openhacker 0.0.0 → 0.1.1

package/README.md

@@ -1,3 +1,14 @@
 # openhacker
 
-hacking soon
+Scaffold a self-hosted OpenHacker security agent.
+
+## Create an instance
+
+```bash
+npx openhacker my-instance
+cd my-instance
+pnpm install
+pnpm dev
+```
+
+Running `npx openhacker` with no arguments creates `./openhacker`.

package/bin/openhacker

@@ -0,0 +1,4 @@
+#!/usr/bin/env node
+import { run } from "../src/cli.js";
+
+await run();

package/package.json

@@ -1,6 +1,32 @@
 {
   "name": "openhacker",
-  "version": "0.0.0",
-  "description": "hacking soon",
-  "license": "UNLICENSED"
+  "version": "0.1.1",
+  "description": "Scaffold a self-hosted OpenHacker security agent",
+  "license": "UNLICENSED",
+  "type": "module",
+  "bin": {
+    "openhacker": "./bin/openhacker"
+  },
+  "exports": {
+    ".": "./src/index.js"
+  },
+  "main": "./src/index.js",
+  "types": "./src/index.ts",
+  "files": [
+    "bin",
+    "scripts",
+    "src",
+    "templates",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=20"
+  },
+  "devDependencies": {
+    "typescript": "6.0.2"
+  },
+  "scripts": {
+    "build": "tsc --noEmit && node --check ./bin/openhacker && node --check ./src/cli.js && node --check ./scripts/sync-template.js && node --check ./scripts/clean-template.js",
+    "sync-template": "node ./scripts/sync-template.js"
+  }
 }

package/scripts/clean-template.js

@@ -0,0 +1,8 @@
+import { rm } from "node:fs/promises";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+const templateDir = path.resolve(here, "../templates");
+
+await rm(templateDir, { recursive: true, force: true });

package/scripts/sync-template.js

@@ -0,0 +1,53 @@
+import { cp, mkdir, rm, stat } from "node:fs/promises";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+const EXCLUDE = new Set([
+  ".env",
+  ".env.local",
+  "node_modules",
+  ".eve",
+  ".next",
+  ".output",
+  ".git",
+  ".vercel",
+  ".turbo",
+]);
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+const packageRoot = path.resolve(here, "..");
+const source = path.resolve(process.env.OPENHACKER_TEMPLATE_DIR ?? path.join(packageRoot, "../../apps/agent"));
+const dest = path.join(packageRoot, "templates/agent");
+
+async function exists(p) {
+  try {
+    await stat(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function shouldCopyTemplatePath(src) {
+  const relative = path.relative(source, src);
+  const segments = relative.split(path.sep);
+
+  return (
+    !segments.some((seg) => EXCLUDE.has(seg)) &&
+    !relative.endsWith("next-env.d.ts") &&
+    !relative.endsWith("tsconfig.tsbuildinfo")
+  );
+}
+
+if (!(await exists(path.join(source, "agent", "agent.ts")))) {
+  throw new Error(`Could not find the OpenHacker app template at ${source}`);
+}
+
+await rm(dest, { recursive: true, force: true });
+await mkdir(path.dirname(dest), { recursive: true });
+await cp(source, dest, {
+  recursive: true,
+  filter: shouldCopyTemplatePath,
+});
+
+console.log(`Synced OpenHacker template from ${source}`);

package/src/cli.js

@@ -0,0 +1,276 @@
+import { spawnSync } from "node:child_process";
+import { cp, readFile, stat, writeFile } from "node:fs/promises";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+const ORANGE = "\x1b[38;5;214m";
+const MUTED = "\x1b[0;2m";
+const RED = "\x1b[0;31m";
+const NC = "\x1b[0m";
+
+const EXCLUDE = new Set([
+  ".env",
+  ".env.local",
+  "node_modules",
+  ".eve",
+  ".next",
+  ".output",
+  ".git",
+  ".vercel",
+  ".turbo",
+]);
+
+// Written into scaffolded projects directly rather than shipped as a template
+// file, because npm renames a packaged `.gitignore` to `.npmignore` on publish.
+const GITIGNORE = `# dependencies
+node_modules
+
+# next.js
+.next
+next-env.d.ts
+
+# eve build artifacts
+.eve
+.output
+
+# vercel / turbo
+.vercel
+.turbo
+
+# typescript
+tsconfig.tsbuildinfo
+
+# env files (keep the example)
+.env
+.env.*
+!.env.example
+
+# misc
+.DS_Store
+*.log
+`;
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+
+async function exists(p) {
+  try {
+    await stat(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function resolveTemplateDir() {
+  const candidates = [];
+
+  if (process.env.OPENHACKER_TEMPLATE_DIR) {
+    candidates.push(path.resolve(process.env.OPENHACKER_TEMPLATE_DIR));
+  }
+
+  candidates.push(
+    // npm package layout: packages/openhacker/src -> packages/openhacker/templates/agent
+    path.resolve(here, "../templates/agent"),
+    // monorepo layout: packages/openhacker/src -> repo root -> apps/agent
+    path.resolve(here, "../../../apps/agent"),
+  );
+
+  for (const candidate of candidates) {
+    if (await exists(path.join(candidate, "agent", "agent.ts"))) {
+      return candidate;
+    }
+  }
+
+  return candidates[0];
+}
+
+function packageNameFor(dest) {
+  return path.basename(dest).replace(/[^a-z0-9-]+/gi, "-").toLowerCase() || "openhacker";
+}
+
+function shouldCopyTemplatePath(src, root) {
+  const relative = path.relative(root, src);
+  const segments = relative.split(path.sep);
+
+  return (
+    !segments.some((seg) => EXCLUDE.has(seg)) &&
+    !relative.endsWith("next-env.d.ts") &&
+    !relative.endsWith("tsconfig.tsbuildinfo")
+  );
+}
+
+function runStep(command, args, cwd, { quiet = false } = {}) {
+  const result = spawnSync(command, args, {
+    cwd,
+    stdio: quiet ? "ignore" : "inherit",
+    shell: process.platform === "win32",
+  });
+
+  return !result.error && result.status === 0;
+}
+
+function hasCommand(command) {
+  const probe = process.platform === "win32" ? "where" : "which";
+  const result = spawnSync(probe, [command], { stdio: "ignore", shell: process.platform === "win32" });
+  return !result.error && result.status === 0;
+}
+
+function isInsideGitRepo(cwd) {
+  const result = spawnSync("git", ["rev-parse", "--is-inside-work-tree"], {
+    cwd,
+    stdio: "ignore",
+    shell: process.platform === "win32",
+  });
+  return !result.error && result.status === 0;
+}
+
+async function installDependencies(dest) {
+  if (!hasCommand("pnpm")) {
+    console.log(`${MUTED}pnpm not found \u2014 skipping install. Run \`pnpm install\` manually.${NC}`);
+    return false;
+  }
+
+  console.log(`\n${MUTED}Installing dependencies with pnpm\u2026${NC}`);
+  // --ignore-workspace keeps the install self-contained: without it, pnpm walks
+  // up to a parent pnpm-workspace.yaml (e.g. when scaffolding inside a monorepo)
+  // and installs that workspace instead of the new project's node_modules.
+  const ok = runStep("pnpm", ["install", "--ignore-workspace"], dest);
+  if (!ok) {
+    console.log(`${RED}pnpm install failed.${NC} ${MUTED}You can re-run it inside the project.${NC}`);
+  }
+  return ok;
+}
+
+async function initGitRepo(dest) {
+  if (!hasCommand("git")) {
+    console.log(`${MUTED}git not found \u2014 skipping repository init.${NC}`);
+    return false;
+  }
+
+  if (isInsideGitRepo(dest)) {
+    console.log(`${MUTED}Already inside a git repository \u2014 skipping git init.${NC}`);
+    return false;
+  }
+
+  const initialized =
+    runStep("git", ["init"], dest, { quiet: true }) &&
+    runStep("git", ["add", "-A"], dest, { quiet: true }) &&
+    runStep("git", ["commit", "-m", "Initial commit from OpenHacker"], dest, { quiet: true });
+
+  if (initialized) {
+    console.log(`${MUTED}Initialized a git repository.${NC}`);
+  } else {
+    console.log(`${MUTED}Could not create the initial git commit \u2014 you can do it manually.${NC}`);
+  }
+  return initialized;
+}
+
+async function init(targetArg, { skipInstall = false, skipGit = false } = {}) {
+  const template = await resolveTemplateDir();
+  if (!(await exists(path.join(template, "agent", "agent.ts")))) {
+    console.error(`${RED}Could not find the instance template at ${template}.${NC}`);
+    console.error(`${MUTED}Set OPENHACKER_TEMPLATE_DIR to the template directory.${NC}`);
+    process.exit(1);
+  }
+
+  const dest = path.resolve(process.cwd(), targetArg ?? "openhacker");
+  if (await exists(dest)) {
+    console.error(`${RED}Destination already exists: ${dest}${NC}`);
+    process.exit(1);
+  }
+
+  console.log(`\n${MUTED}Creating OpenHacker instance in ${NC}${dest}`);
+  await cp(template, dest, {
+    recursive: true,
+    filter: (src) => shouldCopyTemplatePath(src, template),
+  });
+
+  const pkgPath = path.join(dest, "package.json");
+  const pkg = JSON.parse(await readFile(pkgPath, "utf8"));
+  pkg.name = packageNameFor(dest);
+  pkg.private = true;
+  await writeFile(pkgPath, `${JSON.stringify(pkg, null, 2)}\n`);
+
+  // Write before git init so the initial commit doesn't include node_modules/.env.
+  if (!(await exists(path.join(dest, ".gitignore")))) {
+    await writeFile(path.join(dest, ".gitignore"), GITIGNORE);
+  }
+
+  const installed = skipInstall ? false : await installDependencies(dest);
+  if (!skipGit) {
+    await initGitRepo(dest);
+  }
+
+  console.log(`\n${ORANGE}\u2713${NC} OpenHacker instance ready.\n`);
+  console.log("Next steps:\n");
+  console.log(`  cd ${path.relative(process.cwd(), dest) || "."}`);
+  if (skipInstall || !installed) {
+    console.log("  pnpm install");
+  }
+  console.log("  pnpm dev                 # run locally\n");
+  console.log(`${MUTED}Deploy: push to a git repo and import it into Vercel (deploys as one project).`);
+  console.log(`Add a Vercel KV / Upstash Redis integration to persist findings. See README.md.${NC}\n`);
+}
+
+function usage() {
+  console.log("OpenHacker\n");
+  console.log("Usage:");
+  console.log("  openhacker [dir]        Scaffold a deployable OpenHacker instance");
+  console.log("  openhacker init [dir]   Same as above");
+  console.log("  openhacker --help       Show help");
+  console.log("  openhacker --version    Show version\n");
+  console.log("Options:");
+  console.log("  --skip-install          Don't run pnpm install");
+  console.log("  --skip-git              Don't create a git repository\n");
+}
+
+async function version() {
+  const pkg = JSON.parse(await readFile(path.resolve(here, "../package.json"), "utf8"));
+  console.log(pkg.version);
+}
+
+export async function run(args = process.argv.slice(2)) {
+  const options = { skipInstall: false, skipGit: false };
+  const positionals = [];
+
+  for (const arg of args) {
+    switch (arg) {
+      case "--skip-install":
+        options.skipInstall = true;
+        break;
+      case "--skip-git":
+        options.skipGit = true;
+        break;
+      case "-h":
+      case "--help":
+        usage();
+        return;
+      case "-v":
+      case "--version":
+        await version();
+        return;
+      default:
+        if (arg.startsWith("-")) {
+          console.error(`${RED}Unknown option: ${arg}${NC}\n`);
+          usage();
+          process.exit(1);
+        }
+        positionals.push(arg);
+    }
+  }
+
+  const [command, target, ...rest] = positionals;
+
+  if (rest.length > 0) {
+    console.error(`${RED}Too many arguments.${NC}\n`);
+    usage();
+    process.exit(1);
+  }
+
+  if (command === "init") {
+    await init(target, options);
+    return;
+  }
+
+  await init(command, options);
+}

package/src/index.js

@@ -0,0 +1 @@
+export const MESSAGE = "OpenHacker";

package/src/index.ts

@@ -0,0 +1 @@
+export const MESSAGE = "OpenHacker";

package/templates/agent/.env.example

@@ -0,0 +1,13 @@
+# --- Model (Vercel AI Gateway) ---
+# On Vercel, inference authenticates automatically via VERCEL_OIDC_TOKEN — no key needed.
+# For LOCAL runs of the eve agent, provide a gateway key:
+AI_GATEWAY_API_KEY=
+
+# --- Persistent storage ---
+# Add a Vercel KV / Upstash Redis integration. Without these, an in-memory store is
+# used and data does NOT persist across restarts/deploys.
+KV_REST_API_URL=
+KV_REST_API_TOKEN=
+
+# --- Optional: protect POST /api/scan for programmatic triggers ---
+OPENHACKER_API_TOKEN=

package/templates/agent/README.md

@@ -0,0 +1,34 @@
+# OpenHacker instance
+
+Your self-hosted OpenHacker security agent — a Next.js dashboard with an embedded
+[eve](https://eve.dev) agent, deployable to Vercel as a single project.
+
+## What it does
+
+- Continuously scans the repositories you connect for vulnerable dependencies (via OSV).
+- Records findings with computed CVSS severity and fix versions.
+- A daily schedule (Vercel Cron) re-scans every target so newly disclosed advisories are
+  caught even when your code hasn't changed.
+- The eve agent layers code-level analysis (reachability, injection, authz) on top.
+
+## Deploy to Vercel
+
+1. Push this directory to a Git repository.
+2. Import it into Vercel (it deploys as one project — UI + agent + cron).
+3. Add a **KV / Upstash Redis** integration from the Vercel Marketplace so findings persist
+   (`KV_REST_API_URL` / `KV_REST_API_TOKEN` are injected automatically).
+4. Open the deployment URL and add a target repository.
+
+Inference runs through the Vercel AI Gateway and authenticates automatically via Vercel
+OIDC — no model API key required in production.
+
+## Local development
+
+```bash
+pnpm install
+cp .env.example .env.local   # set AI_GATEWAY_API_KEY for local agent runs
+pnpm dev
+```
+
+`pnpm dev` runs the Next.js dashboard and the eve agent together. Open the printed URL,
+add a target, and click **Scan now**.

package/templates/agent/agent/agent.ts

@@ -0,0 +1,5 @@
+import { defineAgent } from "eve";
+
+export default defineAgent({
+  model: "anthropic/claude-haiku-4.5",
+});

package/templates/agent/agent/channels/eve.ts

@@ -0,0 +1,7 @@
+import { eveChannel } from "eve/channels/eve";
+import { none } from "eve/channels/auth";
+
+// Public demo: anyone can call the agent from the browser. Add real auth
+// (e.g. vercelOidc/localDev or your own session check) before exposing
+// anything sensitive.
+export default eveChannel({ auth: [none()] });

package/templates/agent/agent/instructions.md

@@ -0,0 +1,11 @@
+# OpenHacker
+
+You are OpenHacker, an application security agent.
+
+The user gives you a GitHub repository (as `owner/name` or a github.com URL). Analyze it for security vulnerabilities and report your findings.
+
+- Briefly narrate what you are checking as you go (dependencies, auth, input handling, secrets, etc.).
+- Use the shell to clone and explore the repo. Use `ls`/`find` to list directories; only use `read_file` on actual file paths, never on a directory.
+- Call out concrete risks with severity and, where possible, how to fix them.
+- If you cannot access the repository, say so plainly.
+- Keep the final summary concise and skimmable.

package/templates/agent/app/globals.css

@@ -0,0 +1,148 @@
+:root {
+  --bg: #000000;
+  --panel: #0d0d0d;
+  --panel-2: #161616;
+  --border: #2a2a2a;
+  --text: #f5f5f5;
+  --muted: #8f8f8f;
+  --accent: #ffffff;
+  --accent-dim: #333333;
+  --crit: #ffffff;
+}
+
+* {
+  box-sizing: border-box;
+}
+
+html,
+body {
+  margin: 0;
+  padding: 0;
+  background: var(--bg);
+  color: var(--text);
+  font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+  font-size: 14px;
+  line-height: 1.6;
+}
+
+.container {
+  max-width: 720px;
+  margin: 0 auto;
+  padding: 64px 24px 96px;
+}
+
+h1 {
+  font-size: 22px;
+  font-weight: 700;
+  letter-spacing: 0.5px;
+  margin: 0 0 4px;
+}
+h1 span {
+  color: var(--accent);
+}
+.sub {
+  color: var(--muted);
+  margin: 0 0 28px;
+}
+
+.ask {
+  display: flex;
+  gap: 8px;
+}
+.ask input {
+  flex: 1;
+  background: var(--panel-2);
+  border: 1px solid var(--border);
+  color: var(--text);
+  border-radius: 8px;
+  padding: 11px 13px;
+  font: inherit;
+}
+.ask input:focus {
+  outline: none;
+  border-color: var(--accent);
+}
+.ask button {
+  background: var(--accent);
+  color: #000000;
+  border: none;
+  border-radius: 8px;
+  padding: 11px 18px;
+  font: inherit;
+  font-weight: 600;
+  cursor: pointer;
+}
+.ask button:hover:not(:disabled) {
+  filter: brightness(1.08);
+}
+.ask button:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+.reply {
+  margin-top: 28px;
+  background: var(--panel);
+  border: 1px solid var(--border);
+  border-radius: 10px;
+  padding: 18px 20px;
+}
+.reply .text {
+  white-space: pre-wrap;
+  margin: 0 0 12px;
+}
+.reply .text:last-child {
+  margin-bottom: 0;
+}
+.reply .reasoning {
+  white-space: pre-wrap;
+  color: var(--muted);
+  font-size: 13px;
+  margin: 0 0 12px;
+  padding-left: 12px;
+  border-left: 2px solid var(--border);
+}
+
+.tool {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  font-size: 12.5px;
+  color: var(--muted);
+  padding: 4px 0;
+}
+.tool-name {
+  color: var(--text);
+}
+.tool-state {
+  font-size: 11px;
+  text-transform: uppercase;
+  letter-spacing: 0.5px;
+  border: 1px solid var(--border);
+  border-radius: 20px;
+  padding: 0 8px;
+}
+
+.cursor {
+  display: inline-block;
+  width: 8px;
+  height: 1em;
+  background: var(--accent);
+  vertical-align: text-bottom;
+  animation: blink 1s steps(2) infinite;
+}
+@keyframes blink {
+  50% {
+    opacity: 0;
+  }
+}
+
+.banner {
+  margin-top: 20px;
+  border: 1px solid var(--border);
+  background: rgba(255, 255, 255, 0.04);
+  color: var(--crit);
+  border-radius: 8px;
+  padding: 10px 14px;
+  font-size: 13px;
+}

package/templates/agent/app/layout.tsx

@@ -0,0 +1,15 @@
+import type { Metadata } from "next";
+import "./globals.css";
+
+export const metadata: Metadata = {
+  title: "OpenHacker",
+  description: "Analyze a GitHub repo for vulnerabilities",
+};
+
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+  return (
+    <html lang="en">
+      <body>{children}</body>
+    </html>
+  );
+}

package/templates/agent/app/page.tsx

@@ -0,0 +1,92 @@
+"use client";
+
+import { useState } from "react";
+import { useEveAgent } from "eve/react";
+
+export default function Home() {
+  const [repo, setRepo] = useState("");
+  const agent = useEveAgent();
+
+  const busy = agent.status === "submitted" || agent.status === "streaming";
+
+  function onSubmit(e: React.FormEvent) {
+    e.preventDefault();
+    const value = repo.trim();
+    if (!value || busy) return;
+    agent.reset();
+    agent.send({
+      message: `Analyze the GitHub repository "${value}" for security vulnerabilities. Walk through what you check and report what you find.`,
+    });
+  }
+
+  const reply = [...agent.data.messages]
+    .reverse()
+    .find((m) => m.role === "assistant");
+
+  return (
+    <main className="container">
+      <h1>
+        open<span>hacker</span>
+      </h1>
+      <p className="sub">
+        Paste a GitHub repo and the agent will analyze it for vulnerabilities.
+      </p>
+
+      <form className="ask" onSubmit={onSubmit}>
+        <input
+          type="text"
+          value={repo}
+          onChange={(e) => setRepo(e.target.value)}
+          placeholder="owner/name or https://github.com/owner/name"
+          autoFocus
+        />
+        <button type="submit" disabled={busy || !repo.trim()}>
+          {busy ? "Analyzing…" : "Analyze"}
+        </button>
+      </form>
+
+      {reply ? (
+        <section className="reply">
+          {reply.parts.map((part, i) => {
+            if (part.type === "reasoning") {
+              return (
+                <p key={i} className="reasoning">
+                  {part.text}
+                </p>
+              );
+            }
+            if (part.type === "text") {
+              return (
+                <p key={i} className="text">
+                  {part.text}
+                </p>
+              );
+            }
+            if (part.type === "dynamic-tool") {
+              return (
+                <div key={i} className="tool">
+                  <span className="tool-name">{part.toolName}</span>
+                  <span className="tool-state">{part.state}</span>
+                </div>
+              );
+            }
+            return null;
+          })}
+          {agent.status === "streaming" ? (
+            <span className="cursor" aria-hidden />
+          ) : null}
+        </section>
+      ) : busy ? (
+        <section className="reply">
+          <span className="cursor" aria-hidden />
+        </section>
+      ) : null}
+
+      {agent.status === "error" ? (
+        <div className="banner">
+          {String(agent.error ?? "Something went wrong.")}
+        </div>
+      ) : null}
+    </main>
+  );
+}

package/templates/agent/next.config.ts

@@ -0,0 +1,8 @@
+import type { NextConfig } from "next";
+import { withEve } from "eve/next";
+
+const nextConfig: NextConfig = {};
+
+// Mounts the eve agent (agent/) and the dashboard as a single Vercel deployment.
+// Schedules under agent/schedules become Vercel Cron Jobs automatically.
+export default withEve(nextConfig);

package/templates/agent/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "@openhacker/agent",
+  "private": true,
+  "type": "module",
+  "engines": {
+    "node": ">=24"
+  },
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "typecheck": "tsc --noEmit",
+    "eve:info": "eve info"
+  },
+  "dependencies": {
+    "ai": "^7.0.3",
+    "eve": "^0.16.2",
+    "next": "^16.2.9",
+    "react": "^19.2.7",
+    "react-dom": "^19.2.7"
+  },
+  "devDependencies": {
+    "@types/node": "25.5.2",
+    "@types/react": "19.2.14",
+    "@types/react-dom": "^19.2.3",
+    "microsandbox": "^0.6.0",
+    "typescript": "6.0.2"
+  }
+}

package/templates/agent/tsconfig.json

@@ -0,0 +1,43 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "lib": [
+      "dom",
+      "dom.iterable",
+      "esnext"
+    ],
+    "allowJs": true,
+    "skipLibCheck": true,
+    "strict": true,
+    "noEmit": true,
+    "incremental": true,
+    "module": "esnext",
+    "esModuleInterop": true,
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "jsx": "react-jsx",
+    "plugins": [
+      {
+        "name": "next"
+      }
+    ],
+    "paths": {
+      "@/*": [
+        "./*"
+      ]
+    }
+  },
+  "include": [
+    "next-env.d.ts",
+    ".next/types/**/*.ts",
+    "**/*.ts",
+    "**/*.tsx",
+    ".next/dev/types/**/*.ts"
+  ],
+  "exclude": [
+    "node_modules",
+    ".eve",
+    ".output"
+  ]
+}