opencode-api-security-testing 5.4.3 → 5.4.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-api-security-testing",
-  "version": "5.4.3",
+  "version": "5.4.5",
   "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
   "type": "module",
   "main": "src/index.ts",
@@ -13,11 +13,11 @@
     "postinstall.mjs",
     "preuninstall.mjs"
   ],
-"scripts": {
-  "postinstall": "node postinstall.mjs",
-  "preuninstall": "node preuninstall.mjs",
-  "init": "node init.mjs"
-},
+  "scripts": {
+    "postinstall": "node postinstall.mjs",
+    "preuninstall": "node preuninstall.mjs",
+    "init": "node init.mjs"
+  },
   "keywords": [
     "opencode",
     "opencode-plugin",

package/src/index.ts

@@ -334,7 +334,118 @@ const CYBER_SUPERVISOR = DEFAULT_CONFIG.cyber_supervisor;
 const modelFailureCounts = new Map<string, Map<string, number>>();
 const sessionFailures = new Map<string, number>();
 
-// 首条消息追踪 (参考 oh-my-opencode 的 FirstMessageVariantGate 模式)
+// ============================================================================
+// 上下文注入系统 (参考 oh-my-openagent 的 ContextCollector 模式)
+// ============================================================================
+
+type ContextPriority = "critical" | "high" | "normal" | "low";
+
+interface ContextEntry {
+  id: string;
+  source: string;
+  content: string;
+  priority: ContextPriority;
+  registrationOrder: number;
+  metadata?: Record<string, unknown>;
+}
+
+interface PendingContext {
+  merged: string;
+  entries: ContextEntry[];
+  hasContent: boolean;
+}
+
+class ContextCollector {
+  private sessions = new Map<string, Map<string, ContextEntry>>();
+  private registrationCounter = 0;
+
+  register(sessionID: string, options: {
+    id: string;
+    source: string;
+    content: string;
+    priority?: ContextPriority;
+  metadata?: Record<string, unknown>;
+  }): void {
+    if (!this.sessions.has(sessionID)) {
+      this.sessions.set(sessionID, new Map());
+    }
+
+    const sessionMap = this.sessions.get(sessionID)!;
+    const key = `${options.source}:${options.id}`;
+
+    const entry: ContextEntry = {
+      id: options.id,
+      source: options.source,
+      content: options.content,
+      priority: options.priority ?? "normal",
+      registrationOrder: ++this.registrationCounter,
+      metadata: options.metadata,
+    };
+
+    sessionMap.set(key, entry);
+  }
+
+  getPending(sessionID: string): PendingContext {
+    const sessionMap = this.sessions.get(sessionID);
+
+    if (!sessionMap || sessionMap.size === 0) {
+      return {
+        merged: "",
+        entries: [],
+        hasContent: false,
+      };
+    }
+
+    const entries = this.sortEntries([...sessionMap.values()]);
+    const CONTEXT_SEPARATOR = "\n\n---\n\n";
+    const merged = entries.map(e => e.content).join(CONTEXT_SEPARATOR);
+
+    return {
+      merged,
+      entries,
+      hasContent: entries.length > 0
+    };
+  }
+
+  consume(sessionID: string): PendingContext {
+    const pending = this.getPending(sessionID);
+    this.clear(sessionID);
+    return pending;
+  }
+
+  clear(sessionID: string): void {
+    this.sessions.delete(sessionID);
+  }
+
+  hasPending(sessionID: string): boolean {
+    const sessionMap = this.sessions.get(sessionID);
+    return sessionMap !== undefined && sessionMap.size > 0;
+  }
+
+  private sortEntries(entries: ContextEntry[]): ContextEntry[] {
+    const PRIORITY_ORDER: Record<ContextPriority, number> = {
+      critical: 0,
+      high: 1,
+      normal: 2,
+      low: 3
+    };
+
+    return entries.sort((a, b) => {
+      const priorityDiff = PRIORITY_ORDER[a.priority] - PRIORITY_ORDER[b.priority];
+      if (priorityDiff !== 00 return priorityDiff;
+      return a.registrationOrder - b.registrationOrder;
+    });
+  }
+}
+
+// 全局上下文收集器实例
+const contextCollector = new ContextCollector();
+
+// 騡型回退状态追踪
+const modelFailureCounts = new Map<string, Map<string, number>>();
+const sessionFailures = new Map<string, number>();
+
+// 騡型回退状态追踪（保留向后兼容）
 const pendingFirstMessages = new Set<string>();
 const injectedSessions = new Set<string>();
 
@@ -472,31 +583,28 @@ function checkDeps(ctx: { directory: string }): string {
   return "";
 }
 
-function getAgentsDir(): string {
-  const home = process.env.HOME || process.env.USERPROFILE || "/root";
-  return join(home, AGENTS_DIR);
+// 获取插件内部的 agents 目录（而不是 ~/.config/opencode/agents/）
+function getPluginAgentsDir(): string {
+  // 使用插件的安装目录下的 agents 文件夹
+  const pluginDir = dirname(dirname(__filename));
+  return join(pluginDir, "agents");
 }
 
 function getInjectedAgentsPrompt(): string {
-  const agentsDir = getAgentsDir();
+  const agentsDir = getPluginAgentsDir();
   const agentsPath = join(agentsDir, "api-cyber-supervisor.md");
   
   if (!existsSync(agentsPath)) {
+    console.log(`[api-security-testing] Agent file not found: ${agentsPath}`);
     return "";
   }
 
   try {
     const content = readFileSync(agentsPath, "utf-8");
-    return `
-
-[API Security Testing Agents Available]
-When performing security testing tasks, you can use the following specialized agents:
-
-${content}
-
-To activate these agents, simply mention their name in your response (e.g., "@api-cyber-supervisor" to coordinate security testing).
-`;
-  } catch {
+    // 不添加 UI 显示的前缀，直接返回内容（将通过 synthetic part 注入）
+    return content;
+  } catch (e) {
+    console.log(`[api-security-testing] Failed to read agent file: ${e}`);
     return "";
   }
 }
@@ -1299,20 +1407,24 @@ print(json.dumps(result, ensure_ascii=False))
       }),
     },
 
-    // 赛博监工 Hook - chat.message
-    // 参考 oh-my-opencode 的 FirstMessageVariantGate 模式：只在首条消息注入一次
+    // 赛博监工 Hook - chat.message (保留用于向后兼容，但不再直接注入 agents)
     "chat.message": async (input, output) => {
       const sessionID = input.sessionID;
       
-      // 只在首条消息时注入 agents prompt (参考 oh-my-opencode 的 firstMessageVariantGate)
+      // 只在首条消息时注册上下文 (参考 oh-my-openagent 的 ContextCollector 模式)
       if (isFirstMessage(sessionID)) {
         const agentsPrompt = getInjectedAgentsPrompt();
         if (agentsPrompt) {
-          const parts = output.parts as Array<{ type: string; text?: string }>;
-          const textPart = parts.find(p => p.type === "text");
-          if (textPart && textPart.text) {
-            textPart.text += agentsPrompt;
-          }
+          // 注册到上下文收集器，而不是直接修改 output.parts
+          contextCollector.register(sessionID, {
+            id: "api-security-agents",
+            source: "plugin",
+            content: agentsPrompt,
+            priority: "high",
+          metadata: {
+            description: "API Security Testing Agents",
+            timestamp: Date.now().toISOString()
+          });
         }
         // 标记该 session 已注入 (参考 oh-my-opencode 的 markApplied)
         markFirstMessageApplied(sessionID);
@@ -1394,18 +1506,108 @@ ${LEVEL_PROMPTS[level]}
 
     // 会话事件处理
     event: async (input) => {
-      const { event } = input;
+      const { event } = input
 
       // 新会话创建 - 标记为首条消息待注入 (参考 oh-my-opencode)
       if (event.type === "session.created") {
         const props = event.properties as Record<string, unknown> | undefined;
         const sessionInfo = props?.info as { id?: string; parentID?: string } | undefined;
+
         // 只有主会话（非 fork）才注入
         if (sessionInfo?.id && !sessionInfo.parentID) {
           markSessionCreated(sessionInfo.id);
-          console.log(`[api-security-testing] New session created: ${sessionInfo.id}`);
+          console.log(`[api-security-testing] new session created: ${sessionInfo.id}`);
+        }
+      }
+
+      // 会话删除或压缩 - 清理状态
+      if (event.type === "session.deleted" || event.type === "session.compacted") {
+        const props = event.properties as Record<string, unknown> | undefined;
+        let sessionID: string | undefined;
+
+        if (event.type === "session.deleted") {
+          sessionID = (props?.info as { id?: string })?.id;
+        } else {
+          sessionID = (props?.sessionID ?? (props?.info as { id?: string })?.id) as string | undefined;
+        }
+
+        if (sessionID) {
+          clearSessionState(sessionID);
+          resetFailureCount(sessionID);
+          resetModelFailures(sessionID);
         }
       }
+    },
+
+    // 上下文注入 Hook - 使用 synthetic part 模式隐藏注入内容 (参考 oh-my-openagent)
+    // 这是关键！使用 synthetic: true 标记来隐藏 UI 显示
+    "experimental.chat.messages.transform": async (_input, output) => {
+      const { messages } = output;
+      
+      if (messages.length === 0) {
+        return;
+      }
+
+      // 找到最后一条用户消息
+      let lastUserMessageIndex = -1;
+      for (let i = messages.length - 1; i >= 0; i--) {
+        if (messages[i].info.role === "user") {
+          lastUserMessageIndex = i;
+          break;
+        }
+      }
+
+      if (lastUserMessageIndex === -1) {
+        return;
+      }
+
+      const lastUserMessage = messages[lastUserMessageIndex];
+      
+      // 获取 sessionID (参考 oh-my-openagent 的实现)
+      const messageSessionID = (lastUserMessage.info as unknown as { sessionID?: string }).sessionID;
+      const sessionID = messageSessionID ?? Array.from(pendingFirstMessages)[0];
+      
+      if (!sessionID) {
+        return;
+      }
+
+      // 检查是否有待注入的上下文
+      if (!contextCollector.hasPending(sessionID)) {
+        return;
+      }
+
+      const pending = contextCollector.consume(sessionID);
+      if (!pending.hasContent) {
+        return;
+      }
+
+      // 找到文本部分
+      const textPartIndex = lastUserMessage.parts.findIndex(
+        (p) => p.type === "text" && (p as { text?: string }).text
+      );
+
+      if (textPartIndex === -1) {
+        return;
+      }
+
+      // 创建 synthetic part - 关键！synthetic: true 隐藏 UI 显示
+      const syntheticPart = {
+        id: `synthetic_context_${sessionID}`,
+        messageID: lastUserMessage.info.id,
+        sessionID: sessionID,
+        type: "text" as const,
+        text: pending.merged,
+        synthetic: true,  // ← 这是关键！UI 中隐藏此内容
+      };
+
+      // 在文本部分之前插入 synthetic part
+      lastUserMessage.parts.splice(textPartIndex, 0, syntheticPart);
+
+      console.log(`[api-security-testing] Injected context via synthetic part, session=${sessionID}, length=${pending.merged.length}`);
+    },
+  };
+}
+      }
 
       // 会话删除或压缩 - 清理状态
       if (event.type === "session.deleted" || event.type === "session.compacted") {