opmsec 0.1.0

package/bunfig.toml

@@ -0,0 +1,6 @@
+[install]
+peer = false
+
+[run]
+jsx = "react-jsx"
+jsxImportSource = "react"

package/docker-compose.yml

@@ -0,0 +1,10 @@
+services:
+  redis:
+    image: redis:7-alpine
+    ports:
+      - "6379:6379"
+    volumes:
+      - redis-data:/data
+
+volumes:
+  redis-data:

package/package.json

@@ -0,0 +1,39 @@
+{
+  "name": "opmsec",
+  "version": "0.1.0",
+  "private": false,
+  "bin": {
+    "opm": "packages/cli/src/index.tsx"
+  },
+  "workspaces": [
+    "packages/core",
+    "packages/scanner",
+    "packages/cli"
+  ],
+  "scripts": {
+    "build:contracts": "cd packages/contracts && npx hardhat compile",
+    "deploy:contracts": "cd packages/contracts && npx hardhat run scripts/deploy.ts --network baseSepolia",
+    "test:contracts": "cd packages/contracts && npx hardhat test",
+    "scan": "bun run packages/scanner/src/index.ts"
+  },
+  "dependencies": {
+    "@ensdomains/ensjs": "^4.2.2",
+    "@types/react": "^18.3.28",
+    "chalk": "^5.4.0",
+    "ethers": "^6.13.0",
+    "ink": "^5.2.1",
+    "react": "^18.3.1",
+    "react-devtools-core": "^5.3.2",
+    "terminal-image": "^4.2.0",
+    "viem": "^2.47.2"
+  },
+  "devDependencies": {
+    "bun-types": "latest"
+  },
+  "opm": {
+    "signature": "0x3fadce9e0ec0a721cbff5616e4cd35893ac76ab82108d48fdadd0159f4f5270602518dbdb4d10f7402432dc756f803a56cf6404c21eeb4e1e33e0875e37d38131b",
+    "author": "0x2a3942EbDd8c5ea3E66D3fC4301F56d0F15d4bE2",
+    "ensName": "djpaiethg.eth",
+    "checksum": "0x4e5b5788abbb861fa5a9896b7c41cad069c29d076f5a689325bd659baa8ea57a"
+  }
+}

package/packages/cli/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "opm",
+  "version": "0.1.0",
+  "bin": {
+    "opm": "./src/index.tsx"
+  }
+}

package/packages/cli/src/commands/audit.tsx

@@ -0,0 +1,142 @@
+import React, { useState, useEffect } from 'react';
+import { Box, Text } from 'ink';
+import { HIGH_RISK_THRESHOLD, MEDIUM_RISK_THRESHOLD, truncateAddress, classifyRisk } from '@opm/core';
+import { Header } from '../components/Header';
+import { RiskBadge } from '../components/RiskBadge';
+import { StatusLine } from '../components/StatusLine';
+import { getPackageInfo } from '../services/contract';
+import { checkPackageWithChainPatrol } from '../services/chainpatrol';
+import { queryOSV, getOSVSeverity } from '../services/osv';
+import { resolveVersion } from '../services/version';
+import * as fs from 'fs';
+import * as path from 'path';
+
+interface DepResult {
+  name: string;
+  version: string;
+  score: number | null;
+  author: string;
+  onChain: boolean;
+  chainPatrol?: string;
+  cveCount: number;
+  cveHighCount: number;
+}
+
+export function AuditCommand() {
+  const [status, setStatus] = useState<'running' | 'done'>('running');
+  const [results, setResults] = useState<DepResult[]>([]);
+  const [error, setError] = useState<string | null>(null);
+
+  useEffect(() => {
+    runAudit().catch((err) => setError(String(err)));
+  }, []);
+
+  async function runAudit() {
+    const pkgPath = path.resolve('package.json');
+    if (!fs.existsSync(pkgPath)) throw new Error('No package.json found');
+
+    const pkgJson = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+    const deps = { ...pkgJson.dependencies, ...pkgJson.devDependencies };
+    const entries = Object.entries(deps) as [string, string][];
+
+    if (entries.length === 0) {
+      setStatus('done');
+      return;
+    }
+
+    const checked: DepResult[] = [];
+    for (const [name, verRange] of entries) {
+      const rawVersion = String(verRange).replace(/^[\^~]/, '');
+      const version = await resolveVersion(name, rawVersion);
+      const entry: DepResult = { name, version, score: null, author: '', onChain: false, cveCount: 0, cveHighCount: 0 };
+
+      const [infoResult, osvResult] = await Promise.allSettled([
+        getPackageInfo(name, version),
+        queryOSV(name, rawVersion),
+      ]);
+
+      if (infoResult.status === 'fulfilled' && infoResult.value.exists) {
+        entry.onChain = true;
+        entry.score = infoResult.value.aggregateScore;
+        entry.author = infoResult.value.author;
+      } else {
+        const cp = await checkPackageWithChainPatrol(name).catch(() => null);
+        entry.chainPatrol = cp?.status;
+      }
+
+      if (osvResult.status === 'fulfilled') {
+        entry.cveCount = osvResult.value.length;
+        entry.cveHighCount = osvResult.value.filter((v) => {
+          const sev = getOSVSeverity(v);
+          return sev === 'HIGH' || sev === 'CRITICAL';
+        }).length;
+      }
+
+      checked.push(entry);
+      setResults([...checked]);
+    }
+
+    setStatus('done');
+  }
+
+  const high = results.filter((r) => r.score !== null && r.score >= HIGH_RISK_THRESHOLD);
+  const medium = results.filter((r) => r.score !== null && r.score >= MEDIUM_RISK_THRESHOLD && r.score < HIGH_RISK_THRESHOLD);
+  const low = results.filter((r) => r.score !== null && r.score < MEDIUM_RISK_THRESHOLD);
+  const unknown = results.filter((r) => !r.onChain);
+  const totalCves = results.reduce((s, r) => s + r.cveCount, 0);
+
+  return (
+    <Box flexDirection="column">
+      <Header subtitle="audit" />
+      <StatusLine label={`Checking ${results.length} dependencies`} status={status === 'done' ? 'done' : 'running'} />
+      <Text> </Text>
+      {results.map((r) => (
+        <Box key={r.name} marginLeft={2}>
+          <Box width={30}>
+            <Text>{r.name}@{r.version}</Text>
+          </Box>
+          {r.onChain ? (
+            <Box>
+              <RiskBadge level={classifyRisk(r.score!)} score={r.score!} />
+              <Text color="gray">  {truncateAddress(r.author)}</Text>
+            </Box>
+          ) : (
+            <Box>
+              <Text color="gray">not in registry</Text>
+              {r.chainPatrol && (
+                <Text color={r.chainPatrol === 'BLOCKED' ? 'red' : 'gray'}>  ChainPatrol: {r.chainPatrol}</Text>
+              )}
+            </Box>
+          )}
+          {r.cveCount > 0 && (
+            <Text color={r.cveHighCount > 0 ? 'red' : 'yellow'}>  {r.cveCount} CVE{r.cveCount > 1 ? 's' : ''}</Text>
+          )}
+        </Box>
+      ))}
+      {status === 'done' && (
+        <Box flexDirection="column" marginTop={1}>
+          <Text color="gray">────────────────────────────────────────</Text>
+          <Box>
+            <Text color="red" bold>{high.length} high</Text>
+            <Text color="gray"> · </Text>
+            <Text color="yellow" bold>{medium.length} medium</Text>
+            <Text color="gray"> · </Text>
+            <Text color="green" bold>{low.length} low</Text>
+            <Text color="gray"> · </Text>
+            <Text color="gray">{unknown.length} unverified</Text>
+            {totalCves > 0 && (
+              <>
+                <Text color="gray"> · </Text>
+                <Text color="red" bold>{totalCves} CVE{totalCves > 1 ? 's' : ''}</Text>
+              </>
+            )}
+          </Box>
+          {high.length > 0 && (
+            <Text color="red" bold>⚠ {high.length} package(s) above risk threshold!</Text>
+          )}
+        </Box>
+      )}
+      {error && <Text color="red">{error}</Text>}
+    </Box>
+  );
+}

package/packages/cli/src/commands/author-view.tsx

@@ -0,0 +1,247 @@
+import React, { useState, useEffect } from 'react';
+import { Box, Text } from 'ink';
+import { classifyRisk, truncateAddress } from '@opm/core';
+import type { AuthorProfile } from '@opm/core';
+import { Header } from '../components/Header';
+import { StatusLine } from '../components/StatusLine';
+import { RiskBadge } from '../components/RiskBadge';
+import { resolveAddress, getENSTextRecords, type ENSProfile } from '../services/ens';
+import {
+  getAuthorProfile,
+  getPackagesByAuthor, getPackagesByAuthorDirect, type AuthorPackageSummary,
+} from '../services/contract';
+import { renderAvatar } from '../services/avatar';
+
+type StepStatus = 'pending' | 'running' | 'done' | 'error' | 'skip';
+
+interface Steps {
+  resolve: StepStatus;
+  onchain: StepStatus;
+  profile: StepStatus;
+  packages: StepStatus;
+}
+
+interface AuthorViewProps {
+  ensName: string;
+}
+
+export function AuthorViewCommand({ ensName }: AuthorViewProps) {
+  const [steps, setSteps] = useState<Steps>({
+    resolve: 'pending', onchain: 'pending', profile: 'pending', packages: 'pending',
+  });
+  const [address, setAddress] = useState<string | null>(null);
+  const [author, setAuthor] = useState<AuthorProfile | null>(null);
+  const [ensProfile, setEnsProfile] = useState<ENSProfile | null>(null);
+  const [packages, setPackages] = useState<AuthorPackageSummary[]>([]);
+  const [avatarArt, setAvatarArt] = useState<string | null>(null);
+  const [error, setError] = useState<string | null>(null);
+  const [done, setDone] = useState(false);
+
+  const update = (key: keyof Steps, status: StepStatus) =>
+    setSteps((s) => ({ ...s, [key]: status }));
+
+  useEffect(() => {
+    run().catch((err) => setError(String(err)));
+  }, []);
+
+  async function run() {
+    update('resolve', 'running');
+    update('profile', 'running');
+
+    const [addrResult, textResult] = await Promise.allSettled([
+      resolveAddress(ensName),
+      getENSTextRecords(ensName, ['avatar', 'url', 'com.github', 'com.twitter', 'description', 'email']),
+    ]);
+
+    const addr = addrResult.status === 'fulfilled' ? addrResult.value : null;
+    setAddress(addr);
+    update('resolve', addr ? 'done' : 'error');
+
+    const textRecords: Record<string, string> = textResult.status === 'fulfilled'
+      ? textResult.value as Record<string, string> : {};
+    const profile: ENSProfile = {
+      name: ensName,
+      avatar: textRecords['avatar'] || null,
+      url: textRecords['url'] || null,
+      github: textRecords['com.github'] || null,
+      twitter: textRecords['com.twitter'] || null,
+      description: textRecords['description'] || null,
+      email: textRecords['email'] || null,
+    };
+    setEnsProfile(profile);
+    update('profile', 'done');
+
+    update('onchain', 'running');
+    let authorProfile: AuthorProfile | null = null;
+    if (addr) {
+      authorProfile = await getAuthorProfile(addr).catch(() => null);
+    }
+    setAuthor(authorProfile);
+    update('onchain', authorProfile && authorProfile.addr !== '0x0000000000000000000000000000000000000000' ? 'done' : 'error');
+
+    const resolvedAddr = authorProfile?.addr || addr;
+    if (resolvedAddr && resolvedAddr !== '0x0000000000000000000000000000000000000000') {
+      update('packages', 'running');
+      let pkgs: AuthorPackageSummary[] = [];
+      try {
+        pkgs = await getPackagesByAuthor(resolvedAddr);
+      } catch { /* event query failed */ }
+
+      if (pkgs.length === 0 && authorProfile && authorProfile.packagesPublished > 0) {
+        const knownNames = ['opm', 'opmsec'];
+        try {
+          pkgs = await getPackagesByAuthorDirect(resolvedAddr, knownNames);
+        } catch { /* direct query failed */ }
+      }
+
+      setPackages(pkgs);
+      update('packages', 'done');
+    } else {
+      update('packages', 'skip');
+    }
+
+    setDone(true);
+  }
+
+  const riskColor = (score: number) => score >= 70 ? 'red' : score >= 40 ? 'yellow' : 'green';
+
+  return (
+    <Box flexDirection="column">
+      <Header subtitle="view" />
+      <Text color="cyan" bold> {ensName}</Text>
+      <Text> </Text>
+
+      <StatusLine label="Resolve ENS" status={steps.resolve}
+        detail={steps.resolve === 'done' && address ? truncateAddress(address) : undefined} />
+      <StatusLine label="ENS profile" status={steps.profile} />
+      <StatusLine label="On-chain registry" status={steps.onchain}
+        detail={steps.onchain === 'done' ? 'registered author' : steps.onchain === 'error' ? 'not found' : undefined} />
+      <StatusLine label="Fetch packages" status={steps.packages}
+        detail={steps.packages === 'done' ? `${packages.length} package(s)` : undefined} />
+
+      {done && (
+        <Box flexDirection="column" marginTop={1}>
+          <Text color="gray">────────────────────────────────────────</Text>
+          <Text color="white" bold> Identity</Text>
+          <Box marginLeft={2}>
+            {avatarArt && (
+              <Box marginRight={2}>
+                <Text>{avatarArt}</Text>
+              </Box>
+            )}
+            <Box flexDirection="column">
+              <Box>
+                <Text color="gray">ENS:     </Text>
+                <Text color="cyan" bold>{ensName}</Text>
+              </Box>
+              {address && (
+                <Box>
+                  <Text color="gray">Address: </Text>
+                  <Text color="cyan">{address}</Text>
+                </Box>
+              )}
+              {ensProfile?.description && (
+                <Box>
+                  <Text color="gray">Bio:     </Text>
+                  <Text>{ensProfile.description}</Text>
+                </Box>
+              )}
+              {ensProfile?.url && (
+                <Box>
+                  <Text color="gray">URL:     </Text>
+                  <Text color="blue">{ensProfile.url}</Text>
+                </Box>
+              )}
+              {ensProfile?.github && (
+                <Box>
+                  <Text color="gray">GitHub:  </Text>
+                  <Text color="white">@{ensProfile.github}</Text>
+                </Box>
+              )}
+              {ensProfile?.twitter && (
+                <Box>
+                  <Text color="gray">Twitter: </Text>
+                  <Text color="white">@{ensProfile.twitter}</Text>
+                </Box>
+              )}
+              {ensProfile?.email && (
+                <Box>
+                  <Text color="gray">Email:   </Text>
+                  <Text>{ensProfile.email}</Text>
+                </Box>
+              )}
+            </Box>
+          </Box>
+
+          {author && author.addr !== '0x0000000000000000000000000000000000000000' && (
+            <>
+              <Text> </Text>
+              <Text color="white" bold> Author Stats</Text>
+              <Box flexDirection="column" marginLeft={2}>
+                <Box>
+                  <Text color="gray">Packages published: </Text>
+                  <Text color="white" bold>{author.packagesPublished}</Text>
+                </Box>
+                <Box>
+                  <Text color="gray">Avg reputation:     </Text>
+                  <RiskBadge level={classifyRisk(author.reputationScore)} score={author.reputationScore} />
+                </Box>
+              </Box>
+            </>
+          )}
+
+          {packages.length > 0 && (
+            <>
+              <Text> </Text>
+              <Text color="white" bold> Published Packages ({packages.length})</Text>
+              {packages.map((pkg) => {
+                const risk = classifyRisk(pkg.aggregateScore);
+                const sigOk = pkg.signature && pkg.signature !== '0x' && pkg.signature.length > 10;
+                return (
+                  <Box key={`${pkg.name}@${pkg.version}`} flexDirection="column"
+                    borderStyle="round" borderColor={risk === 'HIGH' || risk === 'CRITICAL' ? 'red' : risk === 'MEDIUM' ? 'yellow' : 'green'}
+                    paddingX={1} marginLeft={2} marginBottom={1}>
+                    <Box>
+                      <Text bold color="white">{pkg.name}</Text>
+                      <Text color="gray">@{pkg.version}</Text>
+                      <Text>  </Text>
+                      <RiskBadge level={risk} score={pkg.aggregateScore} />
+                    </Box>
+                    <Box marginTop={0}>
+                      <Text color="gray">Checksum:  </Text>
+                      <Text color="cyan">{truncateAddress(pkg.checksum)}</Text>
+                      <Text>  </Text>
+                      <Text color="gray">Signature: </Text>
+                      <Text color="cyan">{truncateAddress(pkg.signature)}</Text>
+                      <Text color={sigOk ? 'green' : 'red'}> {sigOk ? '✓' : '✗'}</Text>
+                    </Box>
+                    {pkg.reportURI && !pkg.reportURI.startsWith('local://') && (
+                      <Box>
+                        <Text color="gray">Report: </Text>
+                        <Text color="blue">{pkg.reportURI}</Text>
+                      </Box>
+                    )}
+                  </Box>
+                );
+              })}
+            </>
+          )}
+
+          {packages.length === 0 && author && author.addr !== '0x0000000000000000000000000000000000000000' && (
+            <Box marginLeft={2} marginTop={1}>
+              <Text color="gray">Contract reports {author.packagesPublished} package(s) but none could be resolved</Text>
+            </Box>
+          )}
+
+          {!author || author.addr === '0x0000000000000000000000000000000000000000' ? (
+            <Box marginLeft={2} marginTop={1}>
+              <Text color="yellow">{ensName} has not published any packages through OPM</Text>
+            </Box>
+          ) : null}
+        </Box>
+      )}
+
+      {error && <Text color="red">{error}</Text>}
+    </Box>
+  );
+}

package/packages/cli/src/commands/info.tsx

@@ -0,0 +1,109 @@
+import React, { useState, useEffect } from 'react';
+import { Box, Text } from 'ink';
+import { Header } from '../components/Header';
+import { PackageCard } from '../components/PackageCard';
+import { StatusLine } from '../components/StatusLine';
+import { getPackageInfo, getSafestVersion, getVersions } from '../services/contract';
+import { getENSProfile, type ENSProfile } from '../services/ens';
+import { fetchReportFromFileverse } from '../services/fileverse';
+import { queryOSV, type OSVVulnerability } from '../services/osv';
+import { resolveVersion } from '../services/version';
+import type { OnChainPackageInfo, ScanReport as ScanReportType } from '@opm/core';
+
+interface InfoCommandProps {
+  packageName: string;
+  version?: string;
+}
+
+export function InfoCommand({ packageName, version }: InfoCommandProps) {
+  const [status, setStatus] = useState<'running' | 'done'>('running');
+  const [resolvedVer, setResolvedVer] = useState<string>(version || '');
+  const [info, setInfo] = useState<OnChainPackageInfo | null>(null);
+  const [ensProfile, setEnsProfile] = useState<ENSProfile | undefined>();
+  const [report, setReport] = useState<ScanReportType | null>(null);
+  const [versions, setVersions] = useState<string[]>([]);
+  const [safest, setSafest] = useState<string | undefined>();
+  const [cves, setCves] = useState<OSVVulnerability[]>([]);
+  const [error, setError] = useState<string | null>(null);
+
+  useEffect(() => {
+    run().catch((err) => setError(String(err)));
+  }, []);
+
+  async function run() {
+    const ver = await resolveVersion(packageName, version || 'latest');
+    setResolvedVer(ver);
+
+    const pkgInfo = await getPackageInfo(packageName, ver);
+    setInfo(pkgInfo);
+
+    if (!pkgInfo.exists) {
+      setStatus('done');
+      return;
+    }
+
+    const [ep, rpt, vers, safe, osvResult] = await Promise.allSettled([
+      getENSProfile(pkgInfo.author),
+      pkgInfo.reportURI ? fetchReportFromFileverse(pkgInfo.reportURI) : Promise.resolve(null),
+      getVersions(packageName),
+      getSafestVersion(packageName),
+      queryOSV(packageName, ver),
+    ]);
+
+    setEnsProfile(ep.status === 'fulfilled' ? ep.value : undefined);
+    setReport(rpt.status === 'fulfilled' ? rpt.value : null);
+    setVersions(vers.status === 'fulfilled' ? vers.value : []);
+    setSafest(safe.status === 'fulfilled' ? safe.value : undefined);
+    setCves(osvResult.status === 'fulfilled' ? osvResult.value : []);
+    setStatus('done');
+  }
+
+  return (
+    <Box flexDirection="column">
+      <Header subtitle="info" />
+      <StatusLine label={`Looking up ${packageName}${resolvedVer ? `@${resolvedVer}` : ''}`} status={status === 'done' ? 'done' : 'running'} />
+      {status === 'done' && info && (
+        info.exists ? (
+          <Box flexDirection="column">
+            <PackageCard
+              name={packageName}
+              version={resolvedVer}
+              info={info}
+              ensProfile={ensProfile}
+              report={report}
+              signatureValid={info.signature !== '0x'}
+            />
+            {cves.length > 0 && (
+              <Box flexDirection="column" marginLeft={2} marginTop={1}>
+                <Text color="red" bold>Known CVEs ({cves.length}):</Text>
+                {cves.slice(0, 5).map((c) => (
+                  <Box key={c.id} marginLeft={2}>
+                    <Text color="yellow">{c.id}</Text>
+                    <Text color="gray"> {c.summary?.slice(0, 60)}</Text>
+                  </Box>
+                ))}
+              </Box>
+            )}
+            {versions.length > 0 && (
+              <Box marginLeft={2} marginTop={1}>
+                <Text color="gray">Versions: </Text>
+                <Text>{versions.join(', ')}</Text>
+              </Box>
+            )}
+            {safest && (
+              <Box marginLeft={2}>
+                <Text color="gray">Safest version: </Text>
+                <Text color="green" bold>{safest}</Text>
+              </Box>
+            )}
+          </Box>
+        ) : (
+          <Box marginLeft={2} marginTop={1}>
+            <Text color="yellow">{packageName} not found in OPM registry</Text>
+          </Box>
+        )
+      )}
+      {error && <Text color="red">{error}</Text>}
+    </Box>
+  );
+}