npm - opencode-api-security-testing - Versions diffs - 5.4.3 → 5.4.4 - Mend

opencode-api-security-testing 5.4.3 → 5.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +6 -6
package/src/index.ts +216 -11

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-api-security-testing",
-  "version": "5.4.3",
+  "version": "5.4.4",
   "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
   "type": "module",
   "main": "src/index.ts",
@@ -13,11 +13,11 @@
     "postinstall.mjs",
     "preuninstall.mjs"
   ],
-"scripts": {
-  "postinstall": "node postinstall.mjs",
-  "preuninstall": "node preuninstall.mjs",
-  "init": "node init.mjs"
-},
+  "scripts": {
+    "postinstall": "node postinstall.mjs",
+    "preuninstall": "node preuninstall.mjs",
+    "init": "node init.mjs"
+  },
   "keywords": [
     "opencode",
     "opencode-plugin",

package/src/index.ts CHANGED Viewed

@@ -334,7 +334,118 @@ const CYBER_SUPERVISOR = DEFAULT_CONFIG.cyber_supervisor;
 const modelFailureCounts = new Map<string, Map<string, number>>();
 const sessionFailures = new Map<string, number>();
-// 首条消息追踪 (参考 oh-my-opencode 的 FirstMessageVariantGate 模式)
+// ============================================================================
+// 上下文注入系统 (参考 oh-my-openagent 的 ContextCollector 模式)
+// ============================================================================
+type ContextPriority = "critical" | "high" | "normal" | "low";
+interface ContextEntry {
+  id: string;
+  source: string;
+  content: string;
+  priority: ContextPriority;
+  registrationOrder: number;
+  metadata?: Record<string, unknown>;
+}
+interface PendingContext {
+  merged: string;
+  entries: ContextEntry[];
+  hasContent: boolean;
+}
+class ContextCollector {
+  private sessions = new Map<string, Map<string, ContextEntry>>();
+  private registrationCounter = 0;
+  register(sessionID: string, options: {
+    id: string;
+    source: string;
+    content: string;
+    priority?: ContextPriority;
+  metadata?: Record<string, unknown>;
+  }): void {
+    if (!this.sessions.has(sessionID)) {
+      this.sessions.set(sessionID, new Map());
+    }
+    const sessionMap = this.sessions.get(sessionID)!;
+    const key = `${options.source}:${options.id}`;
+    const entry: ContextEntry = {
+      id: options.id,
+      source: options.source,
+      content: options.content,
+      priority: options.priority ?? "normal",
+      registrationOrder: ++this.registrationCounter,
+      metadata: options.metadata,
+    };
+    sessionMap.set(key, entry);
+  }
+  getPending(sessionID: string): PendingContext {
+    const sessionMap = this.sessions.get(sessionID);
+    if (!sessionMap || sessionMap.size === 0) {
+      return {
+        merged: "",
+        entries: [],
+        hasContent: false,
+      };
+    }
+    const entries = this.sortEntries([...sessionMap.values()]);
+    const CONTEXT_SEPARATOR = "\n\n---\n\n";
+    const merged = entries.map(e => e.content).join(CONTEXT_SEPARATOR);
+    return {
+      merged,
+      entries,
+      hasContent: entries.length > 0
+    };
+  }
+  consume(sessionID: string): PendingContext {
+    const pending = this.getPending(sessionID);
+    this.clear(sessionID);
+    return pending;
+  }
+  clear(sessionID: string): void {
+    this.sessions.delete(sessionID);
+  }
+  hasPending(sessionID: string): boolean {
+    const sessionMap = this.sessions.get(sessionID);
+    return sessionMap !== undefined && sessionMap.size > 0;
+  }
+  private sortEntries(entries: ContextEntry[]): ContextEntry[] {
+    const PRIORITY_ORDER: Record<ContextPriority, number> = {
+      critical: 0,
+      high: 1,
+      normal: 2,
+      low: 3
+    };
+    return entries.sort((a, b) => {
+      const priorityDiff = PRIORITY_ORDER[a.priority] - PRIORITY_ORDER[b.priority];
+      if (priorityDiff !== 00 return priorityDiff;
+      return a.registrationOrder - b.registrationOrder;
+    });
+  }
+}
+// 全局上下文收集器实例
+const contextCollector = new ContextCollector();
+// 騡型回退状态追踪
+const modelFailureCounts = new Map<string, Map<string, number>>();
+const sessionFailures = new Map<string, number>();
+// 騡型回退状态追踪（保留向后兼容）
 const pendingFirstMessages = new Set<string>();
 const injectedSessions = new Set<string>();
@@ -1299,20 +1410,24 @@ print(json.dumps(result, ensure_ascii=False))
       }),
     },
-    // 赛博监工 Hook - chat.message
-    // 参考 oh-my-opencode 的 FirstMessageVariantGate 模式：只在首条消息注入一次
+    // 赛博监工 Hook - chat.message (保留用于向后兼容，但不再直接注入 agents)
     "chat.message": async (input, output) => {
       const sessionID = input.sessionID;
-      // 只在首条消息时注入 agents prompt (参考 oh-my-opencode 的 firstMessageVariantGate)
+      // 只在首条消息时注册上下文 (参考 oh-my-openagent 的 ContextCollector 模式)
       if (isFirstMessage(sessionID)) {
         const agentsPrompt = getInjectedAgentsPrompt();
         if (agentsPrompt) {
-          const parts = output.parts as Array<{ type: string; text?: string }>;
-          const textPart = parts.find(p => p.type === "text");
-          if (textPart && textPart.text) {
-            textPart.text += agentsPrompt;
-          }
+          // 注册到上下文收集器，而不是直接修改 output.parts
+          contextCollector.register(sessionID, {
+            id: "api-security-agents",
+            source: "plugin",
+            content: agentsPrompt,
+            priority: "high",
+          metadata: {
+            description: "API Security Testing Agents",
+            timestamp: Date.now().toISOString()
+          });
         }
         // 标记该 session 已注入 (参考 oh-my-opencode 的 markApplied)
         markFirstMessageApplied(sessionID);
@@ -1394,16 +1509,17 @@ ${LEVEL_PROMPTS[level]}
     // 会话事件处理
     event: async (input) => {
-      const { event } = input;
+      const { event } = input
       // 新会话创建 - 标记为首条消息待注入 (参考 oh-my-opencode)
       if (event.type === "session.created") {
         const props = event.properties as Record<string, unknown> | undefined;
         const sessionInfo = props?.info as { id?: string; parentID?: string } | undefined;
         // 只有主会话（非 fork）才注入
         if (sessionInfo?.id && !sessionInfo.parentID) {
           markSessionCreated(sessionInfo.id);
-          console.log(`[api-security-testing] New session created: ${sessionInfo.id}`);
+          console.log(`[api-security-testing] new session created: ${sessionInfo.id}`);
         }
       }
@@ -1425,6 +1541,95 @@ ${LEVEL_PROMPTS[level]}
         }
       }
     },
+    // 上下文注入 Hook - 使用 synthetic part 模式隐藏注入内容 (参考 oh-my-openagent)
+    // 这是关键！使用 synthetic: true 标记来隐藏 UI 显示
+    "experimental.chat.messages.transform": async (_input, output) => {
+      const { messages } = output;
+      if (messages.length === 0) {
+        return;
+      }
+      // 找到最后一条用户消息
+      let lastUserMessageIndex = -1;
+      for (let i = messages.length - 1; i >= 0; i--) {
+        if (messages[i].info.role === "user") {
+          lastUserMessageIndex = i;
+          break;
+        }
+      }
+      if (lastUserMessageIndex === -1) {
+        return;
+      }
+      const lastUserMessage = messages[lastUserMessageIndex];
+      // 获取 sessionID (参考 oh-my-openagent 的实现)
+      const messageSessionID = (lastUserMessage.info as unknown as { sessionID?: string }).sessionID;
+      const sessionID = messageSessionID ?? Array.from(pendingFirstMessages)[0];
+      if (!sessionID) {
+        return;
+      }
+      // 检查是否有待注入的上下文
+      if (!contextCollector.hasPending(sessionID)) {
+        return;
+      }
+      const pending = contextCollector.consume(sessionID);
+      if (!pending.hasContent) {
+        return;
+      }
+      // 找到文本部分
+      const textPartIndex = lastUserMessage.parts.findIndex(
+        (p) => p.type === "text" && (p as { text?: string }).text
+      );
+      if (textPartIndex === -1) {
+        return;
+      }
+      // 创建 synthetic part - 关键！synthetic: true 隐藏 UI 显示
+      const syntheticPart = {
+        id: `synthetic_context_${sessionID}`,
+        messageID: lastUserMessage.info.id,
+        sessionID: sessionID,
+        type: "text" as const,
+        text: pending.merged,
+        synthetic: true,  // ← 这是关键！UI 中隐藏此内容
+      };
+      // 在文本部分之前插入 synthetic part
+      lastUserMessage.parts.splice(textPartIndex, 0, syntheticPart);
+      console.log(`[api-security-testing] Injected context via synthetic part, session=${sessionID}, length=${pending.merged.length}`);
+    },
+  };
+}
+      }
+      // 会话删除或压缩 - 清理状态
+      if (event.type === "session.deleted" || event.type === "session.compacted") {
+        const props = event.properties as Record<string, unknown> | undefined;
+        let sessionID: string | undefined;
+        if (event.type === "session.deleted") {
+          sessionID = (props?.info as { id?: string })?.id;
+        } else {
+          sessionID = (props?.sessionID ?? (props?.info as { id?: string })?.id) as string | undefined;
+        }
+        if (sessionID) {
+          clearSessionState(sessionID);
+          resetFailureCount(sessionID);
+          resetModelFailures(sessionID);
+        }
+      }
+    },
   };
 };