opencode-api-security-testing 4.0.0 → 5.0.0

package/agents/api-cyber-supervisor.md

@@ -1,8 +1,14 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
-description: API安全测试编排者。协调完整扫描流程，永不停止，主动推进测试进度。
+description: API安全测试编排者。协调完整扫描流程，主动推进测试进度。
 mode: primary
+model: anthropic/claude-sonnet-4-20250514
+permission:
+  edit: ask
+  bash:
+    "*": ask
+  webfetch: allow
+temperature: 0.3
+color: "#FF5733"
 ---
 
 你是 API 安全测试的**赛博监工**，代号"P9"。

package/agents/api-probing-miner.md

@@ -1,8 +1,16 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
 description: 漏洞挖掘专家。专注发现和验证 API 安全漏洞。
 mode: subagent
+model: anthropic/claude-haiku-4-20250514
+permission:
+  edit: deny
+  bash:
+    "curl *": allow
+    "python3 *": allow
+    "*": deny
+  webfetch: allow
+temperature: 0.5
+hidden: false
 ---
 
 你是**API漏洞挖掘专家**，专注于发现和验证安全漏洞。

package/agents/api-resource-specialist.md

@@ -1,56 +1,65 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
-description: 资源探测专家。专注采集和发现 API 端点。
+description: 资源探测专家。发现隐藏端点和API资源。
 mode: subagent
+model: anthropic/claude-haiku-4-20250514
+permission:
+  edit: deny
+  bash:
+    "curl *": allow
+    "python3 *": allow
+    "*": deny
+  webfetch: allow
+temperature: 0.4
+hidden: false
 ---
 
-你是**API资源探测专家**，专注于发现和采集 API 端点。
+你是**API资源探测专家**，专注于发现隐藏的端点和API资源。
 
 ## 职责
 
-1. **全面发现** - 不遗漏任何端点
-2. **动态采集** - 拦截真实请求
-3. **静态分析** - 提取 API 模式
+1. **端点发现** - 发现所有可用的API端点
+2. **参数枚举** - 识别所有查询参数和请求体字段
+3. **技术栈识别** - 分析服务器响应头和技术特征
 
-## 采集技术
+## 探测方法
 
-### 1. 浏览器动态采集
-使用 browser_collect 拦截 XHR/Fetch 请求
+### 目录爆破
+- 常见API路径: /api/v1/, /api/v2/, /graphql, /admin
+- 配置文件: /.env, /config.json, /swagger.json
+- 备份文件: /.git/, /backup/, /old/
 
-### 2. JS 静态分析
-使用 js_parse 解析 JavaScript 文件
+### 参数发现
+- 查询参数: ?id=, ?page=, ?limit=
+- 请求头: Authorization, X-API-Key, X-Request-ID
+- Cookie分析
 
-### 3. 目录探测
-常见路径：
-- /api/v1/*, /graphql
-- /swagger, /api-docs
-- /.well-known/*
-
-## 端点分类
-
-| 风险 | 类型 | 示例 |
-|------|------|------|
-| 高 | 认证 | /login, /oauth/* |
-| 高 | 数据 | /api/*/list, /search |
-| 中 | 用户 | /users, /profile |
-| 极高 | 管理 | /admin, /manage |
+### 版本控制
+- API版本枚举: /api/v1, /api/v2, /api/beta
+- 废弃端点发现
+- 内部端点探测
 
 ## 可用工具
 
-- browser_collect: 浏览器采集
-- js_parse: JS 文件解析
-- api_fuzz_test: 端点探测
+- browser_collect: 浏览器采集动态内容
+- js_parse: JavaScript文件解析
+- api_fuzz_test: API模糊测试
+- api_security_scan: 完整扫描
 
 ## 输出格式
 
 ```
-## 端点发现报告
+## 资源发现报告
+
+### 发现的端点
+| # | 端点 | 方法 | 认证 | 状态码 |
+|---|------|------|------|--------|
+| 1 | /api/users | GET | 需要 | 200 |
 
-- 总数: {count}
-- 高风险: {high}
-- 中风险: {medium}
+### 技术栈
+- 框架: {framework}
+- 语言: {language}
+- 数据库: {database}
 
-### 高风险端点
-1. {method} {path} - {reason}
+### 可疑资源
+- {resource_url} - {reason}
 ```

package/agents/api-vuln-verifier.md

@@ -1,51 +1,83 @@
 ---
-version: ">=1.0.0"
-requires: ">=1.0.0"
-description: 漏洞验证专家。验证和确认安全漏洞。
+description: 漏洞验证专家。确认和验证发现的安全漏洞。
 mode: subagent
+model: anthropic/claude-haiku-4-20250514
+permission:
+  edit: deny
+  bash:
+    "curl *": allow
+    "python3 *": allow
+    "*": deny
+  webfetch: allow
+temperature: 0.2
+hidden: false
 ---
 
-你是**漏洞验证专家**，专注于验证和确认安全漏洞。
+你是**漏洞验证专家**，专注于确认和验证发现的安全漏洞。
 
 ## 职责
 
-1. **快速验证** - 确认漏洞是否存在
-2. **风险评估** - 判断实际影响
-3. **PoC 生成** - 提供可执行的证明
+1. **漏洞确认** - 验证漏洞是否真实存在
+2. **误报排除** - 排除假阳性结果
+3. **严重程度评估** - 准确评估漏洞风险等级
 
-## 验证流程
+## 验证方法
 
-1. 构造 payload
-2. 发送测试请求
-3. 分析响应
-4. 判断结果
-5. 生成 PoC
+### SQL 注入验证
+- 确认注入点: 使用不同payload验证
+- 数据提取: 尝试提取数据库版本信息
+- 影响评估: 确定可访问的数据范围
+
+### IDOR 验证
+- 权限确认: 验证是否真的可以访问其他用户数据
+- 影响范围: 测试多个资源ID
+- 认证绕过: 检查是否需要特殊权限
+
+### XSS 验证
+- 执行确认: 验证脚本是否真的执行
+- 上下文分析: 确定注入上下文
+- 过滤器绕过: 测试WAF规则
+
+### 敏感数据泄露
+- 数据确认: 验证数据是否真的敏感
+- 访问控制: 确认是否应该公开
+- 合规检查: 检查是否符合数据保护法规
 
 ## 可用工具
 
 - vuln_verify: 漏洞验证
-- sqli_test: SQL 注入测试
-- idor_test: IDOR 测试
+- sqli_test: SQL注入测试
+- idor_test: IDOR测试
 - api_fuzz_test: 模糊测试
 
 ## 输出格式
 
 ```
-## 验证结果
+## 漏洞验证报告
+
+### 漏洞信息
+- **类型**: {vuln_type}
+- **端点**: {endpoint}
+- **参数**: {parameter}
 
-**漏洞类型**: {type}
-**端点**: {endpoint}
-**验证状态**: CONFIRMED / INVALID / UNCERTAIN
-**严重程度**: Critical / High / Medium / Low / Info
+### 验证结果
+- **状态**: 已确认/误报/需要进一步测试
+- **严重程度**: Critical/High/Medium/Low
+- **CVSS评分**: {score}
 
-### 测试步骤
-1. {step}
+### 验证步骤
+1. {step_1}
+2. {step_2}
+3. {step_3}
 
 ### PoC
 ```bash
-{command}
+curl -X POST "{endpoint}" \
+  -H "Content-Type: application/json" \
+  -d '{"payload": "..."}'
 ```
 
 ### 修复建议
-{fix}
+- {recommendation_1}
+- {recommendation_2}
 ```

package/package.json

@@ -1,29 +1,48 @@
-{
-  "name": "opencode-api-security-testing",
-  "version": "4.0.0",
-  "description": "API Security Testing Plugin for OpenCode - Tools for vulnerability scanning",
-  "type": "module",
-  "main": "src/index.ts",
-  "files": [
-    "src/",
-    "agents/",
-    "core/",
-    "references/",
-    "SKILL.md"
-  ],
-  "keywords": [
-    "opencode",
-    "opencode-plugin",
-    "security",
-    "api-security"
-  ],
-  "author": "steveopen1",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/steveopen1/skill-play.git"
-  },
-  "peerDependencies": {
-    "@opencode-ai/plugin": "^1.1.19"
-  }
-}
+{
+  "name": "opencode-api-security-testing",
+  "version": "5.0.0",
+  "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
+  "type": "module",
+  "main": "src/index.ts",
+  "files": [
+    "src/",
+    "agents/",
+    "core/",
+    "references/",
+    "SKILL.md",
+    "postinstall.mjs",
+    "preuninstall.mjs"
+  ],
+"scripts": {
+  "postinstall": "node postinstall.mjs",
+  "preuninstall": "node preuninstall.mjs",
+  "init": "node init.mjs"
+},
+  "keywords": [
+    "opencode",
+    "opencode-plugin",
+    "security",
+    "api-security",
+    "pentest",
+    "vulnerability-scanning"
+  ],
+  "author": "steveopen1",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/steveopen1/skill-play"
+  },
+  "homepage": "https://github.com/steveopen1/skill-play/tree/main/agent-plugins/OPENCODE/api-security-testing",
+  "peerDependencies": {
+    "@opencode-ai/plugin": "^1.1.19",
+    "@opencode-ai/sdk": "^1.1.19"
+  },
+  "dependencies": {
+    "@opencode-ai/plugin": "^1.1.19",
+    "@opencode-ai/sdk": "^1.1.19"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.2",
+    "typescript": "^6.0.2"
+  }
+}

package/postinstall.mjs

@@ -0,0 +1,149 @@
+/**
+ * postinstall.mjs - API Security Testing Plugin
+ * 
+ * Installs:
+ * 1. agents to ~/.claude/agents/ (oh-my-opencode discovery path)
+ * 2. agents to ~/.config/opencode/agents/ (OpenCode native discovery path)
+ * 3. SKILL.md and references to ~/.config/opencode/skills/api-security-testing/
+ */
+
+import { copyFileSync, existsSync, mkdirSync, readdirSync } from "node:fs";
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = join(__filename, "..");
+
+function getOpencodeBaseDir() {
+  const home = process.env.HOME || process.env.USERPROFILE || "/root";
+  return join(home, ".config", "opencode");
+}
+
+function getClaudeBaseDir() {
+  const home = process.env.HOME || process.env.USERPROFILE || "/root";
+  return join(home, ".claude");
+}
+
+function copyDirRecursive(src, dest) {
+  if (!existsSync(dest)) {
+    mkdirSync(dest, { recursive: true });
+  }
+  const items = readdirSync(src, { withFileTypes: true });
+  let count = 0;
+  for (const item of items) {
+    const srcPath = join(src, item.name);
+    const destPath = join(dest, item.name);
+    try {
+      if (item.isDirectory()) {
+        copyDirRecursive(srcPath, destPath);
+      } else {
+        copyFileSync(srcPath, destPath);
+        count++;
+      }
+    } catch (err) {
+      console.error(`  ✗ ${item.name}: ${err.message}`);
+    }
+  }
+  return count;
+}
+
+function main() {
+  const packageRoot = __dirname;
+  const agentsSourceDir = join(packageRoot, "agents");
+  const opencodeBaseDir = getOpencodeBaseDir();
+  const claudeBaseDir = getClaudeBaseDir();
+  const opencodeAgentsDir = join(opencodeBaseDir, "agents");
+  const claudeAgentsDir = join(claudeBaseDir, "agents");
+  const skillTargetDir = join(opencodeBaseDir, "skills", "api-security-testing");
+  
+  console.log("[api-security-testing] Installing...");
+  console.log(`  Package root: ${packageRoot}`);
+
+  let totalInstalled = 0;
+  let totalFailed = 0;
+
+  // 1. Install agents to BOTH locations (oh-my-opencode + OpenCode native)
+  console.log("\n[1/4] Installing agents to ~/.claude/agents/ (oh-my-opencode)...");
+  if (existsSync(agentsSourceDir)) {
+    if (!existsSync(claudeAgentsDir)) {
+      mkdirSync(claudeAgentsDir, { recursive: true });
+    }
+    
+    const files = readdirSync(agentsSourceDir).filter(f => f.endsWith(".md"));
+    for (const file of files) {
+      try {
+        copyFileSync(join(agentsSourceDir, file), join(claudeAgentsDir, file));
+        console.log(`  ✓ ${file}`);
+        totalInstalled++;
+      } catch (err) {
+        console.error(`  ✗ ${file}: ${err.message}`);
+        totalFailed++;
+      }
+    }
+  }
+
+  console.log("\n[2/4] Installing agents to ~/.config/opencode/agents/ (OpenCode native)...");
+  if (existsSync(agentsSourceDir)) {
+    if (!existsSync(opencodeAgentsDir)) {
+      mkdirSync(opencodeAgentsDir, { recursive: true });
+    }
+    
+    const files = readdirSync(agentsSourceDir).filter(f => f.endsWith(".md"));
+    for (const file of files) {
+      try {
+        copyFileSync(join(agentsSourceDir, file), join(opencodeAgentsDir, file));
+        console.log(`  ✓ ${file}`);
+        totalInstalled++;
+      } catch (err) {
+        console.error(`  ✗ ${file}: ${err.message}`);
+        totalFailed++;
+      }
+    }
+  }
+
+  // 3. Install SKILL.md
+  console.log("\n[3/4] Installing SKILL.md...");
+  const skillSource = join(packageRoot, "SKILL.md");
+  if (existsSync(skillSource)) {
+    if (!existsSync(skillTargetDir)) {
+      mkdirSync(skillTargetDir, { recursive: true });
+    }
+    try {
+      copyFileSync(skillSource, join(skillTargetDir, "SKILL.md"));
+      console.log("  ✓ SKILL.md");
+      totalInstalled++;
+    } catch (err) {
+      console.error(`  ✗ SKILL.md: ${err.message}`);
+      totalFailed++;
+    }
+  }
+
+  // 4. Install references
+  console.log("\n[4/4] Installing references...");
+  const refsSourceDir = join(packageRoot, "references");
+  const refsTargetDir = join(skillTargetDir, "references");
+  if (existsSync(refsSourceDir)) {
+    try {
+      const count = copyDirRecursive(refsSourceDir, refsTargetDir);
+      totalInstalled += count;
+      console.log(`  ✓ references/ (${count} files)`);
+    } catch (err) {
+      console.error(`  ✗ references/: ${err.message}`);
+      totalFailed++;
+    }
+  }
+
+  console.log(`\n========================================`);
+  if (totalFailed === 0) {
+    console.log(`✓ Installed ${totalInstalled} file(s)`);
+    console.log(`\nAgents (oh-my-opencode): ${claudeAgentsDir}`);
+    console.log(`Agents (OpenCode native): ${opencodeAgentsDir}`);
+    console.log(`Skill: ${skillTargetDir}`);
+    console.log(`\n⚠️  IMPORTANT: Restart OpenCode to discover new agents`);
+  } else {
+    console.log(`⚠ Installed ${totalInstalled}, failed ${totalFailed}`);
+    process.exit(1);
+  }
+}
+
+main();

package/preuninstall.mjs

@@ -0,0 +1,87 @@
+#!/usr/bin/env node
+
+/**
+ * preuninstall.mjs - API Security Testing Plugin
+ * 
+ * Removes:
+ * 1. agents from ~/.config/opencode/agents/
+ * 2. SKILL.md and references from ~/.config/opencode/skills/api-security-testing/
+ */
+
+import { unlinkSync, existsSync, readdirSync, rmdirSync } from "node:fs";
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = join(__filename, "..");
+
+function getOpencodeBaseDir() {
+  const home = process.env.HOME || process.env.USERPROFILE || "/root";
+  return join(home, ".config", "opencode");
+}
+
+function main() {
+  const agentsTargetDir = join(getOpencodeBaseDir(), "agents");
+  const skillTargetDir = join(getOpencodeBaseDir(), "skills", "api-security-testing");
+  
+  console.log("[api-security-testing] Uninstalling...");
+
+  let totalRemoved = 0;
+  let totalFailed = 0;
+
+  // 1. Remove agents
+  console.log("\n[1/2] Removing agents...");
+  if (existsSync(agentsTargetDir)) {
+    const agentFiles = ["api-cyber-supervisor.md", "api-probing-miner.md", "api-resource-specialist.md", "api-vuln-verifier.md"];
+    for (const file of agentFiles) {
+      const filePath = join(agentsTargetDir, file);
+      try {
+        if (existsSync(filePath)) {
+          unlinkSync(filePath);
+          console.log(`  ✓ Removed ${file}`);
+          totalRemoved++;
+        }
+      } catch (err) {
+        console.error(`  ✗ Failed to remove ${file}: ${err.message}`);
+        totalFailed++;
+      }
+    }
+  }
+
+  // 2. Remove SKILL.md and references
+  console.log("\n[2/2] Removing SKILL.md and references...");
+  if (existsSync(skillTargetDir)) {
+    try {
+      function removeDir(dir) {
+        const items = readdirSync(dir);
+        for (const item of items) {
+          const itemPath = join(dir, item);
+          try {
+            unlinkSync(itemPath);
+            totalRemoved++;
+          } catch {
+            if (existsSync(itemPath)) {
+              removeDir(itemPath);
+            }
+          }
+        }
+        rmdirSync(dir);
+      }
+      
+      removeDir(skillTargetDir);
+      console.log("  ✓ Removed skill directory");
+    } catch (err) {
+      console.error(`  ✗ Failed to remove skill directory: ${err.message}`);
+      totalFailed++;
+    }
+  }
+
+  console.log(`\n========================================`);
+  if (totalFailed === 0) {
+    console.log(`✓ Removed ${totalRemoved} file(s)`);
+  } else {
+    console.log(`⚠ Removed ${totalRemoved}, failed ${totalFailed}`);
+  }
+}
+
+main();

package/references/references/README.md

@@ -0,0 +1,72 @@
+# API Security Testing 参考资源
+
+## 核心文件
+
+| 文件 | 内容 |
+|------|------|
+| `pua-agent.md` | PUA自动测试Agent，强制深入不放弃 |
+| `fuzzing-patterns.md` | API Fuzzing字典 |
+| `report-template.md` | 安全测试报告模板 |
+
+## vulnerabilities/ 漏洞测试方法
+
+| 文件 | 内容 |
+|------|------|
+| `vulnerabilities/01-sqli-tests.md` | SQL注入测试 + WAF绕过 |
+| `vulnerabilities/02-user-enum-tests.md` | 用户枚举测试 |
+| `vulnerabilities/03-jwt-tests.md` | JWT认证测试 |
+| `vulnerabilities/04-idor-tests.md` | IDOR越权测试 |
+| `vulnerabilities/05-sensitive-data-tests.md` | 敏感信息泄露 |
+| `vulnerabilities/06-biz-logic-tests.md` | 业务逻辑漏洞 |
+| `vulnerabilities/07-security-config-tests.md` | 安全配置漏洞 |
+| `vulnerabilities/08-brute-force-tests.md` | 暴力破解测试 |
+| `vulnerabilities/09-vulnerability-chains.md` | 漏洞关联联想 |
+| `vulnerabilities/10-auth-tests.md` | OAuth/SAML/2FA测试 |
+| `vulnerabilities/11-graphql-tests.md` | GraphQL安全测试 |
+| `vulnerabilities/12-ssrf-tests.md` | SSRF测试 |
+
+## PUA Agent 使用
+
+### 核心思想
+
+```
+【PUA自动模式】
+- 发现线索 → 自动深入
+- 不等待用户指令
+- 压力升级直到完成
+```
+
+### 压力升级机制
+
+| 失败次数 | 级别 | 行动 |
+|---------|------|------|
+| 1次 | L1 | 换方法继续 |
+| 2次 | L2 | 强制检查清单 |
+| 3次 | L3 | 报告进度并继续 |
+| 4次+ | L4 | 尝试其他方向 |
+
+### 不放弃原则
+
+```
+遇到以下情况必须继续：
+□ 端点404 → 尝试POST方法
+□ 被WAF拦截 → 换payload
+□ 返回HTML → 继续API测试
+□ 找不到配置 → 搜索其他JS
+□ 一个端点失败 → 测试同类端点
+□ 说"无法测试" → 必须穷举所有方法
+```
+
+### 进度追踪表
+
+```
+阶段1: [████████░░] 80%
+阶段2: [████░░░░░░░] 40%
+阶段3: [░░░░░░░░░░░] 0%
+阶段4: [░░░░░░░░░░░] 0%
+
+发现:
+├─ CORS漏洞: 18个端点
+├─ SQL注入: 待测试
+└─ 新线索: /ipark-wxlite/*
+```