openhacker 0.1.0 → 0.1.2

package/src/cli.js

@@ -1,153 +0,0 @@
-import { cp, readFile, stat, writeFile } from "node:fs/promises";
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-
-const ORANGE = "\x1b[38;5;214m";
-const MUTED = "\x1b[0;2m";
-const RED = "\x1b[0;31m";
-const NC = "\x1b[0m";
-
-const EXCLUDE = new Set([
-  ".env",
-  ".env.local",
-  "node_modules",
-  ".eve",
-  ".next",
-  ".output",
-  ".git",
-  ".vercel",
-  ".turbo",
-]);
-
-const here = path.dirname(fileURLToPath(import.meta.url));
-
-async function exists(p) {
-  try {
-    await stat(p);
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-async function resolveTemplateDir() {
-  const candidates = [];
-
-  if (process.env.OPENHACKER_TEMPLATE_DIR) {
-    candidates.push(path.resolve(process.env.OPENHACKER_TEMPLATE_DIR));
-  }
-
-  candidates.push(
-    // npm package layout: packages/openhacker/src -> packages/openhacker/templates/agent
-    path.resolve(here, "../templates/agent"),
-    // monorepo layout: packages/openhacker/src -> repo root -> apps/agent
-    path.resolve(here, "../../../apps/agent"),
-  );
-
-  for (const candidate of candidates) {
-    if (await exists(path.join(candidate, "agent", "agent.ts"))) {
-      return candidate;
-    }
-  }
-
-  return candidates[0];
-}
-
-function packageNameFor(dest) {
-  return path.basename(dest).replace(/[^a-z0-9-]+/gi, "-").toLowerCase() || "openhacker";
-}
-
-function shouldCopyTemplatePath(src, root) {
-  const relative = path.relative(root, src);
-  const segments = relative.split(path.sep);
-
-  return (
-    !segments.some((seg) => EXCLUDE.has(seg)) &&
-    !relative.endsWith("next-env.d.ts") &&
-    !relative.endsWith("tsconfig.tsbuildinfo")
-  );
-}
-
-async function init(targetArg) {
-  const template = await resolveTemplateDir();
-  if (!(await exists(path.join(template, "agent", "agent.ts")))) {
-    console.error(`${RED}Could not find the instance template at ${template}.${NC}`);
-    console.error(`${MUTED}Set OPENHACKER_TEMPLATE_DIR to the template directory.${NC}`);
-    process.exit(1);
-  }
-
-  const dest = path.resolve(process.cwd(), targetArg ?? "openhacker");
-  if (await exists(dest)) {
-    console.error(`${RED}Destination already exists: ${dest}${NC}`);
-    process.exit(1);
-  }
-
-  console.log(`\n${MUTED}Creating OpenHacker instance in ${NC}${dest}`);
-  await cp(template, dest, {
-    recursive: true,
-    filter: (src) => shouldCopyTemplatePath(src, template),
-  });
-
-  const pkgPath = path.join(dest, "package.json");
-  const pkg = JSON.parse(await readFile(pkgPath, "utf8"));
-  pkg.name = packageNameFor(dest);
-  pkg.private = true;
-  await writeFile(pkgPath, `${JSON.stringify(pkg, null, 2)}\n`);
-
-  console.log(`${ORANGE}\u2713${NC} OpenHacker instance ready.\n`);
-  console.log("Next steps:\n");
-  console.log(`  cd ${path.relative(process.cwd(), dest) || "."}`);
-  console.log("  pnpm install");
-  console.log("  pnpm dev                 # run locally\n");
-  console.log(`${MUTED}Deploy: push to a git repo and import it into Vercel (deploys as one project).`);
-  console.log("Add a Vercel KV / Upstash Redis integration to persist findings, and set");
-  console.log(`OPENHACKER_ADMIN_PASSWORD to protect the dashboard. See README.md.${NC}\n`);
-}
-
-function usage() {
-  console.log("OpenHacker\n");
-  console.log("Usage:");
-  console.log("  openhacker [dir]        Scaffold a deployable OpenHacker instance");
-  console.log("  openhacker init [dir]   Same as above");
-  console.log("  openhacker --help       Show help");
-  console.log("  openhacker --version    Show version\n");
-}
-
-async function version() {
-  const pkg = JSON.parse(await readFile(path.resolve(here, "../package.json"), "utf8"));
-  console.log(pkg.version);
-}
-
-export async function run(args = process.argv.slice(2)) {
-  const [command, target, ...rest] = args;
-
-  if (rest.length > 0) {
-    console.error(`${RED}Too many arguments.${NC}\n`);
-    usage();
-    process.exit(1);
-  }
-
-  switch (command) {
-    case undefined:
-      await init();
-      break;
-    case "init":
-      await init(target);
-      break;
-    case "-h":
-    case "--help":
-      usage();
-      break;
-    case "-v":
-    case "--version":
-      await version();
-      break;
-    default:
-      if (command.startsWith("-")) {
-        console.error(`${RED}Unknown option: ${command}${NC}\n`);
-        usage();
-        process.exit(1);
-      }
-      await init(command);
-  }
-}

package/src/index.ts

@@ -1 +0,0 @@
-export const MESSAGE = "OpenHacker";

package/templates/agent/agent/lib/auth.ts

@@ -1,23 +0,0 @@
-// Web-Crypto only so this module works in both the Edge middleware and Node.
-export const SESSION_COOKIE = "oh_session";
-
-export function adminPassword(): string | null {
-  return process.env.OPENHACKER_ADMIN_PASSWORD || null;
-}
-
-export function authEnabled(): boolean {
-  return Boolean(adminPassword());
-}
-
-export async function sessionToken(password: string): Promise<string> {
-  const data = new TextEncoder().encode(`openhacker:${password}`);
-  const digest = await globalThis.crypto.subtle.digest("SHA-256", data);
-  return Array.from(new Uint8Array(digest))
-    .map((b) => b.toString(16).padStart(2, "0"))
-    .join("");
-}
-
-export async function expectedToken(): Promise<string | null> {
-  const password = adminPassword();
-  return password ? sessionToken(password) : null;
-}

package/templates/agent/agent/lib/github.ts

@@ -1,74 +0,0 @@
-const API = "https://api.github.com";
-
-function headers(token?: string | null): Record<string, string> {
-  const h: Record<string, string> = {
-    accept: "application/vnd.github+json",
-    "user-agent": "openhacker-agent",
-    "x-github-api-version": "2022-11-28",
-  };
-  if (token) h.authorization = `Bearer ${token}`;
-  return h;
-}
-
-/** Read a single file's text content. Returns null when the file is absent. */
-export async function getFile(
-  repo: string,
-  path: string,
-  ref: string,
-  token?: string | null,
-): Promise<string | null> {
-  const url = `${API}/repos/${repo}/contents/${encodeURIComponent(path).replace(/%2F/g, "/")}?ref=${encodeURIComponent(ref)}`;
-  const res = await fetch(url, { headers: headers(token) });
-
-  if (res.status === 404) return null;
-  if (!res.ok) {
-    throw new Error(`GitHub getFile ${repo}/${path}: ${res.status} ${res.statusText}`);
-  }
-
-  const data = (await res.json()) as { content?: string; encoding?: string };
-  if (!data.content) return null;
-  if (data.encoding === "base64") {
-    return Buffer.from(data.content, "base64").toString("utf8");
-  }
-  return data.content;
-}
-
-export type RepoEntry = { path: string; type: "file" | "dir"; size?: number };
-
-/** List the entries directly under a directory path ("" for the repo root). */
-export async function listDir(
-  repo: string,
-  path: string,
-  ref: string,
-  token?: string | null,
-): Promise<RepoEntry[]> {
-  const clean = path.replace(/^\/+|\/+$/g, "");
-  const url = `${API}/repos/${repo}/contents/${clean ? `${clean}` : ""}?ref=${encodeURIComponent(ref)}`;
-  const res = await fetch(url, { headers: headers(token) });
-
-  if (res.status === 404) return [];
-  if (!res.ok) {
-    throw new Error(`GitHub listDir ${repo}/${path}: ${res.status} ${res.statusText}`);
-  }
-
-  const data = (await res.json()) as Array<{ path: string; type: string; size?: number }>;
-  if (!Array.isArray(data)) return [];
-  return data.map((e) => ({
-    path: e.path,
-    type: e.type === "dir" ? "dir" : "file",
-    size: e.size,
-  }));
-}
-
-/** Confirm the repo is reachable with the given (optional) token. */
-export async function checkRepoAccess(
-  repo: string,
-  token?: string | null,
-): Promise<{ ok: boolean; private?: boolean; defaultBranch?: string; error?: string }> {
-  const res = await fetch(`${API}/repos/${repo}`, { headers: headers(token) });
-  if (!res.ok) {
-    return { ok: false, error: `${res.status} ${res.statusText}` };
-  }
-  const data = (await res.json()) as { private?: boolean; default_branch?: string };
-  return { ok: true, private: data.private, defaultBranch: data.default_branch };
-}

package/templates/agent/agent/lib/osv.ts

@@ -1,152 +0,0 @@
-export type OsvEcosystem =
-  | "npm"
-  | "PyPI"
-  | "Go"
-  | "crates.io"
-  | "Maven"
-  | "RubyGems"
-  | "NuGet";
-
-export type Severity = "critical" | "high" | "medium" | "low";
-
-export type OsvAdvisory = {
-  id: string;
-  aliases: string[];
-  summary: string | null;
-  cvssVector: string | null;
-  qualitative: string | null;
-  fixedIn: string[];
-  references: string[];
-};
-
-type OsvRawVuln = {
-  id: string;
-  aliases?: string[];
-  summary?: string;
-  severity?: Array<{ type: string; score: string }>;
-  database_specific?: { severity?: string };
-  affected?: Array<{ ranges?: Array<{ events?: Array<Record<string, string>> }> }>;
-  references?: Array<{ type: string; url: string }>;
-};
-
-export async function queryOsv(
-  name: string,
-  version: string | undefined,
-  ecosystem: OsvEcosystem = "npm",
-): Promise<OsvAdvisory[]> {
-  const body: Record<string, unknown> = { package: { name, ecosystem } };
-  if (version) body.version = version;
-
-  const res = await fetch("https://api.osv.dev/v1/query", {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify(body),
-  });
-
-  if (!res.ok) {
-    throw new Error(`OSV query failed for ${name}: ${res.status} ${res.statusText}`);
-  }
-
-  const data = (await res.json()) as { vulns?: OsvRawVuln[] };
-
-  return (data.vulns ?? []).map((v) => {
-    const fixedIn = [
-      ...new Set(
-        (v.affected ?? [])
-          .flatMap((a) => a.ranges ?? [])
-          .flatMap((r) => r.events ?? [])
-          .map((e) => e.fixed)
-          .filter((x): x is string => Boolean(x)),
-      ),
-    ];
-
-    const cvss = (v.severity ?? []).find((s) => /^CVSS_V3/.test(s.type)) ?? v.severity?.[0];
-
-    return {
-      id: v.id,
-      aliases: v.aliases ?? [],
-      summary: v.summary ?? null,
-      cvssVector: cvss?.score ?? null,
-      qualitative: v.database_specific?.severity ?? null,
-      fixedIn,
-      references: (v.references ?? []).map((r) => r.url).slice(0, 5),
-    };
-  });
-}
-
-function bucket(score: number): Severity {
-  if (score >= 9) return "critical";
-  if (score >= 7) return "high";
-  if (score >= 4) return "medium";
-  return "low";
-}
-
-const QUALITATIVE: Record<string, Severity> = {
-  LOW: "low",
-  MODERATE: "medium",
-  MEDIUM: "medium",
-  HIGH: "high",
-  CRITICAL: "critical",
-};
-
-/** Severity from OSV: prefer the computed CVSS v3 base score, then the GHSA rating. */
-export function severityFromOsv(advisory: OsvAdvisory): Severity {
-  if (advisory.cvssVector) {
-    const score = cvss3BaseScore(advisory.cvssVector);
-    if (score != null) return bucket(score);
-  }
-  if (advisory.qualitative) {
-    const mapped = QUALITATIVE[advisory.qualitative.toUpperCase()];
-    if (mapped) return mapped;
-  }
-  return "medium";
-}
-
-// --- Minimal CVSS v3.x base score calculator -------------------------------
-
-const AV = { N: 0.85, A: 0.62, L: 0.55, P: 0.2 } as const;
-const AC = { L: 0.77, H: 0.44 } as const;
-const UI = { N: 0.85, R: 0.62 } as const;
-const IMPACT = { H: 0.56, L: 0.22, N: 0 } as const;
-
-function roundUp(n: number): number {
-  return Math.ceil(n * 10) / 10;
-}
-
-/** Returns the CVSS v3.x base score for a vector string, or null if unparsable. */
-export function cvss3BaseScore(vector: string): number | null {
-  if (!/^CVSS:3/.test(vector)) return null;
-  const parts = Object.fromEntries(
-    vector
-      .split("/")
-      .slice(1)
-      .map((p) => p.split(":") as [string, string]),
-  );
-
-  const scopeChanged = parts.S === "C";
-  const prMap = scopeChanged
-    ? { N: 0.85, L: 0.68, H: 0.5 }
-    : { N: 0.85, L: 0.62, H: 0.27 };
-
-  const av = AV[parts.AV as keyof typeof AV];
-  const ac = AC[parts.AC as keyof typeof AC];
-  const pr = prMap[parts.PR as keyof typeof prMap];
-  const ui = UI[parts.UI as keyof typeof UI];
-  const c = IMPACT[parts.C as keyof typeof IMPACT];
-  const i = IMPACT[parts.I as keyof typeof IMPACT];
-  const a = IMPACT[parts.A as keyof typeof IMPACT];
-
-  if ([av, ac, pr, ui, c, i, a].some((x) => x == null)) return null;
-
-  const iscBase = 1 - (1 - c) * (1 - i) * (1 - a);
-  const impact = scopeChanged
-    ? 7.52 * (iscBase - 0.029) - 3.25 * (iscBase - 0.02) ** 15
-    : 6.42 * iscBase;
-  const exploitability = 8.22 * av * ac * pr * ui;
-
-  if (impact <= 0) return 0;
-  const raw = scopeChanged
-    ? 1.08 * (impact + exploitability)
-    : impact + exploitability;
-  return roundUp(Math.min(raw, 10));
-}

package/templates/agent/agent/lib/scan.ts

@@ -1,153 +0,0 @@
-import { createHash } from "node:crypto";
-import { getFile } from "./github";
-import { queryOsv, severityFromOsv } from "./osv";
-import { getStore } from "./store";
-import type { Finding } from "./types";
-
-export type Dependency = { name: string; version: string };
-
-/** Best-effort extraction of resolved dependencies from common manifests/lockfiles. */
-export function extractDependencies(files: {
-  packageJson?: string | null;
-  packageLock?: string | null;
-  pnpmLock?: string | null;
-}): Dependency[] {
-  const found = new Map<string, string>();
-
-  // 1. npm lockfile (exact resolved versions).
-  if (files.packageLock) {
-    try {
-      const lock = JSON.parse(files.packageLock) as {
-        packages?: Record<string, { version?: string }>;
-        dependencies?: Record<string, { version?: string }>;
-      };
-      for (const [path, meta] of Object.entries(lock.packages ?? {})) {
-        if (!path.startsWith("node_modules/") || !meta.version) continue;
-        const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
-        found.set(name, meta.version);
-      }
-      for (const [name, meta] of Object.entries(lock.dependencies ?? {})) {
-        if (meta.version && !found.has(name)) found.set(name, meta.version);
-      }
-    } catch {
-      // ignore malformed lockfile
-    }
-  }
-
-  // 2. pnpm lockfile (regex extraction of resolved package keys).
-  if (files.pnpmLock) {
-    const re = /^\s{2,}\/?((?:@[^/@\s]+\/)?[^@/\s]+)@(\d+\.\d+\.\d+[^\s:('"]*)/gm;
-    let m: RegExpExecArray | null;
-    while ((m = re.exec(files.pnpmLock))) {
-      const [, name, version] = m;
-      if (!found.has(name)) found.set(name, version);
-    }
-  }
-
-  // 3. Fall back to package.json ranges (approximate exact version).
-  if (files.packageJson) {
-    try {
-      const pkg = JSON.parse(files.packageJson) as {
-        dependencies?: Record<string, string>;
-        devDependencies?: Record<string, string>;
-      };
-      const ranges = { ...pkg.devDependencies, ...pkg.dependencies };
-      for (const [name, range] of Object.entries(ranges)) {
-        if (found.has(name)) continue;
-        const cleaned = range.match(/\d+\.\d+\.\d+[^\s]*/)?.[0];
-        if (cleaned) found.set(name, cleaned);
-      }
-    } catch {
-      // ignore malformed manifest
-    }
-  }
-
-  return [...found.entries()].map(([name, version]) => ({ name, version }));
-}
-
-function fingerprint(targetId: string, pkg: string, advisoryId: string): string {
-  return createHash("sha256").update(`${targetId}::${pkg}::${advisoryId}`).digest("hex").slice(0, 16);
-}
-
-export type ScanResult = {
-  ok: boolean;
-  dependenciesChecked: number;
-  findings: number;
-  error?: string;
-};
-
-/**
- * Run a dependency vulnerability scan of a target against OSV and persist findings.
- * Deterministic and model-free; the eve agent layers reachability reasoning on top.
- */
-export async function runScan(targetId: string): Promise<ScanResult> {
-  const store = getStore();
-  const target = await store.getTarget(targetId);
-  if (!target) return { ok: false, dependenciesChecked: 0, findings: 0, error: "Target not found" };
-
-  const token = await store.getTargetToken(targetId);
-  const now = new Date().toISOString();
-
-  try {
-    const [packageJson, packageLock, pnpmLock] = await Promise.all([
-      getFile(target.repo, "package.json", target.branch, token),
-      getFile(target.repo, "package-lock.json", target.branch, token),
-      getFile(target.repo, "pnpm-lock.yaml", target.branch, token),
-    ]);
-
-    if (!packageJson && !packageLock && !pnpmLock) {
-      throw new Error("No package.json or lockfile found at the repo root");
-    }
-
-    const deps = extractDependencies({ packageJson, packageLock, pnpmLock });
-    const existing = await store.listFindings(targetId);
-    const existingById = new Map(existing.map((f) => [f.id, f]));
-    const findings: Finding[] = [];
-
-    const results = await Promise.allSettled(
-      deps.map(async (dep) => ({ dep, advisories: await queryOsv(dep.name, dep.version) })),
-    );
-
-    for (const r of results) {
-      if (r.status !== "fulfilled") continue;
-      const { dep, advisories } = r.value;
-      for (const adv of advisories) {
-        const id = fingerprint(targetId, dep.name, adv.id);
-        const prior = existingById.get(id);
-        const aliases = adv.aliases.filter((a) => a.startsWith("CVE-"));
-        findings.push({
-          id,
-          targetId,
-          title: `${dep.name}@${dep.version}: ${adv.aliases[0] ?? adv.id}`,
-          severity: severityFromOsv(adv),
-          category: "dependency",
-          packageName: dep.name,
-          installedVersion: dep.version,
-          advisoryIds: [adv.id, ...aliases],
-          proof: {
-            status: "likely",
-            evidence:
-              `Installed version ${dep.version} of ${dep.name} is in the affected range of ` +
-              `${adv.id}${adv.summary ? `: ${adv.summary}` : ""}.`,
-          },
-          remediation: adv.fixedIn.length
-            ? { summary: `Upgrade ${dep.name} to ${adv.fixedIn[0]} or later.`, fixedVersion: adv.fixedIn[0] }
-            : { summary: `Review advisory ${adv.id} and upgrade ${dep.name}.` },
-          status: prior?.status ?? "open",
-          references: adv.references,
-          firstSeen: prior?.firstSeen ?? now,
-          lastSeen: now,
-        });
-      }
-    }
-
-    await store.replaceTargetFindings(targetId, findings);
-    await store.saveTarget({ ...target, lastScanAt: now, lastScanStatus: "ok", lastScanError: undefined });
-
-    return { ok: true, dependenciesChecked: deps.length, findings: findings.length };
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    await store.saveTarget({ ...target, lastScanAt: now, lastScanStatus: "error", lastScanError: message });
-    return { ok: false, dependenciesChecked: 0, findings: 0, error: message };
-  }
-}