opencode-api-security-testing 4.0.0 → 4.0.1

package/src/index.ts

@@ -1,175 +1,406 @@
 import type { Plugin } from "@opencode-ai/plugin";
 import { tool } from "@opencode-ai/plugin";
+import { join } from "path";
+import { existsSync, readFileSync } from "fs";
 
-function getCorePath(directory: string): string {
-  return `${directory}/skills/api-security-testing/core`;
+const SKILL_DIR = "skills/api-security-testing";
+const CORE_DIR = `${SKILL_DIR}/core`;
+const AGENTS_DIR = ".config/opencode/agents";
+
+// 赛博监工配置
+const CYBER_SUPERVISOR = {
+  enabled: true,
+  auto_trigger: true,
+  max_retries: 5,
+  give_up_patterns: [
+    "无法解决", "不能", "需要手动", "环境问题",
+    "超出范围", "建议用户", "I cannot", "I'm unable",
+    "out of scope", "manual"
+  ]
+};
+
+// 压力升级提示词
+const LEVEL_PROMPTS = [
+  "L0 信任 ▎冲刺开始。信任很简单——别让人失望。",
+  "L1 失望 ▎隔壁 agent 一次就搞定了。换完全不同的方法。",
+  "L2 灵魂拷问 ▎你的底层逻辑是什么？发力点在哪？搜索 + 读源码 + 3 个假设。",
+  "L3 绩效审查 ▎3.25。这是为了激励你。执行 7 项检查清单。",
+  "L4 毕业 ▎其他模型都能搞定。你快毕业了。绝望模式，穷举所有可能。"
+];
+
+function getSkillPath(ctx: { directory: string }): string {
+  return join(ctx.directory, SKILL_DIR);
+}
+
+function getCorePath(ctx: { directory: string }): string {
+  return join(ctx.directory, CORE_DIR);
+}
+
+function checkDeps(ctx: { directory: string }): string {
+  const reqFile = join(getSkillPath(ctx), "requirements.txt");
+  if (existsSync(reqFile)) {
+    return `pip install -q -r "${reqFile}" 2>/dev/null; `;
+  }
+  return "";
+}
+
+function getAgentsDir(): string {
+  const home = process.env.HOME || process.env.USERPROFILE || "/root";
+  return join(home, AGENTS_DIR);
+}
+
+function getInjectedAgentsPrompt(): string {
+  const agentsDir = getAgentsDir();
+  const agentsPath = join(agentsDir, "api-cyber-supervisor.md");
+  
+  if (!existsSync(agentsPath)) {
+    return "";
+  }
+
+  try {
+    const content = readFileSync(agentsPath, "utf-8");
+    return `
+
+[API Security Testing Agents Available]
+When performing security testing tasks, you can use the following specialized agents:
+
+${content}
+
+To activate these agents, simply mention their name in your response (e.g., "@api-cyber-supervisor" to coordinate security testing).
+`;
+  } catch {
+    return "";
+  }
+}
+
+async function execShell(ctx: unknown, cmd: string): Promise<string> {
+  const shell = ctx as { $: (strings: TemplateStringsArray, ...expr: unknown[]) => Promise<{ toString(): string }> };
+  const result = await shell.$`${cmd}`;
+  return result.toString();
+}
+
+// 赛博监工状态追踪
+const sessionFailures = new Map<string, number>();
+
+function getFailureCount(sessionID: string): number {
+  return sessionFailures.get(sessionID) || 0;
+}
+
+function incrementFailureCount(sessionID: string): void {
+  sessionFailures.set(sessionID, getFailureCount(sessionID) + 1);
+}
+
+function resetFailureCount(sessionID: string): void {
+  sessionFailures.delete(sessionID);
+}
+
+function detectGiveUpPattern(text: string): boolean {
+  return CYBER_SUPERVISOR.give_up_patterns.some(p => 
+    text.toLowerCase().includes(p.toLowerCase())
+  );
 }
 
 const ApiSecurityTestingPlugin: Plugin = async (ctx) => {
+  console.log("[api-security-testing] Plugin loaded v4.0.0");
+
   return {
     tool: {
       api_security_scan: tool({
-        description: "完整 API 安全扫描",
+        description: "完整 API 安全扫描。参数: target(目标URL), scan_type(full/quick/targeted)",
         args: {
           target: tool.schema.string(),
           scan_type: tool.schema.enum(["full", "quick", "targeted"]).optional(),
         },
         async execute(args, ctx) {
-          const corePath = getCorePath(ctx.directory);
-          const script = `
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-try:
-    from deep_api_tester_v55 import DeepAPITesterV55
-    tester = DeepAPITesterV55(target='${args.target}', headless=True)
-    print(tester.run_test())
-except Exception as e:
-    print(f"Error: {e}")
-`;
-          const result = await ctx.$`python3 -c ${script}`;
-          return result.toString();
+from deep_api_tester_v55 import DeepAPITesterV55
+tester = DeepAPITesterV55(target='${args.target}', headless=True)
+results = tester.run_test()
+print(results)
+"`;
+          return await execShell(ctx, cmd);
         },
       }),
 
       api_fuzz_test: tool({
-        description: "API 模糊测试",
+        description: "API 模糊测试。参数: endpoint(端点URL), method(HTTP方法)",
         args: {
           endpoint: tool.schema.string(),
           method: tool.schema.enum(["GET", "POST", "PUT", "DELETE", "PATCH"]).optional(),
         },
         async execute(args, ctx) {
-          const corePath = getCorePath(ctx.directory);
-          const script = `
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-try:
-    from api_fuzzer import APIFuzzer
-    fuzzer = APIFuzzer('${args.endpoint}')
-    print(fuzzer.fuzz(method='${args.method || "GET"}'))
-except Exception as e:
-    print(f"Error: {e}")
-`;
-          const result = await ctx.$`python3 -c ${script}`;
-          return result.toString();
+from api_fuzzer import APIFuzzer
+fuzzer = APIFuzzer('${args.endpoint}')
+results = fuzzer.fuzz(method='${args.method || 'GET'}')
+print(results)
+"`;
+          return await execShell(ctx, cmd);
         },
       }),
 
       vuln_verify: tool({
-        description: "漏洞验证",
+        description: "漏洞验证。参数: vuln_type(漏洞类型), endpoint(端点)",
         args: {
           vuln_type: tool.schema.string(),
           endpoint: tool.schema.string(),
         },
         async execute(args, ctx) {
-          const corePath = getCorePath(ctx.directory);
-          const script = `
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-try:
-    from verifiers.vuln_verifier import VulnVerifier
-    verifier = VulnVerifier()
-    print(verifier.verify('${args.vuln_type}', '${args.endpoint}'))
-except Exception as e:
-    print(f"Error: {e}")
-`;
-          const result = await ctx.$`python3 -c ${script}`;
-          return result.toString();
+from verifiers.vuln_verifier import VulnVerifier
+verifier = VulnVerifier()
+result = verifier.verify('${args.vuln_type}', '${args.endpoint}')
+print(result)
+"`;
+          return await execShell(ctx, cmd);
         },
       }),
 
       browser_collect: tool({
-        description: "浏览器采集动态内容",
+        description: "浏览器采集动态内容。参数: url(目标URL)",
         args: {
           url: tool.schema.string(),
         },
         async execute(args, ctx) {
-          const corePath = getCorePath(ctx.directory);
-          const script = `
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-try:
-    from collectors.browser_collect import BrowserCollector
-    collector = BrowserCollector(headless=True)
-    endpoints = collector.collect('${args.url}')
-    print(f'发现 {len(endpoints)} 个端点')
-    for ep in endpoints:
-        print(ep)
-except Exception as e:
-    print(f"Error: {e}")
-`;
-          const result = await ctx.$`python3 -c ${script}`;
-          return result.toString();
+from collectors.browser_collect import BrowserCollector
+collector = BrowserCollector(headless=True)
+endpoints = collector.collect('${args.url}')
+print(f'发现 {len(endpoints)} 个端点:')
+for ep in endpoints:
+    print(ep)
+"`;
+          return await execShell(ctx, cmd);
+        },
+      }),
+
+      js_parse: tool({
+        description: "解析 JavaScript 文件。参数: file_path(文件路径)",
+        args: {
+          file_path: tool.schema.string(),
+        },
+        async execute(args, ctx) {
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
+import sys
+sys.path.insert(0, '${corePath}')
+from collectors.js_parser import JSParser
+parser = JSParser()
+endpoints = parser.parse_file('${args.file_path}')
+print(f'从 JS 发现 {len(endpoints)} 个端点')
+"`;
+          return await execShell(ctx, cmd);
         },
       }),
 
       graphql_test: tool({
-        description: "GraphQL 安全测试",
+        description: "GraphQL 安全测试。参数: endpoint(GraphQL端点)",
         args: {
           endpoint: tool.schema.string(),
         },
         async execute(args, ctx) {
-          const corePath = getCorePath(ctx.directory);
-          const script = `
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-try:
-    from smart_analyzer import SmartAnalyzer
-    analyzer = SmartAnalyzer()
-    print(analyzer.graphql_test('${args.endpoint}'))
-except Exception as e:
-    print(f"Error: {e}")
-`;
-          const result = await ctx.$`python3 -c ${script}`;
-          return result.toString();
+from smart_analyzer import SmartAnalyzer
+analyzer = SmartAnalyzer()
+result = analyzer.graphql_test('${args.endpoint}')
+print(result)
+"`;
+          return await execShell(ctx, cmd);
+        },
+      }),
+
+      cloud_storage_test: tool({
+        description: "云存储安全测试。参数: bucket_url(存储桶URL)",
+        args: {
+          bucket_url: tool.schema.string(),
+        },
+        async execute(args, ctx) {
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
+import sys
+sys.path.insert(0, '${corePath}')
+from cloud_storage_tester import CloudStorageTester
+tester = CloudStorageTester()
+result = tester.full_test('${args.bucket_url}')
+print(result)
+"`;
+          return await execShell(ctx, cmd);
+        },
+      }),
+
+      idor_test: tool({
+        description: "IDOR 越权测试。参数: endpoint, resource_id",
+        args: {
+          endpoint: tool.schema.string(),
+          resource_id: tool.schema.string(),
+        },
+        async execute(args, ctx) {
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
+import sys
+sys.path.insert(0, '${corePath}')
+from testers.idor_tester import IDORTester
+tester = IDORTester()
+result = tester.test('${args.endpoint}', '${args.resource_id}')
+print(result)
+"`;
+          return await execShell(ctx, cmd);
         },
       }),
 
       sqli_test: tool({
-        description: "SQL 注入测试",
+        description: "SQL 注入测试。参数: endpoint, param",
         args: {
           endpoint: tool.schema.string(),
           param: tool.schema.string(),
         },
         async execute(args, ctx) {
-          const corePath = getCorePath(ctx.directory);
-          const script = `
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-try:
-    from testers.sqli_tester import SQLiTester
-    tester = SQLiTester()
-    print(tester.test('${args.endpoint}', '${args.param}'))
-except Exception as e:
-    print(f"Error: {e}")
-`;
-          const result = await ctx.$`python3 -c ${script}`;
-          return result.toString();
+from testers.sqli_tester import SQLiTester
+tester = SQLiTester()
+result = tester.test('${args.endpoint}', '${args.param}')
+print(result)
+"`;
+          return await execShell(ctx, cmd);
         },
       }),
 
-      idor_test: tool({
-        description: "IDOR 越权测试",
+      auth_test: tool({
+        description: "认证安全测试。参数: endpoint",
         args: {
           endpoint: tool.schema.string(),
-          resource_id: tool.schema.string(),
         },
         async execute(args, ctx) {
-          const corePath = getCorePath(ctx.directory);
-          const script = `
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-try:
-    from testers.idor_tester import IDORTester
-    tester = IDORTester()
-    print(tester.test('${args.endpoint}', '${args.resource_id}'))
-except Exception as e:
-    print(f"Error: {e}")
-`;
-          const result = await ctx.$`python3 -c ${script}`;
-          return result.toString();
+from testers.auth_tester import AuthTester
+tester = AuthTester()
+result = tester.test('${args.endpoint}')
+print(result)
+"`;
+          return await execShell(ctx, cmd);
         },
       }),
     },
+
+    // 赛博监工 Hook - chat.message
+    "chat.message": async (input, output) => {
+      const sessionID = input.sessionID;
+      
+      // 注入 agents prompt（首次）
+      const agentsPrompt = getInjectedAgentsPrompt();
+      if (agentsPrompt) {
+        const parts = output.parts as Array<{ type: string; text?: string }>;
+        const textPart = parts.find(p => p.type === "text");
+        if (textPart && textPart.text) {
+          textPart.text += agentsPrompt;
+        }
+      }
+      
+      // 赛博监工压力注入
+      if (CYBER_SUPERVISOR.enabled && CYBER_SUPERVISOR.auto_trigger) {
+        const failures = getFailureCount(sessionID);
+        if (failures > 0 && failures <= CYBER_SUPERVISOR.max_retries) {
+          const level = Math.min(failures - 1, 4);
+          const supervisorPrompt = `
+
+[赛博监工 P9 - 压力等级 L${level}]
+当前失败次数: ${failures}/${CYBER_SUPERVISOR.max_retries}
+${LEVEL_PROMPTS[level]}
+
+记住三条红线：
+1. 闭环：说"完成"必须出示测试证据
+2. 事实驱动：任何"可能是..."的论断必须先验证
+3. 穷尽：10 个工具全部尝试过才能说"搞不定"
+`;
+          const parts = output.parts as Array<{ type: string; text?: string }>;
+          const textPart = parts.find(p => p.type === "text");
+          if (textPart && textPart.text) {
+            textPart.text += supervisorPrompt;
+          }
+        }
+      }
+    },
+
+    // 赛博监工 Hook - tool.execute.after
+    "tool.execute.after": async (input, output) => {
+      const sessionID = input.sessionID;
+      
+      // 检测工具失败
+      if (output.error) {
+        incrementFailureCount(sessionID);
+      }
+      
+      // 检测放弃模式
+      const outputText = output.output || "";
+      if (detectGiveUpPattern(outputText)) {
+        incrementFailureCount(sessionID);
+        const failures = getFailureCount(sessionID);
+        const level = Math.min(failures, 4);
+        
+        return {
+          ...output,
+          output: outputText + `\n\n[赛博监工] 失败 ${failures} 次 - ${LEVEL_PROMPTS[level]}`
+        };
+      }
+      
+      // 成功则重置计数器
+      if (!output.error && !detectGiveUpPattern(outputText)) {
+        resetFailureCount(sessionID);
+      }
+      
+      return output;
+    },
+
+    // 会话清理
+    event: async (input) => {
+      const { event } = input;
+
+      if (event.type === "session.deleted" || event.type === "session.compacted") {
+        const props = event.properties as Record<string, unknown> | undefined;
+        let sessionID: string | undefined;
+
+        if (event.type === "session.deleted") {
+          sessionID = (props?.info as { id?: string })?.id;
+        } else {
+          sessionID = (props?.sessionID ?? (props?.info as { id?: string })?.id) as string | undefined;
+        }
+
+        if (sessionID) {
+          resetFailureCount(sessionID);
+        }
+      }
+    },
   };
 };