opmsec 0.1.0

package/packages/cli/src/commands/push.tsx

@@ -0,0 +1,321 @@
+import React, { useState, useEffect } from 'react';
+import { Box, Text } from 'ink';
+import { getEnvOrThrow, truncateAddress, classifyRisk } from '@opm/core';
+import type { AgentEntry } from '@opm/core';
+import { Header } from '../components/Header';
+import { StatusLine, type Status } from '../components/StatusLine';
+import { RiskBadge } from '../components/RiskBadge';
+import { computeChecksum, signChecksumAsync } from '../services/signature';
+import { resolveENSName } from '../services/ens';
+import { registerPackageOnChain } from '../services/contract';
+import { enqueueScan } from '@opm/scanner';
+import * as fs from 'fs';
+import * as path from 'path';
+import { execSync } from 'child_process';
+
+type StepStatus = Status;
+
+interface Steps {
+  pack: StepStatus;
+  sign: StepStatus;
+  ens: StepStatus;
+  scan: StepStatus;
+  publish: StepStatus;
+  register: StepStatus;
+}
+
+interface PushResult {
+  checksum?: string;
+  signature?: string;
+  address?: string;
+  ensName?: string;
+  npmUrl?: string;
+  npmError?: string;
+  txHash?: string;
+  riskScore?: number;
+  riskLevel?: string;
+  reportURI?: string;
+  agents?: AgentEntry[];
+  blocked?: boolean;
+  blockReason?: string;
+}
+
+interface PushCommandProps {
+  npmToken?: string;
+  otp?: string;
+}
+
+export function PushCommand({ npmToken, otp }: PushCommandProps) {
+  const [steps, setSteps] = useState<Steps>({
+    pack: 'pending', sign: 'pending', ens: 'pending',
+    scan: 'pending', publish: 'pending', register: 'pending',
+  });
+  const [result, setResult] = useState<PushResult>({});
+  const [error, setError] = useState<string | null>(null);
+  const [scanLogs, setScanLogs] = useState<string[]>([]);
+  const [pkgLabel, setPkgLabel] = useState('');
+
+  const updateStep = (key: keyof Steps, status: StepStatus) =>
+    setSteps((prev) => ({ ...prev, [key]: status }));
+
+  useEffect(() => {
+    runPush().catch((err) => setError(String(err)));
+  }, []);
+
+  async function runPush() {
+    const pkgJsonPath = path.resolve('package.json');
+    if (!fs.existsSync(pkgJsonPath)) throw new Error('No package.json found in current directory');
+
+    const pkgJson = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf-8'));
+    const { name, version } = pkgJson;
+    if (!name || !version) throw new Error('package.json missing name or version');
+    setPkgLabel(`${name}@${version}`);
+
+    const privateKey = getEnvOrThrow('OPM_PRIVATE_KEY');
+
+    updateStep('pack', 'running');
+    const tarball = execSync('npm pack --json 2>/dev/null', { encoding: 'utf-8' });
+    const parsed = JSON.parse(tarball);
+    const tarballFile = Array.isArray(parsed) ? parsed[0].filename : parsed.filename;
+    updateStep('pack', 'done');
+
+    updateStep('sign', 'running');
+    const checksum = computeChecksum(tarballFile);
+    const { signature, address } = await signChecksumAsync(checksum, privateKey);
+    setResult((r) => ({ ...r, checksum, signature, address }));
+    updateStep('sign', 'done');
+
+    updateStep('ens', 'running');
+    const ensName = await resolveENSName(address) || '';
+    setResult((r) => ({ ...r, ensName, address }));
+    updateStep('ens', 'done');
+
+    updateStep('scan', 'running');
+    let scanPassed = false;
+    try {
+      const scanResult = await enqueueScan(name, version, (msg) =>
+        setScanLogs((prev) => [...prev.slice(-8), msg]),
+        { tarballPath: tarballFile, pkgJsonPath },
+      );
+
+      const riskScore = scanResult.report.aggregate_risk_score;
+      const riskLevel = classifyRisk(riskScore);
+
+      setResult((r) => ({
+        ...r,
+        riskScore,
+        riskLevel,
+        reportURI: scanResult.reportURI,
+        agents: scanResult.report.agents,
+      }));
+
+      if (riskLevel === 'CRITICAL' || riskScore >= 80) {
+        setResult((r) => ({
+          ...r,
+          blocked: true,
+          blockReason: `Risk score ${riskScore}/100 (${riskLevel}) — too dangerous to publish`,
+        }));
+        updateStep('scan', 'error');
+        updateStep('publish', 'blocked');
+        updateStep('register', 'blocked');
+        if (fs.existsSync(tarballFile)) fs.unlinkSync(tarballFile);
+        return;
+      }
+
+      scanPassed = true;
+      updateStep('scan', 'done');
+    } catch (err: any) {
+      setScanLogs((prev) => [...prev, `Scan: ${err?.message || 'failed'}`]);
+      scanPassed = true;
+      updateStep('scan', 'error');
+    }
+
+    if (!scanPassed) return;
+
+    const originalPkgJsonContent = fs.readFileSync(pkgJsonPath, 'utf-8');
+    pkgJson.opm = { signature, author: address, ensName, checksum };
+    fs.writeFileSync(pkgJsonPath, JSON.stringify(pkgJson, null, 2));
+
+    updateStep('publish', 'running');
+    const token = npmToken || process.env.NPM_TOKEN;
+    const npmrcPath = path.resolve('.npmrc');
+    const existingNpmrc = fs.existsSync(npmrcPath) ? fs.readFileSync(npmrcPath, 'utf-8') : null;
+
+    let canPublish = false;
+    if (token) {
+      fs.writeFileSync(npmrcPath, `//registry.npmjs.org/:_authToken=${token}\n`);
+      canPublish = true;
+    } else {
+      canPublish = (() => {
+        try { execSync('npm whoami', { encoding: 'utf-8', stdio: 'pipe' }); return true; } catch { return false; }
+      })();
+    }
+
+    if (canPublish) {
+      try {
+        let publishCmd = 'npm publish --access public';
+        if (otp) publishCmd += ` --otp=${otp}`;
+        execSync(publishCmd, { encoding: 'utf-8', stdio: 'pipe' });
+        setResult((r) => ({
+          ...r,
+          npmUrl: `https://www.npmjs.com/package/${name}/v/${version}`,
+        }));
+      } catch (err: any) {
+        const msg = err?.stderr || err?.stdout || err?.message || '';
+        let reason = 'version may already exist';
+        if (msg.includes('Two-factor') || msg.includes('2fa') || msg.includes('EOTP')) {
+          reason = token
+            ? '2FA enforced — your token needs "bypass 2FA" enabled, or use --otp <code>'
+            : '2FA required — use: opm push --otp <code> or --token <automation-token>';
+        } else if (msg.includes('E403')) {
+          reason = 'forbidden — check npm token permissions';
+        } else if (msg.includes('E402')) {
+          reason = 'payment required — scoped packages need npm Pro';
+        } else {
+          const lines = msg.split('\n').filter((l: string) => l.trim().length > 0);
+          const errorLine = lines.find((l: string) =>
+            (l.includes('npm error') || l.includes('ERR!')) && !l.includes('npm notice'),
+          );
+          if (errorLine) reason = errorLine.replace(/^npm\s+(error|ERR!)\s*/i, '').trim();
+        }
+        setResult((r) => ({ ...r, npmError: reason.slice(0, 150) }));
+      }
+    } else {
+      setResult((r) => ({ ...r, npmError: 'not authenticated — use: opm push --token <npm-token>' }));
+    }
+
+    if (token) {
+      if (existingNpmrc !== null) {
+        fs.writeFileSync(npmrcPath, existingNpmrc);
+      } else if (fs.existsSync(npmrcPath)) {
+        fs.unlinkSync(npmrcPath);
+      }
+    }
+    updateStep('publish', 'done');
+
+    fs.writeFileSync(pkgJsonPath, originalPkgJsonContent);
+
+    updateStep('register', 'running');
+    try {
+      const sigBytes = new Uint8Array(Buffer.from(signature.slice(2), 'hex'));
+      const txHash = await registerPackageOnChain(name, version, checksum, sigBytes, ensName);
+      setResult((r) => ({ ...r, txHash }));
+    } catch (err: any) {
+      setScanLogs((prev) => [...prev, `Registration: ${err?.shortMessage || err?.message || 'failed'}`]);
+    }
+    updateStep('register', 'done');
+
+    if (fs.existsSync(tarballFile)) fs.unlinkSync(tarballFile);
+  }
+
+  const riskColor = (score: number) => score >= 70 ? 'red' : score >= 40 ? 'yellow' : 'green';
+
+  return (
+    <Box flexDirection="column">
+      <Header subtitle="push" />
+      {pkgLabel && <Text color="white" bold> {pkgLabel}</Text>}
+      <Text> </Text>
+      <StatusLine label="Pack tarball" status={steps.pack} detail={result.checksum?.slice(0, 16)} />
+      <StatusLine label="Sign checksum" status={steps.sign} detail={result.signature?.slice(0, 16)} />
+      <StatusLine label="Resolve ENS" status={steps.ens} />
+      {steps.ens === 'done' && result.address && (
+        <Box marginLeft={4}>
+          <Text color="cyan">{truncateAddress(result.address)}</Text>
+          {result.ensName ? (
+            <Text> → <Text color="green" bold>{result.ensName}</Text></Text>
+          ) : (
+            <Text color="gray"> (no ENS name)</Text>
+          )}
+        </Box>
+      )}
+      <StatusLine label="Security scan (3 agents)" status={steps.scan} />
+
+      {scanLogs.length > 0 && (
+        <Box flexDirection="column" marginLeft={4}>
+          {scanLogs.map((log, i) => (
+            <Text key={i} color="gray">{log}</Text>
+          ))}
+        </Box>
+      )}
+
+      {result.agents && result.agents.length > 0 && (
+        <Box flexDirection="column" marginTop={1}>
+          <Text color="gray">────────────────────────────────────────</Text>
+          <Text color="white" bold> Agent Results</Text>
+          {result.agents.map((agent) => (
+            <Box key={agent.agent_id} flexDirection="column" marginLeft={2} marginTop={1}>
+              <Box>
+                <Text color="white" bold>{agent.agent_id}</Text>
+                <Text color="gray"> ({agent.model}) </Text>
+                <Text color={riskColor(agent.result.risk_score)} bold>
+                  {agent.result.risk_score}/100
+                </Text>
+                <Text color="gray"> {agent.result.risk_level}</Text>
+              </Box>
+              <Box marginLeft={2}>
+                <Text color="gray" wrap="wrap">{agent.result.reasoning.slice(0, 200)}</Text>
+              </Box>
+              {agent.result.vulnerabilities.length > 0 && (
+                <Box marginLeft={2}>
+                  <Text color="yellow">{agent.result.vulnerabilities.length} vulnerabilities found</Text>
+                </Box>
+              )}
+            </Box>
+          ))}
+        </Box>
+      )}
+
+      {result.riskScore !== undefined && (
+        <Box flexDirection="column" marginTop={1}>
+          <Text color="gray">────────────────────────────────────────</Text>
+          <Box>
+            <Text color="white" bold> Aggregate Risk: </Text>
+            <RiskBadge level={classifyRisk(result.riskScore)} score={result.riskScore} />
+          </Box>
+        </Box>
+      )}
+
+      {result.blocked && (
+        <Box marginLeft={2} marginTop={1}>
+          <Text color="red" bold>✗ BLOCKED: {result.blockReason}</Text>
+        </Box>
+      )}
+
+      {!result.blocked && (
+        <>
+          <StatusLine label="Publish to npm" status={steps.publish} />
+          {steps.publish === 'done' && (
+            <Box marginLeft={4}>
+              {result.npmUrl ? (
+                <Text color="green">✓ <Text color="blue">{result.npmUrl}</Text></Text>
+              ) : result.npmError ? (
+                <Text color="yellow">⚠ {result.npmError}</Text>
+              ) : null}
+            </Box>
+          )}
+          <StatusLine label="Register on-chain" status={steps.register} detail={result.txHash?.slice(0, 16)} />
+        </>
+      )}
+
+      {result.reportURI && (
+        <Box flexDirection="column" marginLeft={1} marginTop={1}>
+          <Box>
+            <Text color="white" bold> Report: </Text>
+            {result.reportURI.startsWith('local://') ? (
+              <Text color="gray">(stored locally)</Text>
+            ) : (
+              <Text color="green">✓ Uploaded to Fileverse</Text>
+            )}
+          </Box>
+          {!result.reportURI.startsWith('local://') && (
+            <Box marginLeft={2}>
+              <Text color="blue">{result.reportURI}</Text>
+            </Box>
+          )}
+        </Box>
+      )}
+
+      {error && <Text color="red">Error: {error}</Text>}
+    </Box>
+  );
+}

package/packages/cli/src/components/AgentScores.tsx

@@ -0,0 +1,32 @@
+import React from 'react';
+import { Box, Text } from 'ink';
+import { classifyRisk } from '@opm/core';
+import type { AgentEntry } from '@opm/core';
+
+const RISK_COLORS = { LOW: 'green', MEDIUM: 'yellow', HIGH: 'red', CRITICAL: 'redBright' } as const;
+
+interface AgentScoresProps {
+  agents: AgentEntry[];
+}
+
+export function AgentScores({ agents }: AgentScoresProps) {
+  return (
+    <Box flexDirection="column" marginLeft={2}>
+      <Text bold color="white"> Agent Scan Results</Text>
+      {agents.map((agent, i) => {
+        const level = classifyRisk(agent.result.risk_score);
+        const color = RISK_COLORS[level];
+        const connector = i === agents.length - 1 ? '└──' : '├──';
+        return (
+          <Box key={agent.agent_id}>
+            <Text color="gray">{connector} </Text>
+            <Text color="cyan">{agent.agent_id}</Text>
+            <Text color="gray"> ({agent.model}): </Text>
+            <Text color={color} bold>{agent.result.risk_score}/100</Text>
+            <Text color="gray"> - {agent.result.recommendation}</Text>
+          </Box>
+        );
+      })}
+    </Box>
+  );
+}

package/packages/cli/src/components/AuthorInfo.tsx

@@ -0,0 +1,45 @@
+import React from 'react';
+import { Box, Text } from 'ink';
+import { truncateAddress } from '@opm/core';
+import type { ENSProfile } from '../services/ens';
+
+interface AuthorInfoProps {
+  address: string;
+  ensName?: string;
+  profile?: ENSProfile;
+}
+
+export function AuthorInfo({ address, ensName, profile }: AuthorInfoProps) {
+  const displayName = ensName || profile?.name;
+  return (
+    <Box flexDirection="column" marginLeft={2}>
+      <Box>
+        <Text color="gray">Author: </Text>
+        {displayName ? (
+          <Text color="magenta" bold>{displayName}</Text>
+        ) : (
+          <Text color="white">{truncateAddress(address)}</Text>
+        )}
+        {displayName && <Text color="gray"> ({truncateAddress(address)})</Text>}
+      </Box>
+      {profile?.github && (
+        <Box>
+          <Text color="gray">  GitHub: </Text>
+          <Text color="blue">{profile.github}</Text>
+        </Box>
+      )}
+      {profile?.twitter && (
+        <Box>
+          <Text color="gray">  Twitter: </Text>
+          <Text color="blue">@{profile.twitter}</Text>
+        </Box>
+      )}
+      {profile?.url && (
+        <Box>
+          <Text color="gray">  Web: </Text>
+          <Text color="blue">{profile.url}</Text>
+        </Box>
+      )}
+    </Box>
+  );
+}

package/packages/cli/src/components/Header.tsx

@@ -0,0 +1,24 @@
+import React from 'react';
+import { Box, Text } from 'ink';
+
+const LOGO = `
+  ██████  ██████  ███    ███
+ ██    ██ ██   ██ ████  ████
+ ██    ██ ██████  ██ ████ ██
+ ██    ██ ██      ██  ██  ██
+  ██████  ██      ██      ██`;
+
+interface HeaderProps {
+  subtitle?: string;
+}
+
+export function Header({ subtitle }: HeaderProps) {
+  return (
+    <Box flexDirection="column" marginBottom={1}>
+      <Text color="cyan" bold>{LOGO}</Text>
+      <Text color="gray"> On-chain Package Manager</Text>
+      {subtitle && <Text color="yellow"> {subtitle}</Text>}
+      <Text color="gray">{'─'.repeat(40)}</Text>
+    </Box>
+  );
+}

package/packages/cli/src/components/PackageCard.tsx

@@ -0,0 +1,48 @@
+import React from 'react';
+import { Box, Text } from 'ink';
+import { classifyRisk, truncateAddress } from '@opm/core';
+import type { OnChainPackageInfo, ScanReport as ScanReportType } from '@opm/core';
+import type { ENSProfile } from '../services/ens';
+import { RiskBadge } from './RiskBadge';
+import { AuthorInfo } from './AuthorInfo';
+import { ScanReport } from './ScanReport';
+
+interface PackageCardProps {
+  name: string;
+  version: string;
+  info: OnChainPackageInfo;
+  ensProfile?: ENSProfile;
+  report?: ScanReportType | null;
+  signatureValid?: boolean;
+}
+
+export function PackageCard({ name, version, info, ensProfile, report, signatureValid }: PackageCardProps) {
+  const level = classifyRisk(info.aggregateScore);
+  return (
+    <Box flexDirection="column" borderStyle="round" borderColor="gray" paddingX={1} marginBottom={1}>
+      <Box>
+        <Text bold color="white">{name}</Text>
+        <Text color="gray">@{version}</Text>
+      </Box>
+      <Box marginTop={1}>
+        <Text color="gray">Risk: </Text>
+        <RiskBadge level={level} score={info.aggregateScore} />
+      </Box>
+      <Box flexDirection="column">
+        <Box>
+          <Text color="gray">Checksum:  </Text>
+          <Text color="cyan">{truncateAddress(info.checksum)}</Text>
+        </Box>
+        <Box>
+          <Text color="gray">Signature: </Text>
+          <Text color="cyan">{truncateAddress(info.signature)}</Text>
+          <Text color={signatureValid ? 'green' : 'red'}>
+            {' '}{signatureValid ? '✓ verified' : '✗ unverified'}
+          </Text>
+        </Box>
+      </Box>
+      <AuthorInfo address={info.author} ensName={info.ensName} profile={ensProfile} />
+      <ScanReport report={report} reportURI={info.reportURI} />
+    </Box>
+  );
+}

package/packages/cli/src/components/RiskBadge.tsx

@@ -0,0 +1,32 @@
+import React from 'react';
+import { Text } from 'ink';
+import type { RiskLevel } from '@opm/core';
+
+const RISK_COLORS: Record<RiskLevel, string> = {
+  LOW: 'green',
+  MEDIUM: 'yellow',
+  HIGH: 'red',
+  CRITICAL: 'redBright',
+};
+
+const RISK_ICONS: Record<RiskLevel, string> = {
+  LOW: '●',
+  MEDIUM: '▲',
+  HIGH: '✖',
+  CRITICAL: '⬤',
+};
+
+interface RiskBadgeProps {
+  level: RiskLevel;
+  score: number;
+}
+
+export function RiskBadge({ level, score }: RiskBadgeProps) {
+  const color = RISK_COLORS[level];
+  return (
+    <Text>
+      <Text color={color} bold>{RISK_ICONS[level]} {level}</Text>
+      <Text color="gray"> ({score}/100)</Text>
+    </Text>
+  );
+}

package/packages/cli/src/components/ScanReport.tsx

@@ -0,0 +1,50 @@
+import React from 'react';
+import { Box, Text } from 'ink';
+import type { ScanReport as ScanReportType } from '@opm/core';
+
+interface ScanReportProps {
+  report?: ScanReportType | null;
+  reportURI?: string;
+}
+
+export function ScanReport({ report, reportURI }: ScanReportProps) {
+  if (!report && !reportURI) return null;
+
+  const totalVulns = report
+    ? report.agents.reduce((sum, a) => sum + a.result.vulnerabilities.length, 0)
+    : 0;
+
+  const hasInstallScripts = report?.agents.some(
+    (a) => a.result.supply_chain_indicators.has_install_scripts,
+  );
+
+  return (
+    <Box flexDirection="column" marginLeft={2}>
+      <Text bold color="white"> Scan Report</Text>
+      {reportURI && (
+        <Box>
+          <Text color="gray">  Link: </Text>
+          <Text color="blue" underline>{reportURI}</Text>
+        </Box>
+      )}
+      {report && (
+        <>
+          <Box>
+            <Text color="gray">  Vulnerabilities found: </Text>
+            <Text color={totalVulns > 0 ? 'yellow' : 'green'}>{totalVulns}</Text>
+          </Box>
+          <Box>
+            <Text color="gray">  Install scripts: </Text>
+            <Text color={hasInstallScripts ? 'red' : 'green'}>
+              {hasInstallScripts ? 'YES' : 'none'}
+            </Text>
+          </Box>
+          <Box>
+            <Text color="gray">  Versions analyzed: </Text>
+            <Text>{report.versions_analyzed.join(', ')}</Text>
+          </Box>
+        </>
+      )}
+    </Box>
+  );
+}

package/packages/cli/src/components/StatusLine.tsx

@@ -0,0 +1,30 @@
+import React from 'react';
+import { Box, Text } from 'ink';
+
+export type Status = 'pending' | 'running' | 'done' | 'error' | 'skip' | 'blocked';
+
+const STATUS_MAP: Record<Status, { icon: string; color: string }> = {
+  pending: { icon: '○', color: 'gray' },
+  running: { icon: '◌', color: 'yellow' },
+  done: { icon: '●', color: 'green' },
+  error: { icon: '✖', color: 'red' },
+  skip: { icon: '─', color: 'gray' },
+  blocked: { icon: '⊘', color: 'red' },
+};
+
+interface StatusLineProps {
+  label: string;
+  status: Status;
+  detail?: string;
+}
+
+export function StatusLine({ label, status, detail }: StatusLineProps) {
+  const { icon, color } = STATUS_MAP[status];
+  return (
+    <Box>
+      <Text color={color}>{icon} </Text>
+      <Text>{label}</Text>
+      {detail && <Text color="gray"> - {detail}</Text>}
+    </Box>
+  );
+}