opencode-api-security-testing 5.2.1 → 5.2.3

package/package.json

@@ -1,48 +1,48 @@
-{
-  "name": "opencode-api-security-testing",
-  "version": "5.2.1",
-  "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
-  "type": "module",
-  "main": "src/index.ts",
-  "files": [
-    "src/",
-    "agents/",
-    "core/",
-    "references/",
-    "SKILL.md",
-    "postinstall.mjs",
-    "preuninstall.mjs"
-  ],
-"scripts": {
-  "postinstall": "node postinstall.mjs",
-  "preuninstall": "node preuninstall.mjs",
-  "init": "node init.mjs"
-},
-  "keywords": [
-    "opencode",
-    "opencode-plugin",
-    "security",
-    "api-security",
-    "pentest",
-    "vulnerability-scanning"
-  ],
-  "author": "steveopen1",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/steveopen1/skill-play"
-  },
-  "homepage": "https://github.com/steveopen1/skill-play/tree/main/agent-plugins/OPENCODE/api-security-testing",
-  "peerDependencies": {
-    "@opencode-ai/plugin": "^1.1.19",
-    "@opencode-ai/sdk": "^1.1.19"
-  },
-  "dependencies": {
-    "@opencode-ai/plugin": "^1.1.19",
-    "@opencode-ai/sdk": "^1.1.19"
-  },
-  "devDependencies": {
-    "@types/node": "^25.5.2",
-    "typescript": "^6.0.2"
-  }
-}
+{
+  "name": "opencode-api-security-testing",
+  "version": "5.2.3",
+  "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
+  "type": "module",
+  "main": "src/index.ts",
+  "files": [
+    "src/",
+    "agents/",
+    "core/",
+    "references/",
+    "SKILL.md",
+    "postinstall.mjs",
+    "preuninstall.mjs"
+  ],
+"scripts": {
+  "postinstall": "node postinstall.mjs",
+  "preuninstall": "node preuninstall.mjs",
+  "init": "node init.mjs"
+},
+  "keywords": [
+    "opencode",
+    "opencode-plugin",
+    "security",
+    "api-security",
+    "pentest",
+    "vulnerability-scanning"
+  ],
+  "author": "steveopen1",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/steveopen1/skill-play"
+  },
+  "homepage": "https://github.com/steveopen1/skill-play/tree/main/agent-plugins/OPENCODE/api-security-testing",
+  "peerDependencies": {
+    "@opencode-ai/plugin": "^1.1.19",
+    "@opencode-ai/sdk": "^1.1.19"
+  },
+  "dependencies": {
+    "@opencode-ai/plugin": "^1.1.19",
+    "@opencode-ai/sdk": "^1.1.19"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.2",
+    "typescript": "^6.0.2"
+  }
+}

package/postinstall.mjs

@@ -4,13 +4,17 @@
  * postinstall.mjs - API Security Testing Plugin
  * 
  * Installs:
- * 1. agents to ~/.config/opencode/agents/
- * 2. SKILL.md and references to ~/.config/opencode/skills/api-security-testing/
+ * 1. agents to ~/.claude/agents/ (oh-my-opencode discovery path)
+ * 2. agents to ~/.config/opencode/agents/ (OpenCode native discovery path)
+ * 3. SKILL.md and references to ~/.config/opencode/skills/api-security-testing/
+ * 4. Auto-detects and installs Python dependencies (requests, beautifulsoup4, playwright)
  */
 
-import { copyFileSync, existsSync, mkdirSync, readdirSync } from "node:fs";
+import { copyFileSync, existsSync, mkdirSync, readdirSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
 import { fileURLToPath } from "node:url";
+import { execSync } from "node:child_process";
+import { platform } from "node:os";
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = join(__filename, "..");
@@ -20,29 +24,241 @@ function getOpencodeBaseDir() {
   return join(home, ".config", "opencode");
 }
 
+function getClaudeBaseDir() {
+  const home = process.env.HOME || process.env.USERPROFILE || "/root";
+  return join(home, ".claude");
+}
+
+function copyDirRecursive(src, dest) {
+  if (!existsSync(dest)) {
+    mkdirSync(dest, { recursive: true });
+  }
+  const items = readdirSync(src, { withFileTypes: true });
+  let count = 0;
+  for (const item of items) {
+    const srcPath = join(src, item.name);
+    const destPath = join(dest, item.name);
+    try {
+      if (item.isDirectory()) {
+        copyDirRecursive(srcPath, destPath);
+      } else {
+        copyFileSync(srcPath, destPath);
+        count++;
+      }
+    } catch (err) {
+      console.error(`  ✗ ${item.name}: ${err.message}`);
+    }
+  }
+  return count;
+}
+
+/**
+ * Run shell command safely
+ */
+function runCommand(cmd, timeout = 30000) {
+  try {
+    const output = execSync(cmd, { 
+      encoding: "utf-8", 
+      timeout,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    return { success: true, output: output.trim(), error: "" };
+  } catch (error) {
+    return { 
+      success: false, 
+      output: error.stdout || "", 
+      error: error.stderr || error.message || "Unknown error" 
+    };
+  }
+}
+
+/**
+ * Check Python availability
+ */
+function checkPython() {
+  for (const cmd of ["python3 --version", "python --version"]) {
+    const result = runCommand(cmd, 5000);
+    if (result.success) {
+      const versionMatch = result.output.match(/Python\s+(\d+\.\d+\.\d+)/i) || 
+                           result.error.match(/Python\s+(\d+\.\d+\.\d+)/i);
+      return { available: true, version: versionMatch ? versionMatch[1] : "unknown", cmd: cmd.split(" ")[0] };
+    }
+  }
+  return { available: false, version: null, cmd: null };
+}
+
+/**
+ * Check if pip is available
+ */
+function checkPip(pythonCmd) {
+  const cmds = [
+    `${pythonCmd} -m pip --version`,
+    "pip3 --version",
+    "pip --version"
+  ];
+  for (const cmd of cmds) {
+    const result = runCommand(cmd, 5000);
+    if (result.success) return cmd.includes("-m pip") ? `${pythonCmd} -m pip` : cmd.split(" ")[0];
+  }
+  return null;
+}
+
+/**
+ * Check if a Python package is installed
+ */
+function checkPythonPackage(pythonCmd, packageName) {
+  const result = runCommand(`${pythonCmd} -c "import ${packageName}"`, 5000);
+  return result.success;
+}
+
+/**
+ * Install a Python package
+ */
+function installPythonPackage(pipCmd, packageName) {
+  const cmds = [
+    `${pipCmd} install -q ${packageName}`,
+    `${pipCmd} install --user -q ${packageName}`
+  ];
+  for (const cmd of cmds) {
+    const result = runCommand(cmd, 120000);
+    if (result.success) return { success: true, error: "" };
+  }
+  return { success: false, error: `Failed to install ${packageName}` };
+}
+
+/**
+ * Check if Playwright browsers are installed
+ */
+function checkPlaywright(pythonCmd) {
+  const hasPackage = checkPythonPackage(pythonCmd, "playwright");
+  const homeDir = process.env.HOME || process.env.USERPROFILE || "/root";
+  const pwCachePath = join(homeDir, ".cache", "ms-playwright");
+  const browsersInstalled = existsSync(pwCachePath);
+  return { installed: hasPackage, browsersInstalled };
+}
+
+/**
+ * Install Playwright
+ */
+function installPlaywright(pythonCmd) {
+  console.log("  Installing Playwright Python package...");
+  const pipCmd = checkPip(pythonCmd);
+  if (!pipCmd) return { success: false, error: "pip not found" };
+  
+  const pkgResult = installPythonPackage(pipCmd, "playwright");
+  if (!pkgResult.success) return pkgResult;
+  
+  console.log("  Installing Playwright browsers (chromium)...");
+  const browserResult = runCommand(`${pythonCmd} -m playwright install chromium`, 300000);
+  if (browserResult.success) return { success: true, error: "" };
+  
+  return { success: false, error: browserResult.error };
+}
+
+/**
+ * Environment detection and auto-installation
+ */
+function checkAndFixEnvironment() {
+  console.log("\n[env-check] Starting environment detection...");
+  
+  const pythonCheck = checkPython();
+  if (!pythonCheck.available) {
+    console.log("  ⚠ Python 3 not found. Python tools will not work.");
+    console.log("  → Install Python 3.8+ from https://python.org");
+    return;
+  }
+  
+  console.log(`  ✓ Python ${pythonCheck.version} detected`);
+  const pythonCmd = pythonCheck.cmd;
+  
+  const pipCmd = checkPip(pythonCmd);
+  if (!pipCmd) {
+    console.log("  ⚠ pip not found. Cannot auto-install Python packages.");
+    return;
+  }
+  console.log(`  ✓ pip detected`);
+  
+  // Required packages
+  const requiredPackages = ["requests", "beautifulsoup4", "urllib3"];
+  for (const pkg of requiredPackages) {
+    if (!checkPythonPackage(pythonCmd, pkg)) {
+      console.log(`  Installing ${pkg}...`);
+      const result = installPythonPackage(pipCmd, pkg);
+      if (result.success) {
+        console.log(`  ✓ ${pkg} installed`);
+      } else {
+        console.log(`  ✗ Failed to install ${pkg}`);
+      }
+    } else {
+      console.log(`  ✓ ${pkg} already installed`);
+    }
+  }
+  
+  // Check Playwright
+  const pwCheck = checkPlaywright(pythonCmd);
+  if (!pwCheck.installed || !pwCheck.browsersInstalled) {
+    console.log("  Playwright not fully installed, installing...");
+    const result = installPlaywright(pythonCmd);
+    if (result.success) {
+      console.log("  ✓ Playwright + browsers installed");
+    } else {
+      console.log(`  ⚠ Playwright installation failed: ${result.error}`);
+      console.log("  → browser_collect tool will not work until Playwright is installed");
+      console.log(`  → Manual fix: ${pythonCmd} -m pip install playwright && ${pythonCmd} -m playwright install chromium`);
+    }
+  } else {
+    console.log("  ✓ Playwright already installed");
+  }
+  
+  console.log("[env-check] Environment check complete\n");
+}
+
 function main() {
   const packageRoot = __dirname;
   const agentsSourceDir = join(packageRoot, "agents");
-  const agentsTargetDir = join(getOpencodeBaseDir(), "agents");
-  const skillTargetDir = join(getOpencodeBaseDir(), "skills", "api-security-testing");
+  const opencodeBaseDir = getOpencodeBaseDir();
+  const claudeBaseDir = getClaudeBaseDir();
+  const opencodeAgentsDir = join(opencodeBaseDir, "agents");
+  const claudeAgentsDir = join(claudeBaseDir, "agents");
+  const skillTargetDir = join(opencodeBaseDir, "skills", "api-security-testing");
   
   console.log("[api-security-testing] Installing...");
   console.log(`  Package root: ${packageRoot}`);
+  console.log(`  Platform: ${platform()}`);
 
   let totalInstalled = 0;
   let totalFailed = 0;
 
-  // 1. Install agents
-  console.log("\n[1/3] Installing agents...");
+  // 1. Install agents to BOTH locations
+  console.log("\n[1/5] Installing agents to ~/.claude/agents/ (oh-my-opencode)...");
+  if (existsSync(agentsSourceDir)) {
+    if (!existsSync(claudeAgentsDir)) {
+      mkdirSync(claudeAgentsDir, { recursive: true });
+    }
+    
+    const files = readdirSync(agentsSourceDir).filter(f => f.endsWith(".md"));
+    for (const file of files) {
+      try {
+        copyFileSync(join(agentsSourceDir, file), join(claudeAgentsDir, file));
+        console.log(`  ✓ ${file}`);
+        totalInstalled++;
+      } catch (err) {
+        console.error(`  ✗ ${file}: ${err.message}`);
+        totalFailed++;
+      }
+    }
+  }
+
+  console.log("\n[2/5] Installing agents to ~/.config/opencode/agents/ (OpenCode native)...");
   if (existsSync(agentsSourceDir)) {
-    if (!existsSync(agentsTargetDir)) {
-      mkdirSync(agentsTargetDir, { recursive: true });
+    if (!existsSync(opencodeAgentsDir)) {
+      mkdirSync(opencodeAgentsDir, { recursive: true });
     }
     
     const files = readdirSync(agentsSourceDir).filter(f => f.endsWith(".md"));
     for (const file of files) {
       try {
-        copyFileSync(join(agentsSourceDir, file), join(agentsTargetDir, file));
+        copyFileSync(join(agentsSourceDir, file), join(opencodeAgentsDir, file));
         console.log(`  ✓ ${file}`);
         totalInstalled++;
       } catch (err) {
@@ -52,8 +268,8 @@ function main() {
     }
   }
 
-  // 2. Install SKILL.md
-  console.log("\n[2/3] Installing SKILL.md...");
+  // 3. Install SKILL.md
+  console.log("\n[3/5] Installing SKILL.md...");
   const skillSource = join(packageRoot, "SKILL.md");
   if (existsSync(skillSource)) {
     if (!existsSync(skillTargetDir)) {
@@ -69,46 +285,34 @@ function main() {
     }
   }
 
-  // 3. Install references
-  console.log("\n[3/3] Installing references...");
+  // 4. Install references
+  console.log("\n[4/5] Installing references...");
   const refsSourceDir = join(packageRoot, "references");
   const refsTargetDir = join(skillTargetDir, "references");
   if (existsSync(refsSourceDir)) {
-    if (!existsSync(refsTargetDir)) {
-      mkdirSync(refsTargetDir, { recursive: true });
-    }
-    
-    function copyDir(src, dest) {
-      const items = readdirSync(src);
-      for (const item of items) {
-        const srcPath = join(src, item);
-        const destPath = join(dest, item);
-        try {
-          copyFileSync(srcPath, destPath);
-          totalInstalled++;
-        } catch {
-          if (existsSync(srcPath) && !srcPath.endsWith(".md")) {
-            mkdirSync(destPath, { recursive: true });
-            copyDir(srcPath, destPath);
-          }
-        }
-      }
-    }
-    
     try {
-      copyDir(refsSourceDir, refsTargetDir);
-      console.log("  ✓ references/");
-      totalInstalled++;
+      const count = copyDirRecursive(refsSourceDir, refsTargetDir);
+      totalInstalled += count;
+      console.log(`  ✓ references/ (${count} files)`);
     } catch (err) {
       console.error(`  ✗ references/: ${err.message}`);
       totalFailed++;
     }
   }
 
+  // 5. Environment detection and auto-install
+  console.log("\n[5/5] Detecting environment and installing dependencies...");
+  try {
+    checkAndFixEnvironment();
+  } catch (err) {
+    console.log(`  ⚠ Environment check failed: ${err.message}`);
+  }
+
   console.log(`\n========================================`);
   if (totalFailed === 0) {
     console.log(`✓ Installed ${totalInstalled} file(s)`);
-    console.log(`\nAgents: ${agentsTargetDir}`);
+    console.log(`\nAgents (oh-my-opencode): ${claudeAgentsDir}`);
+    console.log(`Agents (OpenCode native): ${opencodeAgentsDir}`);
     console.log(`Skill: ${skillTargetDir}`);
     console.log(`\n⚠️  IMPORTANT: Restart OpenCode to discover new agents`);
   } else {

package/src/index.ts

@@ -2,6 +2,10 @@ import type { Plugin } from "@opencode-ai/plugin";
 import { tool } from "@opencode-ai/plugin";
 import { join } from "path";
 import { existsSync, readFileSync } from "fs";
+import { exec } from "child_process";
+import { promisify } from "util";
+
+const execAsync = promisify(exec);
 
 const SKILL_DIR = "skills/api-security-testing";
 const CORE_DIR = `${SKILL_DIR}/core`;
@@ -183,9 +187,24 @@ To activate these agents, simply mention their name in your response (e.g., "@ap
 }
 
 async function execShell(ctx: unknown, cmd: string): Promise<string> {
-  const shell = ctx as { $: (strings: TemplateStringsArray, ...expr: unknown[]) => Promise<{ toString(): string }> };
-  const result = await shell.$`${cmd}`;
-  return result.toString();
+  try {
+    const { stdout, stderr } = await execAsync(cmd, {
+      maxBuffer: 1024 * 1024 * 10, // 10MB buffer
+      timeout: 120000, // 2 minutes timeout
+      shell: process.platform === "win32" ? "powershell.exe" : undefined
+    });
+    if (stderr && !stdout) {
+      return `Error: ${stderr}`;
+    }
+    return stdout || stderr;
+  } catch (error: unknown) {
+    const err = error as { message?: string; stdout?: string; stderr?: string };
+    // 如果有 stdout 输出，即使命令失败也返回输出
+    if (err.stdout) {
+      return err.stdout;
+    }
+    return `Error: ${err.message || "Unknown error"}`;
+  }
 }
 
 function getFailureCount(sessionID: string): number {
@@ -208,7 +227,7 @@ function detectGiveUpPattern(text: string): boolean {
 
 const ApiSecurityTestingPlugin: Plugin = async (ctx) => {
   const config = loadConfig(ctx);
-  console.log(`[api-security-testing] Plugin loaded v4.0.2 - collection_mode: ${config.collection_mode}`);
+  console.log(`[api-security-testing] Plugin loaded v5.2.2 - collection_mode: ${config.collection_mode}`);
 
   return {
     tool: {
@@ -415,6 +434,171 @@ from testers.auth_tester import AuthTester
 tester = AuthTester()
 result = tester.test('${args.endpoint}')
 print(result)
+"`;
+          return await execShell(ctx, cmd);
+        },
+      }),
+
+      // 新增: 端点自动发现工具
+      endpoint_discover: tool({
+        description: "自动发现 API 端点。从 JS 文件、HTML、Sitemap 中提取所有 API 路径",
+        args: {
+          target: tool.schema.string(),
+          depth: tool.schema.enum(["shallow", "deep"]).optional(),
+          include_methods: tool.schema.boolean().optional()
+        },
+        async execute(args, ctx) {
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const target = args.target as string;
+          const depth = (args.depth as string) || "shallow";
+          const includeMethods = (args.include_methods as boolean) !== false;
+          const cmd = `${deps}python3 -c "
+import sys, re, json, urllib.request, ssl
+sys.path.insert(0, '${corePath}')
+ssl._create_default_https_context = ssl._create_unverified_context
+target = '${target}'
+depth = '${depth}'
+endpoints = set()
+js_endpoints = set()
+html_endpoints = set()
+patterns = [r'[\\"\\'](/api/[^\\"\\'\\s?#]+)[\\"\\']', r'[\\"\\'](/v[0-9]+/[^\\"\\'\\s?#]+)[\\"\\']', r'[\\"\\'](/admin/[^\\"\\'\\s?#]+)[\\"\\']', r'[\\"\\'](/auth/[^\\"\\'\\s?#]+)[\\"\\']', r'[\\"\\'](/graphql)[\\"\\']', r'[\\"\\'](/rest/[^\\"\\'\\s?#]+)[\\"\\']', r'axios\\.(get|post|put|delete|patch)\([\\"\\']([^\\"\\'\\s?#]+)[\\"\\']', r'fetch\([\\"\\']([^\\"\\'\\s?#]+)[\\"\\']']
+def safe_fetch(url, timeout=10):
+    try:
+        req = urllib.request.Request(url, headers={'User-Agent': 'Mozilla/5.0'})
+        with urllib.request.urlopen(req, timeout=timeout) as r: return r.read().decode('utf-8', errors='ignore')
+    except: return None
+def extract(text):
+    found = []
+    for p in patterns:
+        for m in re.findall(p, text):
+            ep = m[-1] if isinstance(m, tuple) else m
+            ep = ep.strip().lstrip('/')
+            if ep and len(ep) > 2 and not ep.startswith(('http', 'data:', '#')):
+                if not any(ep.lower().endswith(x) for x in ['.js','.css','.png','.jpg','.gif','.svg','.ico']):
+                    found.append('/' + ep)
+    return found
+parsed = __import__('urllib.parse').urlparse(target)
+base = f'{parsed.scheme}://{parsed.netloc}'
+html = safe_fetch(target)
+if html:
+    html_endpoints.update(extract(html))
+    for js_url in re.findall(r'<script[^>]+src=[\\"\\']([^\\"\\'\\s?#]+)[\\"\\']', html)[:20 if depth=='shallow' else 50]:
+        if js_url.startswith('/'): js_url = base + js_url
+        elif not js_url.startswith('http'): js_url = base + '/' + js_url
+        js_content = safe_fetch(js_url, timeout=10)
+        if js_content: js_endpoints.update(extract(js_content))
+for path in ['/api', '/api/v1', '/api/docs', '/swagger.json', '/graphql', '/admin', '/auth', '/health', '/version']:
+    content = safe_fetch(base + path, timeout=5)
+    if content and len(content) > 10:
+        endpoints.add(path)
+        if content.strip().startswith('{'):
+            try:
+                for ep in re.findall(r'[\\"\\'](/[a-zA-Z0-9_./-]+)[\\"\\']', content[:10000]): endpoints.add(ep)
+            except: pass
+if depth == 'deep':
+    for js_url in re.findall(r'<script[^>]+src=[\\"\\']([^\\"\\'\\s?#]+)[\\"\\']', html or '')[:50]:
+        if js_url.startswith('/'): js_url = base + js_url
+        elif not js_url.startswith('http'): js_url = base + '/' + js_url
+        js_content = safe_fetch(js_url, timeout=10)
+        if js_content:
+            for p in [r'[\\"\\'](/[a-zA-Z0-9_./{{}}:-]+)[\\"\\']', r'path:\\s*[\\"\\'](/[a-zA-Z0-9_./{{}}:-]+)[\\"\\']']:
+                for m in re.findall(p, js_content):
+                    ep = m[-1] if isinstance(m, tuple) else m
+                    if len(ep) > 2 and not ep.startswith(('http', 'data:', '#')): endpoints.add(ep)
+all_eps = sorted(set(endpoints) | set(html_endpoints) | set(js_endpoints))
+clean = []
+seen = set()
+for ep in all_eps:
+    ep = ep.split('?')[0].split('#')[0].rstrip('/')
+    if ep and ep not in seen and len(ep) > 1:
+        seen.add(ep)
+        clean.append(ep)
+result = {'target': target, 'total_endpoints': len(clean), 'endpoints': clean, 'sources': {'html': len(html_endpoints), 'javascript': len(js_endpoints), 'common_paths': len(endpoints)}}
+print(json.dumps(result, indent=2, ensure_ascii=False))
+"`;
+          return await execShell(ctx, cmd);
+        },
+      }),
+
+      // 新增: 报告生成工具
+      report_generate: tool({
+        description: "生成安全测试报告。支持 Markdown、HTML、JSON 格式，内置 OWASP API Top 10 模板",
+        args: {
+          format: tool.schema.enum(["markdown", "html", "json"]).optional(),
+          template: tool.schema.enum(["owasp-api", "custom"]).optional(),
+          target: tool.schema.string().optional(),
+          findings: tool.schema.string().optional(),
+          severity_filter: tool.schema.enum(["all", "critical", "high", "medium", "low", "info"]).optional()
+        },
+        async execute(args, ctx) {
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const format = (args.format as string) || "markdown";
+          const template = (args.template as string) || "owasp-api";
+          const target = (args.target as string) || "Unknown";
+          const findings = (args.findings as string) || "";
+          const severityFilter = (args.severity_filter as string) || "all";
+          const cmd = `${deps}python3 -c "
+import sys, json
+from datetime import datetime
+sys.path.insert(0, '${corePath}')
+format = '${format}'
+target = '${target.replace(/'/g, "\\'")}'
+findings = '''${findings.replace(/'/g, "\\'")}'''
+severity_filter = '${severityFilter}'
+parsed_findings = []
+if findings.strip():
+    try: parsed_findings = json.loads(findings)
+    except:
+        for line in findings.strip().split('\\n'):
+            if line.strip():
+                try: parsed_findings.append(json.loads(line))
+                except: pass
+if severity_filter != 'all' and parsed_findings:
+    parsed_findings = [f for f in parsed_findings if f.get('severity','').lower() == severity_filter.lower()]
+sev_counts = {'critical': 0, 'high': 0, 'medium': 0, 'low': 0, 'info': 0}
+for f in parsed_findings:
+    s = f.get('severity','info').lower()
+    if s in sev_counts: sev_counts[s] += 1
+total = len(parsed_findings)
+risk_score = sev_counts['critical']*10 + sev_counts['high']*7 + sev_counts['medium']*4 + sev_counts['low']*1
+risk_level = 'CRITICAL' if risk_score >= 50 else 'HIGH' if risk_score >= 30 else 'MEDIUM' if risk_score >= 15 else 'LOW' if risk_score > 0 else 'NONE'
+now = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
+if format == 'markdown':
+    report = f'# API 安全测试报告\\n\\n## 基本信息\\n\\n| 项目 | 值 |\\n|------|------|\\n| 目标 | {target} |\\n| 测试时间 | {now} |\\n| 风险等级 | **{risk_level}** |\\n| 风险分数 | {risk_score}/100 |\\n\\n## 漏洞统计\\n\\n| 严重程度 | 数量 |\\n|---------|------|\\n| Critical | {sev_counts[\\\"critical\\\"]} |\\n| High | {sev_counts[\\\"high\\\"]} |\\n| Medium | {sev_counts[\\\"medium\\\"]} |\\n| Low | {sev_counts[\\\"low\\\"]} |\\n| Info | {sev_counts[\\\"info\\\"]} |\\n| **总计** | **{total}** |\\n\\n## 漏洞详情\\n\\n'
+    if not parsed_findings: report += '未发现安全漏洞。\\n\\n'
+    else:
+        for i, f in enumerate(parsed_findings, 1):
+            title = f.get('title', f.get('vulnerability', f'Vulnerability #{i}'))
+            sev = f.get('severity', 'Unknown').upper()
+            ep = f.get('endpoint', f.get('url', 'N/A'))
+            desc = f.get('description', f.get('detail', 'No description'))
+            poc = f.get('poc', f.get('proof_of_concept', ''))
+            rec = f.get('recommendation', f.get('fix', 'Review and fix'))
+            report += f'### {i}. [{sev}] {title}\\n\\n| 属性 | 值 |\\n|------|------|\\n| 端点 | \\\`{ep}\\\` |\\n\\n**描述:**\\n\\n{desc}\\n\\n'
+            if poc: report += f'**PoC:**\\n\\n\\\`\\\`\\\`bash\\n{poc}\\n\\\`\\\`\\\`\\n\\n'
+            report += f'**修复建议:**\\n\\n{rec}\\n\\n---\\n\\n'
+    report += f'\\n## 测试覆盖范围\\n\\n| 测试类别 | 状态 |\\n|---------|------|\\n| SQL 注入 | ✅ 已测试 |\\n| XSS | ✅ 已测试 |\\n| IDOR | ✅ 已测试 |\\n| 认证绕过 | ✅ 已测试 |\\n| 敏感数据 | ✅ 已测试 |\\n| 业务逻辑 | ✅ 已测试 |\\n| 安全配置 | ✅ 已测试 |\\n| 暴力破解 | ✅ 已测试 |\\n| SSRF | ✅ 已测试 |\\n| GraphQL | ✅ 已测试 |\\n\\n---\\n\\n*报告生成时间: {now}*\\n*工具: opencode-api-security-testing v5.2.2*\\n'
+elif format == 'json':
+    report = json.dumps({'report': {'target': target, 'generated_at': now, 'tool': 'opencode-api-security-testing', 'version': '5.1.0'}, 'summary': {'total': total, 'risk_score': risk_score, 'risk_level': risk_level, 'severity_counts': sev_counts}, 'findings': parsed_findings}, indent=2, ensure_ascii=False)
+else:
+    report = f'<!DOCTYPE html><html><head><meta charset=UTF-8><title>API 安全测试报告 - {target}</title><style>body{{font-family:sans-serif;margin:20px;background:#f5f5f5}}.container{{max-width:1200px;margin:0 auto;background:white;border-radius:8px;padding:20px;box-shadow:0 2px 10px rgba(0,0,0,0.1)}}h1{{color:#333}}.stats{{display:flex;gap:15px;flex-wrap:wrap;margin:20px 0}}.stat{{background:#f8f9fa;padding:15px;border-radius:8px;text-align:center;min-width:120px}}.stat .num{{font-size:32px;font-weight:bold}}.stat.critical .num{{color:#dc3545}}.stat.high .num{{color:#fd7e14}}.stat.medium .num{{color:#ffc107}}.stat.low .num{{color:#28a745}}.finding{{border:1px solid #e9ecef;border-radius:8px;margin:15px 0;overflow:hidden}}.finding-header{{padding:15px;display:flex;align-items:center;gap:10px}}.finding-header.critical{{background:#fff5f5;border-left:4px solid #dc3545}}.finding-header.high{{background:#fff8f0;border-left:4px solid #fd7e14}}.finding-header.medium{{background:#fffdf0;border-left:4px solid #ffc107}}.finding-header.low{{background:#f0fff4;border-left:4px solid #28a745}}.badge{{padding:3px 8px;border-radius:4px;font-size:11px;font-weight:bold;color:white}}.badge.critical{{background:#dc3545}}.badge.high{{background:#fd7e14}}.badge.medium{{background:#ffc107;color:#333}}.badge.low{{background:#28a745}}.finding-body{{padding:15px}}pre{{background:#f8f9fa;padding:10px;border-radius:4px;overflow-x:auto}}</style></head><body><div class=container><h1>API 安全测试报告</h1><p>目标: {target} | 时间: {now} | 风险: <strong>{risk_level}</strong> ({risk_score}/100)</p><div class=stats><div class=stat critical><div class=num>{sev_counts[\\\"critical\\\"]}</div><div>Critical</div></div><div class=stat high><div class=num>{sev_counts[\\\"high\\\"]}</div><div>High</div></div><div class=stat medium><div class=num>{sev_counts[\\\"medium\\\"]}</div><div>Medium</div></div><div class=stat low><div class=num>{sev_counts[\\\"low\\\"]}</div><div>Low</div></div><div class=stat><div class=num>{total}</div><div>Total</div></div></div>'
+    if not parsed_findings: report += '<h2 style=color:#28a745>未发现安全漏洞</h2>'
+    else:
+        for i, f in enumerate(parsed_findings, 1):
+            title = f.get('title', f.get('vulnerability', f'#{i}'))
+            sev = f.get('severity','unknown').lower()
+            ep = f.get('endpoint', f.get('url', 'N/A'))
+            desc = f.get('description', f.get('detail', ''))
+            poc = f.get('poc', '')
+            rec = f.get('recommendation', f.get('fix', ''))
+            report += f'<div class=finding><div class=finding-header {sev}><span class=badge {sev}>{sev.upper()}</span><strong>{i}. {title}</strong></div><div class=finding-body><p><strong>端点:</strong> <code>{ep}</code></p><p>{desc}</p>'
+            if poc: report += f'<h4>PoC</h4><pre>{poc}</pre>'
+            if rec: report += f'<h4>修复建议</h4><p>{rec}</p>'
+            report += '</div></div>'
+    report += f'<p style=color:#666;font-size:12px;text-align:center;margin-top:20px>opencode-api-security-testing v5.2.2 | {now}</p></div></body></html>'
+print(report)
 "`;
           return await execShell(ctx, cmd);
         },