opencode-api-security-testing 4.0.0 → 5.0.0

package/src/index.ts

@@ -1,175 +1,534 @@
 import type { Plugin } from "@opencode-ai/plugin";
 import { tool } from "@opencode-ai/plugin";
+import { join } from "path";
+import { existsSync, readFileSync } from "fs";
 
-function getCorePath(directory: string): string {
-  return `${directory}/skills/api-security-testing/core`;
+const SKILL_DIR = "skills/api-security-testing";
+const CORE_DIR = `${SKILL_DIR}/core`;
+const AGENTS_DIR = ".config/opencode/agents";
+const CONFIG_FILE = "api-security-testing.config.json";
+
+// 默认配置
+const DEFAULT_CONFIG = {
+  agents: {
+    "api-cyber-supervisor": { model: "anthropic/claude-sonnet-4-20250514", temperature: 0.3 },
+    "api-probing-miner": { model: "anthropic/claude-haiku-4-20250514", temperature: 0.5 },
+    "api-resource-specialist": { model: "anthropic/claude-haiku-4-20250514", temperature: 0.4 },
+    "api-vuln-verifier": { model: "anthropic/claude-haiku-4-20250514", temperature: 0.2 }
+  },
+  model_fallback: {
+    supervisor: [
+      "anthropic/claude-sonnet-4-20250514",
+      "openai/gpt-4o",
+      "google/gemini-2.0-flash",
+      "anthropic/claude-haiku-4-20250514"
+    ],
+    subagent: [
+      "anthropic/claude-haiku-4-20250514",
+      "openai/gpt-4o-mini",
+      "google/gemini-2.0-flash-lite"
+    ]
+  },
+  cyber_supervisor: {
+    enabled: true,
+    auto_trigger: true,
+    max_retries: 5,
+    give_up_patterns: [
+      "无法解决", "不能", "需要手动", "环境问题",
+      "超出范围", "建议用户", "I cannot", "I'm unable",
+      "out of scope", "manual"
+    ]
+  },
+  collection_mode: "auto" // auto | static | dynamic
+};
+
+// 赛博监工配置
+const CYBER_SUPERVISOR = DEFAULT_CONFIG.cyber_supervisor;
+
+// 模型回退状态追踪
+const modelFailureCounts = new Map<string, Map<string, number>>();
+const sessionFailures = new Map<string, number>();
+
+function getConfigPath(ctx: { directory: string }): string {
+  return join(ctx.directory, SKILL_DIR, "assets", CONFIG_FILE);
+}
+
+function loadConfig(ctx: { directory: string }): typeof DEFAULT_CONFIG {
+  const configPath = getConfigPath(ctx);
+  if (existsSync(configPath)) {
+    try {
+      const content = readFileSync(configPath, "utf-8");
+      const loaded = JSON.parse(content);
+      return { ...DEFAULT_CONFIG, ...loaded };
+    } catch (e) {
+      console.log(`[api-security-testing] Failed to load config: ${e}`);
+    }
+  }
+  return DEFAULT_CONFIG;
+}
+
+function getModelFailureCount(sessionID: string, modelID: string): number {
+  const sessionMap = modelFailureCounts.get(sessionID);
+  if (!sessionMap) return 0;
+  return sessionMap.get(modelID) || 0;
+}
+
+function incrementModelFailure(sessionID: string, modelID: string): void {
+  if (!modelFailureCounts.has(sessionID)) {
+    modelFailureCounts.set(sessionID, new Map());
+  }
+  const sessionMap = modelFailureCounts.get(sessionID)!;
+  sessionMap.set(modelID, (sessionMap.get(modelID) || 0) + 1);
+}
+
+function resetModelFailures(sessionID: string): void {
+  modelFailureCounts.delete(sessionID);
+}
+
+function getNextFallbackModel(
+  config: typeof DEFAULT_CONFIG,
+  sessionID: string,
+  currentModel: string,
+  isSupervisor: boolean
+): string | null {
+  const chain = isSupervisor 
+    ? config.model_fallback.supervisor 
+    : config.model_fallback.subagent;
+  
+  const currentIndex = chain.indexOf(currentModel);
+  if (currentIndex === -1 || currentIndex >= chain.length - 1) {
+    return null; // No fallback available
+  }
+  
+  // 检查下一个模型是否也已失败过多
+  const nextModel = chain[currentIndex + 1];
+  const failures = getModelFailureCount(sessionID, nextModel);
+  if (failures >= 3) {
+    // 递归查找下一个可用模型
+    return getNextFallbackModel(config, sessionID, nextModel, isSupervisor);
+  }
+  
+  return nextModel;
+}
+
+function detectModelError(output: string): { isModelError: boolean; modelID?: string } {
+  const errorPatterns = [
+    /model (.+?) (is overloaded|is not available|rate limit|timeout|failed)/i,
+    /(.+?) (rate limit exceeded|context length exceeded)/i,
+    /API error.*model[:\s]*(.+)/i,
+  ];
+  
+  for (const pattern of errorPatterns) {
+    const match = output.match(pattern);
+    if (match) {
+      return { isModelError: true, modelID: match[1]?.trim() };
+    }
+  }
+  
+  return { isModelError: false };
+}
+
+// 压力升级提示词
+const LEVEL_PROMPTS = [
+  "L0 信任 ▎冲刺开始。信任很简单——别让人失望。",
+  "L1 失望 ▎隔壁 agent 一次就搞定了。换完全不同的方法。",
+  "L2 灵魂拷问 ▎你的底层逻辑是什么？发力点在哪？搜索 + 读源码 + 3 个假设。",
+  "L3 绩效审查 ▎3.25。这是为了激励你。执行 7 项检查清单。",
+  "L4 毕业 ▎其他模型都能搞定。你快毕业了。绝望模式，穷举所有可能。"
+];
+
+function getSkillPath(ctx: { directory: string }): string {
+  return join(ctx.directory, SKILL_DIR);
+}
+
+function getCorePath(ctx: { directory: string }): string {
+  return join(ctx.directory, CORE_DIR);
+}
+
+function checkDeps(ctx: { directory: string }): string {
+  const reqFile = join(getSkillPath(ctx), "requirements.txt");
+  if (existsSync(reqFile)) {
+    return `pip install -q -r "${reqFile}" 2>/dev/null; `;
+  }
+  return "";
+}
+
+function getAgentsDir(): string {
+  const home = process.env.HOME || process.env.USERPROFILE || "/root";
+  return join(home, AGENTS_DIR);
+}
+
+function getInjectedAgentsPrompt(): string {
+  const agentsDir = getAgentsDir();
+  const agentsPath = join(agentsDir, "api-cyber-supervisor.md");
+  
+  if (!existsSync(agentsPath)) {
+    return "";
+  }
+
+  try {
+    const content = readFileSync(agentsPath, "utf-8");
+    return `
+
+[API Security Testing Agents Available]
+When performing security testing tasks, you can use the following specialized agents:
+
+${content}
+
+To activate these agents, simply mention their name in your response (e.g., "@api-cyber-supervisor" to coordinate security testing).
+`;
+  } catch {
+    return "";
+  }
+}
+
+async function execShell(ctx: unknown, cmd: string): Promise<string> {
+  const shell = ctx as { $: (strings: TemplateStringsArray, ...expr: unknown[]) => Promise<{ toString(): string }> };
+  const result = await shell.$`${cmd}`;
+  return result.toString();
+}
+
+function getFailureCount(sessionID: string): number {
+  return sessionFailures.get(sessionID) || 0;
+}
+
+function incrementFailureCount(sessionID: string): void {
+  sessionFailures.set(sessionID, getFailureCount(sessionID) + 1);
+}
+
+function resetFailureCount(sessionID: string): void {
+  sessionFailures.delete(sessionID);
+}
+
+function detectGiveUpPattern(text: string): boolean {
+  return CYBER_SUPERVISOR.give_up_patterns.some(p => 
+    text.toLowerCase().includes(p.toLowerCase())
+  );
 }
 
 const ApiSecurityTestingPlugin: Plugin = async (ctx) => {
+  const config = loadConfig(ctx);
+  console.log(`[api-security-testing] Plugin loaded v4.0.2 - collection_mode: ${config.collection_mode}`);
+
   return {
     tool: {
       api_security_scan: tool({
-        description: "完整 API 安全扫描",
+        description: "完整 API 安全扫描。参数: target(目标URL), scan_type(full/quick/targeted)",
         args: {
           target: tool.schema.string(),
           scan_type: tool.schema.enum(["full", "quick", "targeted"]).optional(),
         },
         async execute(args, ctx) {
-          const corePath = getCorePath(ctx.directory);
-          const script = `
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-try:
-    from deep_api_tester_v55 import DeepAPITesterV55
-    tester = DeepAPITesterV55(target='${args.target}', headless=True)
-    print(tester.run_test())
-except Exception as e:
-    print(f"Error: {e}")
-`;
-          const result = await ctx.$`python3 -c ${script}`;
-          return result.toString();
+from deep_api_tester_v55 import DeepAPITesterV55
+tester = DeepAPITesterV55(target='${args.target}', headless=True)
+results = tester.run_test()
+print(results)
+"`;
+          return await execShell(ctx, cmd);
         },
       }),
 
       api_fuzz_test: tool({
-        description: "API 模糊测试",
+        description: "API 模糊测试。参数: endpoint(端点URL), method(HTTP方法)",
         args: {
           endpoint: tool.schema.string(),
           method: tool.schema.enum(["GET", "POST", "PUT", "DELETE", "PATCH"]).optional(),
         },
         async execute(args, ctx) {
-          const corePath = getCorePath(ctx.directory);
-          const script = `
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-try:
-    from api_fuzzer import APIFuzzer
-    fuzzer = APIFuzzer('${args.endpoint}')
-    print(fuzzer.fuzz(method='${args.method || "GET"}'))
-except Exception as e:
-    print(f"Error: {e}")
-`;
-          const result = await ctx.$`python3 -c ${script}`;
-          return result.toString();
+from api_fuzzer import APIFuzzer
+fuzzer = APIFuzzer('${args.endpoint}')
+results = fuzzer.fuzz(method='${args.method || 'GET'}')
+print(results)
+"`;
+          return await execShell(ctx, cmd);
         },
       }),
 
       vuln_verify: tool({
-        description: "漏洞验证",
+        description: "漏洞验证。参数: vuln_type(漏洞类型), endpoint(端点)",
         args: {
           vuln_type: tool.schema.string(),
           endpoint: tool.schema.string(),
         },
         async execute(args, ctx) {
-          const corePath = getCorePath(ctx.directory);
-          const script = `
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-try:
-    from verifiers.vuln_verifier import VulnVerifier
-    verifier = VulnVerifier()
-    print(verifier.verify('${args.vuln_type}', '${args.endpoint}'))
-except Exception as e:
-    print(f"Error: {e}")
-`;
-          const result = await ctx.$`python3 -c ${script}`;
-          return result.toString();
+from verifiers.vuln_verifier import VulnVerifier
+verifier = VulnVerifier()
+result = verifier.verify('${args.vuln_type}', '${args.endpoint}')
+print(result)
+"`;
+          return await execShell(ctx, cmd);
         },
       }),
 
       browser_collect: tool({
-        description: "浏览器采集动态内容",
+        description: "浏览器采集动态内容。参数: url(目标URL), mode(auto/static/dynamic)",
         args: {
           url: tool.schema.string(),
+          mode: tool.schema.enum(["auto", "static", "dynamic"]).optional(),
         },
         async execute(args, ctx) {
-          const corePath = getCorePath(ctx.directory);
-          const script = `
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const collectionMode = args.mode || config.collection_mode;
+          const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-try:
-    from collectors.browser_collect import BrowserCollector
-    collector = BrowserCollector(headless=True)
-    endpoints = collector.collect('${args.url}')
-    print(f'发现 {len(endpoints)} 个端点')
-    for ep in endpoints:
-        print(ep)
-except Exception as e:
-    print(f"Error: {e}")
-`;
-          const result = await ctx.$`python3 -c ${script}`;
-          return result.toString();
+from collectors.browser_collector import BrowserCollectorFacade
+facade = BrowserCollectorFacade(headless=True)
+result = facade.collect_all('${args.url}', {'mode': '${collectionMode}'})
+import json
+print(json.dumps(result, indent=2))
+"`;
+          return await execShell(ctx, cmd);
+        },
+      }),
+
+      js_parse: tool({
+        description: "解析 JavaScript 文件。参数: file_path(文件路径)",
+        args: {
+          file_path: tool.schema.string(),
+        },
+        async execute(args, ctx) {
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
+import sys
+sys.path.insert(0, '${corePath}')
+from collectors.js_parser import JSParser
+parser = JSParser()
+endpoints = parser.parse_file('${args.file_path}')
+print(f'从 JS 发现 {len(endpoints)} 个端点')
+"`;
+          return await execShell(ctx, cmd);
         },
       }),
 
       graphql_test: tool({
-        description: "GraphQL 安全测试",
+        description: "GraphQL 安全测试。参数: endpoint(GraphQL端点)",
         args: {
           endpoint: tool.schema.string(),
         },
         async execute(args, ctx) {
-          const corePath = getCorePath(ctx.directory);
-          const script = `
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-try:
-    from smart_analyzer import SmartAnalyzer
-    analyzer = SmartAnalyzer()
-    print(analyzer.graphql_test('${args.endpoint}'))
-except Exception as e:
-    print(f"Error: {e}")
-`;
-          const result = await ctx.$`python3 -c ${script}`;
-          return result.toString();
+from smart_analyzer import SmartAnalyzer
+analyzer = SmartAnalyzer()
+result = analyzer.graphql_test('${args.endpoint}')
+print(result)
+"`;
+          return await execShell(ctx, cmd);
+        },
+      }),
+
+      cloud_storage_test: tool({
+        description: "云存储安全测试。参数: bucket_url(存储桶URL)",
+        args: {
+          bucket_url: tool.schema.string(),
+        },
+        async execute(args, ctx) {
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
+import sys
+sys.path.insert(0, '${corePath}')
+from cloud_storage_tester import CloudStorageTester
+tester = CloudStorageTester()
+result = tester.full_test('${args.bucket_url}')
+print(result)
+"`;
+          return await execShell(ctx, cmd);
+        },
+      }),
+
+      idor_test: tool({
+        description: "IDOR 越权测试。参数: endpoint, resource_id",
+        args: {
+          endpoint: tool.schema.string(),
+          resource_id: tool.schema.string(),
+        },
+        async execute(args, ctx) {
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
+import sys
+sys.path.insert(0, '${corePath}')
+from testers.idor_tester import IDORTester
+tester = IDORTester()
+result = tester.test('${args.endpoint}', '${args.resource_id}')
+print(result)
+"`;
+          return await execShell(ctx, cmd);
         },
       }),
 
       sqli_test: tool({
-        description: "SQL 注入测试",
+        description: "SQL 注入测试。参数: endpoint, param",
         args: {
           endpoint: tool.schema.string(),
           param: tool.schema.string(),
         },
         async execute(args, ctx) {
-          const corePath = getCorePath(ctx.directory);
-          const script = `
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-try:
-    from testers.sqli_tester import SQLiTester
-    tester = SQLiTester()
-    print(tester.test('${args.endpoint}', '${args.param}'))
-except Exception as e:
-    print(f"Error: {e}")
-`;
-          const result = await ctx.$`python3 -c ${script}`;
-          return result.toString();
+from testers.sqli_tester import SQLiTester
+tester = SQLiTester()
+result = tester.test('${args.endpoint}', '${args.param}')
+print(result)
+"`;
+          return await execShell(ctx, cmd);
         },
       }),
 
-      idor_test: tool({
-        description: "IDOR 越权测试",
+      auth_test: tool({
+        description: "认证安全测试。参数: endpoint",
         args: {
           endpoint: tool.schema.string(),
-          resource_id: tool.schema.string(),
         },
         async execute(args, ctx) {
-          const corePath = getCorePath(ctx.directory);
-          const script = `
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const cmd = `${deps}python3 -c "
 import sys
 sys.path.insert(0, '${corePath}')
-try:
-    from testers.idor_tester import IDORTester
-    tester = IDORTester()
-    print(tester.test('${args.endpoint}', '${args.resource_id}'))
-except Exception as e:
-    print(f"Error: {e}")
-`;
-          const result = await ctx.$`python3 -c ${script}`;
-          return result.toString();
+from testers.auth_tester import AuthTester
+tester = AuthTester()
+result = tester.test('${args.endpoint}')
+print(result)
+"`;
+          return await execShell(ctx, cmd);
         },
       }),
     },
+
+    // 赛博监工 Hook - chat.message
+    "chat.message": async (input, output) => {
+      const sessionID = input.sessionID;
+      
+      // 注入 agents prompt（首次）
+      const agentsPrompt = getInjectedAgentsPrompt();
+      if (agentsPrompt) {
+        const parts = output.parts as Array<{ type: string; text?: string }>;
+        const textPart = parts.find(p => p.type === "text");
+        if (textPart && textPart.text) {
+          textPart.text += agentsPrompt;
+        }
+      }
+      
+      // 赛博监工压力注入
+      if (config.cyber_supervisor.enabled && config.cyber_supervisor.auto_trigger) {
+        const failures = getFailureCount(sessionID);
+        if (failures > 0 && failures <= config.cyber_supervisor.max_retries) {
+          const level = Math.min(failures - 1, 4);
+          const supervisorPrompt = `
+
+[赛博监工 P9 - 压力等级 L${level}]
+当前失败次数: ${failures}/${config.cyber_supervisor.max_retries}
+${LEVEL_PROMPTS[level]}
+
+记住三条红线：
+1. 闭环：说"完成"必须出示测试证据
+2. 事实驱动：任何"可能是..."的论断必须先验证
+3. 穷尽：10 个工具全部尝试过才能说"搞不定"
+`;
+          const parts = output.parts as Array<{ type: string; text?: string }>;
+          const textPart = parts.find(p => p.type === "text");
+          if (textPart && textPart.text) {
+            textPart.text += supervisorPrompt;
+          }
+        }
+      }
+    },
+
+    // 赛博监工 Hook - tool.execute.after
+    "tool.execute.after": async (input, output) => {
+      const sessionID = input.sessionID;
+      const outputText = output.output || "";
+      
+      // 检测模型错误并触发回退
+      const modelError = detectModelError(outputText);
+      if (modelError.isModelError && modelError.modelID) {
+        incrementModelFailure(sessionID, modelError.modelID);
+        
+        // 获取下一个可用模型
+        const isSupervisor = input.toolName?.includes("supervisor") || 
+                            input.toolName?.includes("scan");
+        const nextModel = getNextFallbackModel(config, sessionID, modelError.modelID, isSupervisor);
+        
+        if (nextModel) {
+          return {
+            ...output,
+            output: outputText + `\n\n[模型回退] ${modelError.modelID} 失败，已切换到 ${nextModel}`,
+            _fallbackModel: nextModel
+          };
+        }
+      }
+      
+      // 检测工具失败
+      if (output.error) {
+        incrementFailureCount(sessionID);
+      }
+      
+      // 检测放弃模式
+      if (detectGiveUpPattern(outputText)) {
+        incrementFailureCount(sessionID);
+        const failures = getFailureCount(sessionID);
+        const level = Math.min(failures, 4);
+        
+        return {
+          ...output,
+          output: outputText + `\n\n[赛博监工] 失败 ${failures} 次 - ${LEVEL_PROMPTS[level]}`
+        };
+      }
+      
+      // 成功则重置计数器
+      if (!output.error && !detectGiveUpPattern(outputText)) {
+        resetFailureCount(sessionID);
+      }
+      
+      return output;
+    },
+
+    // 会话清理
+    event: async (input) => {
+      const { event } = input;
+
+      if (event.type === "session.deleted" || event.type === "session.compacted") {
+        const props = event.properties as Record<string, unknown> | undefined;
+        let sessionID: string | undefined;
+
+        if (event.type === "session.deleted") {
+          sessionID = (props?.info as { id?: string })?.id;
+        } else {
+          sessionID = (props?.sessionID ?? (props?.info as { id?: string })?.id) as string | undefined;
+        }
+
+        if (sessionID) {
+          resetFailureCount(sessionID);
+          resetModelFailures(sessionID);
+        }
+      }
+    },
   };
 };