openhacker 0.1.0 → 0.1.2

package/templates/agent/agent/lib/store.ts

@@ -1,151 +0,0 @@
-import { Redis } from "@upstash/redis";
-import { DEFAULT_SETTINGS, type Finding, type Settings, type Target } from "./types";
-
-export interface Store {
-  listTargets(): Promise<Target[]>;
-  getTarget(id: string): Promise<Target | null>;
-  saveTarget(target: Target): Promise<void>;
-  deleteTarget(id: string): Promise<void>;
-
-  getTargetToken(id: string): Promise<string | null>;
-  setTargetToken(id: string, token: string | null): Promise<void>;
-
-  listFindings(targetId?: string): Promise<Finding[]>;
-  replaceTargetFindings(targetId: string, findings: Finding[]): Promise<void>;
-  upsertFinding(finding: Finding): Promise<void>;
-
-  getSettings(): Promise<Settings>;
-  saveSettings(settings: Settings): Promise<void>;
-}
-
-const K = {
-  targets: "oh:targets",
-  token: (id: string) => `oh:token:${id}`,
-  findings: (id: string) => `oh:findings:${id}`,
-  settings: "oh:settings",
-};
-
-class RedisStore implements Store {
-  constructor(private redis: Redis) {}
-
-  async listTargets(): Promise<Target[]> {
-    const all = (await this.redis.hgetall<Record<string, Target>>(K.targets)) ?? {};
-    return Object.values(all).sort((a, b) => a.createdAt.localeCompare(b.createdAt));
-  }
-  async getTarget(id: string): Promise<Target | null> {
-    return (await this.redis.hget<Target>(K.targets, id)) ?? null;
-  }
-  async saveTarget(target: Target): Promise<void> {
-    await this.redis.hset(K.targets, { [target.id]: target });
-  }
-  async deleteTarget(id: string): Promise<void> {
-    await this.redis.hdel(K.targets, id);
-    await this.redis.del(K.token(id), K.findings(id));
-  }
-  async getTargetToken(id: string): Promise<string | null> {
-    return (await this.redis.get<string>(K.token(id))) ?? null;
-  }
-  async setTargetToken(id: string, token: string | null): Promise<void> {
-    if (token) await this.redis.set(K.token(id), token);
-    else await this.redis.del(K.token(id));
-  }
-  async listFindings(targetId?: string): Promise<Finding[]> {
-    if (targetId) return (await this.redis.get<Finding[]>(K.findings(targetId))) ?? [];
-    const targets = await this.listTargets();
-    const lists = await Promise.all(targets.map((t) => this.listFindings(t.id)));
-    return lists.flat();
-  }
-  async replaceTargetFindings(targetId: string, findings: Finding[]): Promise<void> {
-    await this.redis.set(K.findings(targetId), findings);
-  }
-  async upsertFinding(finding: Finding): Promise<void> {
-    const existing = await this.listFindings(finding.targetId);
-    const next = existing.filter((f) => f.id !== finding.id);
-    next.push(finding);
-    await this.replaceTargetFindings(finding.targetId, next);
-  }
-  async getSettings(): Promise<Settings> {
-    return (await this.redis.get<Settings>(K.settings)) ?? DEFAULT_SETTINGS;
-  }
-  async saveSettings(settings: Settings): Promise<void> {
-    await this.redis.set(K.settings, settings);
-  }
-}
-
-// Process-local fallback so the app boots and is testable without a KV store.
-// Not durable across serverless invocations — configure Redis/KV for production.
-const mem = {
-  targets: new Map<string, Target>(),
-  tokens: new Map<string, string>(),
-  findings: new Map<string, Finding[]>(),
-  settings: null as Settings | null,
-};
-
-class MemoryStore implements Store {
-  async listTargets(): Promise<Target[]> {
-    return [...mem.targets.values()].sort((a, b) => a.createdAt.localeCompare(b.createdAt));
-  }
-  async getTarget(id: string): Promise<Target | null> {
-    return mem.targets.get(id) ?? null;
-  }
-  async saveTarget(target: Target): Promise<void> {
-    mem.targets.set(target.id, target);
-  }
-  async deleteTarget(id: string): Promise<void> {
-    mem.targets.delete(id);
-    mem.tokens.delete(id);
-    mem.findings.delete(id);
-  }
-  async getTargetToken(id: string): Promise<string | null> {
-    return mem.tokens.get(id) ?? null;
-  }
-  async setTargetToken(id: string, token: string | null): Promise<void> {
-    if (token) mem.tokens.set(id, token);
-    else mem.tokens.delete(id);
-  }
-  async listFindings(targetId?: string): Promise<Finding[]> {
-    if (targetId) return mem.findings.get(targetId) ?? [];
-    return [...mem.findings.values()].flat();
-  }
-  async replaceTargetFindings(targetId: string, findings: Finding[]): Promise<void> {
-    mem.findings.set(targetId, findings);
-  }
-  async upsertFinding(finding: Finding): Promise<void> {
-    const existing = mem.findings.get(finding.targetId) ?? [];
-    mem.findings.set(finding.targetId, [...existing.filter((f) => f.id !== finding.id), finding]);
-  }
-  async getSettings(): Promise<Settings> {
-    return mem.settings ?? DEFAULT_SETTINGS;
-  }
-  async saveSettings(settings: Settings): Promise<void> {
-    mem.settings = settings;
-  }
-}
-
-let store: Store | null = null;
-
-export function getStore(): Store {
-  if (store) return store;
-
-  const url = process.env.KV_REST_API_URL ?? process.env.UPSTASH_REDIS_REST_URL;
-  const token = process.env.KV_REST_API_TOKEN ?? process.env.UPSTASH_REDIS_REST_TOKEN;
-
-  if (url && token) {
-    store = new RedisStore(new Redis({ url, token }));
-  } else {
-    if (process.env.NODE_ENV === "production") {
-      console.warn(
-        "[openhacker] No KV/Redis env configured — using in-memory store. " +
-          "Data will NOT persist. Add a Vercel KV / Upstash Redis integration.",
-      );
-    }
-    store = new MemoryStore();
-  }
-  return store;
-}
-
-export function isPersistent(): boolean {
-  const url = process.env.KV_REST_API_URL ?? process.env.UPSTASH_REDIS_REST_URL;
-  const token = process.env.KV_REST_API_TOKEN ?? process.env.UPSTASH_REDIS_REST_TOKEN;
-  return Boolean(url && token);
-}

package/templates/agent/agent/lib/types.ts

@@ -1,63 +0,0 @@
-export type Severity = "critical" | "high" | "medium" | "low" | "info";
-
-export type FindingCategory =
-  | "dependency"
-  | "injection"
-  | "authz"
-  | "ssrf"
-  | "secrets"
-  | "xss"
-  | "deserialization"
-  | "other";
-
-export type Target = {
-  id: string;
-  name: string;
-  /** "owner/name" on GitHub. */
-  repo: string;
-  branch: string;
-  provider: "github";
-  hasToken: boolean;
-  autoRemediate: boolean;
-  createdAt: string;
-  lastScanAt?: string;
-  lastScanStatus?: "ok" | "error";
-  lastScanError?: string;
-};
-
-export type Finding = {
-  id: string;
-  targetId: string;
-  title: string;
-  severity: Severity;
-  category: FindingCategory;
-  packageName?: string;
-  installedVersion?: string;
-  advisoryIds?: string[];
-  location?: { file: string; startLine?: number; endLine?: number; symbol?: string };
-  proof: { status: "proven" | "likely" | "unconfirmed"; evidence?: string; poc?: string };
-  remediation?: { summary: string; fixedVersion?: string; prUrl?: string };
-  status: "open" | "triaged" | "fixed" | "ignored" | "false_positive";
-  references?: string[];
-  firstSeen: string;
-  lastSeen: string;
-};
-
-export type Settings = {
-  /** Gateway model id used by the eve agent for deep analysis. */
-  model: string;
-  autoRemediate: boolean;
-  integrations: {
-    github: { connected: boolean };
-    hackerone: { connected: boolean; handle?: string };
-  };
-};
-
-export const DEFAULT_SETTINGS: Settings = {
-  model: "anthropic/claude-sonnet-4.6",
-  autoRemediate: false,
-  integrations: {
-    github: { connected: false },
-    hackerone: { connected: false },
-  },
-};

package/templates/agent/agent/schedules/daily_audit.ts

@@ -1,20 +0,0 @@
-import { defineSchedule } from "eve/schedules";
-import { runScan } from "../lib/scan";
-import { getStore } from "../lib/store";
-
-// Becomes a Vercel Cron Job on deploy. Vercel evaluates cron in UTC.
-// Deterministically re-scans every configured target's dependencies against OSV,
-// so newly disclosed advisories are caught even when the code has not changed.
-export default defineSchedule({
-  cron: "0 6 * * *",
-  run({ waitUntil }) {
-    waitUntil(
-      (async () => {
-        const targets = await getStore().listTargets();
-        for (const target of targets) {
-          await runScan(target.id);
-        }
-      })(),
-    );
-  },
-});

package/templates/agent/agent/tools/check_advisories.ts

@@ -1,27 +0,0 @@
-import { defineTool } from "eve/tools";
-import { z } from "zod";
-import { queryOsv } from "../lib/osv";
-
-export default defineTool({
-  description:
-    "Check a package against the OSV.dev vulnerability database. Returns known " +
-    "advisories (CVE/GHSA) affecting the given version. Use this to confirm whether " +
-    "a dependency's INSTALLED version is actually vulnerable before reporting it.",
-  inputSchema: z.object({
-    name: z.string().min(1).describe("Package name, e.g. 'next' or 'lodash'."),
-    version: z.string().optional().describe("Installed version, e.g. '14.1.0'."),
-    ecosystem: z
-      .enum(["npm", "PyPI", "Go", "crates.io", "Maven", "RubyGems", "NuGet"])
-      .default("npm"),
-  }),
-  async execute({ name, version, ecosystem }) {
-    const advisories = await queryOsv(name, version, ecosystem);
-    return {
-      package: name,
-      version: version ?? null,
-      ecosystem,
-      advisoryCount: advisories.length,
-      advisories,
-    };
-  },
-});

package/templates/agent/agent/tools/list_targets.ts

@@ -1,21 +0,0 @@
-import { defineTool } from "eve/tools";
-import { z } from "zod";
-import { getStore } from "../lib/store";
-
-export default defineTool({
-  description: "List the repositories (targets) configured for scanning in this OpenHacker instance.",
-  inputSchema: z.object({}),
-  async execute() {
-    const targets = await getStore().listTargets();
-    return {
-      targets: targets.map((t) => ({
-        id: t.id,
-        name: t.name,
-        repo: t.repo,
-        branch: t.branch,
-        autoRemediate: t.autoRemediate,
-        lastScanAt: t.lastScanAt ?? null,
-      })),
-    };
-  },
-});

package/templates/agent/agent/tools/read_repo_file.ts

@@ -1,31 +0,0 @@
-import { defineTool } from "eve/tools";
-import { z } from "zod";
-import { getFile, listDir } from "../lib/github";
-import { getStore } from "../lib/store";
-
-export default defineTool({
-  description:
-    "Read a file or list a directory from a target's repository, for code-level " +
-    "vulnerability analysis. Use directory listings to find route handlers, server " +
-    "actions, and other trust boundaries, then read those files.",
-  inputSchema: z.object({
-    targetId: z.string(),
-    path: z.string().default("").describe("Repo-relative path. Empty string lists the repo root."),
-    mode: z.enum(["file", "list"]).default("file"),
-  }),
-  async execute({ targetId, path, mode }) {
-    const store = getStore();
-    const target = await store.getTarget(targetId);
-    if (!target) return { ok: false as const, error: "Target not found" };
-    const token = await store.getTargetToken(targetId);
-
-    if (mode === "list") {
-      const entries = await listDir(target.repo, path, target.branch, token);
-      return { ok: true as const, mode, path, entries };
-    }
-
-    const content = await getFile(target.repo, path, target.branch, token);
-    if (content == null) return { ok: false as const, error: `File not found: ${path}` };
-    return { ok: true as const, mode, path, content: content.slice(0, 60_000) };
-  },
-});

package/templates/agent/agent/tools/report_finding.ts

@@ -1,59 +0,0 @@
-import { createHash } from "node:crypto";
-import { defineTool } from "eve/tools";
-import { z } from "zod";
-import { getStore } from "../lib/store";
-import type { Finding } from "../lib/types";
-
-export default defineTool({
-  description:
-    "Persist a confirmed code-level vulnerability for a target. Only call this when " +
-    "you have evidence the issue applies to the target's code. Be honest about proof status. " +
-    "Dependency advisories are recorded by run_dependency_scan; use this for code findings.",
-  inputSchema: z.object({
-    targetId: z.string().describe("The target this finding belongs to."),
-    title: z.string().min(1),
-    severity: z.enum(["critical", "high", "medium", "low", "info"]),
-    category: z.enum(["injection", "authz", "ssrf", "secrets", "xss", "deserialization", "other"]),
-    location: z
-      .object({
-        file: z.string(),
-        startLine: z.number().int().optional(),
-        endLine: z.number().int().optional(),
-        symbol: z.string().optional(),
-      })
-      .optional(),
-    proof: z.object({
-      status: z.enum(["proven", "likely", "unconfirmed"]),
-      poc: z.string().optional(),
-      evidence: z.string().optional(),
-    }),
-    remediation: z.object({ summary: z.string(), fixedVersion: z.string().optional() }).optional(),
-  }),
-  async execute(input) {
-    const id = createHash("sha256")
-      .update(`${input.targetId}::${input.category}::${input.location?.file ?? ""}::${input.title}`.toLowerCase())
-      .digest("hex")
-      .slice(0, 16);
-
-    const now = new Date().toISOString();
-    const store = getStore();
-    const existing = (await store.listFindings(input.targetId)).find((f) => f.id === id);
-
-    const finding: Finding = {
-      id,
-      targetId: input.targetId,
-      title: input.title,
-      severity: input.severity,
-      category: input.category,
-      location: input.location,
-      proof: input.proof,
-      remediation: input.remediation,
-      status: existing?.status ?? "open",
-      firstSeen: existing?.firstSeen ?? now,
-      lastSeen: now,
-    };
-
-    await store.upsertFinding(finding);
-    return { id, recorded: true };
-  },
-});

package/templates/agent/agent/tools/run_dependency_scan.ts

@@ -1,16 +0,0 @@
-import { defineTool } from "eve/tools";
-import { z } from "zod";
-import { runScan } from "../lib/scan";
-
-export default defineTool({
-  description:
-    "Run the deterministic dependency vulnerability scan for a target: fetches its " +
-    "manifest/lockfile, checks every dependency against OSV, and persists findings. " +
-    "Run this first, then reason about which findings are actually reachable.",
-  inputSchema: z.object({
-    targetId: z.string().describe("The target to scan."),
-  }),
-  async execute({ targetId }) {
-    return runScan(targetId);
-  },
-});

package/templates/agent/app/_components/ui.tsx

@@ -1,29 +0,0 @@
-import type { Finding, Severity } from "@/agent/lib/types";
-
-const ORDER: Severity[] = ["critical", "high", "medium", "low", "info"];
-
-export function SeverityBadge({ severity }: { severity: Severity }) {
-  return <span className={`badge sev-${severity}`}>{severity}</span>;
-}
-
-export function SeverityCounts({ findings }: { findings: Finding[] }) {
-  const open = findings.filter((f) => f.status === "open" || f.status === "triaged");
-  const counts = ORDER.map((sev) => ({
-    sev,
-    n: open.filter((f) => f.severity === sev).length,
-  })).filter((c) => c.n > 0);
-
-  if (counts.length === 0) {
-    return <span className="mono-sm">no open findings</span>;
-  }
-
-  return (
-    <span className="counts">
-      {counts.map((c) => (
-        <span key={c.sev} className={`badge sev-${c.sev}`}>
-          {c.n} {c.sev}
-        </span>
-      ))}
-    </span>
-  );
-}

package/templates/agent/app/actions.ts

@@ -1,120 +0,0 @@
-"use server";
-
-import { cookies } from "next/headers";
-import { redirect } from "next/navigation";
-import { revalidatePath } from "next/cache";
-import { SESSION_COOKIE, adminPassword, sessionToken } from "@/agent/lib/auth";
-import { checkRepoAccess } from "@/agent/lib/github";
-import { runScan } from "@/agent/lib/scan";
-import { getStore } from "@/agent/lib/store";
-import { DEFAULT_SETTINGS, type Finding, type Target } from "@/agent/lib/types";
-
-function parseRepo(input: string): string | null {
-  const trimmed = input.trim().replace(/\.git$/, "");
-  const url = trimmed.match(/github\.com[/:]([^/]+\/[^/]+)/);
-  const candidate = url ? url[1] : trimmed;
-  return /^[^/\s]+\/[^/\s]+$/.test(candidate) ? candidate : null;
-}
-
-export async function login(formData: FormData): Promise<void> {
-  const password = String(formData.get("password") ?? "");
-  const next = String(formData.get("next") ?? "/") || "/";
-  const expected = adminPassword();
-
-  if (!expected || password !== expected) {
-    redirect(`/login?error=1&next=${encodeURIComponent(next)}`);
-  }
-
-  const jar = await cookies();
-  jar.set(SESSION_COOKIE, await sessionToken(password), {
-    httpOnly: true,
-    sameSite: "lax",
-    secure: process.env.NODE_ENV === "production",
-    path: "/",
-    maxAge: 60 * 60 * 24 * 30,
-  });
-  redirect(next);
-}
-
-export async function logout(): Promise<void> {
-  const jar = await cookies();
-  jar.delete(SESSION_COOKIE);
-  redirect("/login");
-}
-
-export async function addTarget(formData: FormData): Promise<void> {
-  const repo = parseRepo(String(formData.get("repo") ?? ""));
-  if (!repo) redirect("/?error=invalid-repo");
-
-  const name = String(formData.get("name") ?? "").trim() || repo.split("/")[1];
-  const branchInput = String(formData.get("branch") ?? "").trim();
-  const token = String(formData.get("token") ?? "").trim();
-  const autoRemediate = formData.get("autoRemediate") === "on";
-
-  const access = await checkRepoAccess(repo, token || null);
-  const branch = branchInput || access.defaultBranch || "main";
-
-  const target: Target = {
-    id: crypto.randomUUID(),
-    name,
-    repo,
-    branch,
-    provider: "github",
-    hasToken: Boolean(token),
-    autoRemediate,
-    createdAt: new Date().toISOString(),
-  };
-
-  const store = getStore();
-  await store.saveTarget(target);
-  if (token) await store.setTargetToken(target.id, token);
-
-  revalidatePath("/");
-  redirect(`/targets/${target.id}`);
-}
-
-export async function deleteTarget(formData: FormData): Promise<void> {
-  const id = String(formData.get("id") ?? "");
-  if (id) await getStore().deleteTarget(id);
-  revalidatePath("/");
-  redirect("/");
-}
-
-export async function scanTarget(formData: FormData): Promise<void> {
-  const id = String(formData.get("id") ?? "");
-  if (id) await runScan(id);
-  revalidatePath("/");
-  revalidatePath(`/targets/${id}`);
-}
-
-export async function setFindingStatus(formData: FormData): Promise<void> {
-  const targetId = String(formData.get("targetId") ?? "");
-  const findingId = String(formData.get("findingId") ?? "");
-  const status = String(formData.get("status") ?? "open") as Finding["status"];
-
-  const store = getStore();
-  const findings = await store.listFindings(targetId);
-  const match = findings.find((f) => f.id === findingId);
-  if (match) await store.upsertFinding({ ...match, status });
-
-  revalidatePath(`/targets/${targetId}`);
-}
-
-export async function saveSettings(formData: FormData): Promise<void> {
-  const store = getStore();
-  const current = await store.getSettings();
-  await store.saveSettings({
-    ...DEFAULT_SETTINGS,
-    ...current,
-    model: String(formData.get("model") ?? current.model) || DEFAULT_SETTINGS.model,
-    autoRemediate: formData.get("autoRemediate") === "on",
-    integrations: {
-      github: { connected: formData.get("githubConnected") === "on" },
-      hackerone: {
-        connected: formData.get("hackeroneConnected") === "on",
-        handle: String(formData.get("hackeroneHandle") ?? "").trim() || undefined,
-      },
-    },
-  });
-  revalidatePath("/settings");
-}

package/templates/agent/app/api/scan/route.ts

@@ -1,34 +0,0 @@
-import { runScan } from "@/agent/lib/scan";
-import { getStore } from "@/agent/lib/store";
-
-export const runtime = "nodejs";
-
-function authorized(req: Request): boolean {
-  const token = process.env.OPENHACKER_API_TOKEN;
-  if (!token) return true; // no API token configured — allow (dev)
-  const header = req.headers.get("authorization") ?? "";
-  return header === `Bearer ${token}`;
-}
-
-/** Trigger a scan programmatically. Body: { targetId?: string } — omit to scan all. */
-export async function POST(req: Request): Promise<Response> {
-  if (!authorized(req)) {
-    return Response.json({ error: "unauthorized" }, { status: 401 });
-  }
-
-  let targetId: string | undefined;
-  try {
-    const body = (await req.json()) as { targetId?: string };
-    targetId = body.targetId;
-  } catch {
-    // no body — scan all
-  }
-
-  const store = getStore();
-  const targets = targetId ? [targetId] : (await store.listTargets()).map((t) => t.id);
-  const results = await Promise.all(
-    targets.map(async (id) => ({ targetId: id, ...(await runScan(id)) })),
-  );
-
-  return Response.json({ scanned: results.length, results });
-}

package/templates/agent/app/login/page.tsx

@@ -1,40 +0,0 @@
-import { authEnabled } from "@/agent/lib/auth";
-import { login } from "../actions";
-
-export const dynamic = "force-dynamic";
-
-export default async function LoginPage({
-  searchParams,
-}: {
-  searchParams: Promise<{ error?: string; next?: string }>;
-}) {
-  const { error, next } = await searchParams;
-
-  return (
-    <main className="container">
-      <div className="login-wrap">
-        <h1>
-          open<span style={{ color: "var(--accent)" }}>hacker</span>
-        </h1>
-        <p className="sub">Sign in to your instance.</p>
-
-        {!authEnabled() ? (
-          <div className="banner">
-            No admin password is set. The dashboard is currently open — set{" "}
-            <code>OPENHACKER_ADMIN_PASSWORD</code> to require sign-in.
-          </div>
-        ) : null}
-        {error ? <div className="banner">Incorrect password.</div> : null}
-
-        <form action={login} className="panel">
-          <input type="hidden" name="next" value={next ?? "/"} />
-          <label htmlFor="password">Password</label>
-          <input id="password" name="password" type="password" autoFocus required />
-          <button type="submit" style={{ marginTop: 14 }}>
-            Sign in
-          </button>
-        </form>
-      </div>
-    </main>
-  );
-}