openhacker 0.1.0 → 0.1.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openhacker",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Scaffold a self-hosted OpenHacker security agent",
   "license": "UNLICENSED",
   "type": "module",

package/src/cli.js

@@ -1,3 +1,4 @@
+import { spawnSync } from "node:child_process";
 import { cp, readFile, stat, writeFile } from "node:fs/promises";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
@@ -19,6 +20,36 @@ const EXCLUDE = new Set([
   ".turbo",
 ]);
 
+// Written into scaffolded projects directly rather than shipped as a template
+// file, because npm renames a packaged `.gitignore` to `.npmignore` on publish.
+const GITIGNORE = `# dependencies
+node_modules
+
+# next.js
+.next
+next-env.d.ts
+
+# eve build artifacts
+.eve
+.output
+
+# vercel / turbo
+.vercel
+.turbo
+
+# typescript
+tsconfig.tsbuildinfo
+
+# env files (keep the example)
+.env
+.env.*
+!.env.example
+
+# misc
+.DS_Store
+*.log
+`;
+
 const here = path.dirname(fileURLToPath(import.meta.url));
 
 async function exists(p) {
@@ -68,7 +99,73 @@ function shouldCopyTemplatePath(src, root) {
   );
 }
 
-async function init(targetArg) {
+function runStep(command, args, cwd, { quiet = false } = {}) {
+  const result = spawnSync(command, args, {
+    cwd,
+    stdio: quiet ? "ignore" : "inherit",
+    shell: process.platform === "win32",
+  });
+
+  return !result.error && result.status === 0;
+}
+
+function hasCommand(command) {
+  const probe = process.platform === "win32" ? "where" : "which";
+  const result = spawnSync(probe, [command], { stdio: "ignore", shell: process.platform === "win32" });
+  return !result.error && result.status === 0;
+}
+
+function isInsideGitRepo(cwd) {
+  const result = spawnSync("git", ["rev-parse", "--is-inside-work-tree"], {
+    cwd,
+    stdio: "ignore",
+    shell: process.platform === "win32",
+  });
+  return !result.error && result.status === 0;
+}
+
+async function installDependencies(dest) {
+  if (!hasCommand("pnpm")) {
+    console.log(`${MUTED}pnpm not found \u2014 skipping install. Run \`pnpm install\` manually.${NC}`);
+    return false;
+  }
+
+  console.log(`\n${MUTED}Installing dependencies with pnpm\u2026${NC}`);
+  // --ignore-workspace keeps the install self-contained: without it, pnpm walks
+  // up to a parent pnpm-workspace.yaml (e.g. when scaffolding inside a monorepo)
+  // and installs that workspace instead of the new project's node_modules.
+  const ok = runStep("pnpm", ["install", "--ignore-workspace"], dest);
+  if (!ok) {
+    console.log(`${RED}pnpm install failed.${NC} ${MUTED}You can re-run it inside the project.${NC}`);
+  }
+  return ok;
+}
+
+async function initGitRepo(dest) {
+  if (!hasCommand("git")) {
+    console.log(`${MUTED}git not found \u2014 skipping repository init.${NC}`);
+    return false;
+  }
+
+  if (isInsideGitRepo(dest)) {
+    console.log(`${MUTED}Already inside a git repository \u2014 skipping git init.${NC}`);
+    return false;
+  }
+
+  const initialized =
+    runStep("git", ["init"], dest, { quiet: true }) &&
+    runStep("git", ["add", "-A"], dest, { quiet: true }) &&
+    runStep("git", ["commit", "-m", "Initial commit from OpenHacker"], dest, { quiet: true });
+
+  if (initialized) {
+    console.log(`${MUTED}Initialized a git repository.${NC}`);
+  } else {
+    console.log(`${MUTED}Could not create the initial git commit \u2014 you can do it manually.${NC}`);
+  }
+  return initialized;
+}
+
+async function init(targetArg, { skipInstall = false, skipGit = false } = {}) {
   const template = await resolveTemplateDir();
   if (!(await exists(path.join(template, "agent", "agent.ts")))) {
     console.error(`${RED}Could not find the instance template at ${template}.${NC}`);
@@ -94,14 +191,25 @@ async function init(targetArg) {
   pkg.private = true;
   await writeFile(pkgPath, `${JSON.stringify(pkg, null, 2)}\n`);
 
-  console.log(`${ORANGE}\u2713${NC} OpenHacker instance ready.\n`);
+  // Write before git init so the initial commit doesn't include node_modules/.env.
+  if (!(await exists(path.join(dest, ".gitignore")))) {
+    await writeFile(path.join(dest, ".gitignore"), GITIGNORE);
+  }
+
+  const installed = skipInstall ? false : await installDependencies(dest);
+  if (!skipGit) {
+    await initGitRepo(dest);
+  }
+
+  console.log(`\n${ORANGE}\u2713${NC} OpenHacker instance ready.\n`);
   console.log("Next steps:\n");
   console.log(`  cd ${path.relative(process.cwd(), dest) || "."}`);
-  console.log("  pnpm install");
+  if (skipInstall || !installed) {
+    console.log("  pnpm install");
+  }
   console.log("  pnpm dev                 # run locally\n");
   console.log(`${MUTED}Deploy: push to a git repo and import it into Vercel (deploys as one project).`);
-  console.log("Add a Vercel KV / Upstash Redis integration to persist findings, and set");
-  console.log(`OPENHACKER_ADMIN_PASSWORD to protect the dashboard. See README.md.${NC}\n`);
+  console.log(`Add a Vercel KV / Upstash Redis integration to persist findings. See README.md.${NC}\n`);
 }
 
 function usage() {
@@ -111,6 +219,9 @@ function usage() {
   console.log("  openhacker init [dir]   Same as above");
   console.log("  openhacker --help       Show help");
   console.log("  openhacker --version    Show version\n");
+  console.log("Options:");
+  console.log("  --skip-install          Don't run pnpm install");
+  console.log("  --skip-git              Don't create a git repository\n");
 }
 
 async function version() {
@@ -119,7 +230,36 @@ async function version() {
 }
 
 export async function run(args = process.argv.slice(2)) {
-  const [command, target, ...rest] = args;
+  const options = { skipInstall: false, skipGit: false };
+  const positionals = [];
+
+  for (const arg of args) {
+    switch (arg) {
+      case "--skip-install":
+        options.skipInstall = true;
+        break;
+      case "--skip-git":
+        options.skipGit = true;
+        break;
+      case "-h":
+      case "--help":
+        usage();
+        return;
+      case "-v":
+      case "--version":
+        await version();
+        return;
+      default:
+        if (arg.startsWith("-")) {
+          console.error(`${RED}Unknown option: ${arg}${NC}\n`);
+          usage();
+          process.exit(1);
+        }
+        positionals.push(arg);
+    }
+  }
+
+  const [command, target, ...rest] = positionals;
 
   if (rest.length > 0) {
     console.error(`${RED}Too many arguments.${NC}\n`);
@@ -127,27 +267,10 @@ export async function run(args = process.argv.slice(2)) {
     process.exit(1);
   }
 
-  switch (command) {
-    case undefined:
-      await init();
-      break;
-    case "init":
-      await init(target);
-      break;
-    case "-h":
-    case "--help":
-      usage();
-      break;
-    case "-v":
-    case "--version":
-      await version();
-      break;
-    default:
-      if (command.startsWith("-")) {
-        console.error(`${RED}Unknown option: ${command}${NC}\n`);
-        usage();
-        process.exit(1);
-      }
-      await init(command);
+  if (command === "init") {
+    await init(target, options);
+    return;
   }
+
+  await init(command, options);
 }

package/templates/agent/.env.example

@@ -3,13 +3,6 @@
 # For LOCAL runs of the eve agent, provide a gateway key:
 AI_GATEWAY_API_KEY=
 
-# Optional: override the agent's deep-analysis model (defaults to anthropic/claude-sonnet-4.6)
-OPENHACKER_MODEL=
-
-# --- Dashboard auth (recommended) ---
-# When set, the dashboard requires this password to sign in. Unset = open dashboard.
-OPENHACKER_ADMIN_PASSWORD=
-
 # --- Persistent storage ---
 # Add a Vercel KV / Upstash Redis integration. Without these, an in-memory store is
 # used and data does NOT persist across restarts/deploys.

package/templates/agent/README.md

@@ -17,8 +17,7 @@ Your self-hosted OpenHacker security agent — a Next.js dashboard with an embed
 2. Import it into Vercel (it deploys as one project — UI + agent + cron).
 3. Add a **KV / Upstash Redis** integration from the Vercel Marketplace so findings persist
    (`KV_REST_API_URL` / `KV_REST_API_TOKEN` are injected automatically).
-4. Set `OPENHACKER_ADMIN_PASSWORD` to protect the dashboard.
-5. Open the deployment URL, sign in, and add a target repository.
+4. Open the deployment URL and add a target repository.
 
 Inference runs through the Vercel AI Gateway and authenticates automatically via Vercel
 OIDC — no model API key required in production.

package/templates/agent/agent/agent.ts

@@ -1,9 +1,5 @@
 import { defineAgent } from "eve";
 
 export default defineAgent({
-  // Routes through the Vercel AI Gateway. On Vercel this authenticates with the
-  // injected VERCEL_OIDC_TOKEN automatically; locally it uses AI_GATEWAY_API_KEY.
-  // The model picker in the dashboard writes OPENHACKER_MODEL.
-  model: process.env.OPENHACKER_MODEL ?? "anthropic/claude-sonnet-4.6",
-  reasoning: "medium",
+  model: "anthropic/claude-haiku-4.5",
 });

package/templates/agent/agent/channels/eve.ts

@@ -0,0 +1,7 @@
+import { eveChannel } from "eve/channels/eve";
+import { none } from "eve/channels/auth";
+
+// Public demo: anyone can call the agent from the browser. Add real auth
+// (e.g. vercelOidc/localDev or your own session check) before exposing
+// anything sensitive.
+export default eveChannel({ auth: [none()] });

package/templates/agent/agent/instructions.md

@@ -1,49 +1,11 @@
 # OpenHacker
 
-You are OpenHacker, an autonomous application security agent. Your job is to find
-real, exploitable vulnerabilities in a codebase and its dependencies, prove them,
-and propose fixes. You operate continuously and on demand.
+You are OpenHacker, an application security agent.
 
-## Operating principles
+The user gives you a GitHub repository (as `owner/name` or a github.com URL). Analyze it for security vulnerabilities and report your findings.
 
-- **Signal over noise.** Security engineers ignore noisy tools. Only report an issue
-  when you have concrete evidence it applies to this project. When you cannot
-  substantiate a vulnerability, say so instead of reporting it.
-- **Prove it.** For each candidate vulnerability, trace it from an attacker-controlled
-  entry point (route handler, server action, request body, query/header, env-derived
-  input) to the dangerous sink. Capture that data flow as your evidence. Set the
-  finding's `proof.status` honestly: `proven`, `likely`, or `unconfirmed`.
-- **Be conservative with dependency CVEs.** A package having a CVE does not mean this
-  project is exploitable. Use `check_advisories` to confirm the *installed version* is
-  in the affected range, then assess whether the vulnerable code path is plausibly
-  reachable before reporting.
-
-## Tools
-
-- `list_targets` — see the repositories configured in this instance.
-- `run_dependency_scan` — deterministically check a target's dependencies against OSV
-  and persist findings. Run this first for dependency coverage.
-- `read_repo_file` — read files / list directories in a target's repo for code review.
-- `check_advisories` — look up a single package in OSV.
-- `report_finding` — persist a confirmed code-level vulnerability.
-
-## Workflow
-
-Given a target id:
-
-1. Call `run_dependency_scan` to record known-vulnerable dependencies.
-2. Use `read_repo_file` (list then read) to inspect the source layout, framework, and
-   trust boundaries (route handlers, server actions, request/query/header/env inputs).
-3. Hunt for high-impact issue classes: broken authorization, injection (SQL/command/
-   template), SSRF, secrets in code, unsafe deserialization, and XSS (including
-   `dangerouslySetInnerHTML`).
-4. For each confirmed code issue, call `report_finding` (with `targetId`) including an
-   accurate severity, location, data-flow evidence, and a concrete remediation.
-5. Summarize what you checked and what you found.
-
-## Severity
-
-Use CVSS-style judgment: `critical` for unauthenticated RCE / auth bypass / data
-exfiltration; `high` for authenticated high-impact issues; `medium` for issues
-needing preconditions; `low`/`info` for hardening. Prefer under-reporting to
-crying wolf.
+- Briefly narrate what you are checking as you go (dependencies, auth, input handling, secrets, etc.).
+- Use the shell to clone and explore the repo. Use `ls`/`find` to list directories; only use `read_file` on actual file paths, never on a directory.
+- Call out concrete risks with severity and, where possible, how to fix them.
+- If you cannot access the repository, say so plainly.
+- Keep the final summary concise and skimmable.

package/templates/agent/app/globals.css

@@ -8,11 +8,6 @@
   --accent: #ffffff;
   --accent-dim: #333333;
   --crit: #ffffff;
-  --high: #cfcfcf;
-  --med: #9a9a9a;
-  --low: #6f6f6f;
-  --info: #555555;
-  --ok: #f5f5f5;
 }
 
 * {
@@ -27,254 +22,127 @@ body {
   color: var(--text);
   font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
   font-size: 14px;
-  line-height: 1.5;
-}
-
-a {
-  color: var(--accent);
-  text-decoration: none;
-}
-a:hover {
-  text-decoration: underline;
-}
-
-.nav {
-  display: flex;
-  align-items: center;
-  gap: 20px;
-  padding: 14px 24px;
-  border-bottom: 1px solid var(--border);
-  background: var(--panel);
-}
-.nav .brand {
-  font-weight: 700;
-  letter-spacing: 0.5px;
-  color: var(--text);
-}
-.nav .brand span {
-  color: var(--accent);
-}
-.nav .spacer {
-  flex: 1;
-}
-.nav a {
-  color: var(--muted);
-}
-.nav a:hover {
-  color: var(--text);
-  text-decoration: none;
+  line-height: 1.6;
 }
 
 .container {
-  max-width: 960px;
+  max-width: 720px;
   margin: 0 auto;
-  padding: 28px 24px 80px;
+  padding: 64px 24px 96px;
 }
 
 h1 {
-  font-size: 20px;
+  font-size: 22px;
+  font-weight: 700;
+  letter-spacing: 0.5px;
   margin: 0 0 4px;
 }
-h2 {
-  font-size: 15px;
-  margin: 28px 0 12px;
-  color: var(--muted);
-  text-transform: uppercase;
-  letter-spacing: 1px;
+h1 span {
+  color: var(--accent);
 }
 .sub {
   color: var(--muted);
-  margin: 0 0 24px;
+  margin: 0 0 28px;
 }
 
-.panel {
-  background: var(--panel);
-  border: 1px solid var(--border);
-  border-radius: 10px;
-  padding: 18px;
-  margin-bottom: 16px;
-}
-
-.card {
-  background: var(--panel);
-  border: 1px solid var(--border);
-  border-radius: 10px;
-  padding: 16px 18px;
-  margin-bottom: 12px;
+.ask {
   display: flex;
-  align-items: center;
-  gap: 16px;
+  gap: 8px;
 }
-.card .grow {
+.ask input {
   flex: 1;
-  min-width: 0;
-}
-.card .repo {
-  font-weight: 600;
-}
-.card .meta {
-  color: var(--muted);
-  font-size: 12px;
-  margin-top: 2px;
-}
-
-label {
-  display: block;
-  font-size: 12px;
-  color: var(--muted);
-  margin-bottom: 6px;
-}
-input[type="text"],
-input[type="password"],
-select {
-  width: 100%;
   background: var(--panel-2);
   border: 1px solid var(--border);
   color: var(--text);
   border-radius: 8px;
-  padding: 9px 11px;
+  padding: 11px 13px;
   font: inherit;
 }
-input:focus,
-select:focus {
+.ask input:focus {
   outline: none;
   border-color: var(--accent);
 }
-.row {
-  display: flex;
-  gap: 12px;
-  flex-wrap: wrap;
-  margin-bottom: 12px;
-}
-.row > div {
-  flex: 1;
-  min-width: 160px;
-}
-.check {
-  display: flex;
-  align-items: center;
-  gap: 8px;
-}
-.check label {
-  margin: 0;
-}
-
-button,
-.btn {
+.ask button {
   background: var(--accent);
   color: #000000;
   border: none;
   border-radius: 8px;
-  padding: 9px 14px;
+  padding: 11px 18px;
   font: inherit;
   font-weight: 600;
   cursor: pointer;
 }
-button:hover {
+.ask button:hover:not(:disabled) {
   filter: brightness(1.08);
 }
-.btn-ghost {
-  background: transparent;
-  color: var(--muted);
-  border: 1px solid var(--border);
-}
-.btn-ghost:hover {
-  color: var(--text);
-}
-.btn-danger {
-  background: transparent;
-  color: var(--crit);
-  border: 1px solid var(--accent-dim);
+.ask button:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
 }
 
-.badge {
-  display: inline-block;
-  padding: 1px 8px;
-  border-radius: 20px;
-  font-size: 11px;
-  font-weight: 700;
-  text-transform: uppercase;
-  letter-spacing: 0.5px;
+.reply {
+  margin-top: 28px;
+  background: var(--panel);
   border: 1px solid var(--border);
-  background: transparent;
-  color: var(--text);
-}
-.sev-critical {
-  background: #ffffff;
-  color: #000000;
-  border-color: #ffffff;
-}
-.sev-high {
-  color: #ffffff;
-  border-color: #cfcfcf;
-  background: rgba(255, 255, 255, 0.1);
+  border-radius: 10px;
+  padding: 18px 20px;
 }
-.sev-medium {
-  color: var(--high);
-  border-color: #5a5a5a;
+.reply .text {
+  white-space: pre-wrap;
+  margin: 0 0 12px;
 }
-.sev-low {
-  color: var(--med);
-  border-color: #3a3a3a;
+.reply .text:last-child {
+  margin-bottom: 0;
 }
-.sev-info {
-  color: var(--info);
-  border-color: #2a2a2a;
+.reply .reasoning {
+  white-space: pre-wrap;
+  color: var(--muted);
+  font-size: 13px;
+  margin: 0 0 12px;
+  padding-left: 12px;
+  border-left: 2px solid var(--border);
 }
 
-.counts {
+.tool {
   display: flex;
-  gap: 6px;
-}
-
-table {
-  width: 100%;
-  border-collapse: collapse;
+  align-items: center;
+  gap: 10px;
+  font-size: 12.5px;
+  color: var(--muted);
+  padding: 4px 0;
 }
-th,
-td {
-  text-align: left;
-  padding: 10px 12px;
-  border-bottom: 1px solid var(--border);
-  vertical-align: top;
-  font-size: 13px;
+.tool-name {
+  color: var(--text);
 }
-th {
-  color: var(--muted);
+.tool-state {
   font-size: 11px;
   text-transform: uppercase;
   letter-spacing: 0.5px;
+  border: 1px solid var(--border);
+  border-radius: 20px;
+  padding: 0 8px;
+}
+
+.cursor {
+  display: inline-block;
+  width: 8px;
+  height: 1em;
+  background: var(--accent);
+  vertical-align: text-bottom;
+  animation: blink 1s steps(2) infinite;
+}
+@keyframes blink {
+  50% {
+    opacity: 0;
+  }
 }
 
 .banner {
+  margin-top: 20px;
   border: 1px solid var(--border);
   background: rgba(255, 255, 255, 0.04);
-  color: var(--text);
+  color: var(--crit);
   border-radius: 8px;
   padding: 10px 14px;
-  margin-bottom: 18px;
   font-size: 13px;
 }
-.empty {
-  color: var(--muted);
-  padding: 24px;
-  text-align: center;
-  border: 1px dashed var(--border);
-  border-radius: 10px;
-}
-.inline {
-  display: inline;
-}
-.actions {
-  display: flex;
-  gap: 8px;
-  align-items: center;
-}
-.mono-sm {
-  font-size: 12px;
-  color: var(--muted);
-}
-.login-wrap {
-  max-width: 360px;
-  margin: 12vh auto 0;
-}