openhacker 0.1.0 → 0.1.1

package/templates/agent/app/layout.tsx

@@ -1,35 +1,15 @@
 import type { Metadata } from "next";
-import Link from "next/link";
-import { authEnabled } from "@/agent/lib/auth";
-import { logout } from "./actions";
 import "./globals.css";
 
 export const metadata: Metadata = {
   title: "OpenHacker",
-  description: "Autonomous application security agent",
+  description: "Analyze a GitHub repo for vulnerabilities",
 };
 
 export default function RootLayout({ children }: { children: React.ReactNode }) {
   return (
     <html lang="en">
-      <body>
-        <nav className="nav">
-          <Link href="/" className="brand">
-            open<span>hacker</span>
-          </Link>
-          <div className="spacer" />
-          <Link href="/">Dashboard</Link>
-          <Link href="/settings">Settings</Link>
-          {authEnabled() ? (
-            <form action={logout} className="inline">
-              <button className="btn-ghost" type="submit">
-                Sign out
-              </button>
-            </form>
-          ) : null}
-        </nav>
-        {children}
-      </body>
+      <body>{children}</body>
     </html>
   );
 }

package/templates/agent/app/page.tsx

@@ -1,114 +1,92 @@
-import Link from "next/link";
-import { getStore, isPersistent } from "@/agent/lib/store";
-import { SeverityCounts } from "./_components/ui";
-import { addTarget, deleteTarget, scanTarget } from "./actions";
+"use client";
 
-export const dynamic = "force-dynamic";
+import { useState } from "react";
+import { useEveAgent } from "eve/react";
 
-export default async function Dashboard({
-  searchParams,
-}: {
-  searchParams: Promise<{ error?: string }>;
-}) {
-  const { error } = await searchParams;
-  const store = getStore();
-  const targets = await store.listTargets();
-  const findingsByTarget = new Map(
-    await Promise.all(
-      targets.map(async (t) => [t.id, await store.listFindings(t.id)] as const),
-    ),
-  );
+export default function Home() {
+  const [repo, setRepo] = useState("");
+  const agent = useEveAgent();
+
+  const busy = agent.status === "submitted" || agent.status === "streaming";
+
+  function onSubmit(e: React.FormEvent) {
+    e.preventDefault();
+    const value = repo.trim();
+    if (!value || busy) return;
+    agent.reset();
+    agent.send({
+      message: `Analyze the GitHub repository "${value}" for security vulnerabilities. Walk through what you check and report what you find.`,
+    });
+  }
+
+  const reply = [...agent.data.messages]
+    .reverse()
+    .find((m) => m.role === "assistant");
 
   return (
     <main className="container">
-      <h1>Targets</h1>
-      <p className="sub">Repositories OpenHacker continuously scans for vulnerabilities.</p>
+      <h1>
+        open<span>hacker</span>
+      </h1>
+      <p className="sub">
+        Paste a GitHub repo and the agent will analyze it for vulnerabilities.
+      </p>
+
+      <form className="ask" onSubmit={onSubmit}>
+        <input
+          type="text"
+          value={repo}
+          onChange={(e) => setRepo(e.target.value)}
+          placeholder="owner/name or https://github.com/owner/name"
+          autoFocus
+        />
+        <button type="submit" disabled={busy || !repo.trim()}>
+          {busy ? "Analyzing…" : "Analyze"}
+        </button>
+      </form>
+
+      {reply ? (
+        <section className="reply">
+          {reply.parts.map((part, i) => {
+            if (part.type === "reasoning") {
+              return (
+                <p key={i} className="reasoning">
+                  {part.text}
+                </p>
+              );
+            }
+            if (part.type === "text") {
+              return (
+                <p key={i} className="text">
+                  {part.text}
+                </p>
+              );
+            }
+            if (part.type === "dynamic-tool") {
+              return (
+                <div key={i} className="tool">
+                  <span className="tool-name">{part.toolName}</span>
+                  <span className="tool-state">{part.state}</span>
+                </div>
+              );
+            }
+            return null;
+          })}
+          {agent.status === "streaming" ? (
+            <span className="cursor" aria-hidden />
+          ) : null}
+        </section>
+      ) : busy ? (
+        <section className="reply">
+          <span className="cursor" aria-hidden />
+        </section>
+      ) : null}
 
-      {!isPersistent() ? (
+      {agent.status === "error" ? (
         <div className="banner">
-          Using an in-memory store — data will not persist across restarts/deploys. Add a Vercel KV
-          or Upstash Redis integration and set <code>KV_REST_API_URL</code> /{" "}
-          <code>KV_REST_API_TOKEN</code> to persist.
+          {String(agent.error ?? "Something went wrong.")}
         </div>
       ) : null}
-      {error === "invalid-repo" ? (
-        <div className="banner">Enter a valid GitHub repository (owner/name or a github.com URL).</div>
-      ) : null}
-
-      <div className="panel">
-        <h2 style={{ marginTop: 0 }}>Add a target</h2>
-        <form action={addTarget}>
-          <div className="row">
-            <div>
-              <label htmlFor="repo">GitHub repository</label>
-              <input id="repo" name="repo" type="text" placeholder="owner/name or URL" required />
-            </div>
-            <div>
-              <label htmlFor="branch">Branch (optional)</label>
-              <input id="branch" name="branch" type="text" placeholder="default branch" />
-            </div>
-          </div>
-          <div className="row">
-            <div>
-              <label htmlFor="name">Display name (optional)</label>
-              <input id="name" name="name" type="text" placeholder="My app" />
-            </div>
-            <div>
-              <label htmlFor="token">Access token (optional, for private repos)</label>
-              <input id="token" name="token" type="password" placeholder="ghp_..." />
-            </div>
-          </div>
-          <div className="check" style={{ marginBottom: 14 }}>
-            <input id="autoRemediate" name="autoRemediate" type="checkbox" />
-            <label htmlFor="autoRemediate">Open remediation PRs automatically</label>
-          </div>
-          <button type="submit">Add target</button>
-        </form>
-      </div>
-
-      <h2>Configured targets</h2>
-      {targets.length === 0 ? (
-        <div className="empty">No targets yet. Add a repository above to start scanning.</div>
-      ) : (
-        targets.map((t) => {
-          const findings = findingsByTarget.get(t.id) ?? [];
-          return (
-            <div className="card" key={t.id}>
-              <div className="grow">
-                <div className="repo">
-                  <Link href={`/targets/${t.id}`}>{t.name}</Link>{" "}
-                  <span className="mono-sm">{t.repo}@{t.branch}</span>
-                </div>
-                <div className="meta">
-                  {t.lastScanAt
-                    ? `last scan ${new Date(t.lastScanAt).toLocaleString()}${
-                        t.lastScanStatus === "error" ? ` — error: ${t.lastScanError}` : ""
-                      }`
-                    : "never scanned"}
-                </div>
-                <div style={{ marginTop: 8 }}>
-                  <SeverityCounts findings={findings} />
-                </div>
-              </div>
-              <div className="actions">
-                <form action={scanTarget} className="inline">
-                  <input type="hidden" name="id" value={t.id} />
-                  <button type="submit">Scan now</button>
-                </form>
-                <Link className="btn btn-ghost" href={`/targets/${t.id}`}>
-                  View
-                </Link>
-                <form action={deleteTarget} className="inline">
-                  <input type="hidden" name="id" value={t.id} />
-                  <button type="submit" className="btn-danger">
-                    Delete
-                  </button>
-                </form>
-              </div>
-            </div>
-          );
-        })
-      )}
     </main>
   );
 }

package/templates/agent/package.json

@@ -13,18 +13,17 @@
     "eve:info": "eve info"
   },
   "dependencies": {
-    "@upstash/redis": "^1.38.0",
     "ai": "^7.0.3",
     "eve": "^0.16.2",
     "next": "^16.2.9",
     "react": "^19.2.7",
-    "react-dom": "^19.2.7",
-    "zod": "^4.4.3"
+    "react-dom": "^19.2.7"
   },
   "devDependencies": {
     "@types/node": "25.5.2",
     "@types/react": "19.2.14",
     "@types/react-dom": "^19.2.3",
+    "microsandbox": "^0.6.0",
     "typescript": "6.0.2"
   }
 }

package/templates/agent/agent/lib/auth.ts

@@ -1,23 +0,0 @@
-// Web-Crypto only so this module works in both the Edge middleware and Node.
-export const SESSION_COOKIE = "oh_session";
-
-export function adminPassword(): string | null {
-  return process.env.OPENHACKER_ADMIN_PASSWORD || null;
-}
-
-export function authEnabled(): boolean {
-  return Boolean(adminPassword());
-}
-
-export async function sessionToken(password: string): Promise<string> {
-  const data = new TextEncoder().encode(`openhacker:${password}`);
-  const digest = await globalThis.crypto.subtle.digest("SHA-256", data);
-  return Array.from(new Uint8Array(digest))
-    .map((b) => b.toString(16).padStart(2, "0"))
-    .join("");
-}
-
-export async function expectedToken(): Promise<string | null> {
-  const password = adminPassword();
-  return password ? sessionToken(password) : null;
-}

package/templates/agent/agent/lib/github.ts

@@ -1,74 +0,0 @@
-const API = "https://api.github.com";
-
-function headers(token?: string | null): Record<string, string> {
-  const h: Record<string, string> = {
-    accept: "application/vnd.github+json",
-    "user-agent": "openhacker-agent",
-    "x-github-api-version": "2022-11-28",
-  };
-  if (token) h.authorization = `Bearer ${token}`;
-  return h;
-}
-
-/** Read a single file's text content. Returns null when the file is absent. */
-export async function getFile(
-  repo: string,
-  path: string,
-  ref: string,
-  token?: string | null,
-): Promise<string | null> {
-  const url = `${API}/repos/${repo}/contents/${encodeURIComponent(path).replace(/%2F/g, "/")}?ref=${encodeURIComponent(ref)}`;
-  const res = await fetch(url, { headers: headers(token) });
-
-  if (res.status === 404) return null;
-  if (!res.ok) {
-    throw new Error(`GitHub getFile ${repo}/${path}: ${res.status} ${res.statusText}`);
-  }
-
-  const data = (await res.json()) as { content?: string; encoding?: string };
-  if (!data.content) return null;
-  if (data.encoding === "base64") {
-    return Buffer.from(data.content, "base64").toString("utf8");
-  }
-  return data.content;
-}
-
-export type RepoEntry = { path: string; type: "file" | "dir"; size?: number };
-
-/** List the entries directly under a directory path ("" for the repo root). */
-export async function listDir(
-  repo: string,
-  path: string,
-  ref: string,
-  token?: string | null,
-): Promise<RepoEntry[]> {
-  const clean = path.replace(/^\/+|\/+$/g, "");
-  const url = `${API}/repos/${repo}/contents/${clean ? `${clean}` : ""}?ref=${encodeURIComponent(ref)}`;
-  const res = await fetch(url, { headers: headers(token) });
-
-  if (res.status === 404) return [];
-  if (!res.ok) {
-    throw new Error(`GitHub listDir ${repo}/${path}: ${res.status} ${res.statusText}`);
-  }
-
-  const data = (await res.json()) as Array<{ path: string; type: string; size?: number }>;
-  if (!Array.isArray(data)) return [];
-  return data.map((e) => ({
-    path: e.path,
-    type: e.type === "dir" ? "dir" : "file",
-    size: e.size,
-  }));
-}
-
-/** Confirm the repo is reachable with the given (optional) token. */
-export async function checkRepoAccess(
-  repo: string,
-  token?: string | null,
-): Promise<{ ok: boolean; private?: boolean; defaultBranch?: string; error?: string }> {
-  const res = await fetch(`${API}/repos/${repo}`, { headers: headers(token) });
-  if (!res.ok) {
-    return { ok: false, error: `${res.status} ${res.statusText}` };
-  }
-  const data = (await res.json()) as { private?: boolean; default_branch?: string };
-  return { ok: true, private: data.private, defaultBranch: data.default_branch };
-}

package/templates/agent/agent/lib/osv.ts

@@ -1,152 +0,0 @@
-export type OsvEcosystem =
-  | "npm"
-  | "PyPI"
-  | "Go"
-  | "crates.io"
-  | "Maven"
-  | "RubyGems"
-  | "NuGet";
-
-export type Severity = "critical" | "high" | "medium" | "low";
-
-export type OsvAdvisory = {
-  id: string;
-  aliases: string[];
-  summary: string | null;
-  cvssVector: string | null;
-  qualitative: string | null;
-  fixedIn: string[];
-  references: string[];
-};
-
-type OsvRawVuln = {
-  id: string;
-  aliases?: string[];
-  summary?: string;
-  severity?: Array<{ type: string; score: string }>;
-  database_specific?: { severity?: string };
-  affected?: Array<{ ranges?: Array<{ events?: Array<Record<string, string>> }> }>;
-  references?: Array<{ type: string; url: string }>;
-};
-
-export async function queryOsv(
-  name: string,
-  version: string | undefined,
-  ecosystem: OsvEcosystem = "npm",
-): Promise<OsvAdvisory[]> {
-  const body: Record<string, unknown> = { package: { name, ecosystem } };
-  if (version) body.version = version;
-
-  const res = await fetch("https://api.osv.dev/v1/query", {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify(body),
-  });
-
-  if (!res.ok) {
-    throw new Error(`OSV query failed for ${name}: ${res.status} ${res.statusText}`);
-  }
-
-  const data = (await res.json()) as { vulns?: OsvRawVuln[] };
-
-  return (data.vulns ?? []).map((v) => {
-    const fixedIn = [
-      ...new Set(
-        (v.affected ?? [])
-          .flatMap((a) => a.ranges ?? [])
-          .flatMap((r) => r.events ?? [])
-          .map((e) => e.fixed)
-          .filter((x): x is string => Boolean(x)),
-      ),
-    ];
-
-    const cvss = (v.severity ?? []).find((s) => /^CVSS_V3/.test(s.type)) ?? v.severity?.[0];
-
-    return {
-      id: v.id,
-      aliases: v.aliases ?? [],
-      summary: v.summary ?? null,
-      cvssVector: cvss?.score ?? null,
-      qualitative: v.database_specific?.severity ?? null,
-      fixedIn,
-      references: (v.references ?? []).map((r) => r.url).slice(0, 5),
-    };
-  });
-}
-
-function bucket(score: number): Severity {
-  if (score >= 9) return "critical";
-  if (score >= 7) return "high";
-  if (score >= 4) return "medium";
-  return "low";
-}
-
-const QUALITATIVE: Record<string, Severity> = {
-  LOW: "low",
-  MODERATE: "medium",
-  MEDIUM: "medium",
-  HIGH: "high",
-  CRITICAL: "critical",
-};
-
-/** Severity from OSV: prefer the computed CVSS v3 base score, then the GHSA rating. */
-export function severityFromOsv(advisory: OsvAdvisory): Severity {
-  if (advisory.cvssVector) {
-    const score = cvss3BaseScore(advisory.cvssVector);
-    if (score != null) return bucket(score);
-  }
-  if (advisory.qualitative) {
-    const mapped = QUALITATIVE[advisory.qualitative.toUpperCase()];
-    if (mapped) return mapped;
-  }
-  return "medium";
-}
-
-// --- Minimal CVSS v3.x base score calculator -------------------------------
-
-const AV = { N: 0.85, A: 0.62, L: 0.55, P: 0.2 } as const;
-const AC = { L: 0.77, H: 0.44 } as const;
-const UI = { N: 0.85, R: 0.62 } as const;
-const IMPACT = { H: 0.56, L: 0.22, N: 0 } as const;
-
-function roundUp(n: number): number {
-  return Math.ceil(n * 10) / 10;
-}
-
-/** Returns the CVSS v3.x base score for a vector string, or null if unparsable. */
-export function cvss3BaseScore(vector: string): number | null {
-  if (!/^CVSS:3/.test(vector)) return null;
-  const parts = Object.fromEntries(
-    vector
-      .split("/")
-      .slice(1)
-      .map((p) => p.split(":") as [string, string]),
-  );
-
-  const scopeChanged = parts.S === "C";
-  const prMap = scopeChanged
-    ? { N: 0.85, L: 0.68, H: 0.5 }
-    : { N: 0.85, L: 0.62, H: 0.27 };
-
-  const av = AV[parts.AV as keyof typeof AV];
-  const ac = AC[parts.AC as keyof typeof AC];
-  const pr = prMap[parts.PR as keyof typeof prMap];
-  const ui = UI[parts.UI as keyof typeof UI];
-  const c = IMPACT[parts.C as keyof typeof IMPACT];
-  const i = IMPACT[parts.I as keyof typeof IMPACT];
-  const a = IMPACT[parts.A as keyof typeof IMPACT];
-
-  if ([av, ac, pr, ui, c, i, a].some((x) => x == null)) return null;
-
-  const iscBase = 1 - (1 - c) * (1 - i) * (1 - a);
-  const impact = scopeChanged
-    ? 7.52 * (iscBase - 0.029) - 3.25 * (iscBase - 0.02) ** 15
-    : 6.42 * iscBase;
-  const exploitability = 8.22 * av * ac * pr * ui;
-
-  if (impact <= 0) return 0;
-  const raw = scopeChanged
-    ? 1.08 * (impact + exploitability)
-    : impact + exploitability;
-  return roundUp(Math.min(raw, 10));
-}

package/templates/agent/agent/lib/scan.ts

@@ -1,153 +0,0 @@
-import { createHash } from "node:crypto";
-import { getFile } from "./github";
-import { queryOsv, severityFromOsv } from "./osv";
-import { getStore } from "./store";
-import type { Finding } from "./types";
-
-export type Dependency = { name: string; version: string };
-
-/** Best-effort extraction of resolved dependencies from common manifests/lockfiles. */
-export function extractDependencies(files: {
-  packageJson?: string | null;
-  packageLock?: string | null;
-  pnpmLock?: string | null;
-}): Dependency[] {
-  const found = new Map<string, string>();
-
-  // 1. npm lockfile (exact resolved versions).
-  if (files.packageLock) {
-    try {
-      const lock = JSON.parse(files.packageLock) as {
-        packages?: Record<string, { version?: string }>;
-        dependencies?: Record<string, { version?: string }>;
-      };
-      for (const [path, meta] of Object.entries(lock.packages ?? {})) {
-        if (!path.startsWith("node_modules/") || !meta.version) continue;
-        const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
-        found.set(name, meta.version);
-      }
-      for (const [name, meta] of Object.entries(lock.dependencies ?? {})) {
-        if (meta.version && !found.has(name)) found.set(name, meta.version);
-      }
-    } catch {
-      // ignore malformed lockfile
-    }
-  }
-
-  // 2. pnpm lockfile (regex extraction of resolved package keys).
-  if (files.pnpmLock) {
-    const re = /^\s{2,}\/?((?:@[^/@\s]+\/)?[^@/\s]+)@(\d+\.\d+\.\d+[^\s:('"]*)/gm;
-    let m: RegExpExecArray | null;
-    while ((m = re.exec(files.pnpmLock))) {
-      const [, name, version] = m;
-      if (!found.has(name)) found.set(name, version);
-    }
-  }
-
-  // 3. Fall back to package.json ranges (approximate exact version).
-  if (files.packageJson) {
-    try {
-      const pkg = JSON.parse(files.packageJson) as {
-        dependencies?: Record<string, string>;
-        devDependencies?: Record<string, string>;
-      };
-      const ranges = { ...pkg.devDependencies, ...pkg.dependencies };
-      for (const [name, range] of Object.entries(ranges)) {
-        if (found.has(name)) continue;
-        const cleaned = range.match(/\d+\.\d+\.\d+[^\s]*/)?.[0];
-        if (cleaned) found.set(name, cleaned);
-      }
-    } catch {
-      // ignore malformed manifest
-    }
-  }
-
-  return [...found.entries()].map(([name, version]) => ({ name, version }));
-}
-
-function fingerprint(targetId: string, pkg: string, advisoryId: string): string {
-  return createHash("sha256").update(`${targetId}::${pkg}::${advisoryId}`).digest("hex").slice(0, 16);
-}
-
-export type ScanResult = {
-  ok: boolean;
-  dependenciesChecked: number;
-  findings: number;
-  error?: string;
-};
-
-/**
- * Run a dependency vulnerability scan of a target against OSV and persist findings.
- * Deterministic and model-free; the eve agent layers reachability reasoning on top.
- */
-export async function runScan(targetId: string): Promise<ScanResult> {
-  const store = getStore();
-  const target = await store.getTarget(targetId);
-  if (!target) return { ok: false, dependenciesChecked: 0, findings: 0, error: "Target not found" };
-
-  const token = await store.getTargetToken(targetId);
-  const now = new Date().toISOString();
-
-  try {
-    const [packageJson, packageLock, pnpmLock] = await Promise.all([
-      getFile(target.repo, "package.json", target.branch, token),
-      getFile(target.repo, "package-lock.json", target.branch, token),
-      getFile(target.repo, "pnpm-lock.yaml", target.branch, token),
-    ]);
-
-    if (!packageJson && !packageLock && !pnpmLock) {
-      throw new Error("No package.json or lockfile found at the repo root");
-    }
-
-    const deps = extractDependencies({ packageJson, packageLock, pnpmLock });
-    const existing = await store.listFindings(targetId);
-    const existingById = new Map(existing.map((f) => [f.id, f]));
-    const findings: Finding[] = [];
-
-    const results = await Promise.allSettled(
-      deps.map(async (dep) => ({ dep, advisories: await queryOsv(dep.name, dep.version) })),
-    );
-
-    for (const r of results) {
-      if (r.status !== "fulfilled") continue;
-      const { dep, advisories } = r.value;
-      for (const adv of advisories) {
-        const id = fingerprint(targetId, dep.name, adv.id);
-        const prior = existingById.get(id);
-        const aliases = adv.aliases.filter((a) => a.startsWith("CVE-"));
-        findings.push({
-          id,
-          targetId,
-          title: `${dep.name}@${dep.version}: ${adv.aliases[0] ?? adv.id}`,
-          severity: severityFromOsv(adv),
-          category: "dependency",
-          packageName: dep.name,
-          installedVersion: dep.version,
-          advisoryIds: [adv.id, ...aliases],
-          proof: {
-            status: "likely",
-            evidence:
-              `Installed version ${dep.version} of ${dep.name} is in the affected range of ` +
-              `${adv.id}${adv.summary ? `: ${adv.summary}` : ""}.`,
-          },
-          remediation: adv.fixedIn.length
-            ? { summary: `Upgrade ${dep.name} to ${adv.fixedIn[0]} or later.`, fixedVersion: adv.fixedIn[0] }
-            : { summary: `Review advisory ${adv.id} and upgrade ${dep.name}.` },
-          status: prior?.status ?? "open",
-          references: adv.references,
-          firstSeen: prior?.firstSeen ?? now,
-          lastSeen: now,
-        });
-      }
-    }
-
-    await store.replaceTargetFindings(targetId, findings);
-    await store.saveTarget({ ...target, lastScanAt: now, lastScanStatus: "ok", lastScanError: undefined });
-
-    return { ok: true, dependenciesChecked: deps.length, findings: findings.length };
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    await store.saveTarget({ ...target, lastScanAt: now, lastScanStatus: "error", lastScanError: message });
-    return { ok: false, dependenciesChecked: 0, findings: 0, error: message };
-  }
-}