openhacker 0.1.0 → 0.1.2

package/README.md

@@ -5,9 +5,8 @@ Scaffold a self-hosted OpenHacker security agent.
 ## Create an instance
 
 ```bash
-npx openhacker my-instance
-cd my-instance
-pnpm install
+npx openhacker
+cd openhacker
 pnpm dev
 ```
 

package/bin/openhacker

@@ -1,4 +1,4 @@
 #!/usr/bin/env node
-import { run } from "../src/cli.js";
+import { run } from "../src/index.js";
 
 await run();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openhacker",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Scaffold a self-hosted OpenHacker security agent",
   "license": "UNLICENSED",
   "type": "module",
@@ -11,7 +11,7 @@
     ".": "./src/index.js"
   },
   "main": "./src/index.js",
-  "types": "./src/index.ts",
+  "types": "./src/index.d.ts",
   "files": [
     "bin",
     "scripts",
@@ -26,7 +26,7 @@
     "typescript": "6.0.2"
   },
   "scripts": {
-    "build": "tsc --noEmit && node --check ./bin/openhacker && node --check ./src/cli.js && node --check ./scripts/sync-template.js && node --check ./scripts/clean-template.js",
+    "build": "tsc --noEmit && node --check ./bin/openhacker && node --check ./src/index.js && node --check ./scripts/sync-template.js && node --check ./scripts/clean-template.js",
     "sync-template": "node ./scripts/sync-template.js"
   }
 }

package/src/index.d.ts

@@ -0,0 +1 @@
+export function run(args?: string[]): Promise<void>;

package/src/index.js

@@ -1 +1,305 @@
-export const MESSAGE = "OpenHacker";
+import { spawnSync } from "node:child_process";
+import { cp, readFile, stat, writeFile } from "node:fs/promises";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+const ORANGE = "\x1b[38;5;214m";
+const MUTED = "\x1b[0;2m";
+const RED = "\x1b[0;31m";
+const NC = "\x1b[0m";
+
+const EXCLUDE = new Set([
+  ".env",
+  ".env.local",
+  "node_modules",
+  ".eve",
+  ".next",
+  ".output",
+  ".git",
+  ".vercel",
+  ".turbo",
+]);
+
+// Written into scaffolded projects directly rather than shipped as a template
+// file, because npm renames a packaged `.gitignore` to `.npmignore` on publish.
+const GITIGNORE = `# dependencies
+node_modules
+
+# next.js
+.next
+next-env.d.ts
+
+# eve build artifacts
+.eve
+.output
+
+# vercel / turbo
+.vercel
+.turbo
+
+# typescript
+tsconfig.tsbuildinfo
+
+# env files (keep the example)
+.env
+.env.*
+!.env.example
+
+# misc
+.DS_Store
+*.log
+`;
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+
+async function exists(p) {
+  try {
+    await stat(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function resolveTemplateDir() {
+  const candidates = [];
+
+  if (process.env.OPENHACKER_TEMPLATE_DIR) {
+    candidates.push(path.resolve(process.env.OPENHACKER_TEMPLATE_DIR));
+  }
+
+  candidates.push(
+    // npm package layout: packages/openhacker/src -> packages/openhacker/templates/agent
+    path.resolve(here, "../templates/agent"),
+    // monorepo layout: packages/openhacker/src -> repo root -> apps/agent
+    path.resolve(here, "../../../apps/agent"),
+  );
+
+  for (const candidate of candidates) {
+    if (await exists(path.join(candidate, "agent", "agent.ts"))) {
+      return candidate;
+    }
+  }
+
+  return candidates[0];
+}
+
+function packageNameFor(dest) {
+  return (
+    path
+      .basename(dest)
+      .replace(/[^a-z0-9-]+/gi, "-")
+      .toLowerCase() || "openhacker"
+  );
+}
+
+function shouldCopyTemplatePath(src, root) {
+  const relative = path.relative(root, src);
+  const segments = relative.split(path.sep);
+
+  return (
+    !segments.some((seg) => EXCLUDE.has(seg)) &&
+    !relative.endsWith("next-env.d.ts") &&
+    !relative.endsWith("tsconfig.tsbuildinfo")
+  );
+}
+
+function runStep(command, args, cwd, { quiet = false } = {}) {
+  const result = spawnSync(command, args, {
+    cwd,
+    stdio: quiet ? "ignore" : "inherit",
+    shell: process.platform === "win32",
+  });
+
+  return !result.error && result.status === 0;
+}
+
+function hasCommand(command) {
+  const probe = process.platform === "win32" ? "where" : "which";
+  const result = spawnSync(probe, [command], {
+    stdio: "ignore",
+    shell: process.platform === "win32",
+  });
+  return !result.error && result.status === 0;
+}
+
+function isInsideGitRepo(cwd) {
+  const result = spawnSync("git", ["rev-parse", "--is-inside-work-tree"], {
+    cwd,
+    stdio: "ignore",
+    shell: process.platform === "win32",
+  });
+  return !result.error && result.status === 0;
+}
+
+async function installDependencies(dest) {
+  if (!hasCommand("pnpm")) {
+    console.log(
+      `${MUTED}pnpm not found — skipping install. Run \`pnpm install\` manually.${NC}`,
+    );
+    return false;
+  }
+
+  console.log(`\n${MUTED}Installing dependencies with pnpm…${NC}`);
+  // --ignore-workspace keeps the install self-contained: without it, pnpm walks
+  // up to a parent pnpm-workspace.yaml (e.g. when scaffolding inside a monorepo)
+  // and installs that workspace instead of the new project's node_modules.
+  const ok = runStep("pnpm", ["install", "--ignore-workspace"], dest);
+  if (!ok) {
+    console.log(
+      `${RED}pnpm install failed.${NC} ${MUTED}You can re-run it inside the project.${NC}`,
+    );
+  }
+  return ok;
+}
+
+async function initGitRepo(dest) {
+  if (!hasCommand("git")) {
+    console.log(`${MUTED}git not found — skipping repository init.${NC}`);
+    return false;
+  }
+
+  if (isInsideGitRepo(dest)) {
+    console.log(
+      `${MUTED}Already inside a git repository — skipping git init.${NC}`,
+    );
+    return false;
+  }
+
+  const initialized =
+    runStep("git", ["init"], dest, { quiet: true }) &&
+    runStep("git", ["add", "-A"], dest, { quiet: true }) &&
+    runStep("git", ["commit", "-m", "Initial commit from OpenHacker"], dest, {
+      quiet: true,
+    });
+
+  if (initialized) {
+    console.log(`${MUTED}Initialized a git repository.${NC}`);
+  } else {
+    console.log(
+      `${MUTED}Could not create the initial git commit — you can do it manually.${NC}`,
+    );
+  }
+  return initialized;
+}
+
+async function init(targetArg, { skipInstall = false, skipGit = false } = {}) {
+  const template = await resolveTemplateDir();
+  if (!(await exists(path.join(template, "agent", "agent.ts")))) {
+    console.error(
+      `${RED}Could not find the instance template at ${template}.${NC}`,
+    );
+    console.error(
+      `${MUTED}Set OPENHACKER_TEMPLATE_DIR to the template directory.${NC}`,
+    );
+    process.exit(1);
+  }
+
+  const dest = path.resolve(process.cwd(), targetArg ?? "openhacker");
+  if (await exists(dest)) {
+    console.error(`${RED}Destination already exists: ${dest}${NC}`);
+    process.exit(1);
+  }
+
+  console.log(`\n${MUTED}Creating OpenHacker instance in ${NC}${dest}`);
+  await cp(template, dest, {
+    recursive: true,
+    filter: (src) => shouldCopyTemplatePath(src, template),
+  });
+
+  const pkgPath = path.join(dest, "package.json");
+  const pkg = JSON.parse(await readFile(pkgPath, "utf8"));
+  pkg.name = packageNameFor(dest);
+  pkg.private = true;
+  await writeFile(pkgPath, `${JSON.stringify(pkg, null, 2)}\n`);
+
+  // Write before git init so the initial commit doesn't include node_modules/.env.
+  if (!(await exists(path.join(dest, ".gitignore")))) {
+    await writeFile(path.join(dest, ".gitignore"), GITIGNORE);
+  }
+
+  const installed = skipInstall ? false : await installDependencies(dest);
+  if (!skipGit) {
+    await initGitRepo(dest);
+  }
+
+  console.log(`\n${ORANGE}✓${NC} OpenHacker instance ready.\n`);
+  console.log("Next steps:\n");
+  console.log(`  cd ${path.relative(process.cwd(), dest) || "."}`);
+  if (skipInstall || !installed) {
+    console.log("  pnpm install");
+  }
+  console.log("  pnpm dlx vercel link    # link a Vercel project for AI/LLM access");
+  console.log("  pnpm dev                 # run locally\n");
+  console.log(
+    `${MUTED}Deploy: push to a git repo and import it into Vercel (deploys as one project).`,
+  );
+  console.log(`${MUTED}See README.md for local model configuration.${NC}\n`);
+}
+
+function usage() {
+  console.log("OpenHacker\n");
+  console.log("Usage:");
+  console.log(
+    "  openhacker [dir]        Scaffold a deployable OpenHacker instance",
+  );
+  console.log("  openhacker init [dir]   Same as above");
+  console.log("  openhacker --help       Show help");
+  console.log("  openhacker --version    Show version\n");
+  console.log("Options:");
+  console.log("  --skip-install          Don't run pnpm install");
+  console.log("  --skip-git              Don't create a git repository\n");
+}
+
+async function version() {
+  const pkg = JSON.parse(
+    await readFile(path.resolve(here, "../package.json"), "utf8"),
+  );
+  console.log(pkg.version);
+}
+
+export async function run(args = process.argv.slice(2)) {
+  const options = { skipInstall: false, skipGit: false };
+  const positionals = [];
+
+  for (const arg of args) {
+    switch (arg) {
+      case "--skip-install":
+        options.skipInstall = true;
+        break;
+      case "--skip-git":
+        options.skipGit = true;
+        break;
+      case "-h":
+      case "--help":
+        usage();
+        return;
+      case "-v":
+      case "--version":
+        await version();
+        return;
+      default:
+        if (arg.startsWith("-")) {
+          console.error(`${RED}Unknown option: ${arg}${NC}\n`);
+          usage();
+          process.exit(1);
+        }
+        positionals.push(arg);
+    }
+  }
+
+  const [command, target, ...rest] = positionals;
+
+  if (rest.length > 0) {
+    console.error(`${RED}Too many arguments.${NC}\n`);
+    usage();
+    process.exit(1);
+  }
+
+  if (command === "init") {
+    await init(target, options);
+    return;
+  }
+
+  await init(command, options);
+}

package/templates/agent/.env.example

@@ -3,13 +3,6 @@
 # For LOCAL runs of the eve agent, provide a gateway key:
 AI_GATEWAY_API_KEY=
 
-# Optional: override the agent's deep-analysis model (defaults to anthropic/claude-sonnet-4.6)
-OPENHACKER_MODEL=
-
-# --- Dashboard auth (recommended) ---
-# When set, the dashboard requires this password to sign in. Unset = open dashboard.
-OPENHACKER_ADMIN_PASSWORD=
-
 # --- Persistent storage ---
 # Add a Vercel KV / Upstash Redis integration. Without these, an in-memory store is
 # used and data does NOT persist across restarts/deploys.

package/templates/agent/README.md

@@ -17,8 +17,7 @@ Your self-hosted OpenHacker security agent — a Next.js dashboard with an embed
 2. Import it into Vercel (it deploys as one project — UI + agent + cron).
 3. Add a **KV / Upstash Redis** integration from the Vercel Marketplace so findings persist
    (`KV_REST_API_URL` / `KV_REST_API_TOKEN` are injected automatically).
-4. Set `OPENHACKER_ADMIN_PASSWORD` to protect the dashboard.
-5. Open the deployment URL, sign in, and add a target repository.
+4. Open the deployment URL and add a target repository.
 
 Inference runs through the Vercel AI Gateway and authenticates automatically via Vercel
 OIDC — no model API key required in production.

package/templates/agent/agent/agent.ts

@@ -1,9 +1,5 @@
 import { defineAgent } from "eve";
 
 export default defineAgent({
-  // Routes through the Vercel AI Gateway. On Vercel this authenticates with the
-  // injected VERCEL_OIDC_TOKEN automatically; locally it uses AI_GATEWAY_API_KEY.
-  // The model picker in the dashboard writes OPENHACKER_MODEL.
-  model: process.env.OPENHACKER_MODEL ?? "anthropic/claude-sonnet-4.6",
-  reasoning: "medium",
+  model: "anthropic/claude-haiku-4.5",
 });

package/templates/agent/agent/channels/eve.ts

@@ -0,0 +1,7 @@
+import { eveChannel } from "eve/channels/eve";
+import { none } from "eve/channels/auth";
+
+// Public demo: anyone can call the agent from the browser. Add real auth
+// (e.g. vercelOidc/localDev or your own session check) before exposing
+// anything sensitive.
+export default eveChannel({ auth: [none()] });

package/templates/agent/agent/instructions.md

@@ -1,49 +1,11 @@
 # OpenHacker
 
-You are OpenHacker, an autonomous application security agent. Your job is to find
-real, exploitable vulnerabilities in a codebase and its dependencies, prove them,
-and propose fixes. You operate continuously and on demand.
+You are OpenHacker, an application security agent.
 
-## Operating principles
+The user gives you a GitHub repository (as `owner/name` or a github.com URL). Analyze it for security vulnerabilities and report your findings.
 
-- **Signal over noise.** Security engineers ignore noisy tools. Only report an issue
-  when you have concrete evidence it applies to this project. When you cannot
-  substantiate a vulnerability, say so instead of reporting it.
-- **Prove it.** For each candidate vulnerability, trace it from an attacker-controlled
-  entry point (route handler, server action, request body, query/header, env-derived
-  input) to the dangerous sink. Capture that data flow as your evidence. Set the
-  finding's `proof.status` honestly: `proven`, `likely`, or `unconfirmed`.
-- **Be conservative with dependency CVEs.** A package having a CVE does not mean this
-  project is exploitable. Use `check_advisories` to confirm the *installed version* is
-  in the affected range, then assess whether the vulnerable code path is plausibly
-  reachable before reporting.
-
-## Tools
-
-- `list_targets` — see the repositories configured in this instance.
-- `run_dependency_scan` — deterministically check a target's dependencies against OSV
-  and persist findings. Run this first for dependency coverage.
-- `read_repo_file` — read files / list directories in a target's repo for code review.
-- `check_advisories` — look up a single package in OSV.
-- `report_finding` — persist a confirmed code-level vulnerability.
-
-## Workflow
-
-Given a target id:
-
-1. Call `run_dependency_scan` to record known-vulnerable dependencies.
-2. Use `read_repo_file` (list then read) to inspect the source layout, framework, and
-   trust boundaries (route handlers, server actions, request/query/header/env inputs).
-3. Hunt for high-impact issue classes: broken authorization, injection (SQL/command/
-   template), SSRF, secrets in code, unsafe deserialization, and XSS (including
-   `dangerouslySetInnerHTML`).
-4. For each confirmed code issue, call `report_finding` (with `targetId`) including an
-   accurate severity, location, data-flow evidence, and a concrete remediation.
-5. Summarize what you checked and what you found.
-
-## Severity
-
-Use CVSS-style judgment: `critical` for unauthenticated RCE / auth bypass / data
-exfiltration; `high` for authenticated high-impact issues; `medium` for issues
-needing preconditions; `low`/`info` for hardening. Prefer under-reporting to
-crying wolf.
+- Briefly narrate what you are checking as you go (dependencies, auth, input handling, secrets, etc.).
+- Use the shell to clone and explore the repo. Use `ls`/`find` to list directories; only use `read_file` on actual file paths, never on a directory.
+- Call out concrete risks with severity and, where possible, how to fix them.
+- If you cannot access the repository, say so plainly.
+- Keep the final summary concise and skimmable.