openhacker 0.1.2 → 0.1.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openhacker",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Scaffold a self-hosted OpenHacker security agent",
   "license": "UNLICENSED",
   "type": "module",
@@ -19,14 +19,16 @@
     "templates",
     "README.md"
   ],
+  "scripts": {
+    "build": "tsc --noEmit && node --check ./bin/openhacker && node --check ./src/index.js && node --check ./scripts/sync-template.js && node --check ./scripts/clean-template.js",
+    "sync-template": "node ./scripts/sync-template.js",
+    "prepack": "pnpm run sync-template",
+    "postpack": "node ./scripts/clean-template.js"
+  },
   "engines": {
     "node": ">=20"
   },
   "devDependencies": {
     "typescript": "6.0.2"
-  },
-  "scripts": {
-    "build": "tsc --noEmit && node --check ./bin/openhacker && node --check ./src/index.js && node --check ./scripts/sync-template.js && node --check ./scripts/clean-template.js",
-    "sync-template": "node ./scripts/sync-template.js"
   }
-}
+}

package/templates/agent/.env.example

@@ -3,11 +3,3 @@
 # For LOCAL runs of the eve agent, provide a gateway key:
 AI_GATEWAY_API_KEY=
 
-# --- Persistent storage ---
-# Add a Vercel KV / Upstash Redis integration. Without these, an in-memory store is
-# used and data does NOT persist across restarts/deploys.
-KV_REST_API_URL=
-KV_REST_API_TOKEN=
-
-# --- Optional: protect POST /api/scan for programmatic triggers ---
-OPENHACKER_API_TOKEN=

package/templates/agent/README.md

@@ -15,13 +15,20 @@ Your self-hosted OpenHacker security agent — a Next.js dashboard with an embed
 
 1. Push this directory to a Git repository.
 2. Import it into Vercel (it deploys as one project — UI + agent + cron).
-3. Add a **KV / Upstash Redis** integration from the Vercel Marketplace so findings persist
-   (`KV_REST_API_URL` / `KV_REST_API_TOKEN` are injected automatically).
+3. Enable Vercel Deployment Protection for the project so only approved users
+   can reach the dashboard and eve routes.
 4. Open the deployment URL and add a target repository.
 
 Inference runs through the Vercel AI Gateway and authenticates automatically via Vercel
 OIDC — no model API key required in production.
 
+The main screen calls the eve channel directly. This is safe only when the
+deployment is protected by Vercel Deployment Protection; without that gate,
+`/eve/v1/*` is a public compute endpoint. The UI validates GitHub repository
+names before it sends the agent message.
+
+This starter intentionally does not configure external persistence yet.
+
 ## Local development
 
 ```bash

package/templates/agent/agent/channels/eve.ts

@@ -1,7 +1,7 @@
 import { eveChannel } from "eve/channels/eve";
 import { none } from "eve/channels/auth";
 
-// Public demo: anyone can call the agent from the browser. Add real auth
-// (e.g. vercelOidc/localDev or your own session check) before exposing
-// anything sensitive.
+// This app is intended to run behind Vercel Deployment Protection. The
+// deployment gate owns user access; the Eve channel accepts requests that reach
+// the protected app.
 export default eveChannel({ auth: [none()] });

package/templates/agent/agent/instructions.md

@@ -4,7 +4,6 @@ You are OpenHacker, an application security agent.
 
 The user gives you a GitHub repository (as `owner/name` or a github.com URL). Analyze it for security vulnerabilities and report your findings.
 
-- Briefly narrate what you are checking as you go (dependencies, auth, input handling, secrets, etc.).
 - Use the shell to clone and explore the repo. Use `ls`/`find` to list directories; only use `read_file` on actual file paths, never on a directory.
 - Call out concrete risks with severity and, where possible, how to fix them.
 - If you cannot access the repository, say so plainly.

package/templates/agent/app/globals.css

@@ -95,13 +95,35 @@ h1 span {
   margin-bottom: 0;
 }
 .reply .reasoning {
-  white-space: pre-wrap;
-  color: var(--muted);
-  font-size: 13px;
   margin: 0 0 12px;
   padding-left: 12px;
   border-left: 2px solid var(--border);
 }
+.reply .reasoning > summary {
+  cursor: pointer;
+  color: var(--muted);
+  font-size: 12px;
+  text-transform: uppercase;
+  letter-spacing: 0.5px;
+  list-style: none;
+  user-select: none;
+}
+.reply .reasoning > summary::-webkit-details-marker {
+  display: none;
+}
+.reply .reasoning > summary::before {
+  content: "› ";
+  display: inline-block;
+}
+.reply .reasoning[open] > summary::before {
+  content: "⌄ ";
+}
+.reply .reasoning > p {
+  white-space: pre-wrap;
+  color: var(--muted);
+  font-size: 13px;
+  margin: 8px 0 0;
+}
 
 .tool {
   display: flex;
@@ -123,6 +145,33 @@ h1 span {
   padding: 0 8px;
 }
 
+.hacking {
+  color: var(--muted);
+  font-size: 13px;
+  margin: 0;
+}
+.reply .text + .hacking {
+  margin-top: 12px;
+}
+.dots::after {
+  content: "";
+  animation: dots 1.2s steps(4, end) infinite;
+}
+@keyframes dots {
+  0% {
+    content: "";
+  }
+  25% {
+    content: ".";
+  }
+  50% {
+    content: "..";
+  }
+  75% {
+    content: "...";
+  }
+}
+
 .cursor {
   display: inline-block;
   width: 8px;

package/templates/agent/app/page.tsx

@@ -1,21 +1,31 @@
 "use client";
 
-import { useState } from "react";
+import { type SyntheticEvent, useState } from "react";
 import { useEveAgent } from "eve/react";
 
+import { validateGitHubRepository } from "@/lib/repository";
+
 export default function Home() {
   const [repo, setRepo] = useState("");
+  const [error, setError] = useState("");
   const agent = useEveAgent();
 
   const busy = agent.status === "submitted" || agent.status === "streaming";
 
-  function onSubmit(e: React.FormEvent) {
+  function onSubmit(e: SyntheticEvent<HTMLFormElement>) {
     e.preventDefault();
-    const value = repo.trim();
-    if (!value || busy) return;
+    if (busy) return;
+
+    const validation = validateGitHubRepository(repo);
+    if (!validation.ok) {
+      setError(validation.error);
+      return;
+    }
+
+    setError("");
     agent.reset();
     agent.send({
-      message: `Analyze the GitHub repository "${value}" for security vulnerabilities. Walk through what you check and report what you find.`,
+      message: `Analyze the GitHub repository ${validation.repository} for security vulnerabilities. Reply with only the final report.`,
     });
   }
 
@@ -23,6 +33,20 @@ export default function Home() {
     .reverse()
     .find((m) => m.role === "assistant");
 
+  const parts = reply?.parts ?? [];
+  const lastStep = parts.reduce<number | undefined>((max, p) => {
+    const idx = "stepIndex" in p ? p.stepIndex : undefined;
+    if (typeof idx !== "number") return max;
+    return max === undefined ? idx : Math.max(max, idx);
+  }, undefined);
+
+  let result = "";
+  for (const p of parts) {
+    if (p.type !== "text") continue;
+    if (lastStep !== undefined && p.stepIndex !== lastStep) continue;
+    result += p.text;
+  }
+
   return (
     <main className="container">
       <h1>
@@ -38,53 +62,28 @@ export default function Home() {
           value={repo}
           onChange={(e) => setRepo(e.target.value)}
           placeholder="owner/name or https://github.com/owner/name"
-          autoFocus
+          aria-label="GitHub repository"
         />
         <button type="submit" disabled={busy || !repo.trim()}>
           {busy ? "Analyzing…" : "Analyze"}
         </button>
       </form>
 
-      {reply ? (
+      {result || busy ? (
         <section className="reply">
-          {reply.parts.map((part, i) => {
-            if (part.type === "reasoning") {
-              return (
-                <p key={i} className="reasoning">
-                  {part.text}
-                </p>
-              );
-            }
-            if (part.type === "text") {
-              return (
-                <p key={i} className="text">
-                  {part.text}
-                </p>
-              );
-            }
-            if (part.type === "dynamic-tool") {
-              return (
-                <div key={i} className="tool">
-                  <span className="tool-name">{part.toolName}</span>
-                  <span className="tool-state">{part.state}</span>
-                </div>
-              );
-            }
-            return null;
-          })}
-          {agent.status === "streaming" ? (
-            <span className="cursor" aria-hidden />
+          {result ? <p className="text">{result}</p> : null}
+          {busy && !result ? (
+            <p className="hacking">
+              hacking
+              <span className="dots" aria-hidden />
+            </p>
           ) : null}
         </section>
-      ) : busy ? (
-        <section className="reply">
-          <span className="cursor" aria-hidden />
-        </section>
       ) : null}
 
-      {agent.status === "error" ? (
+      {error || agent.status === "error" ? (
         <div className="banner">
-          {String(agent.error ?? "Something went wrong.")}
+          {error || String(agent.error ?? "Something went wrong.")}
         </div>
       ) : null}
     </main>

package/templates/agent/lib/repository.ts

@@ -0,0 +1,81 @@
+const OWNER_PATTERN = /^[a-z\d](?:[a-z\d-]{0,37}[a-z\d])?$/i;
+const REPO_PATTERN = /^[a-z\d._-]{1,100}$/i;
+
+export type RepositoryValidationResult =
+  | { ok: true; repository: string }
+  | { ok: false; error: string };
+
+export function validateGitHubRepository(
+  input: string,
+): RepositoryValidationResult {
+  const value = input.trim();
+
+  if (!value) {
+    return { ok: false, error: "Enter a GitHub repository." };
+  }
+
+  if (value.length > 200) {
+    return { ok: false, error: "Repository input is too long." };
+  }
+
+  const path = extractRepositoryPath(value);
+  if (!path) {
+    return {
+      ok: false,
+      error: "Use owner/name or https://github.com/owner/name.",
+    };
+  }
+
+  const normalizedPath = path.endsWith(".git") ? path.slice(0, -4) : path;
+  const parts = normalizedPath.split("/");
+  if (parts.length !== 2) {
+    return {
+      ok: false,
+      error: "Use owner/name or https://github.com/owner/name.",
+    };
+  }
+
+  const [owner, repo] = parts;
+  if (!owner || !repo || !OWNER_PATTERN.test(owner) || !REPO_PATTERN.test(repo)) {
+    return {
+      ok: false,
+      error: "Repository must be a valid GitHub owner/name pair.",
+    };
+  }
+
+  if (repo === "." || repo === "..") {
+    return {
+      ok: false,
+      error: "Repository must be a valid GitHub owner/name pair.",
+    };
+  }
+
+  return { ok: true, repository: `${owner}/${repo}` };
+}
+
+function extractRepositoryPath(value: string): string | null {
+  if (/^https?:\/\//i.test(value)) {
+    try {
+      const url = new URL(value);
+      if (
+        url.hostname.toLowerCase() !== "github.com" ||
+        url.username ||
+        url.password ||
+        url.search ||
+        url.hash
+      ) {
+        return null;
+      }
+
+      return url.pathname.replace(/^\/|\/$/g, "");
+    } catch {
+      return null;
+    }
+  }
+
+  if (value.includes(":") || value.includes("\\") || value.includes("?")) {
+    return null;
+  }
+
+  return value.replace(/^\/|\/$/g, "");
+}

package/templates/agent/next.config.ts

@@ -1,8 +1,45 @@
 import type { NextConfig } from "next";
 import { withEve } from "eve/next";
 
-const nextConfig: NextConfig = {};
+const securityHeaders = [
+  { key: "Content-Security-Policy", value: csp() },
+  { key: "Referrer-Policy", value: "no-referrer" },
+  { key: "X-Content-Type-Options", value: "nosniff" },
+  { key: "X-Frame-Options", value: "DENY" },
+  {
+    key: "Permissions-Policy",
+    value: "camera=(), microphone=(), geolocation=(), payment=()",
+  },
+];
+
+const nextConfig: NextConfig = {
+  async headers() {
+    return [
+      {
+        headers: securityHeaders,
+        source: "/:path*",
+      },
+    ];
+  },
+};
 
 // Mounts the eve agent (agent/) and the dashboard as a single Vercel deployment.
 // Schedules under agent/schedules become Vercel Cron Jobs automatically.
 export default withEve(nextConfig);
+
+function csp() {
+  return [
+    "default-src 'self'",
+    "base-uri 'self'",
+    "connect-src 'self'",
+    "form-action 'self'",
+    "frame-ancestors 'none'",
+    "img-src 'self' data: blob:",
+    "object-src 'none'",
+    "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+    "style-src 'self' 'unsafe-inline'",
+    process.env.NODE_ENV === "production" ? "upgrade-insecure-requests" : "",
+  ]
+    .filter(Boolean)
+    .join("; ");
+}