opencode-api-security-testing 5.0.0 → 5.2.1

package/package.json

@@ -1,48 +1,48 @@
-{
-  "name": "opencode-api-security-testing",
-  "version": "5.0.0",
-  "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
-  "type": "module",
-  "main": "src/index.ts",
-  "files": [
-    "src/",
-    "agents/",
-    "core/",
-    "references/",
-    "SKILL.md",
-    "postinstall.mjs",
-    "preuninstall.mjs"
-  ],
-"scripts": {
-  "postinstall": "node postinstall.mjs",
-  "preuninstall": "node preuninstall.mjs",
-  "init": "node init.mjs"
-},
-  "keywords": [
-    "opencode",
-    "opencode-plugin",
-    "security",
-    "api-security",
-    "pentest",
-    "vulnerability-scanning"
-  ],
-  "author": "steveopen1",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/steveopen1/skill-play"
-  },
-  "homepage": "https://github.com/steveopen1/skill-play/tree/main/agent-plugins/OPENCODE/api-security-testing",
-  "peerDependencies": {
-    "@opencode-ai/plugin": "^1.1.19",
-    "@opencode-ai/sdk": "^1.1.19"
-  },
-  "dependencies": {
-    "@opencode-ai/plugin": "^1.1.19",
-    "@opencode-ai/sdk": "^1.1.19"
-  },
-  "devDependencies": {
-    "@types/node": "^25.5.2",
-    "typescript": "^6.0.2"
-  }
-}
+{
+  "name": "opencode-api-security-testing",
+  "version": "5.2.1",
+  "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
+  "type": "module",
+  "main": "src/index.ts",
+  "files": [
+    "src/",
+    "agents/",
+    "core/",
+    "references/",
+    "SKILL.md",
+    "postinstall.mjs",
+    "preuninstall.mjs"
+  ],
+"scripts": {
+  "postinstall": "node postinstall.mjs",
+  "preuninstall": "node preuninstall.mjs",
+  "init": "node init.mjs"
+},
+  "keywords": [
+    "opencode",
+    "opencode-plugin",
+    "security",
+    "api-security",
+    "pentest",
+    "vulnerability-scanning"
+  ],
+  "author": "steveopen1",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/steveopen1/skill-play"
+  },
+  "homepage": "https://github.com/steveopen1/skill-play/tree/main/agent-plugins/OPENCODE/api-security-testing",
+  "peerDependencies": {
+    "@opencode-ai/plugin": "^1.1.19",
+    "@opencode-ai/sdk": "^1.1.19"
+  },
+  "dependencies": {
+    "@opencode-ai/plugin": "^1.1.19",
+    "@opencode-ai/sdk": "^1.1.19"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.2",
+    "typescript": "^6.0.2"
+  }
+}

package/postinstall.mjs

@@ -1,10 +1,11 @@
+#!/usr/bin/env node
+
 /**
  * postinstall.mjs - API Security Testing Plugin
  * 
  * Installs:
- * 1. agents to ~/.claude/agents/ (oh-my-opencode discovery path)
- * 2. agents to ~/.config/opencode/agents/ (OpenCode native discovery path)
- * 3. SKILL.md and references to ~/.config/opencode/skills/api-security-testing/
+ * 1. agents to ~/.config/opencode/agents/
+ * 2. SKILL.md and references to ~/.config/opencode/skills/api-security-testing/
  */
 
 import { copyFileSync, existsSync, mkdirSync, readdirSync } from "node:fs";
@@ -19,42 +20,11 @@ function getOpencodeBaseDir() {
   return join(home, ".config", "opencode");
 }
 
-function getClaudeBaseDir() {
-  const home = process.env.HOME || process.env.USERPROFILE || "/root";
-  return join(home, ".claude");
-}
-
-function copyDirRecursive(src, dest) {
-  if (!existsSync(dest)) {
-    mkdirSync(dest, { recursive: true });
-  }
-  const items = readdirSync(src, { withFileTypes: true });
-  let count = 0;
-  for (const item of items) {
-    const srcPath = join(src, item.name);
-    const destPath = join(dest, item.name);
-    try {
-      if (item.isDirectory()) {
-        copyDirRecursive(srcPath, destPath);
-      } else {
-        copyFileSync(srcPath, destPath);
-        count++;
-      }
-    } catch (err) {
-      console.error(`  ✗ ${item.name}: ${err.message}`);
-    }
-  }
-  return count;
-}
-
 function main() {
   const packageRoot = __dirname;
   const agentsSourceDir = join(packageRoot, "agents");
-  const opencodeBaseDir = getOpencodeBaseDir();
-  const claudeBaseDir = getClaudeBaseDir();
-  const opencodeAgentsDir = join(opencodeBaseDir, "agents");
-  const claudeAgentsDir = join(claudeBaseDir, "agents");
-  const skillTargetDir = join(opencodeBaseDir, "skills", "api-security-testing");
+  const agentsTargetDir = join(getOpencodeBaseDir(), "agents");
+  const skillTargetDir = join(getOpencodeBaseDir(), "skills", "api-security-testing");
   
   console.log("[api-security-testing] Installing...");
   console.log(`  Package root: ${packageRoot}`);
@@ -62,17 +32,17 @@ function main() {
   let totalInstalled = 0;
   let totalFailed = 0;
 
-  // 1. Install agents to BOTH locations (oh-my-opencode + OpenCode native)
-  console.log("\n[1/4] Installing agents to ~/.claude/agents/ (oh-my-opencode)...");
+  // 1. Install agents
+  console.log("\n[1/3] Installing agents...");
   if (existsSync(agentsSourceDir)) {
-    if (!existsSync(claudeAgentsDir)) {
-      mkdirSync(claudeAgentsDir, { recursive: true });
+    if (!existsSync(agentsTargetDir)) {
+      mkdirSync(agentsTargetDir, { recursive: true });
     }
     
     const files = readdirSync(agentsSourceDir).filter(f => f.endsWith(".md"));
     for (const file of files) {
       try {
-        copyFileSync(join(agentsSourceDir, file), join(claudeAgentsDir, file));
+        copyFileSync(join(agentsSourceDir, file), join(agentsTargetDir, file));
         console.log(`  ✓ ${file}`);
         totalInstalled++;
       } catch (err) {
@@ -82,27 +52,8 @@ function main() {
     }
   }
 
-  console.log("\n[2/4] Installing agents to ~/.config/opencode/agents/ (OpenCode native)...");
-  if (existsSync(agentsSourceDir)) {
-    if (!existsSync(opencodeAgentsDir)) {
-      mkdirSync(opencodeAgentsDir, { recursive: true });
-    }
-    
-    const files = readdirSync(agentsSourceDir).filter(f => f.endsWith(".md"));
-    for (const file of files) {
-      try {
-        copyFileSync(join(agentsSourceDir, file), join(opencodeAgentsDir, file));
-        console.log(`  ✓ ${file}`);
-        totalInstalled++;
-      } catch (err) {
-        console.error(`  ✗ ${file}: ${err.message}`);
-        totalFailed++;
-      }
-    }
-  }
-
-  // 3. Install SKILL.md
-  console.log("\n[3/4] Installing SKILL.md...");
+  // 2. Install SKILL.md
+  console.log("\n[2/3] Installing SKILL.md...");
   const skillSource = join(packageRoot, "SKILL.md");
   if (existsSync(skillSource)) {
     if (!existsSync(skillTargetDir)) {
@@ -118,15 +69,36 @@ function main() {
     }
   }
 
-  // 4. Install references
-  console.log("\n[4/4] Installing references...");
+  // 3. Install references
+  console.log("\n[3/3] Installing references...");
   const refsSourceDir = join(packageRoot, "references");
   const refsTargetDir = join(skillTargetDir, "references");
   if (existsSync(refsSourceDir)) {
+    if (!existsSync(refsTargetDir)) {
+      mkdirSync(refsTargetDir, { recursive: true });
+    }
+    
+    function copyDir(src, dest) {
+      const items = readdirSync(src);
+      for (const item of items) {
+        const srcPath = join(src, item);
+        const destPath = join(dest, item);
+        try {
+          copyFileSync(srcPath, destPath);
+          totalInstalled++;
+        } catch {
+          if (existsSync(srcPath) && !srcPath.endsWith(".md")) {
+            mkdirSync(destPath, { recursive: true });
+            copyDir(srcPath, destPath);
+          }
+        }
+      }
+    }
+    
     try {
-      const count = copyDirRecursive(refsSourceDir, refsTargetDir);
-      totalInstalled += count;
-      console.log(`  ✓ references/ (${count} files)`);
+      copyDir(refsSourceDir, refsTargetDir);
+      console.log("  ✓ references/");
+      totalInstalled++;
     } catch (err) {
       console.error(`  ✗ references/: ${err.message}`);
       totalFailed++;
@@ -136,8 +108,7 @@ function main() {
   console.log(`\n========================================`);
   if (totalFailed === 0) {
     console.log(`✓ Installed ${totalInstalled} file(s)`);
-    console.log(`\nAgents (oh-my-opencode): ${claudeAgentsDir}`);
-    console.log(`Agents (OpenCode native): ${opencodeAgentsDir}`);
+    console.log(`\nAgents: ${agentsTargetDir}`);
     console.log(`Skill: ${skillTargetDir}`);
     console.log(`\n⚠️  IMPORTANT: Restart OpenCode to discover new agents`);
   } else {

package/references/references/README.md

@@ -1,72 +0,0 @@
-# API Security Testing 参考资源
-
-## 核心文件
-
-| 文件 | 内容 |
-|------|------|
-| `pua-agent.md` | PUA自动测试Agent，强制深入不放弃 |
-| `fuzzing-patterns.md` | API Fuzzing字典 |
-| `report-template.md` | 安全测试报告模板 |
-
-## vulnerabilities/ 漏洞测试方法
-
-| 文件 | 内容 |
-|------|------|
-| `vulnerabilities/01-sqli-tests.md` | SQL注入测试 + WAF绕过 |
-| `vulnerabilities/02-user-enum-tests.md` | 用户枚举测试 |
-| `vulnerabilities/03-jwt-tests.md` | JWT认证测试 |
-| `vulnerabilities/04-idor-tests.md` | IDOR越权测试 |
-| `vulnerabilities/05-sensitive-data-tests.md` | 敏感信息泄露 |
-| `vulnerabilities/06-biz-logic-tests.md` | 业务逻辑漏洞 |
-| `vulnerabilities/07-security-config-tests.md` | 安全配置漏洞 |
-| `vulnerabilities/08-brute-force-tests.md` | 暴力破解测试 |
-| `vulnerabilities/09-vulnerability-chains.md` | 漏洞关联联想 |
-| `vulnerabilities/10-auth-tests.md` | OAuth/SAML/2FA测试 |
-| `vulnerabilities/11-graphql-tests.md` | GraphQL安全测试 |
-| `vulnerabilities/12-ssrf-tests.md` | SSRF测试 |
-
-## PUA Agent 使用
-
-### 核心思想
-
-```
-【PUA自动模式】
-- 发现线索 → 自动深入
-- 不等待用户指令
-- 压力升级直到完成
-```
-
-### 压力升级机制
-
-| 失败次数 | 级别 | 行动 |
-|---------|------|------|
-| 1次 | L1 | 换方法继续 |
-| 2次 | L2 | 强制检查清单 |
-| 3次 | L3 | 报告进度并继续 |
-| 4次+ | L4 | 尝试其他方向 |
-
-### 不放弃原则
-
-```
-遇到以下情况必须继续：
-□ 端点404 → 尝试POST方法
-□ 被WAF拦截 → 换payload
-□ 返回HTML → 继续API测试
-□ 找不到配置 → 搜索其他JS
-□ 一个端点失败 → 测试同类端点
-□ 说"无法测试" → 必须穷举所有方法
-```
-
-### 进度追踪表
-
-```
-阶段1: [████████░░] 80%
-阶段2: [████░░░░░░░] 40%
-阶段3: [░░░░░░░░░░░] 0%
-阶段4: [░░░░░░░░░░░] 0%
-
-发现:
-├─ CORS漏洞: 18个端点
-├─ SQL注入: 待测试
-└─ 新线索: /ipark-wxlite/*
-```

package/references/references/asset-discovery.md

@@ -1,119 +0,0 @@
-# Asset Discovery Guidance
-
-将原始 API 材料转换为紧凑的安全相关清单。
-
-## 目标
-
-识别对安全测试最重要的 API 部分。
-
-## 核心表面
-
-- base URL(s)
-- versioning scheme
-- routes 或 operations
-- methods
-- content types
-- auth schemes
-
-## 信任边界
-
-- public vs authenticated endpoints
-- user vs admin operations
-- internal vs external APIs
-- service-to-service 或 callback flows
-- tenant 或 organization 边界
-
-## 敏感对象
-
-关注以下对象：
-- users
-- roles
-- teams
-- organizations
-- invoices
-- payments
-- orders
-- files
-- secrets
-- API keys
-- tokens
-- audit logs
-- exports
-- configuration objects
-
-## 高风险操作模式
-
-标记与以下相关的 endpoints 或 mutations：
-- create/update/delete user
-- role assignment
-- permission change
-- password reset
-- token issue 或 refresh
-- export 或 bulk download
-- import 或 bulk update
-- file upload
-- webhook registration
-- callback URL configuration
-- search 或 filter on sensitive entities
-- internal admin dashboards 或 debug endpoints
-
-## REST 提示
-
-优先包含模式的 endpoints：
-- `/admin`
-- `/internal`
-- `/users`
-- `/roles`
-- `/permissions`
-- `/export`
-- `/import`
-- `/search`
-- `/upload`
-- `/files`
-- `/billing`
-- `/settings`
-- `/token`
-- `/auth`
-- `/debug`
-
-同时注意：
-- bulk 操作
-- object IDs in path 或 query
-- 同一资源上隐藏的替代方法
-- 不一致的版本化 endpoints
-
-## GraphQL 提示
-
-优先：
-- 变更 roles、permissions 或 state 的 mutations
-- 暴露嵌套对象遍历的 fields
-- admin-only resolvers
-- schema introspection 暴露
-- 带敏感链接数据的宽对象图
-- 可能意外扩展访问的 connection 或 pagination 模式
-
-## 资产摘要格式
-
-优先简洁输出：
-
-```
-- Base URLs:
-- API type:
-- Auth schemes:
-- Roles observed or assumed:
-- Sensitive objects:
-- High-risk operations:
-- Trust boundaries:
-- Unknown areas:
-```
-
-## 优先级规则
-
-当表面较大时，优先深度在：
-1. auth 和 role 变更
-2. user 和 tenant 数据
-3. export/import 和 bulk 操作
-4. file 和 callback 流程
-5. 金融或行政操作
-
-不要在低风险的只读 metadata endpoints 上浪费空间，除非它们支持更广泛的滥用路径。

package/references/references/fuzzing-patterns.md

@@ -1,129 +0,0 @@
-# Fuzzing 字典
-
-## API前缀字典
-
-```python
-common_api_prefixes = [
-    # 协议/网关
-    "/gateway", "/proxy", "/route", "/ingress",
-    "/api-gateway", "/openapi", "/open/api",
-    # 版本前缀
-    "/v1", "/v2", "/v3", "/v4", "/v5",
-    "/api/v1", "/api/v2", "/api/v3",
-    "/rest", "/rest/api", "/graphql",
-    # 管理后台
-    "/admin", "/admin/api", "/manager", "/backend",
-    "/backoffice", "/cms",
-    # 业务模块
-    "/user", "/users", "/member", "/members",
-    "/order", "/orders", "/trade", "/transaction",
-    "/product", "/goods", "/shop", "/store",
-    "/payment", "/pay", "/finance", "/account",
-    "/file", "/upload", "/oss", "/storage",
-    "/message", "/notify", "/sms", "/email",
-    "/admin", "/authority", "/system", "/config",
-    # 微服务
-    "/service", "/services", "/rpc", "/grpc",
-    "/auth", "/oauth", "/sso", "/cas",
-    # 移动端
-    "/mobile", "/app", "/ios", "/android",
-    "/miniapp", "/wechat", "/applet",
-]
-```
-
-## API端点字典
-
-```python
-common_api_endpoints = [
-    # 通用CRUD
-    "login", "logout", "register", "list", "add", "delete", "modify",
-    "getList", "getListOfPage", "detail", "getInfo", "profile",
-    # 用户相关
-    "user", "user/list", "user/add", "user/delete", "user/modify",
-    "user/profile", "user/restPassword", "user/enable", "user/disable",
-    # 角色权限
-    "role", "role/list", "role/add", "role/delete", "role/modify",
-    "menu", "menu/list", "menu/add", "menu/delete", "menu/modify",
-    # 文件操作
-    "file", "upload", "download", "import", "export",
-    "imgUpload", "avatar", "attachment",
-]
-```
-
-## Fuzzing测试流程
-
-```python
-for prefix in common_api_prefixes:
-    for endpoint in common_api_endpoints:
-        url = target + prefix + "/" + endpoint
-        response = requests.get(url)
-        # 记录返回200的接口
-```
-
-## API根路径探测
-
-```python
-root_paths = [
-    "/", "/login", "/auth", "/oauth", "/sso", "/cas",
-    "/health", "/healthz", "/ready", "/status", "/info",
-    "/metrics", "/ping", "/actuator",
-]
-
-for path in root_paths:
-    url = api_base + path
-    response = requests.get(url)
-    if "json" in response.headers.get("Content-Type", ""):
-        # 发现可访问的接口
-```
-
-## 业务端点模板扩展
-
-```
-发现的模式: /{module}/{operation}
-可能存在的端点:
-- /{module}/list          → 列表查询
-- /{module}/add          → 新增创建
-- /{module}/modify       → 修改更新
-- /{module}/delete       → 删除操作
-- /{module}/detail       → 详情查看
-- /{module}/getInfo      → 信息获取
-- /{module}/export       → 导出数据
-- /{module}/import       → 导入数据
-
-RESTful风格:
-- GET  /{resource}/{id}     → 获取详情
-- PUT  /{resource}/{id}     → 完整更新
-- DELETE /{resource}/{id}   → 删除资源
-- PATCH /{resource}/{id}   → 部分更新
-```
-
-## 非通用base_path字典
-
-```python
-extended_base_paths = [
-    # 协议/网关
-    "/gateway", "/proxy", "/route", "/ingress",
-    "/api-gateway", "/openapi", "/open/api",
-    # 版本前缀
-    "/v1", "/v2", "/v3", "/v4", "/v5",
-    "/api/v1", "/api/v2", "/api/v3",
-    "/rest", "/rest/api", "/graphql",
-    # 管理后台
-    "/admin", "/manager", "/manage", "/console",
-    "/backend", "/backoffice", "/cms",
-    # 业务模块
-    "/user", "/users", "/member", "/members",
-    "/order", "/orders", "/trade", "/transaction",
-    "/product", "/goods", "/shop", "/store",
-    "/payment", "/pay", "/finance", "/account",
-    "/file", "/upload", "/oss", "/storage",
-    "/message", "/notify", "/sms", "/email",
-    "/admin", "/authority", "/system", "/config",
-    # 微服务
-    "/service", "/services", "/rpc", "/grpc",
-    "/auth", "/oauth", "/sso", "/cas",
-    # 移动端
-    "/mobile", "/app", "/ios", "/android",
-    "/miniapp", "/wechat", "/applet",
-]
-```

package/references/references/graphql-guidance.md

@@ -1,108 +0,0 @@
-# GraphQL Guidance
-
-分析 GraphQL API 时使用。
-
-## 关注领域
-
-### 字段级授权
-
-- resolver 是否正确检查权限
-- 嵌套查询是否泄露数据
-- 是否缺少 admin-only 字段
-
-### 嵌套遍历
-
-- `type User { friends: [User!]! }` 可导致递归查询
-- `type Post { author: User }` 允许遍历
-- 是否限制遍历深度
-
-### Resolver 边界
-
-- 一个 resolver 是否调用另一个 service
-- 是否存在 SSRF 风险
-- 是否有命令注入点
-
-### Mutation 滥用
-
-- 未经授权的状态变更
-- 条件 mutation（如 admin-only mutation）
-- 批量 mutation 导致的问题
-
-### Introspection 暴露
-
-- 是否禁用 introspection
-- 是否暴露敏感字段
-- Schema 文档是否包含敏感信息
-
-## 常见风险信号
-
-- ` IntrospectionQuery` 可访问
-- 缺少 query 复杂度限制
-- 缺少 query 深度限制
-- 缺少字段权限检查
-- mutation 接受任意输入
-- 嵌套查询无限制
-
-## 测试重点
-
-### 1. 枚举攻击
-
-```graphql
-# 枚举所有用户
-query {
-  users {
-    id
-    username
-    email
-  }
-}
-```
-
-### 2. 嵌套遍历
-
-```graphql
-# 递归遍历 friendships
-query {
-  user(id: 1) {
-    friends {
-      friends {
-        friends {
-          id
-        }
-      }
-    }
-  }
-}
-```
-
-### 3. 权限绕过
-
-```graphql
-# 尝试 admin 字段
-query {
-  user(id: 1) {
-    isAdmin
-    role
-  }
-}
-```
-
-### 4. mutation 滥用
-
-```graphql
-# 未经授权的 mutation
-mutation {
-  updateUser(id: 1, role: "admin") {
-    id
-    role
-  }
-}
-```
-
-## 防护检查
-
-- [ ] 是否限制查询复杂度
-- [ ] 是否限制查询深度
-- [ ] 是否禁用 introspection
-- [ ] resolver 是否有权限检查
-- [ ] 是否过滤敏感字段