npm - opencode-api-security-testing - Versions diffs - 5.4.3 → 5.4.5 - Mend

opencode-api-security-testing 5.4.3 → 5.4.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +6 -6
package/src/index.ts +227 -25

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-api-security-testing",
-  "version": "5.4.3",
+  "version": "5.4.5",
   "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
   "type": "module",
   "main": "src/index.ts",
@@ -13,11 +13,11 @@
     "postinstall.mjs",
     "preuninstall.mjs"
   ],
-"scripts": {
-  "postinstall": "node postinstall.mjs",
-  "preuninstall": "node preuninstall.mjs",
-  "init": "node init.mjs"
-},
+  "scripts": {
+    "postinstall": "node postinstall.mjs",
+    "preuninstall": "node preuninstall.mjs",
+    "init": "node init.mjs"
+  },
   "keywords": [
     "opencode",
     "opencode-plugin",

package/src/index.ts CHANGED Viewed

@@ -334,7 +334,118 @@ const CYBER_SUPERVISOR = DEFAULT_CONFIG.cyber_supervisor;
 const modelFailureCounts = new Map<string, Map<string, number>>();
 const sessionFailures = new Map<string, number>();
-// 首条消息追踪 (参考 oh-my-opencode 的 FirstMessageVariantGate 模式)
+// ============================================================================
+// 上下文注入系统 (参考 oh-my-openagent 的 ContextCollector 模式)
+// ============================================================================
+type ContextPriority = "critical" | "high" | "normal" | "low";
+interface ContextEntry {
+  id: string;
+  source: string;
+  content: string;
+  priority: ContextPriority;
+  registrationOrder: number;
+  metadata?: Record<string, unknown>;
+}
+interface PendingContext {
+  merged: string;
+  entries: ContextEntry[];
+  hasContent: boolean;
+}
+class ContextCollector {
+  private sessions = new Map<string, Map<string, ContextEntry>>();
+  private registrationCounter = 0;
+  register(sessionID: string, options: {
+    id: string;
+    source: string;
+    content: string;
+    priority?: ContextPriority;
+  metadata?: Record<string, unknown>;
+  }): void {
+    if (!this.sessions.has(sessionID)) {
+      this.sessions.set(sessionID, new Map());
+    }
+    const sessionMap = this.sessions.get(sessionID)!;
+    const key = `${options.source}:${options.id}`;
+    const entry: ContextEntry = {
+      id: options.id,
+      source: options.source,
+      content: options.content,
+      priority: options.priority ?? "normal",
+      registrationOrder: ++this.registrationCounter,
+      metadata: options.metadata,
+    };
+    sessionMap.set(key, entry);
+  }
+  getPending(sessionID: string): PendingContext {
+    const sessionMap = this.sessions.get(sessionID);
+    if (!sessionMap || sessionMap.size === 0) {
+      return {
+        merged: "",
+        entries: [],
+        hasContent: false,
+      };
+    }
+    const entries = this.sortEntries([...sessionMap.values()]);
+    const CONTEXT_SEPARATOR = "\n\n---\n\n";
+    const merged = entries.map(e => e.content).join(CONTEXT_SEPARATOR);
+    return {
+      merged,
+      entries,
+      hasContent: entries.length > 0
+    };
+  }
+  consume(sessionID: string): PendingContext {
+    const pending = this.getPending(sessionID);
+    this.clear(sessionID);
+    return pending;
+  }
+  clear(sessionID: string): void {
+    this.sessions.delete(sessionID);
+  }
+  hasPending(sessionID: string): boolean {
+    const sessionMap = this.sessions.get(sessionID);
+    return sessionMap !== undefined && sessionMap.size > 0;
+  }
+  private sortEntries(entries: ContextEntry[]): ContextEntry[] {
+    const PRIORITY_ORDER: Record<ContextPriority, number> = {
+      critical: 0,
+      high: 1,
+      normal: 2,
+      low: 3
+    };
+    return entries.sort((a, b) => {
+      const priorityDiff = PRIORITY_ORDER[a.priority] - PRIORITY_ORDER[b.priority];
+      if (priorityDiff !== 00 return priorityDiff;
+      return a.registrationOrder - b.registrationOrder;
+    });
+  }
+}
+// 全局上下文收集器实例
+const contextCollector = new ContextCollector();
+// 騡型回退状态追踪
+const modelFailureCounts = new Map<string, Map<string, number>>();
+const sessionFailures = new Map<string, number>();
+// 騡型回退状态追踪（保留向后兼容）
 const pendingFirstMessages = new Set<string>();
 const injectedSessions = new Set<string>();
@@ -472,31 +583,28 @@ function checkDeps(ctx: { directory: string }): string {
   return "";
 }
-function getAgentsDir(): string {
-  const home = process.env.HOME || process.env.USERPROFILE || "/root";
-  return join(home, AGENTS_DIR);
+// 获取插件内部的 agents 目录（而不是 ~/.config/opencode/agents/）
+function getPluginAgentsDir(): string {
+  // 使用插件的安装目录下的 agents 文件夹
+  const pluginDir = dirname(dirname(__filename));
+  return join(pluginDir, "agents");
 }
 function getInjectedAgentsPrompt(): string {
-  const agentsDir = getAgentsDir();
+  const agentsDir = getPluginAgentsDir();
   const agentsPath = join(agentsDir, "api-cyber-supervisor.md");
   if (!existsSync(agentsPath)) {
+    console.log(`[api-security-testing] Agent file not found: ${agentsPath}`);
     return "";
   }
   try {
     const content = readFileSync(agentsPath, "utf-8");
-    return `
-[API Security Testing Agents Available]
-When performing security testing tasks, you can use the following specialized agents:
-${content}
-To activate these agents, simply mention their name in your response (e.g., "@api-cyber-supervisor" to coordinate security testing).
-`;
-  } catch {
+    // 不添加 UI 显示的前缀，直接返回内容（将通过 synthetic part 注入）
+    return content;
+  } catch (e) {
+    console.log(`[api-security-testing] Failed to read agent file: ${e}`);
     return "";
   }
 }
@@ -1299,20 +1407,24 @@ print(json.dumps(result, ensure_ascii=False))
       }),
     },
-    // 赛博监工 Hook - chat.message
-    // 参考 oh-my-opencode 的 FirstMessageVariantGate 模式：只在首条消息注入一次
+    // 赛博监工 Hook - chat.message (保留用于向后兼容，但不再直接注入 agents)
     "chat.message": async (input, output) => {
       const sessionID = input.sessionID;
-      // 只在首条消息时注入 agents prompt (参考 oh-my-opencode 的 firstMessageVariantGate)
+      // 只在首条消息时注册上下文 (参考 oh-my-openagent 的 ContextCollector 模式)
       if (isFirstMessage(sessionID)) {
         const agentsPrompt = getInjectedAgentsPrompt();
         if (agentsPrompt) {
-          const parts = output.parts as Array<{ type: string; text?: string }>;
-          const textPart = parts.find(p => p.type === "text");
-          if (textPart && textPart.text) {
-            textPart.text += agentsPrompt;
-          }
+          // 注册到上下文收集器，而不是直接修改 output.parts
+          contextCollector.register(sessionID, {
+            id: "api-security-agents",
+            source: "plugin",
+            content: agentsPrompt,
+            priority: "high",
+          metadata: {
+            description: "API Security Testing Agents",
+            timestamp: Date.now().toISOString()
+          });
         }
         // 标记该 session 已注入 (参考 oh-my-opencode 的 markApplied)
         markFirstMessageApplied(sessionID);
@@ -1394,18 +1506,108 @@ ${LEVEL_PROMPTS[level]}
     // 会话事件处理
     event: async (input) => {
-      const { event } = input;
+      const { event } = input
       // 新会话创建 - 标记为首条消息待注入 (参考 oh-my-opencode)
       if (event.type === "session.created") {
         const props = event.properties as Record<string, unknown> | undefined;
         const sessionInfo = props?.info as { id?: string; parentID?: string } | undefined;
         // 只有主会话（非 fork）才注入
         if (sessionInfo?.id && !sessionInfo.parentID) {
           markSessionCreated(sessionInfo.id);
-          console.log(`[api-security-testing] New session created: ${sessionInfo.id}`);
+          console.log(`[api-security-testing] new session created: ${sessionInfo.id}`);
+        }
+      }
+      // 会话删除或压缩 - 清理状态
+      if (event.type === "session.deleted" || event.type === "session.compacted") {
+        const props = event.properties as Record<string, unknown> | undefined;
+        let sessionID: string | undefined;
+        if (event.type === "session.deleted") {
+          sessionID = (props?.info as { id?: string })?.id;
+        } else {
+          sessionID = (props?.sessionID ?? (props?.info as { id?: string })?.id) as string | undefined;
+        }
+        if (sessionID) {
+          clearSessionState(sessionID);
+          resetFailureCount(sessionID);
+          resetModelFailures(sessionID);
         }
       }
+    },
+    // 上下文注入 Hook - 使用 synthetic part 模式隐藏注入内容 (参考 oh-my-openagent)
+    // 这是关键！使用 synthetic: true 标记来隐藏 UI 显示
+    "experimental.chat.messages.transform": async (_input, output) => {
+      const { messages } = output;
+      if (messages.length === 0) {
+        return;
+      }
+      // 找到最后一条用户消息
+      let lastUserMessageIndex = -1;
+      for (let i = messages.length - 1; i >= 0; i--) {
+        if (messages[i].info.role === "user") {
+          lastUserMessageIndex = i;
+          break;
+        }
+      }
+      if (lastUserMessageIndex === -1) {
+        return;
+      }
+      const lastUserMessage = messages[lastUserMessageIndex];
+      // 获取 sessionID (参考 oh-my-openagent 的实现)
+      const messageSessionID = (lastUserMessage.info as unknown as { sessionID?: string }).sessionID;
+      const sessionID = messageSessionID ?? Array.from(pendingFirstMessages)[0];
+      if (!sessionID) {
+        return;
+      }
+      // 检查是否有待注入的上下文
+      if (!contextCollector.hasPending(sessionID)) {
+        return;
+      }
+      const pending = contextCollector.consume(sessionID);
+      if (!pending.hasContent) {
+        return;
+      }
+      // 找到文本部分
+      const textPartIndex = lastUserMessage.parts.findIndex(
+        (p) => p.type === "text" && (p as { text?: string }).text
+      );
+      if (textPartIndex === -1) {
+        return;
+      }
+      // 创建 synthetic part - 关键！synthetic: true 隐藏 UI 显示
+      const syntheticPart = {
+        id: `synthetic_context_${sessionID}`,
+        messageID: lastUserMessage.info.id,
+        sessionID: sessionID,
+        type: "text" as const,
+        text: pending.merged,
+        synthetic: true,  // ← 这是关键！UI 中隐藏此内容
+      };
+      // 在文本部分之前插入 synthetic part
+      lastUserMessage.parts.splice(textPartIndex, 0, syntheticPart);
+      console.log(`[api-security-testing] Injected context via synthetic part, session=${sessionID}, length=${pending.merged.length}`);
+    },
+  };
+}
+      }
       // 会话删除或压缩 - 清理状态
       if (event.type === "session.deleted" || event.type === "session.compacted") {