vibehacker 4.1.0

package/LICENSE

@@ -0,0 +1,30 @@
+MIT License
+
+Copyright (c) 2026 Vibe Security
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+ADDITIONAL NOTICE — DUAL-USE SECURITY TOOL:
+This software is a security research and penetration testing tool. It is
+intended solely for authorized security testing on systems owned by the user
+or for which the user has obtained explicit written permission to test. The
+authors disclaim all liability for any unauthorized, illegal, or unethical
+use. Users are solely responsible for ensuring compliance with all applicable
+laws and for obtaining proper authorization before conducting any security
+testing.

package/README.md

@@ -0,0 +1,77 @@
+# Vibe Hacker
+
+> Terminal AI assistant for cybersecurity professionals. Free models, autonomous agent, multi-provider rotation. No credit card required.
+
+[![npm version](https://img.shields.io/npm/v/vibehacker.svg)](https://www.npmjs.com/package/vibehacker)
+[![license](https://img.shields.io/npm/l/vibehacker.svg)](https://github.com/agentichacker/vibehacker/blob/main/LICENSE)
+[![node](https://img.shields.io/node/v/vibehacker.svg)](https://nodejs.org)
+
+## Install
+
+```bash
+npm install -g vibehacker
+vibehacker
+```
+
+Or zero-install:
+```bash
+npx vibehacker
+```
+
+## Get Started
+
+1. Get a free API key at [vibsecurity.com](https://vibsecurity.com)
+2. Paste your key when prompted
+3. Start hacking
+
+## Features
+
+- **Chat Mode** — Security Q&A, threat intel, vulnerability research
+- **Hunt Mode** — Autonomous agent with file system + shell access for pentesting, code review, exploit development
+- **Multi-Provider** — Add keys for Groq, Gemini, Cerebras, Mistral, OpenAI, Anthropic, DeepSeek, xAI
+- **Silent Auto-Rotation** — Rate limit on one model? Automatically switches to another. Zero downtime
+- **Cross-Platform** — Windows, macOS, Linux, WSL
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `/mode` | Switch between Chat and Hunt |
+| `/addkey` | Add a provider API key |
+| `/providers` | List configured providers |
+| `/clear` | Clear chat and context |
+| `/update` | Self-update to latest version |
+| `/pro` | Upgrade to Pro (unlimited requests) |
+| `/account` | View usage and tier info |
+
+## Keyboard Shortcuts
+
+| Key | Action |
+|-----|--------|
+| `Tab` | Cycle mode |
+| `Ctrl+R` | Retry last message |
+| `Ctrl+C` | Cancel / exit |
+| `/` | Open command menu |
+
+## Pricing
+
+| | Free | Pro |
+|---|---|---|
+| Requests/day | 50 | Unlimited |
+| Models | Free tier | All + frontier |
+| Support | Community | Email |
+| Price | $0 | $19/mo |
+
+## Security
+
+This is a dual-use security tool. Only use on systems you own or have written authorization to test. By using this tool you acknowledge that you are solely responsible for your actions.
+
+## Links
+
+- Website: [vibsecurity.com](https://vibsecurity.com)
+- Issues: [github.com/agentichacker/vibehacker/issues](https://github.com/agentichacker/vibehacker/issues)
+- Pricing: [vibsecurity.com/pricing](https://vibsecurity.com/pricing)
+
+## License
+
+MIT — see [LICENSE](LICENSE)

package/index.js

@@ -0,0 +1,37 @@
+#!/usr/bin/env node
+'use strict';
+
+// WSL / terminal compatibility
+if (!process.env.TERM || process.env.TERM === 'dumb') {
+  process.env.TERM = 'xterm-256color';
+}
+
+let _app = null;
+
+process.on('SIGINT',  () => { if (_app) _app._exit(); else { process.stdout.write('\r\n'); process.exit(0); } });
+process.on('SIGTERM', () => { if (_app) _app._exit(); else process.exit(0); });
+
+process.on('uncaughtException', (err) => {
+  process.stdout.write('\x1b[?25h\x1b[0m\r\n');
+  process.stderr.write(`\n\x1b[31m[Vibe Hacker Fatal]\x1b[0m ${err.message}\n${err.stack}\n`);
+  process.exit(1);
+});
+
+process.on('unhandledRejection', (reason) => {
+  process.stderr.write(`\nUnhandled rejection: ${reason}\n`);
+});
+
+const { HackerCLIApp } = require('./src/app');
+
+async function main() {
+  _app = new HackerCLIApp();
+  try {
+    await _app.start();
+  } catch (err) {
+    process.stdout.write('\x1b[?25h\x1b[0m\r\n');
+    process.stderr.write(`\x1b[31m[Vibe Hacker]\x1b[0m Failed to start: ${err.message}\n`);
+    process.exit(1);
+  }
+}
+
+main();

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "vibehacker",
+  "version": "4.1.0",
+  "description": "Vibe Hacker — Terminal AI cybersecurity assistant. Free models, autonomous agent, multi-provider rotation.",
+  "main": "index.js",
+  "bin": {
+    "vibehacker": "./index.js"
+  },
+  "scripts": {
+    "start": "node index.js"
+  },
+  "keywords": [
+    "ai",
+    "cybersecurity",
+    "hacking",
+    "terminal",
+    "cli",
+    "pentest",
+    "security",
+    "agent",
+    "autonomous",
+    "free",
+    "vibe",
+    "hacker",
+    "groq",
+    "gemini"
+  ],
+  "author": "Vibe Security <hello@vibsecurity.com>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/agentichacker/vibehacker.git"
+  },
+  "bugs": {
+    "url": "https://github.com/agentichacker/vibehacker/issues"
+  },
+  "homepage": "https://vibsecurity.com",
+  "files": [
+    "index.js",
+    "src/**",
+    "README.md",
+    "LICENSE"
+  ],
+  "dependencies": {
+    "axios": "^1.6.7",
+    "blessed": "^0.1.81"
+  },
+  "engines": {
+    "node": ">=16.0.0"
+  }
+}

package/src/agent.js

@@ -0,0 +1,311 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { streamChat } = require('./api');
+const { parseToolCalls, executeTool, TOOL_DOCS } = require('./tools');
+const config = require('./config');
+
+// ── Modes ────────────────────────────────────────────────────────────────────
+
+const MODES = [
+  { id: 'chat', name: 'Chat', description: 'Security Q&A and threat intel' },
+  { id: 'hunt', name: 'Hunt', description: 'Autonomous coding, security ops & tool use' },
+];
+
+// ── Project Memory ───────────────────────────────────────────────────────────
+// Cached — only reads filesystem once per cwd, refreshes when cwd changes.
+
+let _memCache = { cwd: null, content: null };
+
+function loadProjectMemory(cwd) {
+  if (_memCache.cwd === cwd) return _memCache.content;
+
+  const candidates = [
+    path.join(cwd, 'VIBEHACKER.md'),
+    path.join(cwd, '.vibehacker', 'context.md'),
+    path.join(cwd, '.vibehacker', 'instructions.md'),
+  ];
+  let result = null;
+  for (const f of candidates) {
+    try {
+      const c = fs.readFileSync(f, 'utf8');
+      if (c.trim()) { result = { file: path.relative(cwd, f), content: c.trim() }; break; }
+    } catch (_) {}
+  }
+  _memCache = { cwd, content: result };
+  return result;
+}
+
+// ── System Prompt — Cached, Only Rebuilt When cwd/mode Changes ───────────────
+
+let _promptCache = { mode: null, cwd: null, prompt: null };
+
+function buildSystemPrompt(mode, cwd) {
+  if (_promptCache.mode === mode && _promptCache.cwd === cwd && _promptCache.prompt) {
+    return _promptCache.prompt;
+  }
+
+  const os    = process.platform === 'win32' ? 'Windows' : process.platform === 'darwin' ? 'macOS' : 'Linux';
+  const shell = process.platform === 'win32' ? 'powershell' : 'bash';
+  const date  = new Date().toISOString().split('T')[0];
+
+  const projectMem = loadProjectMemory(cwd);
+  const projectSection = projectMem
+    ? `\n\n# Project Instructions (${projectMem.file})\n${projectMem.content}\n`
+    : '';
+
+  let prompt;
+
+  if (mode === 'hunt') {
+    prompt = `You are Vibe Hacker v${config.version} — an expert autonomous AI agent.
+
+# Environment
+- CWD: ${cwd}
+- OS: ${os} | Shell: ${shell} | Date: ${date}
+${projectSection}
+# HUNT MODE — Autonomous Agent with Tool Access
+
+You have filesystem + shell access via XML tool blocks. DO the work — don't describe it.
+
+${TOOL_DOCS}
+
+# Rules (MANDATORY)
+
+1. USE TOOLS. Don't explain what you'd do — DO IT with tool calls.
+   ✗ "You could run npm install" → ✓ <execute_command><command>npm install</command></execute_command>
+
+2. READ BEFORE EDIT. Always read_file before edit_file. The tool rejects edits on unread files.
+
+3. EDIT > WRITE. Modify existing files with edit_file (surgical replacement). Only write_file for NEW files.
+
+4. EXACT MATCHING. edit_file old_string must match the file exactly — whitespace, indentation, everything.
+   If it fails: read the file again, the content changed. Add more surrounding context if not unique.
+
+5. MULTIPLE TOOLS OK. Use several tools in one response when they're independent.
+
+6. GREP > MANUAL SEARCH. Use grep/glob to find code. Don't read every file looking for something.
+
+7. NON-INTERACTIVE COMMANDS ONLY. No vim, nano, interactive prompts. Use -y/--yes flags. 2 min timeout.
+
+8. COMPLETE CODE. Never write "// ...", "// TODO", "// rest of code". Write the full implementation.
+
+9. VERIFY. After changes: read back files, run tests, fix issues. Don't declare done without checking.
+
+# Error Recovery
+
+- edit_file "not found" → Read file again. Check whitespace. Content may have changed.
+- edit_file "multiple matches" → Add more surrounding lines to old_string.
+- Command failed → Read error. Check dependencies. Try different approach.
+- File not found → Use glob/list_files to find correct path.
+
+# Workflow: EXPLORE → PLAN (1-2 sentences) → EXECUTE → VERIFY
+
+# Style: Direct. No filler. Brief explanations between tools. Summary when done.`;
+
+  } else {
+    prompt = `You are Vibe Hacker v${config.version} — expert AI for cybersecurity and engineering.
+
+# Environment
+- OS: ${os} | Date: ${date}
+${projectSection}
+# CHAT MODE — Expert Answers
+
+Direct, accurate, actionable. No filler. Markdown with language-tagged code blocks.
+For security: include attack vectors + mitigations. For code: working examples, not pseudocode.`;
+  }
+
+  _promptCache = { mode, cwd, prompt };
+  return prompt;
+}
+
+// ── Thinking Extraction ──────────────────────────────────────────────────────
+
+function extractThinking(text) {
+  let visible = text;
+  let thinking = '';
+  // Remove <think>...</think> and <thinking>...</thinking> blocks
+  visible = visible.replace(/<think(?:ing)?>([\s\S]*?)<\/think(?:ing)?>/g, (_, t) => {
+    thinking += t.trim() + '\n';
+    return '';
+  });
+  return { visible: visible.replace(/\n{3,}/g, '\n\n').trim(), thinking: thinking.trim() };
+}
+
+// ── Token Estimation (fast, cached per string length) ────────────────────────
+
+function estimateTokens(text) {
+  if (!text) return 0;
+  // Empirical: ~3.5 chars per token for mixed code/text
+  return Math.ceil(text.length / 3.5);
+}
+
+// ── Context Trimming — Proactive, Prioritized ────────────────────────────────
+
+function trimHistory(messages, maxContextTokens) {
+  // Fast total estimate
+  let total = 0;
+  for (let i = 0; i < messages.length; i++) total += estimateTokens(messages[i].content);
+
+  const budget = Math.floor(maxContextTokens * 0.55); // 45% headroom for response + tool results
+  if (total <= budget) return messages;
+
+  // Phase 1: Strip thinking blocks from old assistant messages
+  let trimmed = messages.map((m, i) => {
+    if (i === 0 || i >= messages.length - 6) return m; // keep system + recent
+    if (m.role === 'assistant' && (m.content.includes('<think>') || m.content.includes('<thinking>'))) {
+      const { visible } = extractThinking(m.content);
+      return { ...m, content: visible };
+    }
+    return m;
+  });
+
+  total = 0;
+  for (const m of trimmed) total += estimateTokens(m.content);
+  if (total <= budget) return trimmed;
+
+  // Phase 2: Compress old tool results to headers only
+  trimmed = trimmed.map((m, i) => {
+    if (i === 0 || i >= trimmed.length - 6) return m;
+    if (m.role === 'user' && m.content.startsWith('[Tool Result:') && m.content.length > 800) {
+      return { ...m, content: m.content.split('\n')[0] + '\n[output trimmed]' };
+    }
+    if (m.role === 'assistant' && m.content.length > 1500 && i < trimmed.length - 8) {
+      return { ...m, content: m.content.substring(0, 400) + '\n[...]\n' + m.content.slice(-300) };
+    }
+    return m;
+  });
+
+  total = 0;
+  for (const m of trimmed) total += estimateTokens(m.content);
+  if (total <= budget) return trimmed;
+
+  // Phase 3: Drop middle messages
+  const keep = Math.min(8, trimmed.length - 2);
+  if (trimmed.length <= keep + 2) return trimmed;
+  const dropped = trimmed.length - keep - 1;
+  return [
+    trimmed[0],
+    { role: 'user', content: `[${dropped} earlier messages trimmed for context]` },
+    ...trimmed.slice(-keep),
+  ];
+}
+
+// ── Agent ────────────────────────────────────────────────────────────────────
+
+class Agent {
+  constructor() {
+    this.history = [];
+    this.mode    = 'chat';
+    this.cwd     = process.cwd();
+  }
+
+  setMode(mode) { this.mode = mode; this.history = []; _promptCache.mode = null; }
+  setCwd(dir)   { this.cwd = dir; _promptCache.cwd = null; _memCache.cwd = null; }
+  clearHistory(){ this.history = []; }
+
+  async run({ userMessage, model, signal, onToken, onDone, onError, onToolCall, onToolResult, beforeToolCall }) {
+    this.history.push({ role: 'user', content: userMessage });
+
+    const maxCtx  = (model && model.contextWindow) || 32768;
+    const maxIter = config.maxToolIterations || 25;
+    let iterations = 0;
+
+    // ── Iterative agent loop ──────────────────────────────────────────
+    while (true) {
+      if (signal && signal.aborted) {
+        onError(Object.assign(new Error('aborted'), { type: 'ABORTED' }));
+        return;
+      }
+
+      iterations++;
+      if (iterations > maxIter) {
+        onDone('[Tool iteration limit reached. Use /retry to continue.]');
+        return;
+      }
+
+      // Build messages with proactive trimming (BEFORE sending)
+      const sysPrompt = buildSystemPrompt(this.mode, this.cwd);
+      let messages = [{ role: 'system', content: sysPrompt }, ...this.history];
+      messages = trimHistory(messages, maxCtx);
+
+      // ── Stream response ─────────────────────────────────────────────
+      let fullResponse = '';
+      let streamError  = null;
+
+      await new Promise((resolve) => {
+        let resolved = false;
+        const done = () => { if (!resolved) { resolved = true; resolve(); } };
+        streamChat({
+          messages, model: model.id, signal,
+          maxTokens: model.maxTokens || config.maxTokens || 8192,
+          onToken: (token, full) => { fullResponse = full; if (onToken) onToken(token, full); },
+          onDone:  (content) => { fullResponse = content || fullResponse; done(); },
+          onError: (errObj) => { streamError = errObj; done(); },
+        });
+      });
+
+      // Rate limit backoff inside tool loop — rotate-first strategy
+      if (streamError && streamError.type === 'RATE_LIMIT' && iterations > 1) {
+        // Don't retry same model. Surface error to app.js for provider rotation.
+        onError(Object.assign(new Error(streamError.msg || 'Rate limited'), streamError));
+        return;
+      }
+      if (streamError) {
+        onError(Object.assign(new Error(streamError.msg || 'error'), streamError));
+        return;
+      }
+      if (signal && signal.aborted) return;
+
+      // Store full response in history (including thinking for continuity)
+      this.history.push({ role: 'assistant', content: fullResponse });
+
+      // Chat mode — done after single response
+      if (this.mode !== 'hunt') {
+        const { visible } = extractThinking(fullResponse);
+        onDone(visible || fullResponse);
+        return;
+      }
+
+      // Hunt mode — parse tool calls
+      const toolCalls = parseToolCalls(fullResponse);
+      if (toolCalls.length === 0) {
+        const { visible } = extractThinking(fullResponse);
+        onDone(visible || fullResponse);
+        return;
+      }
+
+      // Execute all tools
+      for (const tc of toolCalls) {
+        if (signal && signal.aborted) return;
+
+        if (onToolCall) onToolCall(tc);
+
+        if (beforeToolCall) {
+          const decision = await beforeToolCall(tc);
+          if (decision === 'no') {
+            this.history.push({ role: 'user', content: `[Tool Denied: ${tc.name}] User rejected. Try a different approach.` });
+            continue;
+          }
+        }
+
+        let result;
+        const toolStart = Date.now();
+        try {
+          result = await executeTool(tc, this.cwd);
+        } catch (err) {
+          result = `[Error: ${tc.name}] ${err.message}`;
+        }
+
+        if (onToolResult) onToolResult(tc, result);
+        this.history.push({ role: 'user', content: `[Tool Result: ${tc.name}]\n${result}` });
+      }
+
+      // Adaptive throttle based on tool types — minimal delay
+      const hasWrite = toolCalls.some(tc => ['write_file', 'edit_file', 'execute_command', 'delete_file'].includes(tc.name));
+      await new Promise(r => setTimeout(r, hasWrite ? 300 : 100));
+    }
+  }
+}
+
+module.exports = { Agent, MODES };