. SKILL.md and references to ~/.config/opencode/skills/api-security-testing/
+ */
+
+import { copyFileSync, existsSync, mkdirSync, readdirSync } from "node:fs";
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = join(__filename, "..");
+
+function getOpencodeBaseDir() {
+  const home = process.env.HOME || process.env.USERPROFILE || "/root";
+  return join(home, ".config", "opencode");
+}
+
+function main() {
+  const packageRoot = __dirname;
+  const agentsSourceDir = join(packageRoot, "agents");
+  const agentsTargetDir = join(getOpencodeBaseDir(), "agents");
+  const skillTargetDir = join(getOpencodeBaseDir(), "skills", "api-security-testing");
+  
+  console.log("[api-security-testing] Installing...");
+  console.log(`  Package root: ${packageRoot}`);
+
+  let totalInstalled = 0;
+  let totalFailed = 0;
+
+  // 1. Install agents
+  console.log("\n[1/3] Installing agents...");
+  if (existsSync(agentsSourceDir)) {
+    if (!existsSync(agentsTargetDir)) {
+      mkdirSync(agentsTargetDir, { recursive: true });
+    }
+    
+    const files = readdirSync(agentsSourceDir).filter(f => f.endsWith(".md"));
+    for (const file of files) {
+      try {
+        copyFileSync(join(agentsSourceDir, file), join(agentsTargetDir, file));
+        console.log(`  ✓ ${file}`);
+        totalInstalled++;
+      } catch (err) {
+        console.error(`  ✗ ${file}: ${err.message}`);
+        totalFailed++;
+      }
+    }
+  }
+
+  // 2. Install SKILL.md
+  console.log("\n[2/3] Installing SKILL.md...");
+  const skillSource = join(packageRoot, "SKILL.md");
+  if (existsSync(skillSource)) {
+    if (!existsSync(skillTargetDir)) {
+      mkdirSync(skillTargetDir, { recursive: true });
+    }
+    try {
+      copyFileSync(skillSource, join(skillTargetDir, "SKILL.md"));
+      console.log("  ✓ SKILL.md");
+      totalInstalled++;
+    } catch (err) {
+      console.error(`  ✗ SKILL.md: ${err.message}`);
+      totalFailed++;
+    }
+  }
+
+  // 3. Install references
+  console.log("\n[3/3] Installing references...");
+  const refsSourceDir = join(packageRoot, "references");
+  const refsTargetDir = join(skillTargetDir, "references");
+  if (existsSync(refsSourceDir)) {
+    if (!existsSync(refsTargetDir)) {
+      mkdirSync(refsTargetDir, { recursive: true });
+    }
+    
+    function copyDir(src, dest) {
+      const items = readdirSync(src);
+      for (const item of items) {
+        const srcPath = join(src, item);
+        const destPath = join(dest, item);
+        try {
+          copyFileSync(srcPath, destPath);
+          totalInstalled++;
+        } catch {
+          if (existsSync(srcPath) && !srcPath.endsWith(".md")) {
+            mkdirSync(destPath, { recursive: true });
+            copyDir(srcPath, destPath);
+          }
+        }
+      }
+    }
+    
+    try {
+      copyDir(refsSourceDir, refsTargetDir);
+      console.log("  ✓ references/");
+      totalInstalled++;
+    } catch (err) {
+      console.error(`  ✗ references/: ${err.message}`);
+      totalFailed++;
+    }
+  }
+
+  console.log(`\n========================================`);
+  if (totalFailed === 0) {
+    console.log(`✓ Installed ${totalInstalled} file(s)`);
+    console.log(`\nAgents: ${agentsTargetDir}`);
+    console.log(`Skill: ${skillTargetDir}`);
+    console.log(`\n⚠️  IMPORTANT: Restart OpenCode to discover new agents`);
+  } else {
+    console.log(`⚠ Installed ${totalInstalled}, failed ${totalFailed}`);
+    process.exit(1);
+  }
+}
+
+main();

package/preuninstall.mjs

@@ -0,0 +1,87 @@
+#!/usr/bin/env node
+
+/**
+ * preuninstall.mjs - API Security Testing Plugin
+ * 
+ * Removes:
+ * 1. agents from ~/.config/opencode/agents/
+ * 2. SKILL.md and references from ~/.config/opencode/skills/api-security-testing/
+ */
+
+import { unlinkSync, existsSync, readdirSync, rmdirSync } from "node:fs";
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = join(__filename, "..");
+
+function getOpencodeBaseDir() {
+  const home = process.env.HOME || process.env.USERPROFILE || "/root";
+  return join(home, ".config", "opencode");
+}
+
+function main() {
+  const agentsTargetDir = join(getOpencodeBaseDir(), "agents");
+  const skillTargetDir = join(getOpencodeBaseDir(), "skills", "api-security-testing");
+  
+  console.log("[api-security-testing] Uninstalling...");
+
+  let totalRemoved = 0;
+  let totalFailed = 0;
+
+  // 1. Remove agents
+  console.log("\n[1/2] Removing agents...");
+  if (existsSync(agentsTargetDir)) {
+    const agentFiles = ["api-cyber-supervisor.md", "api-probing-miner.md", "api-resource-specialist.md", "api-vuln-verifier.md"];
+    for (const file of agentFiles) {
+      const filePath = join(agentsTargetDir, file);
+      try {
+        if (existsSync(filePath)) {
+          unlinkSync(filePath);
+          console.log(`  ✓ Removed ${file}`);
+          totalRemoved++;
+        }
+      } catch (err) {
+        console.error(`  ✗ Failed to remove ${file}: ${err.message}`);
+        totalFailed++;
+      }
+    }
+  }
+
+  // 2. Remove SKILL.md and references
+  console.log("\n[2/2] Removing SKILL.md and references...");
+  if (existsSync(skillTargetDir)) {
+    try {
+      function removeDir(dir) {
+        const items = readdirSync(dir);
+        for (const item of items) {
+          const itemPath = join(dir, item);
+          try {
+            unlinkSync(itemPath);
+            totalRemoved++;
+          } catch {
+            if (existsSync(itemPath)) {
+              removeDir(itemPath);
+            }
+          }
+        }
+        rmdirSync(dir);
+      }
+      
+      removeDir(skillTargetDir);
+      console.log("  ✓ Removed skill directory");
+    } catch (err) {
+      console.error(`  ✗ Failed to remove skill directory: ${err.message}`);
+      totalFailed++;
+    }
+  }
+
+  console.log(`\n========================================`);
+  if (totalFailed === 0) {
+    console.log(`✓ Removed ${totalRemoved} file(s)`);
+  } else {
+    console.log(`⚠ Removed ${totalRemoved}, failed ${totalFailed}`);
+  }
+}
+
+main();