opmsec 0.1.0

package/packages/scanner/src/services/npm-registry.ts

@@ -0,0 +1,159 @@
+import { NPM_REGISTRY_URL, SCANNABLE_EXTENSIONS, MAX_FILE_SIZE_BYTES, MAX_TOTAL_CODE_CHARS, VERSION_LOOKBACK } from '@opm/core';
+import type { PackageMetadata, VersionHistoryEntry, SourceFile } from '@opm/core';
+import * as path from 'path';
+import * as fs from 'fs';
+import { execSync } from 'child_process';
+import { randomUUID } from 'crypto';
+import * as os from 'os';
+
+export interface NpmPackageData {
+  name: string;
+  versions: Record<string, {
+    version: string;
+    description?: string;
+    author?: string | { name?: string };
+    license?: string;
+    dependencies?: Record<string, string>;
+    scripts?: Record<string, string>;
+    dist: { tarball: string; fileCount?: number; unpackedSize?: number };
+    _npmUser?: { name: string };
+  }>;
+  time: Record<string, string>;
+  'dist-tags': Record<string, string>;
+}
+
+export async function fetchPackageData(packageName: string): Promise<NpmPackageData> {
+  const res = await fetch(`${NPM_REGISTRY_URL}/${encodeURIComponent(packageName)}`);
+  if (!res.ok) throw new Error(`npm registry ${res.status} for ${packageName}`);
+  return res.json() as Promise<NpmPackageData>;
+}
+
+export function buildLocalPackageData(pkgJsonPath: string): NpmPackageData {
+  const raw = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf-8'));
+  const version = raw.version || '0.0.0';
+  return {
+    name: raw.name || 'unknown',
+    'dist-tags': { latest: version },
+    time: { [version]: new Date().toISOString() },
+    versions: {
+      [version]: {
+        version,
+        description: raw.description || '',
+        author: raw.author || '',
+        license: raw.license || '',
+        dependencies: raw.dependencies || {},
+        scripts: raw.scripts || {},
+        dist: { tarball: '', fileCount: 0, unpackedSize: 0 },
+      },
+    },
+  };
+}
+
+export function extractMetadata(data: NpmPackageData, version: string): PackageMetadata {
+  const v = data.versions[version];
+  if (!v) throw new Error(`Version ${version} not found for ${data.name}`);
+  const authorStr = typeof v.author === 'string' ? v.author : v.author?.name || '';
+  return {
+    name: data.name,
+    version: v.version,
+    description: v.description || '',
+    author: authorStr,
+    license: v.license || '',
+    dependencies: v.dependencies || {},
+    scripts: v.scripts || {},
+  };
+}
+
+export function buildVersionHistory(data: NpmPackageData, currentVersion: string): VersionHistoryEntry[] {
+  const allVersions = Object.keys(data.versions);
+  const currentIdx = allVersions.indexOf(currentVersion);
+  if (currentIdx === -1) return [];
+
+  const start = Math.max(0, currentIdx - VERSION_LOOKBACK);
+  const slice = allVersions.slice(start, currentIdx + 1);
+
+  return slice.map((ver, i) => {
+    const v = data.versions[ver];
+    const prev = i > 0 ? data.versions[slice[i - 1]] : null;
+    const prevDeps = prev?.dependencies || {};
+    const curDeps = v.dependencies || {};
+    const depsChanged = Object.keys(curDeps)
+      .filter((d) => prevDeps[d] !== curDeps[d])
+      .join(', ') || 'none';
+
+    const prevSize = prev?.dist?.unpackedSize || 0;
+    const curSize = v.dist?.unpackedSize || 0;
+    const sizeDelta = prev ? `${curSize - prevSize} bytes` : 'N/A';
+
+    const prevMaintainer = prev?._npmUser?.name || '';
+    const curMaintainer = v._npmUser?.name || '';
+
+    return {
+      version: ver,
+      published: data.time[ver] || 'unknown',
+      depsChanged,
+      filesChanged: prev ? `~${Math.abs((v.dist?.fileCount || 0) - (prev.dist?.fileCount || 0))} files` : 'N/A',
+      sizeDelta,
+      newMaintainer: prev ? curMaintainer !== prevMaintainer : false,
+    };
+  });
+}
+
+function extractFilesFromTarball(tarballPath: string): SourceFile[] {
+  const tmpDir = path.join(os.tmpdir(), `opm-extract-${randomUUID()}`);
+  fs.mkdirSync(tmpDir, { recursive: true });
+
+  try {
+    execSync(`tar -xzf "${tarballPath}" -C "${tmpDir}"`, { stdio: 'pipe' });
+    return walkAndCollect(tmpDir, tmpDir);
+  } finally {
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  }
+}
+
+function walkAndCollect(dir: string, root: string): SourceFile[] {
+  const files: SourceFile[] = [];
+  let totalChars = 0;
+
+  function walk(current: string) {
+    for (const entry of fs.readdirSync(current, { withFileTypes: true })) {
+      if (totalChars >= MAX_TOTAL_CODE_CHARS) return;
+      const fullPath = path.join(current, entry.name);
+
+      if (entry.isDirectory()) {
+        if (entry.name === 'node_modules' || entry.name === '.git') continue;
+        walk(fullPath);
+      } else if (SCANNABLE_EXTENSIONS.includes(path.extname(entry.name))) {
+        const stat = fs.statSync(fullPath);
+        if (stat.size > MAX_FILE_SIZE_BYTES) continue;
+
+        const content = fs.readFileSync(fullPath, 'utf-8');
+        if (totalChars + content.length > MAX_TOTAL_CODE_CHARS) continue;
+        totalChars += content.length;
+
+        const relPath = path.relative(root, fullPath).replace(/^package\//, '');
+        files.push({ path: relPath, size: content.length, content });
+      }
+    }
+  }
+
+  walk(dir);
+  return files;
+}
+
+export async function fetchSourceFiles(_packageName: string, _version: string, tarballUrl: string): Promise<SourceFile[]> {
+  const res = await fetch(tarballUrl);
+  if (!res.ok) throw new Error(`Failed to fetch tarball: ${res.status}`);
+
+  const tmpFile = path.join(os.tmpdir(), `opm-dl-${randomUUID()}.tgz`);
+  try {
+    fs.writeFileSync(tmpFile, Buffer.from(await res.arrayBuffer()));
+    return extractFilesFromTarball(tmpFile);
+  } finally {
+    if (fs.existsSync(tmpFile)) fs.unlinkSync(tmpFile);
+  }
+}
+
+export async function extractLocalSourceFiles(tarballPath: string): Promise<SourceFile[]> {
+  return extractFilesFromTarball(tarballPath);
+}

package/packages/scanner/src/services/openrouter.ts

@@ -0,0 +1,86 @@
+import { OPENROUTER_API_URL, OPENAI_API_URL } from '@opm/core';
+import type { AgentScanResult } from '@opm/core';
+import { validateScanResult, safeJsonParse } from '@opm/core';
+
+function getProvider(): { apiUrl: string; apiKey: string; kind: 'openai' | 'openrouter' } {
+  const forcedProvider = process.env.LLM_PROVIDER;
+  
+  if (forcedProvider === 'openrouter') {
+    const orKey = process.env.OPENROUTER_API_KEY;
+    if (!orKey) throw new Error('OPENROUTER_API_KEY required when LLM_PROVIDER=openrouter');
+    return { apiUrl: OPENROUTER_API_URL, apiKey: orKey, kind: 'openrouter' };
+  }
+  
+  if (forcedProvider === 'openai') {
+    const openaiKey = process.env.OPENAI_API_KEY;
+    if (!openaiKey) throw new Error('OPENAI_API_KEY required when LLM_PROVIDER=openai');
+    return { apiUrl: OPENAI_API_URL, apiKey: openaiKey, kind: 'openai' };
+  }
+
+  const orKey = process.env.OPENROUTER_API_KEY;
+  if (orKey) return { apiUrl: OPENROUTER_API_URL, apiKey: orKey, kind: 'openrouter' };
+
+  const openaiKey = process.env.OPENAI_API_KEY;
+  if (openaiKey) return { apiUrl: OPENAI_API_URL, apiKey: openaiKey, kind: 'openai' };
+
+  throw new Error('Set OPENROUTER_API_KEY (for diverse models) or OPENAI_API_KEY');
+}
+
+export function getLLMProvider(): 'openai' | 'openrouter' {
+  const forcedProvider = process.env.LLM_PROVIDER;
+  if (forcedProvider === 'openrouter') return 'openrouter';
+  if (forcedProvider === 'openai') return 'openai';
+  
+  if (process.env.OPENROUTER_API_KEY) return 'openrouter';
+  if (process.env.OPENAI_API_KEY) return 'openai';
+  throw new Error('Set OPENROUTER_API_KEY (for diverse models) or OPENAI_API_KEY');
+}
+
+export async function callLLM(
+  model: string,
+  systemPrompt: string,
+  userPrompt: string,
+): Promise<AgentScanResult> {
+  const { apiUrl, apiKey, kind } = getProvider();
+
+  const headers: Record<string, string> = {
+    'Authorization': `Bearer ${apiKey}`,
+    'Content-Type': 'application/json',
+  };
+
+  if (kind === 'openrouter') {
+    headers['HTTP-Referer'] = 'https://opm.dev';
+    headers['X-Title'] = 'OPM Security Scanner';
+  }
+
+  const res = await fetch(apiUrl, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify({
+      model,
+      messages: [
+        { role: 'system', content: systemPrompt },
+        { role: 'user', content: userPrompt },
+      ],
+      response_format: { type: 'json_object' },
+      temperature: 0.1,
+      max_tokens: 4096,
+    }),
+  });
+
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`${kind} ${res.status}: ${body}`);
+  }
+
+  const data = await res.json() as { choices: Array<{ message: { content: string } }> };
+  const raw = data.choices?.[0]?.message?.content;
+  if (!raw) throw new Error(`Empty response from ${kind}/${model}`);
+
+  const parsed = safeJsonParse<AgentScanResult>(raw);
+  if (!parsed || !validateScanResult(parsed)) {
+    throw new Error(`Invalid scan result JSON from ${model}: ${raw.slice(0, 200)}`);
+  }
+
+  return parsed;
+}

package/packages/scanner/src/services/osv.ts

@@ -0,0 +1,87 @@
+const OSV_API = 'https://api.osv.dev/v1/query';
+
+export interface OSVAffectedRange {
+  type: string;
+  events: Array<{ introduced?: string; fixed?: string }>;
+}
+
+export interface OSVAffected {
+  ranges?: OSVAffectedRange[];
+}
+
+export interface OSVVulnerability {
+  id: string;
+  summary: string;
+  details: string;
+  severity: Array<{ type: string; score: string }>;
+  references: Array<{ type: string; url: string }>;
+  database_specific?: { severity?: string; [key: string]: unknown };
+  affected?: OSVAffected[];
+}
+
+function parseVersion(v: string): number[] {
+  return v.replace(/^v/, '').split('.').map((p) => {
+    const num = parseInt(p, 10);
+    return isNaN(num) ? 0 : num;
+  });
+}
+
+function compareVersions(v1: string, v2: string): number {
+  const p1 = parseVersion(v1);
+  const p2 = parseVersion(v2);
+  const len = Math.max(p1.length, p2.length);
+  for (let i = 0; i < len; i++) {
+    const n1 = p1[i] ?? 0;
+    const n2 = p2[i] ?? 0;
+    if (n1 !== n2) return n1 - n2;
+  }
+  return 0;
+}
+
+function isFixedInVersionOrBefore(vuln: OSVVulnerability, currentVersion: string): boolean {
+  const affected = vuln.affected;
+  if (!affected || affected.length === 0) return false;
+
+  for (const entry of affected) {
+    const ranges = entry.ranges;
+    if (!ranges || ranges.length === 0) continue;
+
+    for (const range of ranges) {
+      const events = range.events;
+      if (!events) continue;
+
+      for (const event of events) {
+        if (event.fixed) {
+          const fixedVersion = event.fixed;
+          if (compareVersions(currentVersion, fixedVersion) >= 0) {
+            return true;
+          }
+        }
+      }
+    }
+  }
+  return false;
+}
+
+export async function queryOSV(packageName: string, version: string): Promise<OSVVulnerability[]> {
+  if (!version || version === 'latest') return [];
+
+  try {
+    const res = await fetch(OSV_API, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        package: { name: packageName, ecosystem: 'npm' },
+        version,
+      }),
+    });
+    if (!res.ok) return [];
+    const data = await res.json() as { vulns?: OSVVulnerability[] };
+    const vulns = data.vulns || [];
+    
+    const unfixedVulns = vulns.filter((v) => !isFixedInVersionOrBefore(v, version));
+    return unfixedVulns;
+  } catch {
+    return [];
+  }
+}

package/packages/scanner/src/services/report-formatter.ts

@@ -0,0 +1,134 @@
+import type { ScanReport, AgentEntry, Vulnerability, SupplyChainIndicators } from '@opm/core';
+
+function riskEmoji(score: number): string {
+  if (score >= 70) return '🔴';
+  if (score >= 40) return '🟡';
+  return '🟢';
+}
+
+function riskBar(score: number): string {
+  const filled = Math.round(score / 5);
+  const empty = 20 - filled;
+  return `${'█'.repeat(filled)}${'░'.repeat(empty)}`;
+}
+
+function formatIndicators(indicators: SupplyChainIndicators): string {
+  const checks: Array<[keyof SupplyChainIndicators, string]> = [
+    ['has_install_scripts', 'Install scripts'],
+    ['has_native_bindings', 'Native bindings'],
+    ['has_obfuscated_code', 'Obfuscated code'],
+    ['has_network_calls', 'Network calls'],
+    ['has_filesystem_access', 'Filesystem access'],
+    ['has_process_spawn', 'Process spawning'],
+    ['has_eval_usage', 'eval() usage'],
+    ['accesses_env_variables', 'Environment variable access'],
+  ];
+
+  return checks
+    .map(([key, label]) => `- ${indicators[key] ? '⚠️' : '✅'} ${label}`)
+    .join('\n');
+}
+
+function formatVulnerabilities(vulns: Vulnerability[]): string {
+  if (vulns.length === 0) return '*No vulnerabilities detected.*\n';
+
+  return vulns.map((v, i) => {
+    const sev = v.severity === 'HIGH' || v.severity === 'CRITICAL' ? '🔴' : v.severity === 'MEDIUM' ? '🟡' : '🟢';
+    return [
+      `**${sev} ${i + 1}. ${v.category}** (${v.severity})`,
+      '',
+      `> ${v.description}`,
+      '',
+      `- **File:** \`${v.file}\``,
+      v.evidence ? `- **Evidence:** \`${v.evidence}\`` : '',
+    ].filter(Boolean).join('\n');
+  }).join('\n\n');
+}
+
+function formatAgent(agent: AgentEntry, index: number): string {
+  const { result } = agent;
+  const emoji = riskEmoji(result.risk_score);
+
+  return [
+    `### Agent ${index + 1}: \`${agent.agent_id}\``,
+    '',
+    `- **Model:** \`${agent.model}\``,
+    `- **Risk Score:** ${emoji} **${result.risk_score}/100** (${result.risk_level})`,
+    `- **Recommendation:** ${result.recommendation}`,
+    '',
+    '#### Analysis',
+    '',
+    result.reasoning,
+    '',
+    '#### Supply Chain Indicators',
+    '',
+    formatIndicators(result.supply_chain_indicators),
+    '',
+    '#### Vulnerabilities',
+    '',
+    formatVulnerabilities(result.vulnerabilities),
+    '',
+    '#### Version Analysis',
+    '',
+    `- **Version reviewed:** ${result.version_analysis.version_reviewed}`,
+    result.version_analysis.previous_versions_reviewed.length > 0
+      ? `- **Previous versions:** ${result.version_analysis.previous_versions_reviewed.join(', ')}`
+      : '',
+    `- **Changelog risk:** ${result.version_analysis.changelog_risk}`,
+    result.version_analysis.changelog_reasoning
+      ? `- ${result.version_analysis.changelog_reasoning}`
+      : '',
+  ].filter(Boolean).join('\n');
+}
+
+export function formatReportAsMarkdown(report: ScanReport): string {
+  const emoji = riskEmoji(report.aggregate_risk_score);
+  const timestamp = new Date(report.scan_timestamp).toLocaleString('en-US', {
+    dateStyle: 'long',
+    timeStyle: 'short',
+  });
+
+  const sections = [
+    `# ${emoji} OPM Security Report`,
+    '',
+    `## ${report.package}@${report.version}`,
+    '',
+    `- **Package:** ${report.package}`,
+    `- **Version:** ${report.version}`,
+    `- **Scanned:** ${timestamp}`,
+    `- **Versions analyzed:** ${report.versions_analyzed.join(', ')}`,
+    `- **Agents:** ${report.agents.length}`,
+    '',
+    '---',
+    '',
+    '## Aggregate Risk',
+    '',
+    `\`${riskBar(report.aggregate_risk_score)}\` **${report.aggregate_risk_score}/100** — ${report.consensus}`,
+    '',
+    report.aggregate_risk_score < 40
+      ? '> ✅ This package appears safe based on multi-agent consensus.'
+      : report.aggregate_risk_score < 70
+        ? '> ⚠️ This package has medium risk indicators. Review the agent findings below.'
+        : '> 🚨 This package has HIGH risk. Installation is not recommended.',
+    '',
+    '---',
+    '',
+    '## Agent Reports',
+    '',
+    ...report.agents.map((agent, i) => formatAgent(agent, i)),
+    '',
+    '---',
+    '',
+    '## Raw JSON',
+    '',
+    '```json',
+    JSON.stringify(report, null, 2),
+    '```',
+    '',
+    '---',
+    '',
+    `*Report generated by [OPM](https://github.com/dhananjaypai08/opm) — On-chain Package Manager*`,
+  ];
+
+  return sections.join('\n');
+}

package/tsconfig.json

@@ -0,0 +1,23 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "declaration": true,
+    "sourceMap": true,
+    "outDir": "dist",
+    "jsx": "react-jsx",
+    "types": ["bun-types"],
+    "paths": {
+      "@opm/core": ["./packages/core/src/index.ts"],
+      "@opm/scanner": ["./packages/scanner/src/index.ts"]
+    },
+    "baseUrl": "."
+  },
+  "exclude": ["node_modules", "dist", "packages/contracts"]
+}