npm - opmsec - Versions diffs - 0.1.0 → 0.1.3 - Mend

opmsec 0.1.0 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (124) hide show

package/.env.example +23 -13
package/README.md +256 -173
package/docs/architecture/agents.mdx +77 -0
package/docs/architecture/benchmarks.mdx +65 -0
package/docs/architecture/overview.mdx +58 -0
package/docs/architecture/scanner.mdx +53 -0
package/docs/cli/audit.mdx +35 -0
package/docs/cli/check.mdx +44 -0
package/docs/cli/fix.mdx +49 -0
package/docs/cli/info.mdx +44 -0
package/docs/cli/install.mdx +71 -0
package/docs/cli/push.mdx +99 -0
package/docs/cli/register-agent.mdx +80 -0
package/docs/cli/view.mdx +52 -0
package/docs/concepts/multi-agent-consensus.mdx +58 -0
package/docs/concepts/on-chain-registry.mdx +74 -0
package/docs/concepts/security-model.mdx +76 -0
package/docs/concepts/zk-agent-verification.mdx +82 -0
package/docs/configuration.mdx +82 -0
package/docs/contract/deployment.mdx +57 -0
package/docs/contract/events.mdx +115 -0
package/docs/contract/functions.mdx +220 -0
package/docs/contract/overview.mdx +58 -0
package/docs/favicon.svg +5 -0
package/docs/introduction.mdx +43 -0
package/docs/logo/dark.svg +5 -0
package/docs/logo/light.svg +5 -0
package/docs/mint.json +106 -0
package/docs/quickstart.mdx +133 -0
package/package.json +3 -3
package/packages/cli/src/commands/author-view.tsx +9 -1
package/packages/cli/src/commands/check.tsx +318 -0
package/packages/cli/src/commands/fix.tsx +294 -0
package/packages/cli/src/commands/install.tsx +229 -33
package/packages/cli/src/commands/push.tsx +53 -22
package/packages/cli/src/commands/register-agent.tsx +227 -0
package/packages/cli/src/components/AgentScores.tsx +20 -6
package/packages/cli/src/components/Hyperlink.tsx +30 -0
package/packages/cli/src/components/ScanReport.tsx +3 -2
package/packages/cli/src/index.tsx +41 -5
package/packages/cli/src/services/avatar.ts +43 -6
package/packages/cli/src/services/chainpatrol.ts +20 -17
package/packages/cli/src/services/contract.ts +41 -8
package/packages/cli/src/services/ens.ts +3 -5
package/packages/cli/src/services/fileverse.ts +12 -13
package/packages/cli/src/services/typosquat.ts +166 -0
package/packages/contracts/circuits/accuracy_verifier.circom +101 -0
package/packages/contracts/contracts/OPMRegistry.sol +63 -0
package/packages/contracts/scripts/deploy.ts +22 -3
package/packages/core/src/abi.ts +221 -0
package/packages/core/src/benchmarks.ts +450 -0
package/packages/core/src/constants.ts +20 -0
package/packages/core/src/index.ts +2 -0
package/packages/core/src/model-rankings.ts +115 -0
package/packages/core/src/prompt.ts +58 -0
package/packages/core/src/types.ts +41 -0
package/packages/core/src/utils.ts +7 -3
package/packages/scanner/src/agents/base-agent.ts +13 -3
package/packages/scanner/src/index.ts +5 -2
package/packages/scanner/src/queue/memory-queue.ts +8 -3
package/packages/scanner/src/services/benchmark-runner.ts +114 -0
package/packages/scanner/src/services/contract-writer.ts +2 -3
package/packages/scanner/src/services/fileverse.ts +26 -7
package/packages/scanner/src/services/openrouter.ts +46 -0
package/packages/scanner/src/services/report-formatter.ts +122 -3
package/packages/scanner/src/services/zk-verifier.ts +118 -0
package/packages/web/.next/app-build-manifest.json +15 -0
package/packages/web/.next/build-manifest.json +20 -0
package/packages/web/.next/package.json +1 -0
package/packages/web/.next/prerender-manifest.json +11 -0
package/packages/web/.next/react-loadable-manifest.json +1 -0
package/packages/web/.next/routes-manifest.json +1 -0
package/packages/web/.next/server/app/page.js +272 -0
package/packages/web/.next/server/app/page_client-reference-manifest.js +1 -0
package/packages/web/.next/server/app-paths-manifest.json +3 -0
package/packages/web/.next/server/interception-route-rewrite-manifest.js +1 -0
package/packages/web/.next/server/middleware-build-manifest.js +22 -0
package/packages/web/.next/server/middleware-manifest.json +6 -0
package/packages/web/.next/server/middleware-react-loadable-manifest.js +1 -0
package/packages/web/.next/server/next-font-manifest.js +1 -0
package/packages/web/.next/server/next-font-manifest.json +1 -0
package/packages/web/.next/server/pages-manifest.json +1 -0
package/packages/web/.next/server/server-reference-manifest.js +1 -0
package/packages/web/.next/server/server-reference-manifest.json +5 -0
package/packages/web/.next/server/vendor-chunks/@swc.js +55 -0
package/packages/web/.next/server/vendor-chunks/next.js +3010 -0
package/packages/web/.next/server/webpack-runtime.js +209 -0
package/packages/web/.next/static/chunks/app/layout.js +39 -0
package/packages/web/.next/static/chunks/app/page.js +61 -0
package/packages/web/.next/static/chunks/app-pages-internals.js +182 -0
package/packages/web/.next/static/chunks/main-app.js +1882 -0
package/packages/web/.next/static/chunks/polyfills.js +1 -0
package/packages/web/.next/static/chunks/webpack.js +1393 -0
package/packages/web/.next/static/css/app/layout.css +1237 -0
package/packages/web/.next/static/development/_buildManifest.js +1 -0
package/packages/web/.next/static/development/_ssgManifest.js +1 -0
package/packages/web/.next/static/webpack/633457081244afec._.hot-update.json +1 -0
package/packages/web/.next/static/webpack/6fee6306e0f98869.webpack.hot-update.json +1 -0
package/packages/web/.next/static/webpack/73e341375c8d429e.webpack.hot-update.json +1 -0
package/packages/web/.next/static/webpack/app/layout.6fee6306e0f98869.hot-update.js +22 -0
package/packages/web/.next/static/webpack/app/layout.73e341375c8d429e.hot-update.js +22 -0
package/packages/web/.next/static/webpack/app/page.6fee6306e0f98869.hot-update.js +22 -0
package/packages/web/.next/static/webpack/app/page.73e341375c8d429e.hot-update.js +22 -0
package/packages/web/.next/static/webpack/webpack.6fee6306e0f98869.hot-update.js +12 -0
package/packages/web/.next/static/webpack/webpack.73e341375c8d429e.hot-update.js +12 -0
package/packages/web/.next/trace +5 -0
package/packages/web/.next/types/app/layout.ts +84 -0
package/packages/web/.next/types/app/page.ts +84 -0
package/packages/web/.next/types/cache-life.d.ts +141 -0
package/packages/web/.next/types/package.json +1 -0
package/packages/web/.next/types/routes.d.ts +57 -0
package/packages/web/.next/types/validator.ts +61 -0
package/packages/web/app/globals.css +75 -0
package/packages/web/app/layout.tsx +26 -0
package/packages/web/app/page.tsx +358 -0
package/packages/web/bun.lock +300 -0
package/packages/web/next-env.d.ts +6 -0
package/packages/web/next.config.ts +5 -0
package/packages/web/package.json +26 -0
package/packages/web/postcss.config.mjs +8 -0
package/packages/web/public/favicon.svg +5 -0
package/packages/web/public/logo.svg +7 -0
package/packages/web/tailwind.config.ts +48 -0
package/packages/web/tsconfig.json +21 -0

package/packages/core/src/types.ts CHANGED Viewed

@@ -42,6 +42,10 @@ export interface AgentScanResult {
 export interface AgentEntry {
   agent_id: string;
   model: string;
+  model_intelligence?: number;
+  model_coding?: number;
+  model_weight?: number;
+  score_tx_hash?: string;
   result: AgentScanResult;
 }
@@ -102,3 +106,40 @@ export interface ChainPatrolResult {
   status: 'UNKNOWN' | 'ALLOWED' | 'BLOCKED';
   source: string;
 }
+export interface CheckDepResult {
+  name: string;
+  version: string;
+  typosquat: { likelyTarget: string; confidence: string; reason: string } | null;
+  cveCount: number;
+  cveCritical: number;
+  cveHigh: number;
+  cveIds: string[];
+  fixVersion: string | null;
+  onChainScore: number | null;
+}
+export interface CheckAgentResult {
+  agentId: string;
+  model: string;
+  intelligence: number;
+  coding: number;
+  findings: Array<{
+    package: string;
+    issue: string;
+    severity: string;
+    explanation: string;
+    suggested_replacement: string | null;
+    suggested_version: string | null;
+  }>;
+  overall: string;
+  riskScore: number;
+}
+export interface CheckReport {
+  project: string;
+  timestamp: string;
+  totalDeps: number;
+  deps: CheckDepResult[];
+  agents: CheckAgentResult[];
+}

package/packages/core/src/utils.ts CHANGED Viewed

@@ -17,10 +17,14 @@ export function truncateAddress(addr: string): string {
   return `${addr.slice(0, 6)}...${addr.slice(-4)}`;
 }
-export function getEnvOrThrow(key: string): string {
+export function getEnvOrThrow(key: string, ...fallbackKeys: string[]): string {
   const val = process.env[key];
-  if (!val) throw new Error(`Missing required env var: ${key}`);
-  return val;
+  if (val) return val;
+  for (const fk of fallbackKeys) {
+    const fv = process.env[fk];
+    if (fv) return fv;
+  }
+  throw new Error(`Missing required env var: ${key}`);
 }
 export function getEnvOrDefault(key: string, fallback: string): string {

package/packages/scanner/src/agents/base-agent.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { SYSTEM_PROMPT, buildUserPrompt } from '@opm/core';
+import { SYSTEM_PROMPT, buildUserPrompt, getModelRankingFor } from '@opm/core';
 import type { AgentEntry, KnownCVE } from '@opm/core';
 import {
   fetchPackageData, buildLocalPackageData, extractMetadata,
@@ -59,10 +59,16 @@ export async function runAgent(
   const userPrompt = buildUserPrompt(meta, history, sourceFiles, knownCVEs);
   const result = await callLLM(config.model, SYSTEM_PROMPT, userPrompt);
+  log(`[${config.agentId}] Fetching model intelligence ranking...`);
+  const { intelligence, coding, weight } = await getModelRankingFor(config.model);
+  log(`[${config.agentId}] ${config.model} — intelligence: ${intelligence}, coding: ${coding}, weight: ${weight}`);
   log(`[${config.agentId}] Submitting score (${result.risk_score}) to contract...`);
+  let scoreTxHash: string | undefined;
   try {
-    await submitScoreOnChain(packageName, version, result.risk_score, result.reasoning);
-    log(`[${config.agentId}] Score submitted on-chain`);
+    scoreTxHash = await submitScoreOnChain(packageName, version, result.risk_score, result.reasoning);
+    log(`[${config.agentId}] Score submitted on-chain ✓`);
   } catch (err: any) {
     log(`[${config.agentId}] On-chain: ${err?.shortMessage || err?.message || 'failed'}`);
   }
@@ -70,6 +76,10 @@ export async function runAgent(
   return {
     agent_id: config.agentId,
     model: config.model,
+    model_intelligence: intelligence,
+    model_coding: coding,
+    model_weight: weight,
+    score_tx_hash: scoreTxHash,
     result,
   };
 }

package/packages/scanner/src/index.ts CHANGED Viewed

@@ -4,10 +4,13 @@ export { enqueueScan } from './queue/memory-queue';
 export type { LocalScanContext } from './agents/base-agent';
 export { runAgent } from './agents/base-agent';
 export { getAgentConfigs } from './agents/agent-configs';
-export { callLLM, getLLMProvider } from './services/openrouter';
+export { callLLM, callLLMRaw, getLLMProvider } from './services/openrouter';
 export { fetchPackageData, extractMetadata, buildVersionHistory, fetchSourceFiles, extractLocalSourceFiles, buildLocalPackageData } from './services/npm-registry';
 export { submitScoreOnChain, setReportURIOnChain } from './services/contract-writer';
-export { uploadReportToFileverse, fetchReportFromFileverse } from './services/fileverse';
+export { uploadReportToFileverse, uploadCheckReportToFileverse, fetchReportFromFileverse } from './services/fileverse';
+export { formatCheckReportAsMarkdown } from './services/report-formatter';
+export { runBenchmarkSuite, type AgentCandidate, type BenchmarkRunResult } from './services/benchmark-runner';
+export { generateProof, verifyProof, generateCommitment, proofToOnChainBytes, type ZKProof } from './services/zk-verifier';
 if (import.meta.main) {
   const [pkg, ver] = process.argv.slice(2);

package/packages/scanner/src/queue/memory-queue.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import type { ScanReport, AgentEntry } from '@opm/core';
-import { averageScores, classifyRisk } from '@opm/core';
+import { classifyRisk, getModelWeight, calculateWeightedScore } from '@opm/core';
 import { runAgent, type LocalScanContext } from '../agents/base-agent';
 import { getAgentConfigs } from '../agents/agent-configs';
 import { setReportURIOnChain } from '../services/contract-writer';
@@ -57,8 +57,13 @@ async function executeScan(
   if (agents.length === 0) throw new Error('All agents failed');
-  const scores = agents.map((a) => a.result.risk_score);
-  const aggScore = averageScores(scores);
+  const weights = await Promise.all(agents.map(a => getModelWeight(a.model)));
+  const weightedScores = agents.map((a, i) => ({
+    score: a.result.risk_score,
+    weight: weights[i],
+  }));
+  const aggScore = calculateWeightedScore(weightedScores);
   const report: ScanReport = {
     package: packageName,

package/packages/scanner/src/services/benchmark-runner.ts ADDED Viewed

@@ -0,0 +1,114 @@
+import {
+  generateBenchmarkDataset,
+  buildBenchmarkPrompt,
+  evaluateBenchmark,
+  SYSTEM_PROMPT,
+  type BenchmarkCase,
+  type BenchmarkResult,
+} from '@opm/core';
+import { callLLM } from './openrouter';
+import {
+  generateCommitment,
+  generateProof,
+  verifyProof,
+  type ZKProof,
+} from './zk-verifier';
+export interface AgentCandidate {
+  name: string;
+  model: string;
+  systemPrompt?: string;
+}
+export interface BenchmarkRunResult {
+  candidate: AgentCandidate;
+  results: BenchmarkResult[];
+  passed: number;
+  failed: number;
+  total: number;
+  accuracyPct: number;
+  zkProof: ZKProof;
+  verified: boolean;
+  failureReasons: string[];
+}
+export async function runBenchmarkSuite(
+  candidate: AgentCandidate,
+  onStatus?: (msg: string) => void,
+): Promise<BenchmarkRunResult> {
+  const log = onStatus || console.log;
+  const benchmarks = generateBenchmarkDataset();
+  const systemPrompt = candidate.systemPrompt || SYSTEM_PROMPT;
+  log(`Generating benchmark commitment for ${benchmarks.length} test cases...`);
+  const expectedVerdicts = benchmarks.map((b) => {
+    const levelMap: Record<string, number> = { LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 3 };
+    return levelMap[b.expected.risk_level] ?? 0;
+  });
+  const commitment = generateCommitment(expectedVerdicts);
+  log(`Commitment generated: ${commitment.expectedHash.slice(0, 16)}...`);
+  const results: BenchmarkResult[] = [];
+  const actualVerdicts: number[] = [];
+  for (let i = 0; i < benchmarks.length; i++) {
+    const bench = benchmarks[i];
+    log(`[${i + 1}/${benchmarks.length}] ${bench.description}...`);
+    try {
+      const userPrompt = buildBenchmarkPrompt(bench);
+      const agentResult = await callLLM(candidate.model, systemPrompt, userPrompt);
+      const evaluation = evaluateBenchmark(bench, agentResult.risk_level, agentResult.risk_score);
+      results.push(evaluation);
+      const levelMap: Record<string, number> = { LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 3 };
+      actualVerdicts.push(evaluation.verdict === 'PASS'
+        ? (levelMap[bench.expected.risk_level] ?? 0)
+        : (levelMap[agentResult.risk_level] ?? 0));
+      const icon = evaluation.verdict === 'PASS' ? '✓' : '✗';
+      log(`[${i + 1}/${benchmarks.length}] ${icon} ${bench.category}: score=${agentResult.risk_score} level=${agentResult.risk_level} (expected ${bench.expected.risk_level})`);
+    } catch (err: any) {
+      log(`[${i + 1}/${benchmarks.length}] ✗ Error: ${err?.message || 'failed'}`);
+      results.push({
+        caseId: bench.id,
+        category: bench.category,
+        expectedLevel: bench.expected.risk_level,
+        actualLevel: 'ERROR',
+        expectedScoreRange: [bench.expected.min_risk_score, bench.expected.max_risk_score],
+        actualScore: -1,
+        verdict: 'FAIL',
+        reason: `Agent error: ${err?.message || 'unknown'}`,
+      });
+      actualVerdicts.push(-1);
+    }
+  }
+  log('Generating ZK proof of accuracy...');
+  const zkProof = generateProof(commitment, expectedVerdicts, actualVerdicts);
+  const verified = verifyProof(zkProof);
+  const passed = results.filter((r) => r.verdict === 'PASS').length;
+  const failed = results.filter((r) => r.verdict === 'FAIL').length;
+  const failureReasons = results
+    .filter((r) => r.verdict === 'FAIL')
+    .map((r) => `${r.caseId} (${r.category}): ${r.reason}`);
+  log(`ZK proof ${verified ? 'verified ✓' : 'INVALID ✗'}`);
+  log(`Accuracy: ${passed}/${results.length} (${Math.round((passed / results.length) * 100)}%)`);
+  return {
+    candidate,
+    results,
+    passed,
+    failed,
+    total: results.length,
+    accuracyPct: Math.round((passed / results.length) * 100),
+    zkProof,
+    verified,
+    failureReasons,
+  };
+}

package/packages/scanner/src/services/contract-writer.ts CHANGED Viewed

@@ -1,12 +1,11 @@
 import { ethers } from 'ethers';
-import { OPM_REGISTRY_ABI, getEnvOrThrow, getEnvOrDefault, BASE_SEPOLIA_RPC } from '@opm/core';
+import { OPM_REGISTRY_ABI, getEnvOrThrow, getEnvOrDefault, BASE_SEPOLIA_RPC, DEFAULT_CONTRACT_ADDRESS } from '@opm/core';
 function getContract() {
   const rpc = getEnvOrDefault('BASE_SEPOLIA_RPC_URL', BASE_SEPOLIA_RPC);
   const provider = new ethers.JsonRpcProvider(rpc);
   const wallet = new ethers.Wallet(getEnvOrThrow('AGENT_PRIVATE_KEY'), provider);
-  const address = getEnvOrThrow('CONTRACT_ADDRESS');
-  return new ethers.Contract(address, OPM_REGISTRY_ABI, wallet);
+  return new ethers.Contract(getEnvOrDefault('CONTRACT_ADDRESS', DEFAULT_CONTRACT_ADDRESS), OPM_REGISTRY_ABI, wallet);
 }
 export async function submitScoreOnChain(

package/packages/scanner/src/services/fileverse.ts CHANGED Viewed

@@ -1,13 +1,11 @@
-import type { ScanReport } from '@opm/core';
-import { getEnvOrDefault } from '@opm/core';
-import { formatReportAsMarkdown } from './report-formatter';
-const DEFAULT_API_URL = 'http://localhost:8001';
+import type { ScanReport, CheckReport } from '@opm/core';
+import { getEnvOrDefault, FILEVERSE_DEFAULT_URL } from '@opm/core';
+import { formatReportAsMarkdown, formatCheckReportAsMarkdown } from './report-formatter';
 const POLL_INTERVAL_MS = 3000;
 const POLL_TIMEOUT_MS = 60_000;
 function getApiConfig() {
-  const apiUrl = getEnvOrDefault('FILEVERSE_API_URL', DEFAULT_API_URL);
+  const apiUrl = getEnvOrDefault('FILEVERSE_API_URL', FILEVERSE_DEFAULT_URL);
   const apiKey = process.env.FILEVERSE_API_KEY;
   if (!apiKey) throw new Error('FILEVERSE_API_KEY is required (generate at ddocs.new → Settings → Developer Mode)');
   return { apiUrl, apiKey };
@@ -56,11 +54,32 @@ async function pollForSync(apiUrl: string, apiKey: string, ddocId: string): Prom
   return `https://ddocs.new/pending/${ddocId}`;
 }
+export async function uploadCheckReportToFileverse(report: CheckReport): Promise<string> {
+  const { apiUrl, apiKey } = getApiConfig();
+  const title = `OPM Check Report: ${report.project} (${report.totalDeps} deps)`;
+  const content = formatCheckReportAsMarkdown(report);
+  const res = await fetch(`${apiUrl}/api/ddocs?apiKey=${encodeURIComponent(apiKey)}`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ title, content }),
+  });
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`Fileverse create failed (${res.status}): ${body}`);
+  }
+  const { data } = await res.json() as { data: { ddocId: string; syncStatus: string; link?: string } };
+  if (data.syncStatus === 'synced' && data.link) return data.link;
+  return pollForSync(apiUrl, apiKey, data.ddocId);
+}
 export async function fetchReportFromFileverse(reportURI: string): Promise<ScanReport | null> {
   if (!reportURI || reportURI.startsWith('local://')) return null;
   const apiKey = process.env.FILEVERSE_API_KEY;
-  const apiUrl = getEnvOrDefault('FILEVERSE_API_URL', DEFAULT_API_URL);
+  const apiUrl = getEnvOrDefault('FILEVERSE_API_URL', FILEVERSE_DEFAULT_URL);
   const ddocId = extractDdocId(reportURI);
   if (ddocId && apiKey) {

package/packages/scanner/src/services/openrouter.ts CHANGED Viewed

@@ -84,3 +84,49 @@ export async function callLLM(
   return parsed;
 }
+export async function callLLMRaw<T = unknown>(
+  model: string,
+  systemPrompt: string,
+  userPrompt: string,
+): Promise<T> {
+  const { apiUrl, apiKey, kind } = getProvider();
+  const headers: Record<string, string> = {
+    'Authorization': `Bearer ${apiKey}`,
+    'Content-Type': 'application/json',
+  };
+  if (kind === 'openrouter') {
+    headers['HTTP-Referer'] = 'https://opm.dev';
+    headers['X-Title'] = 'OPM Security Scanner';
+  }
+  const res = await fetch(apiUrl, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify({
+      model,
+      messages: [
+        { role: 'system', content: systemPrompt },
+        { role: 'user', content: userPrompt },
+      ],
+      response_format: { type: 'json_object' },
+      temperature: 0.1,
+      max_tokens: 4096,
+    }),
+  });
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`${kind} ${res.status}: ${body}`);
+  }
+  const data = await res.json() as { choices: Array<{ message: { content: string } }> };
+  const raw = data.choices?.[0]?.message?.content;
+  if (!raw) throw new Error(`Empty response from ${kind}/${model}`);
+  const parsed = safeJsonParse<T>(raw);
+  if (!parsed) throw new Error(`Invalid JSON from ${model}: ${raw.slice(0, 200)}`);
+  return parsed;
+}

package/packages/scanner/src/services/report-formatter.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import type { ScanReport, AgentEntry, Vulnerability, SupplyChainIndicators } from '@opm/core';
+import type { ScanReport, AgentEntry, Vulnerability, SupplyChainIndicators, CheckReport } from '@opm/core';
 function riskEmoji(score: number): string {
   if (score >= 70) return '🔴';
@@ -49,10 +49,15 @@ function formatAgent(agent: AgentEntry, index: number): string {
   const { result } = agent;
   const emoji = riskEmoji(result.risk_score);
+  const modelLines = [`- **Model:** \`${agent.model}\``];
+  if (agent.model_intelligence || agent.model_coding) {
+    modelLines.push(`- **AI Intelligence Index:** ${agent.model_intelligence || '—'}/100 | **Coding Index:** ${agent.model_coding || '—'}/100 | **Weight:** ${agent.model_weight || '—'}`);
+  }
   return [
     `### Agent ${index + 1}: \`${agent.agent_id}\``,
     '',
-    `- **Model:** \`${agent.model}\``,
+    ...modelLines,
     `- **Risk Score:** ${emoji} **${result.risk_score}/100** (${result.risk_level})`,
     `- **Recommendation:** ${result.recommendation}`,
     '',
@@ -101,10 +106,12 @@ export function formatReportAsMarkdown(report: ScanReport): string {
     '',
     '---',
     '',
-    '## Aggregate Risk',
+    '## Aggregate Risk (Intelligence-Weighted)',
     '',
     `\`${riskBar(report.aggregate_risk_score)}\` **${report.aggregate_risk_score}/100** — ${report.consensus}`,
     '',
+    `> Scores are weighted by each model's AI Intelligence and Coding indices from [Artificial Analysis](https://artificialanalysis.ai).`,
+    '',
     report.aggregate_risk_score < 40
       ? '> ✅ This package appears safe based on multi-agent consensus.'
       : report.aggregate_risk_score < 70
@@ -132,3 +139,115 @@ export function formatReportAsMarkdown(report: ScanReport): string {
   return sections.join('\n');
 }
+export function formatCheckReportAsMarkdown(report: CheckReport): string {
+  const timestamp = new Date(report.timestamp).toLocaleString('en-US', {
+    dateStyle: 'long', timeStyle: 'short',
+  });
+  const typosquats = report.deps.filter((d) => d.typosquat);
+  const cveBlocked = report.deps.filter((d) => d.cveCritical > 0);
+  const cveWarned = report.deps.filter((d) => d.cveCount > 0 && d.cveCritical === 0);
+  const highRisk = report.deps.filter((d) => d.onChainScore !== null && d.onChainScore >= 70);
+  const safeCount = report.totalDeps - typosquats.length - cveBlocked.length - cveWarned.length - highRisk.length;
+  const sections: string[] = [
+    `# OPM Dependency Check Report`,
+    '',
+    `- **Project:** ${report.project}`,
+    `- **Scanned:** ${timestamp}`,
+    `- **Total dependencies:** ${report.totalDeps}`,
+    '',
+    '---',
+    '',
+    '## Summary',
+    '',
+    `| Category | Count |`,
+    `|---|---|`,
+    `| ${typosquats.length > 0 ? '🔴' : '🟢'} Typosquats | ${typosquats.length} |`,
+    `| ${cveBlocked.length > 0 ? '🔴' : '🟢'} Critical CVEs | ${cveBlocked.length} |`,
+    `| ${cveWarned.length > 0 ? '🟡' : '🟢'} CVE Warnings | ${cveWarned.length} |`,
+    `| ${highRisk.length > 0 ? '🔴' : '🟢'} High On-chain Risk | ${highRisk.length} |`,
+    `| 🟢 Safe | ${Math.max(0, safeCount)} |`,
+    '',
+  ];
+  if (typosquats.length > 0) {
+    sections.push('---', '', '## Typosquat Risks', '');
+    for (const d of typosquats) {
+      sections.push(
+        `### \`${d.name}\`@${d.version}`,
+        '',
+        `- **Likely intended package:** \`${d.typosquat!.likelyTarget}\``,
+        `- **Confidence:** ${d.typosquat!.confidence}`,
+        `- **Reason:** ${d.typosquat!.reason}`,
+        '',
+      );
+    }
+  }
+  if (cveBlocked.length > 0) {
+    sections.push('---', '', '## Critical Vulnerabilities', '');
+    for (const d of cveBlocked) {
+      sections.push(
+        `### \`${d.name}\`@${d.version}`,
+        '',
+        `- **Critical:** ${d.cveCritical} | **High:** ${d.cveHigh}`,
+        `- **CVEs:** ${d.cveIds.join(', ')}`,
+        d.fixVersion ? `- **Fix:** upgrade to \`${d.fixVersion}\`` : '',
+        '',
+      );
+    }
+  }
+  if (cveWarned.length > 0) {
+    sections.push('---', '', '## CVE Warnings', '');
+    for (const d of cveWarned) {
+      sections.push(
+        `- \`${d.name}\`@${d.version} — ${d.cveCount} CVE(s)${d.fixVersion ? ` → \`${d.fixVersion}\`` : ''}`,
+      );
+    }
+    sections.push('');
+  }
+  if (highRisk.length > 0) {
+    sections.push('---', '', '## High On-chain Risk', '');
+    for (const d of highRisk) {
+      sections.push(`- \`${d.name}\`@${d.version} — risk score **${d.onChainScore}/100**`);
+    }
+    sections.push('');
+  }
+  if (report.agents.length > 0) {
+    sections.push('---', '', '## AI Agent Analysis', '');
+    for (const a of report.agents) {
+      const flags = a.findings.filter((f) => f.issue !== 'safe' && f.severity !== 'NONE');
+      sections.push(
+        `### \`${a.agentId}\` — ${a.model}`,
+        '',
+        `- **AI Intelligence:** ${a.intelligence}/100 | **Coding:** ${a.coding}/100`,
+        `- **Risk Score:** ${a.riskScore}/100`,
+        '',
+      );
+      if (flags.length > 0) {
+        for (const f of flags) {
+          sections.push(
+            `- **[${f.severity}]** \`${f.package}\` — ${f.issue}: ${f.explanation}` +
+            (f.suggested_replacement ? ` → \`${f.suggested_replacement}\`` : ''),
+          );
+        }
+      } else {
+        sections.push(`- ✅ No issues found`);
+      }
+      sections.push('', `> ${a.overall}`, '');
+    }
+  }
+  sections.push(
+    '---',
+    '',
+    `*Report generated by [OPM](https://github.com/dhananjaypai08/opm) — On-chain Package Manager*`,
+  );
+  return sections.filter((l) => l !== undefined).join('\n');
+}

package/packages/scanner/src/services/zk-verifier.ts ADDED Viewed

@@ -0,0 +1,118 @@
+import { createHash, randomBytes } from 'crypto';
+/**
+ * Zero-knowledge accuracy verification via hash commitments.
+ *
+ * The scheme works as follows:
+ * 1. A trusted authority generates benchmark test cases with expected outputs
+ * 2. Expected outputs are hashed with a secret salt → commitment
+ * 3. The candidate agent runs against the benchmarks
+ * 4. Actual outputs are hashed with the same salt
+ * 5. A proof is generated: hash(commitment || result_hashes || accuracy_flag)
+ * 6. The verifier checks the proof without seeing individual test results
+ *
+ * This ensures:
+ * - Test cases remain private (can't be gamed)
+ * - Individual results aren't disclosed
+ * - Only a binary pass/fail is revealed
+ * - The proof is deterministic and verifiable
+ */
+export interface ZKCommitment {
+  salt: string;
+  expectedHash: string;
+  caseCount: number;
+}
+export interface ZKProof {
+  commitment: ZKCommitment;
+  resultHash: string;
+  accuracyProof: string;
+  passed: boolean;
+  timestamp: number;
+}
+export interface AccuracyWitness {
+  expectedVerdicts: number[];
+  actualVerdicts: number[];
+  salt: string;
+}
+function poseidonHash(...inputs: string[]): string {
+  const h = createHash('sha256');
+  for (const input of inputs) {
+    h.update(input);
+  }
+  return h.digest('hex');
+}
+export function generateCommitment(expectedVerdicts: number[]): ZKCommitment {
+  const salt = randomBytes(32).toString('hex');
+  const verdictStr = expectedVerdicts.join(',');
+  const expectedHash = poseidonHash(salt, verdictStr);
+  return {
+    salt,
+    expectedHash,
+    caseCount: expectedVerdicts.length,
+  };
+}
+export function generateProof(
+  commitment: ZKCommitment,
+  expectedVerdicts: number[],
+  actualVerdicts: number[],
+): ZKProof {
+  if (expectedVerdicts.length !== actualVerdicts.length) {
+    throw new Error('Verdict arrays must have equal length');
+  }
+  const expectedStr = expectedVerdicts.join(',');
+  const commitmentCheck = poseidonHash(commitment.salt, expectedStr);
+  if (commitmentCheck !== commitment.expectedHash) {
+    throw new Error('Commitment verification failed — expected verdicts do not match');
+  }
+  const actualStr = actualVerdicts.join(',');
+  const resultHash = poseidonHash(commitment.salt, actualStr);
+  const allMatch = expectedVerdicts.every((e, i) => e === actualVerdicts[i]);
+  const accuracyProof = poseidonHash(
+    commitment.expectedHash,
+    resultHash,
+    allMatch ? '1' : '0',
+    commitment.salt,
+  );
+  return {
+    commitment,
+    resultHash,
+    accuracyProof,
+    passed: allMatch,
+    timestamp: Date.now(),
+  };
+}
+export function verifyProof(proof: ZKProof): boolean {
+  const recomputedProof = poseidonHash(
+    proof.commitment.expectedHash,
+    proof.resultHash,
+    proof.passed ? '1' : '0',
+    proof.commitment.salt,
+  );
+  return recomputedProof === proof.accuracyProof;
+}
+export function proofToOnChainBytes(proof: ZKProof): string {
+  const payload = JSON.stringify({
+    commitment: proof.commitment.expectedHash,
+    resultHash: proof.resultHash,
+    accuracyProof: proof.accuracyProof,
+    passed: proof.passed,
+    timestamp: proof.timestamp,
+    caseCount: proof.commitment.caseCount,
+  });
+  return '0x' + Buffer.from(payload).toString('hex');
+}

package/packages/web/.next/app-build-manifest.json ADDED Viewed

@@ -0,0 +1,15 @@
+{
+  "pages": {
+    "/layout": [
+      "static/chunks/webpack.js",
+      "static/chunks/main-app.js",
+      "static/css/app/layout.css",
+      "static/chunks/app/layout.js"
+    ],
+    "/page": [
+      "static/chunks/webpack.js",
+      "static/chunks/main-app.js",
+      "static/chunks/app/page.js"
+    ]
+  }
+}

package/packages/web/.next/build-manifest.json ADDED Viewed

@@ -0,0 +1,20 @@
+{
+  "polyfillFiles": [
+    "static/chunks/polyfills.js"
+  ],
+  "devFiles": [],
+  "ampDevFiles": [],
+  "lowPriorityFiles": [
+    "static/development/_buildManifest.js",
+    "static/development/_ssgManifest.js"
+  ],
+  "rootMainFiles": [
+    "static/chunks/webpack.js",
+    "static/chunks/main-app.js"
+  ],
+  "rootMainFilesTree": {},
+  "pages": {
+    "/_app": []
+  },
+  "ampFirstPages": []
+}