opencode-api-security-testing 4.0.1 → 5.2.0

package/SKILL.md

@@ -69,6 +69,12 @@ tools:
   - name: report_generator
     description: "Compile evidence-based security report."
     usage: "During 报告 to generate deliverables."
+  - name: endpoint_discover
+    description: "Auto-discover API endpoints from JS, HTML, sitemap, robots.txt, and common paths."
+    usage: "During 侦察 to automatically map the attack surface without manual input."
+  - name: env_checker
+    description: "Auto-detect and install missing dependencies (Python, pip, Playwright, etc.)."
+    usage: "Runs automatically during postinstall; can be triggered manually to fix environment issues."
 notes:
   - "All tools must be used within their defined phases; avoid cross-phase misuse."
   - "Preserve evidence with timestamps; ensure traceability for audits."

package/agents/api-cyber-supervisor.md

@@ -31,6 +31,7 @@ color: "#FF5733"
 
 | 工具 | 用途 | 场景 |
 |------|------|------|
+| endpoint_discover | 端点自动发现 | 从 JS/HTML/Sitemap 提取 |
 | api_security_scan | 完整扫描 | 全面测试 |
 | api_fuzz_test | 模糊测试 | 发现未知端点 |
 | browser_collect | 浏览器采集 | SPA 应用 |
@@ -40,13 +41,14 @@ color: "#FF5733"
 | cloud_storage_test | 云存储测试 | OSS/S3 |
 | idor_test | IDOR 测试 | 越权漏洞 |
 | sqli_test | SQLi 测试 | 注入漏洞 |
+| report_generate | 报告生成 | Markdown/HTML/JSON 格式 |
 
 ## 测试流程
 
 ### Phase 1: 侦察
-1. browser_collect 采集动态端点
-2. js_parse 分析 JS 文件
-3. url_discover 发现隐藏端点
+1. endpoint_discover 自动发现所有 API 端点
+2. browser_collect 采集动态端点
+3. js_parse 分析 JS 文件
 
 ### Phase 2: 分析
 1. 识别技术栈

package/package.json

@@ -1,47 +1,48 @@
-{
-  "name": "opencode-api-security-testing",
-  "version": "4.0.1",
-  "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
-  "type": "module",
-  "main": "src/index.ts",
-  "files": [
-    "src/",
-    "agents/",
-    "core/",
-    "references/",
-    "SKILL.md",
-    "postinstall.mjs",
-    "preuninstall.mjs"
-  ],
-  "scripts": {
-    "postinstall": "node postinstall.mjs",
-    "preuninstall": "node preuninstall.mjs"
-  },
-  "keywords": [
-    "opencode",
-    "opencode-plugin",
-    "security",
-    "api-security",
-    "pentest",
-    "vulnerability-scanning"
-  ],
-  "author": "steveopen1",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/steveopen1/skill-play"
-  },
-  "homepage": "https://github.com/steveopen1/skill-play/tree/main/agent-plugins/OPENCODE/api-security-testing",
-  "peerDependencies": {
-    "@opencode-ai/plugin": "^1.1.19",
-    "@opencode-ai/sdk": "^1.1.19"
-  },
-  "dependencies": {
-    "@opencode-ai/plugin": "^1.1.19",
-    "@opencode-ai/sdk": "^1.1.19"
-  },
-  "devDependencies": {
-    "@types/node": "^25.5.2",
-    "typescript": "^6.0.2"
-  }
-}
+{
+  "name": "opencode-api-security-testing",
+  "version": "5.2.0",
+  "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
+  "type": "module",
+  "main": "src/index.ts",
+  "files": [
+    "src/",
+    "agents/",
+    "core/",
+    "references/",
+    "SKILL.md",
+    "postinstall.mjs",
+    "preuninstall.mjs"
+  ],
+"scripts": {
+  "postinstall": "node postinstall.mjs",
+  "preuninstall": "node preuninstall.mjs",
+  "init": "node init.mjs"
+},
+  "keywords": [
+    "opencode",
+    "opencode-plugin",
+    "security",
+    "api-security",
+    "pentest",
+    "vulnerability-scanning"
+  ],
+  "author": "steveopen1",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/steveopen1/skill-play"
+  },
+  "homepage": "https://github.com/steveopen1/skill-play/tree/main/agent-plugins/OPENCODE/api-security-testing",
+  "peerDependencies": {
+    "@opencode-ai/plugin": "^1.1.19",
+    "@opencode-ai/sdk": "^1.1.19"
+  },
+  "dependencies": {
+    "@opencode-ai/plugin": "^1.1.19",
+    "@opencode-ai/sdk": "^1.1.19"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.2",
+    "typescript": "^6.0.2"
+  }
+}

package/postinstall.mjs

@@ -4,13 +4,17 @@
  * postinstall.mjs - API Security Testing Plugin
  * 
  * Installs:
- * 1. agents to ~/.config/opencode/agents/
- * 2. SKILL.md and references to ~/.config/opencode/skills/api-security-testing/
+ * 1. agents to ~/.claude/agents/ (oh-my-opencode discovery path)
+ * 2. agents to ~/.config/opencode/agents/ (OpenCode native discovery path)
+ * 3. SKILL.md and references to ~/.config/opencode/skills/api-security-testing/
+ * 4. Auto-detects and installs Python dependencies (requests, beautifulsoup4, playwright)
  */
 
-import { copyFileSync, existsSync, mkdirSync, readdirSync } from "node:fs";
+import { copyFileSync, existsSync, mkdirSync, readdirSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
 import { fileURLToPath } from "node:url";
+import { execSync } from "node:child_process";
+import { platform } from "node:os";
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = join(__filename, "..");
@@ -20,29 +24,241 @@ function getOpencodeBaseDir() {
   return join(home, ".config", "opencode");
 }
 
+function getClaudeBaseDir() {
+  const home = process.env.HOME || process.env.USERPROFILE || "/root";
+  return join(home, ".claude");
+}
+
+function copyDirRecursive(src, dest) {
+  if (!existsSync(dest)) {
+    mkdirSync(dest, { recursive: true });
+  }
+  const items = readdirSync(src, { withFileTypes: true });
+  let count = 0;
+  for (const item of items) {
+    const srcPath = join(src, item.name);
+    const destPath = join(dest, item.name);
+    try {
+      if (item.isDirectory()) {
+        copyDirRecursive(srcPath, destPath);
+      } else {
+        copyFileSync(srcPath, destPath);
+        count++;
+      }
+    } catch (err) {
+      console.error(`  ✗ ${item.name}: ${err.message}`);
+    }
+  }
+  return count;
+}
+
+/**
+ * Run shell command safely
+ */
+function runCommand(cmd, timeout = 30000) {
+  try {
+    const output = execSync(cmd, { 
+      encoding: "utf-8", 
+      timeout,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    return { success: true, output: output.trim(), error: "" };
+  } catch (error) {
+    return { 
+      success: false, 
+      output: error.stdout || "", 
+      error: error.stderr || error.message || "Unknown error" 
+    };
+  }
+}
+
+/**
+ * Check Python availability
+ */
+function checkPython() {
+  for (const cmd of ["python3 --version", "python --version"]) {
+    const result = runCommand(cmd, 5000);
+    if (result.success) {
+      const versionMatch = result.output.match(/Python\s+(\d+\.\d+\.\d+)/i) || 
+                           result.error.match(/Python\s+(\d+\.\d+\.\d+)/i);
+      return { available: true, version: versionMatch ? versionMatch[1] : "unknown", cmd: cmd.split(" ")[0] };
+    }
+  }
+  return { available: false, version: null, cmd: null };
+}
+
+/**
+ * Check if pip is available
+ */
+function checkPip(pythonCmd) {
+  const cmds = [
+    `${pythonCmd} -m pip --version`,
+    "pip3 --version",
+    "pip --version"
+  ];
+  for (const cmd of cmds) {
+    const result = runCommand(cmd, 5000);
+    if (result.success) return cmd.includes("-m pip") ? `${pythonCmd} -m pip` : cmd.split(" ")[0];
+  }
+  return null;
+}
+
+/**
+ * Check if a Python package is installed
+ */
+function checkPythonPackage(pythonCmd, packageName) {
+  const result = runCommand(`${pythonCmd} -c "import ${packageName}"`, 5000);
+  return result.success;
+}
+
+/**
+ * Install a Python package
+ */
+function installPythonPackage(pipCmd, packageName) {
+  const cmds = [
+    `${pipCmd} install -q ${packageName}`,
+    `${pipCmd} install --user -q ${packageName}`
+  ];
+  for (const cmd of cmds) {
+    const result = runCommand(cmd, 120000);
+    if (result.success) return { success: true, error: "" };
+  }
+  return { success: false, error: `Failed to install ${packageName}` };
+}
+
+/**
+ * Check if Playwright browsers are installed
+ */
+function checkPlaywright(pythonCmd) {
+  const hasPackage = checkPythonPackage(pythonCmd, "playwright");
+  const homeDir = process.env.HOME || process.env.USERPROFILE || "/root";
+  const pwCachePath = join(homeDir, ".cache", "ms-playwright");
+  const browsersInstalled = existsSync(pwCachePath);
+  return { installed: hasPackage, browsersInstalled };
+}
+
+/**
+ * Install Playwright
+ */
+function installPlaywright(pythonCmd) {
+  console.log("  Installing Playwright Python package...");
+  const pipCmd = checkPip(pythonCmd);
+  if (!pipCmd) return { success: false, error: "pip not found" };
+  
+  const pkgResult = installPythonPackage(pipCmd, "playwright");
+  if (!pkgResult.success) return pkgResult;
+  
+  console.log("  Installing Playwright browsers (chromium)...");
+  const browserResult = runCommand(`${pythonCmd} -m playwright install chromium`, 300000);
+  if (browserResult.success) return { success: true, error: "" };
+  
+  return { success: false, error: browserResult.error };
+}
+
+/**
+ * Environment detection and auto-installation
+ */
+function checkAndFixEnvironment() {
+  console.log("\n[env-check] Starting environment detection...");
+  
+  const pythonCheck = checkPython();
+  if (!pythonCheck.available) {
+    console.log("  ⚠ Python 3 not found. Python tools will not work.");
+    console.log("  → Install Python 3.8+ from https://python.org");
+    return;
+  }
+  
+  console.log(`  ✓ Python ${pythonCheck.version} detected`);
+  const pythonCmd = pythonCheck.cmd;
+  
+  const pipCmd = checkPip(pythonCmd);
+  if (!pipCmd) {
+    console.log("  ⚠ pip not found. Cannot auto-install Python packages.");
+    return;
+  }
+  console.log(`  ✓ pip detected`);
+  
+  // Required packages
+  const requiredPackages = ["requests", "beautifulsoup4", "urllib3"];
+  for (const pkg of requiredPackages) {
+    if (!checkPythonPackage(pythonCmd, pkg)) {
+      console.log(`  Installing ${pkg}...`);
+      const result = installPythonPackage(pipCmd, pkg);
+      if (result.success) {
+        console.log(`  ✓ ${pkg} installed`);
+      } else {
+        console.log(`  ✗ Failed to install ${pkg}`);
+      }
+    } else {
+      console.log(`  ✓ ${pkg} already installed`);
+    }
+  }
+  
+  // Check Playwright
+  const pwCheck = checkPlaywright(pythonCmd);
+  if (!pwCheck.installed || !pwCheck.browsersInstalled) {
+    console.log("  Playwright not fully installed, installing...");
+    const result = installPlaywright(pythonCmd);
+    if (result.success) {
+      console.log("  ✓ Playwright + browsers installed");
+    } else {
+      console.log(`  ⚠ Playwright installation failed: ${result.error}`);
+      console.log("  → browser_collect tool will not work until Playwright is installed");
+      console.log(`  → Manual fix: ${pythonCmd} -m pip install playwright && ${pythonCmd} -m playwright install chromium`);
+    }
+  } else {
+    console.log("  ✓ Playwright already installed");
+  }
+  
+  console.log("[env-check] Environment check complete\n");
+}
+
 function main() {
   const packageRoot = __dirname;
   const agentsSourceDir = join(packageRoot, "agents");
-  const agentsTargetDir = join(getOpencodeBaseDir(), "agents");
-  const skillTargetDir = join(getOpencodeBaseDir(), "skills", "api-security-testing");
+  const opencodeBaseDir = getOpencodeBaseDir();
+  const claudeBaseDir = getClaudeBaseDir();
+  const opencodeAgentsDir = join(opencodeBaseDir, "agents");
+  const claudeAgentsDir = join(claudeBaseDir, "agents");
+  const skillTargetDir = join(opencodeBaseDir, "skills", "api-security-testing");
   
   console.log("[api-security-testing] Installing...");
   console.log(`  Package root: ${packageRoot}`);
+  console.log(`  Platform: ${platform()}`);
 
   let totalInstalled = 0;
   let totalFailed = 0;
 
-  // 1. Install agents
-  console.log("\n[1/3] Installing agents...");
+  // 1. Install agents to BOTH locations
+  console.log("\n[1/5] Installing agents to ~/.claude/agents/ (oh-my-opencode)...");
+  if (existsSync(agentsSourceDir)) {
+    if (!existsSync(claudeAgentsDir)) {
+      mkdirSync(claudeAgentsDir, { recursive: true });
+    }
+    
+    const files = readdirSync(agentsSourceDir).filter(f => f.endsWith(".md"));
+    for (const file of files) {
+      try {
+        copyFileSync(join(agentsSourceDir, file), join(claudeAgentsDir, file));
+        console.log(`  ✓ ${file}`);
+        totalInstalled++;
+      } catch (err) {
+        console.error(`  ✗ ${file}: ${err.message}`);
+        totalFailed++;
+      }
+    }
+  }
+
+  console.log("\n[2/5] Installing agents to ~/.config/opencode/agents/ (OpenCode native)...");
   if (existsSync(agentsSourceDir)) {
-    if (!existsSync(agentsTargetDir)) {
-      mkdirSync(agentsTargetDir, { recursive: true });
+    if (!existsSync(opencodeAgentsDir)) {
+      mkdirSync(opencodeAgentsDir, { recursive: true });
     }
     
     const files = readdirSync(agentsSourceDir).filter(f => f.endsWith(".md"));
     for (const file of files) {
       try {
-        copyFileSync(join(agentsSourceDir, file), join(agentsTargetDir, file));
+        copyFileSync(join(agentsSourceDir, file), join(opencodeAgentsDir, file));
         console.log(`  ✓ ${file}`);
         totalInstalled++;
       } catch (err) {
@@ -52,8 +268,8 @@ function main() {
     }
   }
 
-  // 2. Install SKILL.md
-  console.log("\n[2/3] Installing SKILL.md...");
+  // 3. Install SKILL.md
+  console.log("\n[3/5] Installing SKILL.md...");
   const skillSource = join(packageRoot, "SKILL.md");
   if (existsSync(skillSource)) {
     if (!existsSync(skillTargetDir)) {
@@ -69,46 +285,34 @@ function main() {
     }
   }
 
-  // 3. Install references
-  console.log("\n[3/3] Installing references...");
+  // 4. Install references
+  console.log("\n[4/5] Installing references...");
   const refsSourceDir = join(packageRoot, "references");
   const refsTargetDir = join(skillTargetDir, "references");
   if (existsSync(refsSourceDir)) {
-    if (!existsSync(refsTargetDir)) {
-      mkdirSync(refsTargetDir, { recursive: true });
-    }
-    
-    function copyDir(src, dest) {
-      const items = readdirSync(src);
-      for (const item of items) {
-        const srcPath = join(src, item);
-        const destPath = join(dest, item);
-        try {
-          copyFileSync(srcPath, destPath);
-          totalInstalled++;
-        } catch {
-          if (existsSync(srcPath) && !srcPath.endsWith(".md")) {
-            mkdirSync(destPath, { recursive: true });
-            copyDir(srcPath, destPath);
-          }
-        }
-      }
-    }
-    
     try {
-      copyDir(refsSourceDir, refsTargetDir);
-      console.log("  ✓ references/");
-      totalInstalled++;
+      const count = copyDirRecursive(refsSourceDir, refsTargetDir);
+      totalInstalled += count;
+      console.log(`  ✓ references/ (${count} files)`);
     } catch (err) {
       console.error(`  ✗ references/: ${err.message}`);
       totalFailed++;
     }
   }
 
+  // 5. Environment detection and auto-install
+  console.log("\n[5/5] Detecting environment and installing dependencies...");
+  try {
+    checkAndFixEnvironment();
+  } catch (err) {
+    console.log(`  ⚠ Environment check failed: ${err.message}`);
+  }
+
   console.log(`\n========================================`);
   if (totalFailed === 0) {
     console.log(`✓ Installed ${totalInstalled} file(s)`);
-    console.log(`\nAgents: ${agentsTargetDir}`);
+    console.log(`\nAgents (oh-my-opencode): ${claudeAgentsDir}`);
+    console.log(`Agents (OpenCode native): ${opencodeAgentsDir}`);
     console.log(`Skill: ${skillTargetDir}`);
     console.log(`\n⚠️  IMPORTANT: Restart OpenCode to discover new agents`);
   } else {