npm - opmsec - Versions diffs - 0.1.0 → 0.1.4 - Mend

opmsec 0.1.0 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (152) hide show

package/.env.example +23 -13
package/.husky/pre-commit +1 -0
package/README.md +256 -173
package/bun.lock +4 -4
package/docs/architecture/agents.mdx +77 -0
package/docs/architecture/benchmarks.mdx +65 -0
package/docs/architecture/overview.mdx +58 -0
package/docs/architecture/scanner.mdx +53 -0
package/docs/cli/audit.mdx +35 -0
package/docs/cli/check.mdx +44 -0
package/docs/cli/fix.mdx +49 -0
package/docs/cli/info.mdx +44 -0
package/docs/cli/install.mdx +71 -0
package/docs/cli/push.mdx +99 -0
package/docs/cli/register-agent.mdx +80 -0
package/docs/cli/view.mdx +52 -0
package/docs/concepts/multi-agent-consensus.mdx +58 -0
package/docs/concepts/on-chain-registry.mdx +74 -0
package/docs/concepts/security-model.mdx +76 -0
package/docs/concepts/zk-agent-verification.mdx +82 -0
package/docs/configuration.mdx +82 -0
package/docs/contract/deployment.mdx +57 -0
package/docs/contract/events.mdx +115 -0
package/docs/contract/functions.mdx +220 -0
package/docs/contract/overview.mdx +58 -0
package/docs/favicon.svg +5 -0
package/docs/introduction.mdx +43 -0
package/docs/logo/dark.svg +5 -0
package/docs/logo/light.svg +5 -0
package/docs/mint.json +106 -0
package/docs/quickstart.mdx +133 -0
package/package.json +7 -6
package/packages/cli/src/commands/author-view.tsx +9 -1
package/packages/cli/src/commands/check.tsx +318 -0
package/packages/cli/src/commands/fix.tsx +294 -0
package/packages/cli/src/commands/install.tsx +501 -47
package/packages/cli/src/commands/push.tsx +53 -22
package/packages/cli/src/commands/register-agent.tsx +227 -0
package/packages/cli/src/components/AgentScores.tsx +20 -6
package/packages/cli/src/components/Hyperlink.tsx +30 -0
package/packages/cli/src/components/ScanReport.tsx +3 -2
package/packages/cli/src/index.tsx +44 -6
package/packages/cli/src/services/avatar.ts +43 -6
package/packages/cli/src/services/chainpatrol.ts +20 -17
package/packages/cli/src/services/contract.ts +41 -8
package/packages/cli/src/services/ens.ts +3 -5
package/packages/cli/src/services/fileverse.ts +12 -13
package/packages/cli/src/services/typosquat.ts +166 -0
package/packages/cli/src/services/version.ts +156 -5
package/packages/contracts/circuits/accuracy_verifier.circom +101 -0
package/packages/contracts/contracts/OPMRegistry.sol +63 -0
package/packages/contracts/scripts/deploy.ts +22 -3
package/packages/core/src/abi.ts +221 -0
package/packages/core/src/benchmarks.ts +450 -0
package/packages/core/src/constants.ts +20 -0
package/packages/core/src/index.ts +2 -0
package/packages/core/src/model-rankings.ts +115 -0
package/packages/core/src/prompt.ts +58 -0
package/packages/core/src/types.ts +41 -0
package/packages/core/src/utils.ts +142 -3
package/packages/scanner/src/agents/base-agent.ts +13 -3
package/packages/scanner/src/index.ts +5 -2
package/packages/scanner/src/queue/memory-queue.ts +8 -3
package/packages/scanner/src/services/benchmark-runner.ts +114 -0
package/packages/scanner/src/services/contract-writer.ts +2 -3
package/packages/scanner/src/services/fileverse.ts +26 -7
package/packages/scanner/src/services/openrouter.ts +61 -4
package/packages/scanner/src/services/report-formatter.ts +122 -3
package/packages/scanner/src/services/zk-verifier.ts +118 -0
package/packages/web/.next/BUILD_ID +1 -0
package/packages/web/.next/app-build-manifest.json +26 -0
package/packages/web/.next/app-path-routes-manifest.json +4 -0
package/packages/web/.next/build-manifest.json +33 -0
package/packages/web/.next/diagnostics/build-diagnostics.json +6 -0
package/packages/web/.next/diagnostics/framework.json +1 -0
package/packages/web/.next/export-marker.json +6 -0
package/packages/web/.next/images-manifest.json +58 -0
package/packages/web/.next/next-minimal-server.js.nft.json +1 -0
package/packages/web/.next/next-server.js.nft.json +1 -0
package/packages/web/.next/package.json +1 -0
package/packages/web/.next/prerender-manifest.json +61 -0
package/packages/web/.next/react-loadable-manifest.json +1 -0
package/packages/web/.next/required-server-files.json +320 -0
package/packages/web/.next/routes-manifest.json +53 -0
package/packages/web/.next/server/app/_not-found/page.js +2 -0
package/packages/web/.next/server/app/_not-found/page.js.nft.json +1 -0
package/packages/web/.next/server/app/_not-found/page_client-reference-manifest.js +1 -0
package/packages/web/.next/server/app/_not-found.html +1 -0
package/packages/web/.next/server/app/_not-found.meta +8 -0
package/packages/web/.next/server/app/_not-found.rsc +16 -0
package/packages/web/.next/server/app/index.html +1 -0
package/packages/web/.next/server/app/index.meta +7 -0
package/packages/web/.next/server/app/index.rsc +20 -0
package/packages/web/.next/server/app/page.js +2 -0
package/packages/web/.next/server/app/page.js.nft.json +1 -0
package/packages/web/.next/server/app/page_client-reference-manifest.js +1 -0
package/packages/web/.next/server/app-paths-manifest.json +4 -0
package/packages/web/.next/server/chunks/611.js +6 -0
package/packages/web/.next/server/chunks/778.js +30 -0
package/packages/web/.next/server/functions-config-manifest.json +4 -0
package/packages/web/.next/server/interception-route-rewrite-manifest.js +1 -0
package/packages/web/.next/server/middleware-build-manifest.js +1 -0
package/packages/web/.next/server/middleware-manifest.json +6 -0
package/packages/web/.next/server/middleware-react-loadable-manifest.js +1 -0
package/packages/web/.next/server/next-font-manifest.js +1 -0
package/packages/web/.next/server/next-font-manifest.json +1 -0
package/packages/web/.next/server/pages/404.html +1 -0
package/packages/web/.next/server/pages/500.html +1 -0
package/packages/web/.next/server/pages/_app.js +1 -0
package/packages/web/.next/server/pages/_app.js.nft.json +1 -0
package/packages/web/.next/server/pages/_document.js +1 -0
package/packages/web/.next/server/pages/_document.js.nft.json +1 -0
package/packages/web/.next/server/pages/_error.js +19 -0
package/packages/web/.next/server/pages/_error.js.nft.json +1 -0
package/packages/web/.next/server/pages-manifest.json +6 -0
package/packages/web/.next/server/server-reference-manifest.js +1 -0
package/packages/web/.next/server/server-reference-manifest.json +1 -0
package/packages/web/.next/server/webpack-runtime.js +1 -0
package/packages/web/.next/static/2XIFCTTKVZwN_RsNE-Rrr/_buildManifest.js +1 -0
package/packages/web/.next/static/2XIFCTTKVZwN_RsNE-Rrr/_ssgManifest.js +1 -0
package/packages/web/.next/static/chunks/255-0dc49b7a6e8e5c05.js +1 -0
package/packages/web/.next/static/chunks/4bd1b696-382748cc942d8a14.js +1 -0
package/packages/web/.next/static/chunks/app/_not-found/page-0da542be7eb33a64.js +1 -0
package/packages/web/.next/static/chunks/app/layout-28a489fb4398663f.js +1 -0
package/packages/web/.next/static/chunks/app/page-e58ccdb78625bce6.js +1 -0
package/packages/web/.next/static/chunks/framework-ac73abd125e371fe.js +1 -0
package/packages/web/.next/static/chunks/main-app-dd261207182e5a23.js +1 -0
package/packages/web/.next/static/chunks/main-ee293fa6aa18bdd1.js +1 -0
package/packages/web/.next/static/chunks/pages/_app-7d307437aca18ad4.js +1 -0
package/packages/web/.next/static/chunks/pages/_error-cb2a52f75f2162e2.js +1 -0
package/packages/web/.next/static/chunks/polyfills-42372ed130431b0a.js +1 -0
package/packages/web/.next/static/chunks/webpack-e1ae44446e7f7355.js +1 -0
package/packages/web/.next/static/css/21d69157e271f2ab.css +3 -0
package/packages/web/.next/trace +2 -0
package/packages/web/.next/types/app/layout.ts +84 -0
package/packages/web/.next/types/app/page.ts +84 -0
package/packages/web/.next/types/cache-life.d.ts +141 -0
package/packages/web/.next/types/package.json +1 -0
package/packages/web/.next/types/routes.d.ts +57 -0
package/packages/web/.next/types/validator.ts +61 -0
package/packages/web/app/globals.css +75 -0
package/packages/web/app/layout.tsx +26 -0
package/packages/web/app/page.tsx +361 -0
package/packages/web/bun.lock +300 -0
package/packages/web/next-env.d.ts +6 -0
package/packages/web/next.config.ts +5 -0
package/packages/web/package.json +26 -0
package/packages/web/postcss.config.mjs +8 -0
package/packages/web/public/favicon.svg +5 -0
package/packages/web/public/logo.svg +7 -0
package/packages/web/tailwind.config.ts +48 -0
package/packages/web/tsconfig.json +21 -0

package/packages/core/src/constants.ts CHANGED Viewed

@@ -18,6 +18,26 @@ export const OPENAI_API_URL = 'https://api.openai.com/v1/chat/completions';
 export const BASE_SEPOLIA_CHAIN_ID = 84532;
 export const BASE_SEPOLIA_RPC = 'https://sepolia.base.org';
+export const ETH_MAINNET_RPC = 'https://eth.llamarpc.com';
+export const ETH_SEPOLIA_RPC = 'https://ethereum-sepolia-rpc.publicnode.com';
+export const DEFAULT_CONTRACT_ADDRESS = '0x16684391fc9bf48246B08Afe16d1a57BFa181d48';
+export const BASE_SEPOLIA_EXPLORER = 'https://sepolia.basescan.org';
+export function txUrl(hash: string): string {
+  return `${BASE_SEPOLIA_EXPLORER}/tx/${hash}`;
+}
+export function addressUrl(addr: string): string {
+  return `${BASE_SEPOLIA_EXPLORER}/address/${addr}`;
+}
+export function contractUrl(): string {
+  return addressUrl(DEFAULT_CONTRACT_ADDRESS);
+}
+export const FILEVERSE_DEFAULT_URL = 'http://localhost:8001';
 export const NPM_REGISTRY_URL = 'https://registry.npmjs.org';

package/packages/core/src/index.ts CHANGED Viewed

@@ -2,4 +2,6 @@ export * from './types';
 export * from './constants';
 export * from './utils';
 export * from './prompt';
+export * from './model-rankings';
+export * from './benchmarks';
 export { OPM_REGISTRY_ABI } from './abi';

package/packages/core/src/model-rankings.ts ADDED Viewed

@@ -0,0 +1,115 @@
+const ARTIFICIAL_ANALYSIS_API = 'https://artificialanalysis.ai/api/v2/data/llms/models';
+export interface ModelRanking {
+  id: string;
+  name: string;
+  slug: string;
+  intelligenceIndex: number;
+  codingIndex: number;
+}
+interface AAModelResponse {
+  id: string;
+  name: string;
+  slug: string;
+  evaluations?: {
+    artificial_analysis_intelligence_index?: number;
+    artificial_analysis_coding_index?: number;
+  };
+}
+let cachedRankings: ModelRanking[] | null = null;
+let cacheTimestamp = 0;
+const CACHE_DURATION = 60 * 60 * 1000;
+export async function fetchModelRankings(): Promise<ModelRanking[]> {
+  if (cachedRankings && Date.now() - cacheTimestamp < CACHE_DURATION) {
+    return cachedRankings;
+  }
+  const apiKey = process.env.ARTIFICIAL_ANALYSIS_API_KEY || '';
+  if (!apiKey) return getDefaultRankings();
+  try {
+    const res = await fetch(ARTIFICIAL_ANALYSIS_API, {
+      headers: { 'x-api-key': apiKey },
+    });
+    if (!res.ok) throw new Error(`API ${res.status}`);
+    const data: { data: AAModelResponse[] } = await res.json();
+    cachedRankings = data.data.map((m) => ({
+      id: String(m.id),
+      name: m.name,
+      slug: m.slug,
+      intelligenceIndex: m.evaluations?.artificial_analysis_intelligence_index || 0,
+      codingIndex: m.evaluations?.artificial_analysis_coding_index || 0,
+    }));
+    cacheTimestamp = Date.now();
+    return cachedRankings;
+  } catch {
+    return getDefaultRankings();
+  }
+}
+export function getDefaultRankings(): ModelRanking[] {
+  return [
+    { id: '1', name: 'Claude Sonnet 4', slug: 'claude-sonnet-4', intelligenceIndex: 55, codingIndex: 52 },
+    { id: '2', name: 'GPT-4.1', slug: 'gpt-4.1', intelligenceIndex: 50, codingIndex: 48 },
+    { id: '3', name: 'Gemini 2.5 Flash', slug: 'gemini-2.5-flash', intelligenceIndex: 52, codingIndex: 45 },
+    { id: '4', name: 'DeepSeek Chat', slug: 'deepseek-chat', intelligenceIndex: 42, codingIndex: 40 },
+    { id: '5', name: 'GPT-4.1-mini', slug: 'gpt-4.1-mini', intelligenceIndex: 40, codingIndex: 38 },
+    { id: '6', name: 'GPT-4.1-nano', slug: 'gpt-4.1-nano', intelligenceIndex: 35, codingIndex: 32 },
+  ];
+}
+const MODEL_SLUGS: Record<string, string> = {
+  'anthropic/claude-sonnet-4-20250514': 'claude-sonnet-4',
+  'anthropic/claude-sonnet-4': 'claude-sonnet-4',
+  'google/gemini-2.5-flash': 'gemini-2.5-flash',
+  'deepseek/deepseek-chat': 'deepseek-chat',
+  'openai/gpt-4.1': 'gpt-4.1',
+  'gpt-4.1': 'gpt-4.1',
+  'openai/gpt-4.1-mini': 'gpt-4.1-mini',
+  'gpt-4.1-mini': 'gpt-4.1-mini',
+  'openai/gpt-4.1-nano': 'gpt-4.1-nano',
+  'gpt-4.1-nano': 'gpt-4.1-nano',
+};
+function findModel(rankings: ModelRanking[], modelSlug: string): ModelRanking | undefined {
+  const normalizedSlug = MODEL_SLUGS[modelSlug] || modelSlug.toLowerCase();
+  return rankings.find(m => m.slug.toLowerCase() === normalizedSlug)
+    || rankings.find(m => m.name.toLowerCase() === normalizedSlug)
+    || rankings.find(m => m.name.toLowerCase().includes(normalizedSlug));
+}
+export async function getModelWeight(modelSlug: string): Promise<number> {
+  const model = findModel(await fetchModelRankings(), modelSlug);
+  if (!model) return 50;
+  return Math.round((model.intelligenceIndex + model.codingIndex) / 2);
+}
+export async function getModelIntelligence(modelSlug: string): Promise<number> {
+  const model = findModel(await fetchModelRankings(), modelSlug);
+  return model?.intelligenceIndex || 50;
+}
+export async function getModelRankingFor(modelSlug: string): Promise<{ intelligence: number; coding: number; weight: number }> {
+  const model = findModel(await fetchModelRankings(), modelSlug);
+  const intelligence = model?.intelligenceIndex || 50;
+  const coding = model?.codingIndex || 50;
+  return { intelligence, coding, weight: Math.round((intelligence + coding) / 2) };
+}
+export function calculateWeightedScore(
+  scores: { score: number; weight: number }[]
+): number {
+  if (scores.length === 0) return 0;
+  const totalWeight = scores.reduce((sum, s) => sum + s.weight, 0);
+  if (totalWeight === 0) {
+    return Math.round(scores.reduce((sum, s) => sum + s.score, 0) / scores.length);
+  }
+  const weightedSum = scores.reduce((sum, s) => sum + s.score * s.weight, 0);
+  return Math.round(weightedSum / totalWeight);
+}

package/packages/core/src/prompt.ts CHANGED Viewed

@@ -109,3 +109,61 @@ ${codeStr || 'No source files found.'}
 Analyze this package thoroughly and respond with the JSON schema specified in your system instructions.`;
 }
+export const CHECK_SYSTEM_PROMPT = `You are a dependency security auditor. You analyze a project's full dependency list for typosquatting, supply chain risks, and suspicious patterns.
+You MUST respond with a valid JSON object matching this exact schema -- no markdown, no explanation outside the JSON:
+{
+  "findings": [
+    {
+      "package": "<string: package name>",
+      "version": "<string: version>",
+      "issue": "<typosquat | malicious_pattern | suspicious_metadata | dependency_confusion | safe>",
+      "severity": "<CRITICAL | HIGH | MEDIUM | LOW | NONE>",
+      "explanation": "<string: why this is flagged>",
+      "suggested_replacement": "<string | null: correct package name if typosquat, or null>",
+      "suggested_version": "<string | null: safer version if applicable, or null>"
+    }
+  ],
+  "overall_assessment": "<string: 2-3 sentence summary of the dependency tree health>",
+  "risk_score": <number 0-100>
+}
+Focus on:
+1. TYPOSQUATTING: Names suspiciously similar to popular packages (missing/extra/swapped chars, separator tricks like _ vs -)
+2. MALICIOUS PATTERNS: Known malicious package names, suspicious scopes, exfiltration-oriented package descriptions
+3. DEPENDENCY CONFUSION: Public packages that shadow internal/scoped packages
+4. SUSPICIOUS METADATA: Very new packages with no downloads claiming to be utilities, packages with copy-pasted descriptions from popular packages
+5. VERSION RISKS: Packages pinned to pre-release or yanked versions
+Only flag packages you have genuine concern about. Do not flag well-known legitimate packages.`;
+export interface DepEntry {
+  name: string;
+  version: string;
+  downloads?: number;
+  description?: string;
+  author?: string;
+  created?: string;
+}
+export function buildCheckPrompt(deps: DepEntry[], devDeps: DepEntry[]): string {
+  const fmtDep = (d: DepEntry) => {
+    const meta = [d.downloads !== undefined ? `downloads: ${d.downloads}/wk` : ''];
+    if (d.description) meta.push(`desc: "${d.description}"`);
+    if (d.author) meta.push(`author: ${d.author}`);
+    if (d.created) meta.push(`created: ${d.created}`);
+    return `- ${d.name}@${d.version} (${meta.filter(Boolean).join(', ')})`;
+  };
+  return `Analyze this project's dependencies for security risks.
+## Dependencies (${deps.length})
+${deps.map(fmtDep).join('\n') || 'none'}
+## Dev Dependencies (${devDeps.length})
+${devDeps.map(fmtDep).join('\n') || 'none'}
+Analyze each dependency and respond with the JSON schema from your system instructions. Flag any typosquatting, suspicious packages, or risky patterns.`;
+}

package/packages/core/src/types.ts CHANGED Viewed

@@ -42,6 +42,10 @@ export interface AgentScanResult {
 export interface AgentEntry {
   agent_id: string;
   model: string;
+  model_intelligence?: number;
+  model_coding?: number;
+  model_weight?: number;
+  score_tx_hash?: string;
   result: AgentScanResult;
 }
@@ -102,3 +106,40 @@ export interface ChainPatrolResult {
   status: 'UNKNOWN' | 'ALLOWED' | 'BLOCKED';
   source: string;
 }
+export interface CheckDepResult {
+  name: string;
+  version: string;
+  typosquat: { likelyTarget: string; confidence: string; reason: string } | null;
+  cveCount: number;
+  cveCritical: number;
+  cveHigh: number;
+  cveIds: string[];
+  fixVersion: string | null;
+  onChainScore: number | null;
+}
+export interface CheckAgentResult {
+  agentId: string;
+  model: string;
+  intelligence: number;
+  coding: number;
+  findings: Array<{
+    package: string;
+    issue: string;
+    severity: string;
+    explanation: string;
+    suggested_replacement: string | null;
+    suggested_version: string | null;
+  }>;
+  overall: string;
+  riskScore: number;
+}
+export interface CheckReport {
+  project: string;
+  timestamp: string;
+  totalDeps: number;
+  deps: CheckDepResult[];
+  agents: CheckAgentResult[];
+}

package/packages/core/src/utils.ts CHANGED Viewed

@@ -17,10 +17,14 @@ export function truncateAddress(addr: string): string {
   return `${addr.slice(0, 6)}...${addr.slice(-4)}`;
 }
-export function getEnvOrThrow(key: string): string {
+export function getEnvOrThrow(key: string, ...fallbackKeys: string[]): string {
   const val = process.env[key];
-  if (!val) throw new Error(`Missing required env var: ${key}`);
-  return val;
+  if (val) return val;
+  for (const fk of fallbackKeys) {
+    const fv = process.env[fk];
+    if (fv) return fv;
+  }
+  throw new Error(`Missing required env var: ${key}`);
 }
 export function getEnvOrDefault(key: string, fallback: string): string {
@@ -41,6 +45,141 @@ export function validateScanResult(obj: unknown): obj is AgentScanResult {
   );
 }
+const VALID_RISK_LEVELS = ['LOW', 'MEDIUM', 'HIGH', 'CRITICAL'] as const;
+const VALID_RECOMMENDATIONS = ['SAFE', 'CAUTION', 'WARN', 'BLOCK'] as const;
+const SCORE_KEYS = ['risk_score', 'score', 'riskScore', 'risk_rating'];
+const LEVEL_KEYS = ['risk_level', 'riskLevel', 'level', 'severity', 'verdict', 'rating'];
+const TEXT_KEYS = ['reasoning', 'summary', 'explanation', 'description', 'analysis', 'one_line_summary', 'one_liner'];
+function deepFind(obj: Record<string, any>, keys: string[], type: 'number' | 'string', depth = 0): any {
+  if (depth > 4 || !obj || typeof obj !== 'object') return undefined;
+  for (const key of keys) {
+    const val = obj[key];
+    if (val !== undefined && val !== null) {
+      if (type === 'number') {
+        if (typeof val === 'number') return val;
+        if (typeof val === 'string' && !isNaN(parseFloat(val))) return parseFloat(val);
+      } else if (type === 'string' && typeof val === 'string' && val.length > 0) {
+        return val;
+      }
+    }
+  }
+  for (const key of Object.keys(obj)) {
+    const val = obj[key];
+    if (val && typeof val === 'object' && !Array.isArray(val)) {
+      const found = deepFind(val, keys, type, depth + 1);
+      if (found !== undefined) return found;
+    }
+  }
+  return undefined;
+}
+function deepFindArray(obj: Record<string, any>, keys: string[], depth = 0): any[] | undefined {
+  if (depth > 4 || !obj || typeof obj !== 'object') return undefined;
+  for (const key of keys) {
+    if (Array.isArray(obj[key])) return obj[key];
+  }
+  for (const key of Object.keys(obj)) {
+    const val = obj[key];
+    if (val && typeof val === 'object' && !Array.isArray(val)) {
+      const found = deepFindArray(val, keys, depth + 1);
+      if (found) return found;
+    }
+  }
+  return undefined;
+}
+function deepFindObj(obj: Record<string, any>, keys: string[], depth = 0): Record<string, any> | undefined {
+  if (depth > 3 || !obj || typeof obj !== 'object') return undefined;
+  for (const key of keys) {
+    const val = obj[key];
+    if (val && typeof val === 'object' && !Array.isArray(val)) return val;
+  }
+  return undefined;
+}
+function normalizeRiskLevel(val: unknown): RiskLevel {
+  if (typeof val !== 'string') return 'MEDIUM';
+  const upper = val.toUpperCase().trim();
+  if (VALID_RISK_LEVELS.includes(upper as RiskLevel)) return upper as RiskLevel;
+  if (upper === 'SAFE' || upper === 'NONE' || upper === 'INFO') return 'LOW';
+  if (upper === 'MODERATE' || upper === 'SUSPICIOUS') return 'MEDIUM';
+  if (upper === 'DANGEROUS' || upper === 'SEVERE') return 'CRITICAL';
+  return 'MEDIUM';
+}
+function normalizeRecommendation(val: unknown, riskLevel: RiskLevel): string {
+  if (typeof val === 'string') {
+    const upper = val.toUpperCase().trim();
+    if (VALID_RECOMMENDATIONS.includes(upper as any)) return upper;
+  }
+  const map: Record<RiskLevel, string> = { LOW: 'SAFE', MEDIUM: 'CAUTION', HIGH: 'WARN', CRITICAL: 'BLOCK' };
+  return map[riskLevel] || 'CAUTION';
+}
+/**
+ * Recursively searches an arbitrarily-shaped LLM response for risk_score,
+ * risk_level, reasoning, etc. and assembles a valid AgentScanResult.
+ */
+export function normalizeScanResult(raw: unknown): AgentScanResult | null {
+  if (!raw || typeof raw !== 'object') return null;
+  const o = raw as Record<string, any>;
+  const riskScore = deepFind(o, SCORE_KEYS, 'number');
+  if (riskScore === undefined || isNaN(riskScore)) return null;
+  const rawLevel = deepFind(o, LEVEL_KEYS, 'string');
+  const riskLevel = normalizeRiskLevel(rawLevel);
+  const reasoning = deepFind(o, TEXT_KEYS, 'string') ?? `Risk score: ${riskScore}`;
+  const rawVulns = deepFindArray(o, ['vulnerabilities', 'findings', 'issues', 'alerts', 'concerns']);
+  const vulnerabilities = rawVulns
+    ? rawVulns.map((f: any) => ({
+        severity: normalizeRiskLevel(f.severity ?? f.level ?? f.risk_level),
+        category: f.category || f.type || f.issue || 'unknown',
+        description: f.description || f.message || f.detail || f.title || '',
+        file: f.file || f.location || f.path || '',
+        evidence: f.evidence || f.code || f.snippet || '',
+      }))
+    : [];
+  const sci = deepFindObj(o, ['supply_chain_indicators', 'supplyChainIndicators', 'indicators']);
+  const supply_chain_indicators = sci ?? {
+    has_install_scripts: false,
+    has_native_bindings: false,
+    has_obfuscated_code: false,
+    has_network_calls: false,
+    has_filesystem_access: false,
+    has_process_spawn: false,
+    has_eval_usage: false,
+    accesses_env_variables: false,
+  };
+  const va = deepFindObj(o, ['version_analysis', 'versionAnalysis']);
+  const version_analysis = va ?? {
+    version_reviewed: deepFind(o, ['version', 'version_reviewed'], 'string') ?? '',
+    previous_versions_reviewed: [],
+    changelog_risk: 'NONE',
+    changelog_reasoning: '',
+  };
+  const recommendation = normalizeRecommendation(
+    deepFind(o, ['recommendation', 'action', 'verdict'], 'string'),
+    riskLevel,
+  );
+  return {
+    risk_score: Math.max(0, Math.min(100, Math.round(riskScore))),
+    risk_level: riskLevel,
+    reasoning,
+    vulnerabilities,
+    supply_chain_indicators,
+    version_analysis,
+    recommendation: recommendation as any,
+  };
+}
 export function safeJsonParse<T>(raw: string): T | null {
   try {
     return JSON.parse(raw) as T;

package/packages/scanner/src/agents/base-agent.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { SYSTEM_PROMPT, buildUserPrompt } from '@opm/core';
+import { SYSTEM_PROMPT, buildUserPrompt, getModelRankingFor } from '@opm/core';
 import type { AgentEntry, KnownCVE } from '@opm/core';
 import {
   fetchPackageData, buildLocalPackageData, extractMetadata,
@@ -59,10 +59,16 @@ export async function runAgent(
   const userPrompt = buildUserPrompt(meta, history, sourceFiles, knownCVEs);
   const result = await callLLM(config.model, SYSTEM_PROMPT, userPrompt);
+  log(`[${config.agentId}] Fetching model intelligence ranking...`);
+  const { intelligence, coding, weight } = await getModelRankingFor(config.model);
+  log(`[${config.agentId}] ${config.model} — intelligence: ${intelligence}, coding: ${coding}, weight: ${weight}`);
   log(`[${config.agentId}] Submitting score (${result.risk_score}) to contract...`);
+  let scoreTxHash: string | undefined;
   try {
-    await submitScoreOnChain(packageName, version, result.risk_score, result.reasoning);
-    log(`[${config.agentId}] Score submitted on-chain`);
+    scoreTxHash = await submitScoreOnChain(packageName, version, result.risk_score, result.reasoning);
+    log(`[${config.agentId}] Score submitted on-chain ✓`);
   } catch (err: any) {
     log(`[${config.agentId}] On-chain: ${err?.shortMessage || err?.message || 'failed'}`);
   }
@@ -70,6 +76,10 @@ export async function runAgent(
   return {
     agent_id: config.agentId,
     model: config.model,
+    model_intelligence: intelligence,
+    model_coding: coding,
+    model_weight: weight,
+    score_tx_hash: scoreTxHash,
     result,
   };
 }

package/packages/scanner/src/index.ts CHANGED Viewed

@@ -4,10 +4,13 @@ export { enqueueScan } from './queue/memory-queue';
 export type { LocalScanContext } from './agents/base-agent';
 export { runAgent } from './agents/base-agent';
 export { getAgentConfigs } from './agents/agent-configs';
-export { callLLM, getLLMProvider } from './services/openrouter';
+export { callLLM, callLLMRaw, getLLMProvider } from './services/openrouter';
 export { fetchPackageData, extractMetadata, buildVersionHistory, fetchSourceFiles, extractLocalSourceFiles, buildLocalPackageData } from './services/npm-registry';
 export { submitScoreOnChain, setReportURIOnChain } from './services/contract-writer';
-export { uploadReportToFileverse, fetchReportFromFileverse } from './services/fileverse';
+export { uploadReportToFileverse, uploadCheckReportToFileverse, fetchReportFromFileverse } from './services/fileverse';
+export { formatCheckReportAsMarkdown } from './services/report-formatter';
+export { runBenchmarkSuite, type AgentCandidate, type BenchmarkRunResult } from './services/benchmark-runner';
+export { generateProof, verifyProof, generateCommitment, proofToOnChainBytes, type ZKProof } from './services/zk-verifier';
 if (import.meta.main) {
   const [pkg, ver] = process.argv.slice(2);

package/packages/scanner/src/queue/memory-queue.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import type { ScanReport, AgentEntry } from '@opm/core';
-import { averageScores, classifyRisk } from '@opm/core';
+import { classifyRisk, getModelWeight, calculateWeightedScore } from '@opm/core';
 import { runAgent, type LocalScanContext } from '../agents/base-agent';
 import { getAgentConfigs } from '../agents/agent-configs';
 import { setReportURIOnChain } from '../services/contract-writer';
@@ -57,8 +57,13 @@ async function executeScan(
   if (agents.length === 0) throw new Error('All agents failed');
-  const scores = agents.map((a) => a.result.risk_score);
-  const aggScore = averageScores(scores);
+  const weights = await Promise.all(agents.map(a => getModelWeight(a.model)));
+  const weightedScores = agents.map((a, i) => ({
+    score: a.result.risk_score,
+    weight: weights[i],
+  }));
+  const aggScore = calculateWeightedScore(weightedScores);
   const report: ScanReport = {
     package: packageName,

package/packages/scanner/src/services/benchmark-runner.ts ADDED Viewed

@@ -0,0 +1,114 @@
+import {
+  generateBenchmarkDataset,
+  buildBenchmarkPrompt,
+  evaluateBenchmark,
+  SYSTEM_PROMPT,
+  type BenchmarkCase,
+  type BenchmarkResult,
+} from '@opm/core';
+import { callLLM } from './openrouter';
+import {
+  generateCommitment,
+  generateProof,
+  verifyProof,
+  type ZKProof,
+} from './zk-verifier';
+export interface AgentCandidate {
+  name: string;
+  model: string;
+  systemPrompt?: string;
+}
+export interface BenchmarkRunResult {
+  candidate: AgentCandidate;
+  results: BenchmarkResult[];
+  passed: number;
+  failed: number;
+  total: number;
+  accuracyPct: number;
+  zkProof: ZKProof;
+  verified: boolean;
+  failureReasons: string[];
+}
+export async function runBenchmarkSuite(
+  candidate: AgentCandidate,
+  onStatus?: (msg: string) => void,
+): Promise<BenchmarkRunResult> {
+  const log = onStatus || console.log;
+  const benchmarks = generateBenchmarkDataset();
+  const systemPrompt = candidate.systemPrompt || SYSTEM_PROMPT;
+  log(`Generating benchmark commitment for ${benchmarks.length} test cases...`);
+  const expectedVerdicts = benchmarks.map((b) => {
+    const levelMap: Record<string, number> = { LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 3 };
+    return levelMap[b.expected.risk_level] ?? 0;
+  });
+  const commitment = generateCommitment(expectedVerdicts);
+  log(`Commitment generated: ${commitment.expectedHash.slice(0, 16)}...`);
+  const results: BenchmarkResult[] = [];
+  const actualVerdicts: number[] = [];
+  for (let i = 0; i < benchmarks.length; i++) {
+    const bench = benchmarks[i];
+    log(`[${i + 1}/${benchmarks.length}] ${bench.description}...`);
+    try {
+      const userPrompt = buildBenchmarkPrompt(bench);
+      const agentResult = await callLLM(candidate.model, systemPrompt, userPrompt);
+      const evaluation = evaluateBenchmark(bench, agentResult.risk_level, agentResult.risk_score);
+      results.push(evaluation);
+      const levelMap: Record<string, number> = { LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 3 };
+      actualVerdicts.push(evaluation.verdict === 'PASS'
+        ? (levelMap[bench.expected.risk_level] ?? 0)
+        : (levelMap[agentResult.risk_level] ?? 0));
+      const icon = evaluation.verdict === 'PASS' ? '✓' : '✗';
+      log(`[${i + 1}/${benchmarks.length}] ${icon} ${bench.category}: score=${agentResult.risk_score} level=${agentResult.risk_level} (expected ${bench.expected.risk_level})`);
+    } catch (err: any) {
+      log(`[${i + 1}/${benchmarks.length}] ✗ Error: ${err?.message || 'failed'}`);
+      results.push({
+        caseId: bench.id,
+        category: bench.category,
+        expectedLevel: bench.expected.risk_level,
+        actualLevel: 'ERROR',
+        expectedScoreRange: [bench.expected.min_risk_score, bench.expected.max_risk_score],
+        actualScore: -1,
+        verdict: 'FAIL',
+        reason: `Agent error: ${err?.message || 'unknown'}`,
+      });
+      actualVerdicts.push(-1);
+    }
+  }
+  log('Generating ZK proof of accuracy...');
+  const zkProof = generateProof(commitment, expectedVerdicts, actualVerdicts);
+  const verified = verifyProof(zkProof);
+  const passed = results.filter((r) => r.verdict === 'PASS').length;
+  const failed = results.filter((r) => r.verdict === 'FAIL').length;
+  const failureReasons = results
+    .filter((r) => r.verdict === 'FAIL')
+    .map((r) => `${r.caseId} (${r.category}): ${r.reason}`);
+  log(`ZK proof ${verified ? 'verified ✓' : 'INVALID ✗'}`);
+  log(`Accuracy: ${passed}/${results.length} (${Math.round((passed / results.length) * 100)}%)`);
+  return {
+    candidate,
+    results,
+    passed,
+    failed,
+    total: results.length,
+    accuracyPct: Math.round((passed / results.length) * 100),
+    zkProof,
+    verified,
+    failureReasons,
+  };
+}

package/packages/scanner/src/services/contract-writer.ts CHANGED Viewed

@@ -1,12 +1,11 @@
 import { ethers } from 'ethers';
-import { OPM_REGISTRY_ABI, getEnvOrThrow, getEnvOrDefault, BASE_SEPOLIA_RPC } from '@opm/core';
+import { OPM_REGISTRY_ABI, getEnvOrThrow, getEnvOrDefault, BASE_SEPOLIA_RPC, DEFAULT_CONTRACT_ADDRESS } from '@opm/core';
 function getContract() {
   const rpc = getEnvOrDefault('BASE_SEPOLIA_RPC_URL', BASE_SEPOLIA_RPC);
   const provider = new ethers.JsonRpcProvider(rpc);
   const wallet = new ethers.Wallet(getEnvOrThrow('AGENT_PRIVATE_KEY'), provider);
-  const address = getEnvOrThrow('CONTRACT_ADDRESS');
-  return new ethers.Contract(address, OPM_REGISTRY_ABI, wallet);
+  return new ethers.Contract(getEnvOrDefault('CONTRACT_ADDRESS', DEFAULT_CONTRACT_ADDRESS), OPM_REGISTRY_ABI, wallet);
 }
 export async function submitScoreOnChain(