npm - opmsec - Versions diffs - 0.1.3 → 0.1.5 - Mend

opmsec 0.1.3 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (166) hide show

package/packages/cli/src/commands/push.tsx CHANGED Viewed

@@ -9,6 +9,7 @@ import { Hyperlink } from '../components/Hyperlink';
 import { computeChecksum, signChecksumAsync } from '../services/signature';
 import { resolveENSName } from '../services/ens';
 import { registerPackageOnChain } from '../services/contract';
+import { writeENSRecords, buildOPMRecords, readOPMRecords, createPackageSubname, setENSContenthash, parseFileverseLink, readFileverseContentHash } from '../services/ens-records';
 import { enqueueScan } from '@opm/scanner';
 import * as fs from 'fs';
 import * as path from 'path';
@@ -23,6 +24,7 @@ interface Steps {
   scan: StepStatus;
   publish: StepStatus;
   register: StepStatus;
+  ensRecords: StepStatus;
 }
 interface PushResult {
@@ -39,6 +41,11 @@ interface PushResult {
   agents?: AgentEntry[];
   blocked?: boolean;
   blockReason?: string;
+  ensRecordsTx?: string;
+  ensRecordsChain?: string;
+  ensRecordsCount?: number;
+  ensSubname?: string;
+  ipfsContenthash?: string;
 }
 interface PushCommandProps {
@@ -50,10 +57,12 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
   const [steps, setSteps] = useState<Steps>({
     pack: 'pending', sign: 'pending', ens: 'pending',
     scan: 'pending', publish: 'pending', register: 'pending',
+    ensRecords: 'pending',
   });
   const [result, setResult] = useState<PushResult>({});
   const [error, setError] = useState<string | null>(null);
   const [scanLogs, setScanLogs] = useState<string[]>([]);
+  const [ensRecordLogs, setEnsRecordLogs] = useState<string[]>([]);
   const [pkgLabel, setPkgLabel] = useState('');
   const updateStep = (key: keyof Steps, status: StepStatus) =>
@@ -93,6 +102,9 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
     updateStep('scan', 'running');
     let scanPassed = false;
+    let finalReportURI: string | undefined;
+    let finalRiskScore: number | undefined;
+    let finalIpfsHash: string | undefined;
     try {
       const scanResult = await enqueueScan(name, version, (msg) =>
         setScanLogs((prev) => [...prev.slice(-8), msg]),
@@ -101,6 +113,9 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
       const riskScore = scanResult.report.aggregate_risk_score;
       const riskLevel = classifyRisk(riskScore);
+      finalReportURI = scanResult.reportURI;
+      finalRiskScore = riskScore;
+      finalIpfsHash = scanResult.ipfsHash;
       setResult((r) => ({
         ...r,
@@ -206,6 +221,74 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
     }
     updateStep('register', 'done');
+    // ── Write package metadata to ENS text records ──
+    if (ensName) {
+      updateStep('ensRecords', 'running');
+      const ensLog = (msg: string) => setEnsRecordLogs((prev) => [...prev, msg]);
+      try {
+        ensLog(`Reading existing records from ${ensName}...`);
+        const existingRecords = await readOPMRecords(ensName);
+        const records = buildOPMRecords({
+          packageName: name,
+          version,
+          checksum,
+          signature,
+          reportURI: finalReportURI,
+          riskScore: finalRiskScore,
+          existingPackages: existingRecords.packages,
+        });
+        const writeResult = await writeENSRecords(
+          ensName,
+          privateKey,
+          records,
+          ensLog,
+        );
+        if (writeResult) {
+          setResult((r) => ({
+            ...r,
+            ensRecordsTx: writeResult.txHash,
+            ensRecordsChain: writeResult.chain,
+            ensRecordsCount: writeResult.recordCount,
+          }));
+        } else {
+          ensLog(`Hint: signer needs ETH on Ethereum (Sepolia or Mainnet) for gas, and must be the manager of ${ensName}`);
+        }
+        let ipfsCid = finalIpfsHash;
+        if (!ipfsCid && finalReportURI) {
+          const fvLink = parseFileverseLink(finalReportURI);
+          if (fvLink) {
+            ensLog(`Reading IPFS hash from Fileverse contract ${fvLink.portalAddress.slice(0, 10)}... file #${fvLink.fileId}`);
+            ipfsCid = (await readFileverseContentHash(fvLink.portalAddress, fvLink.fileId, ensLog)) ?? undefined;
+          }
+        }
+        if (ipfsCid) {
+          const chResult = await setENSContenthash(ensName, privateKey, ipfsCid, ensLog);
+          if (chResult) {
+            setResult((r) => ({ ...r, ipfsContenthash: ipfsCid }));
+          }
+        }
+        const subResult = await createPackageSubname(
+          ensName,
+          name,
+          privateKey,
+          records,
+          ensLog,
+        );
+        if (subResult) {
+          setResult((r) => ({ ...r, ensSubname: subResult.subname }));
+        }
+      } catch (err: any) {
+        ensLog(`Error: ${err?.message || 'unknown'}`);
+      }
+      updateStep('ensRecords', 'done');
+    } else {
+      updateStep('ensRecords', 'skip');
+    }
     if (fs.existsSync(tarballFile)) fs.unlinkSync(tarballFile);
   }
@@ -325,6 +408,35 @@ export function PushCommand({ npmToken, otp }: PushCommandProps) {
               </Box>
             </Box>
           )}
+          <StatusLine label="Write ENS records" status={steps.ensRecords}
+            detail={steps.ensRecords === 'skip' ? 'no ENS name' : steps.ensRecords === 'done' && result.ensRecordsCount ? `${result.ensRecordsCount} records` : undefined} />
+          {steps.ensRecords === 'done' && result.ensRecordsTx && (
+            <Box flexDirection="column" marginLeft={4}>
+              <Box>
+                <Text color="gray">Chain: </Text>
+                <Text color="cyan">{result.ensRecordsChain}</Text>
+                <Text color="gray"> | </Text>
+                <Hyperlink url={`https://${result.ensRecordsChain === 'sepolia' ? 'sepolia.' : ''}etherscan.io/tx/${result.ensRecordsTx}`} label={`tx ${result.ensRecordsTx.slice(0, 10)}...`} color="green" />
+              </Box>
+              <Box>
+                <Text color="gray">Records: </Text>
+                <Text color="white">url, opm.version, opm.checksum, opm.fileverse, opm.risk_score{result.ipfsContenthash ? ', contenthash' : ''}</Text>
+              </Box>
+              {result.ensSubname && (
+                <Box>
+                  <Text color="gray">Subname: </Text>
+                  <Text color="cyan" bold>{result.ensSubname}</Text>
+                </Box>
+              )}
+            </Box>
+          )}
+          {ensRecordLogs.length > 0 && (
+            <Box flexDirection="column" marginLeft={4}>
+              {ensRecordLogs.map((log, i) => (
+                <Text key={i} color={log.startsWith('Hint:') || log.startsWith('Error:') ? 'yellow' : 'gray'}>{log}</Text>
+              ))}
+            </Box>
+          )}
         </>
       )}

package/packages/cli/src/commands/register-agent.tsx CHANGED Viewed

@@ -1,11 +1,12 @@
 import React, { useState, useEffect } from 'react';
 import { Box, Text } from 'ink';
+import { ethers } from 'ethers';
 import { txUrl, contractUrl, addressUrl } from '@opm/core';
 import { Header } from '../components/Header';
 import { StatusLine, type Status } from '../components/StatusLine';
 import { Hyperlink } from '../components/Hyperlink';
 import { registerAgentOnChain } from '../services/contract';
-import { runBenchmarkSuite, type BenchmarkRunResult } from '@opm/scanner';
+import { runBatchBenchmarkSuite, type BatchBenchmarkRunResult } from '@opm/scanner';
 type StepStatus = Status;
@@ -19,9 +20,12 @@ interface Steps {
 interface RegisterResult {
   agentName?: string;
   model?: string;
-  benchmarkResult?: BenchmarkRunResult;
-  txHash?: string;
   agentAddress?: string;
+  benchmarkResult?: BatchBenchmarkRunResult;
+  txHash?: string;
+  onChainProofHash?: string;
+  onChainPromptHash?: string;
+  alreadyRegistered?: boolean;
   rejected?: boolean;
   rejectReason?: string;
 }
@@ -69,10 +73,16 @@ export function RegisterAgentCommand({ agentName, model, systemPrompt }: Registe
       throw new Error('OPENROUTER_API_KEY or OPENAI_API_KEY required to run benchmarks');
     }
+    // Derive agent wallet address from private key
+    const agentWallet = new ethers.Wallet(process.env.AGENT_PRIVATE_KEY);
+    setResult((r) => ({ ...r, agentAddress: agentWallet.address }));
     updateStep('validate', 'done');
+    // Single-call batch benchmark: sends all 10 cases at once,
+    // gets back 10 flagged/safe answers, compares to ground truth.
     updateStep('benchmark', 'running');
-    const benchResult = await runBenchmarkSuite(
+    const benchResult = await runBatchBenchmarkSuite(
       { name: agentName, model, systemPrompt },
       (msg) => setLogs((prev) => [...prev.slice(-12), msg]),
     );
@@ -82,11 +92,15 @@ export function RegisterAgentCommand({ agentName, model, systemPrompt }: Registe
       updateStep('benchmark', 'error');
       updateStep('zkproof', 'error');
       updateStep('register', 'blocked');
+      const failedCases = benchResult.results
+        .filter((r) => !r.passed)
+        .map((r) => `${r.caseId} (${r.category}): answered ${r.actualFlagged ? 'FLAGGED' : 'SAFE'}, expected ${r.expectedFlagged ? 'FLAGGED' : 'SAFE'}`);
       setResult((r) => ({
         ...r,
         rejected: true,
         rejectReason: `Agent achieved ${benchResult.accuracyPct}% accuracy (100% required). ` +
-          `Failed ${benchResult.failed}/${benchResult.total} benchmark cases.`,
+          `Failed ${benchResult.failed}/${benchResult.total} cases.\n` +
+          failedCases.join('\n'),
       }));
       return;
     }
@@ -103,13 +117,19 @@ export function RegisterAgentCommand({ agentName, model, systemPrompt }: Registe
       }));
       return;
     }
+    // Compute the on-chain hashes (same as registerAgentOnChain does)
+    const proofStr = benchResult.zkProof.accuracyProof;
+    const promptStr = systemPrompt || 'default-opm-security-prompt';
+    const onChainProofHash = ethers.keccak256(ethers.toUtf8Bytes(proofStr));
+    const onChainPromptHash = ethers.keccak256(ethers.toUtf8Bytes(promptStr));
+    setResult((r) => ({ ...r, onChainProofHash, onChainPromptHash }));
     setLogs((prev) => [...prev, `ZK proof hash: ${benchResult.zkProof.accuracyProof.slice(0, 24)}…`]);
     updateStep('zkproof', 'done');
     updateStep('register', 'running');
     try {
-      const proofStr = benchResult.zkProof.accuracyProof;
-      const promptStr = systemPrompt || 'default-opm-security-prompt';
       const txHash = await registerAgentOnChain(agentName, model, promptStr, proofStr);
       setResult((r) => ({ ...r, txHash }));
       setLogs((prev) => [...prev, `Agent registered on-chain ✓`]);
@@ -117,25 +137,29 @@ export function RegisterAgentCommand({ agentName, model, systemPrompt }: Registe
       const msg = err?.shortMessage || err?.message || 'failed';
       setLogs((prev) => [...prev, `Registration: ${msg}`]);
       if (msg.includes('already')) {
-        setResult((r) => ({ ...r, rejected: true, rejectReason: 'Agent wallet is already registered' }));
-        updateStep('register', 'error');
+        setResult((r) => ({ ...r, alreadyRegistered: true }));
+        updateStep('register', 'done');
         return;
       }
     }
     updateStep('register', 'done');
   }
-  const riskColor = (pct: number) => (pct >= 100 ? 'green' : pct >= 70 ? 'yellow' : 'red');
   return (
     <Box flexDirection="column">
       <Header subtitle="register-agent" />
       <Text color="white" bold> Registering agent: {agentName}</Text>
       <Text color="gray"> Model: {model}</Text>
+      {result.agentAddress && (
+        <Box>
+          <Text color="gray"> Wallet: </Text>
+          <Hyperlink url={addressUrl(result.agentAddress)} label={result.agentAddress} color="cyan" />
+        </Box>
+      )}
       <Text> </Text>
       <StatusLine label="Validate configuration" status={steps.validate} />
-      <StatusLine label="Run benchmark suite (10 cases)" status={steps.benchmark} />
+      <StatusLine label="Batch benchmark (10 cases, single call)" status={steps.benchmark} />
       {logs.length > 0 && (
         <Box flexDirection="column" marginLeft={4}>
@@ -148,21 +172,23 @@ export function RegisterAgentCommand({ agentName, model, systemPrompt }: Registe
       {result.benchmarkResult && (
         <Box flexDirection="column" marginTop={1}>
           <Text color="gray">────────────────────────────────────────</Text>
-          <Text color="white" bold> Benchmark Results</Text>
+          <Text color="white" bold> Benchmark Results (flagged/safe)</Text>
           <Box flexDirection="column" marginLeft={2} marginTop={1}>
-            {result.benchmarkResult.results.map((r) => (
+            {result.benchmarkResult.results.map((r, i) => (
               <Box key={r.caseId}>
-                <Text color={r.verdict === 'PASS' ? 'green' : 'red'}>
-                  {r.verdict === 'PASS' ? '✓' : '✗'}{' '}
+                <Text color={r.passed ? 'green' : 'red'}>
+                  {r.passed ? '✓' : '✗'}{' '}
                 </Text>
-                <Text color="white">{r.category}</Text>
-                <Text color="gray"> — expected {r.expectedLevel}, got {r.actualLevel}</Text>
-                <Text color="gray"> (score: {r.actualScore})</Text>
+                <Text color="white">Case {i + 1} ({r.category})</Text>
+                <Text color="gray"> — {r.actualFlagged ? 'FLAGGED' : 'SAFE'}</Text>
+                {!r.passed && (
+                  <Text color="red"> (expected {r.expectedFlagged ? 'FLAGGED' : 'SAFE'})</Text>
+                )}
               </Box>
             ))}
           </Box>
           <Box marginLeft={2} marginTop={1}>
-            <Text color={riskColor(result.benchmarkResult.accuracyPct)} bold>
+            <Text color={result.benchmarkResult.accuracyPct >= 100 ? 'green' : 'red'} bold>
               Accuracy: {result.benchmarkResult.passed}/{result.benchmarkResult.total}{' '}
               ({result.benchmarkResult.accuracyPct}%)
             </Text>
@@ -174,8 +200,14 @@ export function RegisterAgentCommand({ agentName, model, systemPrompt }: Registe
       <StatusLine label="ZK proof verification" status={steps.zkproof} />
       {result.benchmarkResult?.zkProof && steps.zkproof === 'done' && (
         <Box flexDirection="column" marginLeft={4}>
-          <Text color="gray">Commitment: {result.benchmarkResult.zkProof.commitment.expectedHash.slice(0, 24)}…</Text>
-          <Text color="gray">Proof:      {result.benchmarkResult.zkProof.accuracyProof.slice(0, 24)}…</Text>
+          <Text color="gray">Commitment:       {result.benchmarkResult.zkProof.commitment.expectedHash.slice(0, 24)}…</Text>
+          <Text color="gray">Proof:            {result.benchmarkResult.zkProof.accuracyProof.slice(0, 24)}…</Text>
+          {result.onChainProofHash && (
+            <Text color="gray">On-chain proof:   {result.onChainProofHash.slice(0, 24)}…</Text>
+          )}
+          {result.onChainPromptHash && (
+            <Text color="gray">Prompt hash:      {result.onChainPromptHash.slice(0, 24)}…</Text>
+          )}
           <Text color="green">✓ Zero-knowledge proof verified — accuracy proven without revealing test data</Text>
         </Box>
       )}
@@ -187,6 +219,9 @@ export function RegisterAgentCommand({ agentName, model, systemPrompt }: Registe
             <Text color="gray">⛓  </Text>
             <Hyperlink url={txUrl(result.txHash)} label={`tx ${result.txHash.slice(0, 10)}…`} color="green" />
           </Box>
+          {result.onChainProofHash && (
+            <Text color="gray">    ZK proof stored: {result.onChainProofHash.slice(0, 18)}…</Text>
+          )}
           <Box>
             <Text color="gray">📋 </Text>
             <Hyperlink url={contractUrl()} label="OPM Registry Contract" color="cyan" />
@@ -194,6 +229,20 @@ export function RegisterAgentCommand({ agentName, model, systemPrompt }: Registe
         </Box>
       )}
+      {result.alreadyRegistered && !result.rejected && (
+        <Box flexDirection="column" marginLeft={4}>
+          <Text color="yellow">⚠ Agent wallet is already registered on-chain</Text>
+          {result.agentAddress && (
+            <Box>
+              <Text color="gray">  Agent: </Text>
+              <Hyperlink url={addressUrl(result.agentAddress)} label={result.agentAddress.slice(0, 10) + '…'} color="cyan" />
+            </Box>
+          )}
+          <Text color="gray">  Benchmark passed ✓ — ZK proof valid ✓</Text>
+          <Text color="gray">  Use a different AGENT_PRIVATE_KEY to register a new agent.</Text>
+        </Box>
+      )}
       {result.rejected && (
         <Box flexDirection="column" marginTop={1}>
           <Text color="gray">────────────────────────────────────────</Text>
@@ -201,18 +250,10 @@ export function RegisterAgentCommand({ agentName, model, systemPrompt }: Registe
           <Box marginLeft={2}>
             <Text color="red" wrap="wrap">{result.rejectReason}</Text>
           </Box>
-          {result.benchmarkResult && result.benchmarkResult.failureReasons.length > 0 && (
-            <Box flexDirection="column" marginLeft={2} marginTop={1}>
-              <Text color="yellow" bold>Failure details:</Text>
-              {result.benchmarkResult.failureReasons.map((reason, i) => (
-                <Text key={i} color="yellow" wrap="wrap">  • {reason}</Text>
-              ))}
-            </Box>
-          )}
         </Box>
       )}
-      {!result.rejected && steps.register === 'done' && (
+      {!result.rejected && !result.alreadyRegistered && steps.register === 'done' && (
         <Box flexDirection="column" marginTop={1}>
           <Text color="gray">────────────────────────────────────────</Text>
           <Text color="green" bold>✓ Agent "{agentName}" registered successfully</Text>

package/packages/cli/src/index.tsx CHANGED Viewed

@@ -105,13 +105,14 @@ function Help() {
       <Header />
       <Box flexDirection="column" marginLeft={2}>
         <Text color="cyan" bold>Security commands:</Text>
-        <Text>  opm push [--token t] [--otp c]  Sign, scan, publish, register</Text>
-        <Text>  opm install [pkg]       Install with on-chain security verification</Text>
+        <Text>  opm push [--token t] [--otp c]  Sign, scan, publish, register + ENS records</Text>
+        <Text>  opm install [pkg[@ver]] Install with on-chain security verification</Text>
+        <Text>  opm install pkg@ens.eth Install safest version by ENS author</Text>
         <Text>  opm check               Scan all deps: typosquats, CVEs, AI analysis</Text>
         <Text>  opm fix                 Auto-fix typosquats and vulnerable versions</Text>
         <Text>  opm audit               Scan all deps against on-chain security data</Text>
-        <Text>  opm info {'<pkg>'}            Show on-chain security info for a package</Text>
-        <Text>  opm view {'<name.eth>'}      Show author profile, packages, and risk scores</Text>
+        <Text>  opm info {'<pkg>'}            Show on-chain + ENS record data for a package</Text>
+        <Text>  opm view {'<name.eth>'}      Author profile, OPM records, packages</Text>
         <Text>  opm whois {'<name>'}          Look up an ENS identity on OPM</Text>
         <Text> </Text>
         <Text color="cyan" bold>Agent commands:</Text>
@@ -134,7 +135,8 @@ function Help() {
         <Text>  opm pack                 Create a tarball</Text>
         <Text> </Text>
         <Text color="gray">Aliases:  i/add → install, rm → uninstall, ls → list</Text>
-        <Text color="gray">          view name.eth → author profile, view pkg → info</Text>
+        <Text color="gray">          view name.eth → author profile + OPM ENS records</Text>
+        <Text color="gray">          pkg@name.eth → ENS-resolved safest version by author</Text>
         <Text> </Text>
         <Text color="cyan" bold>Environment (install/audit/info/view need no config):</Text>
         <Text>  OPM_SIGNING_KEY        Author signing key (for push only)</Text>