openhacker 0.0.0 → 0.1.0

package/templates/agent/app/actions.ts

@@ -0,0 +1,120 @@
+"use server";
+
+import { cookies } from "next/headers";
+import { redirect } from "next/navigation";
+import { revalidatePath } from "next/cache";
+import { SESSION_COOKIE, adminPassword, sessionToken } from "@/agent/lib/auth";
+import { checkRepoAccess } from "@/agent/lib/github";
+import { runScan } from "@/agent/lib/scan";
+import { getStore } from "@/agent/lib/store";
+import { DEFAULT_SETTINGS, type Finding, type Target } from "@/agent/lib/types";
+
+function parseRepo(input: string): string | null {
+  const trimmed = input.trim().replace(/\.git$/, "");
+  const url = trimmed.match(/github\.com[/:]([^/]+\/[^/]+)/);
+  const candidate = url ? url[1] : trimmed;
+  return /^[^/\s]+\/[^/\s]+$/.test(candidate) ? candidate : null;
+}
+
+export async function login(formData: FormData): Promise<void> {
+  const password = String(formData.get("password") ?? "");
+  const next = String(formData.get("next") ?? "/") || "/";
+  const expected = adminPassword();
+
+  if (!expected || password !== expected) {
+    redirect(`/login?error=1&next=${encodeURIComponent(next)}`);
+  }
+
+  const jar = await cookies();
+  jar.set(SESSION_COOKIE, await sessionToken(password), {
+    httpOnly: true,
+    sameSite: "lax",
+    secure: process.env.NODE_ENV === "production",
+    path: "/",
+    maxAge: 60 * 60 * 24 * 30,
+  });
+  redirect(next);
+}
+
+export async function logout(): Promise<void> {
+  const jar = await cookies();
+  jar.delete(SESSION_COOKIE);
+  redirect("/login");
+}
+
+export async function addTarget(formData: FormData): Promise<void> {
+  const repo = parseRepo(String(formData.get("repo") ?? ""));
+  if (!repo) redirect("/?error=invalid-repo");
+
+  const name = String(formData.get("name") ?? "").trim() || repo.split("/")[1];
+  const branchInput = String(formData.get("branch") ?? "").trim();
+  const token = String(formData.get("token") ?? "").trim();
+  const autoRemediate = formData.get("autoRemediate") === "on";
+
+  const access = await checkRepoAccess(repo, token || null);
+  const branch = branchInput || access.defaultBranch || "main";
+
+  const target: Target = {
+    id: crypto.randomUUID(),
+    name,
+    repo,
+    branch,
+    provider: "github",
+    hasToken: Boolean(token),
+    autoRemediate,
+    createdAt: new Date().toISOString(),
+  };
+
+  const store = getStore();
+  await store.saveTarget(target);
+  if (token) await store.setTargetToken(target.id, token);
+
+  revalidatePath("/");
+  redirect(`/targets/${target.id}`);
+}
+
+export async function deleteTarget(formData: FormData): Promise<void> {
+  const id = String(formData.get("id") ?? "");
+  if (id) await getStore().deleteTarget(id);
+  revalidatePath("/");
+  redirect("/");
+}
+
+export async function scanTarget(formData: FormData): Promise<void> {
+  const id = String(formData.get("id") ?? "");
+  if (id) await runScan(id);
+  revalidatePath("/");
+  revalidatePath(`/targets/${id}`);
+}
+
+export async function setFindingStatus(formData: FormData): Promise<void> {
+  const targetId = String(formData.get("targetId") ?? "");
+  const findingId = String(formData.get("findingId") ?? "");
+  const status = String(formData.get("status") ?? "open") as Finding["status"];
+
+  const store = getStore();
+  const findings = await store.listFindings(targetId);
+  const match = findings.find((f) => f.id === findingId);
+  if (match) await store.upsertFinding({ ...match, status });
+
+  revalidatePath(`/targets/${targetId}`);
+}
+
+export async function saveSettings(formData: FormData): Promise<void> {
+  const store = getStore();
+  const current = await store.getSettings();
+  await store.saveSettings({
+    ...DEFAULT_SETTINGS,
+    ...current,
+    model: String(formData.get("model") ?? current.model) || DEFAULT_SETTINGS.model,
+    autoRemediate: formData.get("autoRemediate") === "on",
+    integrations: {
+      github: { connected: formData.get("githubConnected") === "on" },
+      hackerone: {
+        connected: formData.get("hackeroneConnected") === "on",
+        handle: String(formData.get("hackeroneHandle") ?? "").trim() || undefined,
+      },
+    },
+  });
+  revalidatePath("/settings");
+}

package/templates/agent/app/api/scan/route.ts

@@ -0,0 +1,34 @@
+import { runScan } from "@/agent/lib/scan";
+import { getStore } from "@/agent/lib/store";
+
+export const runtime = "nodejs";
+
+function authorized(req: Request): boolean {
+  const token = process.env.OPENHACKER_API_TOKEN;
+  if (!token) return true; // no API token configured — allow (dev)
+  const header = req.headers.get("authorization") ?? "";
+  return header === `Bearer ${token}`;
+}
+
+/** Trigger a scan programmatically. Body: { targetId?: string } — omit to scan all. */
+export async function POST(req: Request): Promise<Response> {
+  if (!authorized(req)) {
+    return Response.json({ error: "unauthorized" }, { status: 401 });
+  }
+
+  let targetId: string | undefined;
+  try {
+    const body = (await req.json()) as { targetId?: string };
+    targetId = body.targetId;
+  } catch {
+    // no body — scan all
+  }
+
+  const store = getStore();
+  const targets = targetId ? [targetId] : (await store.listTargets()).map((t) => t.id);
+  const results = await Promise.all(
+    targets.map(async (id) => ({ targetId: id, ...(await runScan(id)) })),
+  );
+
+  return Response.json({ scanned: results.length, results });
+}

package/templates/agent/app/globals.css

@@ -0,0 +1,280 @@
+:root {
+  --bg: #000000;
+  --panel: #0d0d0d;
+  --panel-2: #161616;
+  --border: #2a2a2a;
+  --text: #f5f5f5;
+  --muted: #8f8f8f;
+  --accent: #ffffff;
+  --accent-dim: #333333;
+  --crit: #ffffff;
+  --high: #cfcfcf;
+  --med: #9a9a9a;
+  --low: #6f6f6f;
+  --info: #555555;
+  --ok: #f5f5f5;
+}
+
+* {
+  box-sizing: border-box;
+}
+
+html,
+body {
+  margin: 0;
+  padding: 0;
+  background: var(--bg);
+  color: var(--text);
+  font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+  font-size: 14px;
+  line-height: 1.5;
+}
+
+a {
+  color: var(--accent);
+  text-decoration: none;
+}
+a:hover {
+  text-decoration: underline;
+}
+
+.nav {
+  display: flex;
+  align-items: center;
+  gap: 20px;
+  padding: 14px 24px;
+  border-bottom: 1px solid var(--border);
+  background: var(--panel);
+}
+.nav .brand {
+  font-weight: 700;
+  letter-spacing: 0.5px;
+  color: var(--text);
+}
+.nav .brand span {
+  color: var(--accent);
+}
+.nav .spacer {
+  flex: 1;
+}
+.nav a {
+  color: var(--muted);
+}
+.nav a:hover {
+  color: var(--text);
+  text-decoration: none;
+}
+
+.container {
+  max-width: 960px;
+  margin: 0 auto;
+  padding: 28px 24px 80px;
+}
+
+h1 {
+  font-size: 20px;
+  margin: 0 0 4px;
+}
+h2 {
+  font-size: 15px;
+  margin: 28px 0 12px;
+  color: var(--muted);
+  text-transform: uppercase;
+  letter-spacing: 1px;
+}
+.sub {
+  color: var(--muted);
+  margin: 0 0 24px;
+}
+
+.panel {
+  background: var(--panel);
+  border: 1px solid var(--border);
+  border-radius: 10px;
+  padding: 18px;
+  margin-bottom: 16px;
+}
+
+.card {
+  background: var(--panel);
+  border: 1px solid var(--border);
+  border-radius: 10px;
+  padding: 16px 18px;
+  margin-bottom: 12px;
+  display: flex;
+  align-items: center;
+  gap: 16px;
+}
+.card .grow {
+  flex: 1;
+  min-width: 0;
+}
+.card .repo {
+  font-weight: 600;
+}
+.card .meta {
+  color: var(--muted);
+  font-size: 12px;
+  margin-top: 2px;
+}
+
+label {
+  display: block;
+  font-size: 12px;
+  color: var(--muted);
+  margin-bottom: 6px;
+}
+input[type="text"],
+input[type="password"],
+select {
+  width: 100%;
+  background: var(--panel-2);
+  border: 1px solid var(--border);
+  color: var(--text);
+  border-radius: 8px;
+  padding: 9px 11px;
+  font: inherit;
+}
+input:focus,
+select:focus {
+  outline: none;
+  border-color: var(--accent);
+}
+.row {
+  display: flex;
+  gap: 12px;
+  flex-wrap: wrap;
+  margin-bottom: 12px;
+}
+.row > div {
+  flex: 1;
+  min-width: 160px;
+}
+.check {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+}
+.check label {
+  margin: 0;
+}
+
+button,
+.btn {
+  background: var(--accent);
+  color: #000000;
+  border: none;
+  border-radius: 8px;
+  padding: 9px 14px;
+  font: inherit;
+  font-weight: 600;
+  cursor: pointer;
+}
+button:hover {
+  filter: brightness(1.08);
+}
+.btn-ghost {
+  background: transparent;
+  color: var(--muted);
+  border: 1px solid var(--border);
+}
+.btn-ghost:hover {
+  color: var(--text);
+}
+.btn-danger {
+  background: transparent;
+  color: var(--crit);
+  border: 1px solid var(--accent-dim);
+}
+
+.badge {
+  display: inline-block;
+  padding: 1px 8px;
+  border-radius: 20px;
+  font-size: 11px;
+  font-weight: 700;
+  text-transform: uppercase;
+  letter-spacing: 0.5px;
+  border: 1px solid var(--border);
+  background: transparent;
+  color: var(--text);
+}
+.sev-critical {
+  background: #ffffff;
+  color: #000000;
+  border-color: #ffffff;
+}
+.sev-high {
+  color: #ffffff;
+  border-color: #cfcfcf;
+  background: rgba(255, 255, 255, 0.1);
+}
+.sev-medium {
+  color: var(--high);
+  border-color: #5a5a5a;
+}
+.sev-low {
+  color: var(--med);
+  border-color: #3a3a3a;
+}
+.sev-info {
+  color: var(--info);
+  border-color: #2a2a2a;
+}
+
+.counts {
+  display: flex;
+  gap: 6px;
+}
+
+table {
+  width: 100%;
+  border-collapse: collapse;
+}
+th,
+td {
+  text-align: left;
+  padding: 10px 12px;
+  border-bottom: 1px solid var(--border);
+  vertical-align: top;
+  font-size: 13px;
+}
+th {
+  color: var(--muted);
+  font-size: 11px;
+  text-transform: uppercase;
+  letter-spacing: 0.5px;
+}
+
+.banner {
+  border: 1px solid var(--border);
+  background: rgba(255, 255, 255, 0.04);
+  color: var(--text);
+  border-radius: 8px;
+  padding: 10px 14px;
+  margin-bottom: 18px;
+  font-size: 13px;
+}
+.empty {
+  color: var(--muted);
+  padding: 24px;
+  text-align: center;
+  border: 1px dashed var(--border);
+  border-radius: 10px;
+}
+.inline {
+  display: inline;
+}
+.actions {
+  display: flex;
+  gap: 8px;
+  align-items: center;
+}
+.mono-sm {
+  font-size: 12px;
+  color: var(--muted);
+}
+.login-wrap {
+  max-width: 360px;
+  margin: 12vh auto 0;
+}

package/templates/agent/app/layout.tsx

@@ -0,0 +1,35 @@
+import type { Metadata } from "next";
+import Link from "next/link";
+import { authEnabled } from "@/agent/lib/auth";
+import { logout } from "./actions";
+import "./globals.css";
+
+export const metadata: Metadata = {
+  title: "OpenHacker",
+  description: "Autonomous application security agent",
+};
+
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+  return (
+    <html lang="en">
+      <body>
+        <nav className="nav">
+          <Link href="/" className="brand">
+            open<span>hacker</span>
+          </Link>
+          <div className="spacer" />
+          <Link href="/">Dashboard</Link>
+          <Link href="/settings">Settings</Link>
+          {authEnabled() ? (
+            <form action={logout} className="inline">
+              <button className="btn-ghost" type="submit">
+                Sign out
+              </button>
+            </form>
+          ) : null}
+        </nav>
+        {children}
+      </body>
+    </html>
+  );
+}

package/templates/agent/app/login/page.tsx

@@ -0,0 +1,40 @@
+import { authEnabled } from "@/agent/lib/auth";
+import { login } from "../actions";
+
+export const dynamic = "force-dynamic";
+
+export default async function LoginPage({
+  searchParams,
+}: {
+  searchParams: Promise<{ error?: string; next?: string }>;
+}) {
+  const { error, next } = await searchParams;
+
+  return (
+    <main className="container">
+      <div className="login-wrap">
+        <h1>
+          open<span style={{ color: "var(--accent)" }}>hacker</span>
+        </h1>
+        <p className="sub">Sign in to your instance.</p>
+
+        {!authEnabled() ? (
+          <div className="banner">
+            No admin password is set. The dashboard is currently open — set{" "}
+            <code>OPENHACKER_ADMIN_PASSWORD</code> to require sign-in.
+          </div>
+        ) : null}
+        {error ? <div className="banner">Incorrect password.</div> : null}
+
+        <form action={login} className="panel">
+          <input type="hidden" name="next" value={next ?? "/"} />
+          <label htmlFor="password">Password</label>
+          <input id="password" name="password" type="password" autoFocus required />
+          <button type="submit" style={{ marginTop: 14 }}>
+            Sign in
+          </button>
+        </form>
+      </div>
+    </main>
+  );
+}

package/templates/agent/app/page.tsx

@@ -0,0 +1,114 @@
+import Link from "next/link";
+import { getStore, isPersistent } from "@/agent/lib/store";
+import { SeverityCounts } from "./_components/ui";
+import { addTarget, deleteTarget, scanTarget } from "./actions";
+
+export const dynamic = "force-dynamic";
+
+export default async function Dashboard({
+  searchParams,
+}: {
+  searchParams: Promise<{ error?: string }>;
+}) {
+  const { error } = await searchParams;
+  const store = getStore();
+  const targets = await store.listTargets();
+  const findingsByTarget = new Map(
+    await Promise.all(
+      targets.map(async (t) => [t.id, await store.listFindings(t.id)] as const),
+    ),
+  );
+
+  return (
+    <main className="container">
+      <h1>Targets</h1>
+      <p className="sub">Repositories OpenHacker continuously scans for vulnerabilities.</p>
+
+      {!isPersistent() ? (
+        <div className="banner">
+          Using an in-memory store — data will not persist across restarts/deploys. Add a Vercel KV
+          or Upstash Redis integration and set <code>KV_REST_API_URL</code> /{" "}
+          <code>KV_REST_API_TOKEN</code> to persist.
+        </div>
+      ) : null}
+      {error === "invalid-repo" ? (
+        <div className="banner">Enter a valid GitHub repository (owner/name or a github.com URL).</div>
+      ) : null}
+
+      <div className="panel">
+        <h2 style={{ marginTop: 0 }}>Add a target</h2>
+        <form action={addTarget}>
+          <div className="row">
+            <div>
+              <label htmlFor="repo">GitHub repository</label>
+              <input id="repo" name="repo" type="text" placeholder="owner/name or URL" required />
+            </div>
+            <div>
+              <label htmlFor="branch">Branch (optional)</label>
+              <input id="branch" name="branch" type="text" placeholder="default branch" />
+            </div>
+          </div>
+          <div className="row">
+            <div>
+              <label htmlFor="name">Display name (optional)</label>
+              <input id="name" name="name" type="text" placeholder="My app" />
+            </div>
+            <div>
+              <label htmlFor="token">Access token (optional, for private repos)</label>
+              <input id="token" name="token" type="password" placeholder="ghp_..." />
+            </div>
+          </div>
+          <div className="check" style={{ marginBottom: 14 }}>
+            <input id="autoRemediate" name="autoRemediate" type="checkbox" />
+            <label htmlFor="autoRemediate">Open remediation PRs automatically</label>
+          </div>
+          <button type="submit">Add target</button>
+        </form>
+      </div>
+
+      <h2>Configured targets</h2>
+      {targets.length === 0 ? (
+        <div className="empty">No targets yet. Add a repository above to start scanning.</div>
+      ) : (
+        targets.map((t) => {
+          const findings = findingsByTarget.get(t.id) ?? [];
+          return (
+            <div className="card" key={t.id}>
+              <div className="grow">
+                <div className="repo">
+                  <Link href={`/targets/${t.id}`}>{t.name}</Link>{" "}
+                  <span className="mono-sm">{t.repo}@{t.branch}</span>
+                </div>
+                <div className="meta">
+                  {t.lastScanAt
+                    ? `last scan ${new Date(t.lastScanAt).toLocaleString()}${
+                        t.lastScanStatus === "error" ? ` — error: ${t.lastScanError}` : ""
+                      }`
+                    : "never scanned"}
+                </div>
+                <div style={{ marginTop: 8 }}>
+                  <SeverityCounts findings={findings} />
+                </div>
+              </div>
+              <div className="actions">
+                <form action={scanTarget} className="inline">
+                  <input type="hidden" name="id" value={t.id} />
+                  <button type="submit">Scan now</button>
+                </form>
+                <Link className="btn btn-ghost" href={`/targets/${t.id}`}>
+                  View
+                </Link>
+                <form action={deleteTarget} className="inline">
+                  <input type="hidden" name="id" value={t.id} />
+                  <button type="submit" className="btn-danger">
+                    Delete
+                  </button>
+                </form>
+              </div>
+            </div>
+          );
+        })
+      )}
+    </main>
+  );
+}