
OSE Auditor: a financial-logic security scanner for Node.js/TypeScript projects.

Project description

OSE Auditor

OSE Auditor is an autonomous financial and logic exploit detection engine for Node.js and TypeScript backends. It uses deterministic code analysis combined with AI-powered remediation to surface money-losing vulnerabilities before they reach production.

It catches what generic AI models and traditional SAST tools miss: broken authorization gates on financial mutations, double-spend race conditions, unchecked external payment calls, privilege escalation via user-controlled roles, invalid order lifecycle transitions, and more.


Why OSE Auditor?

Most SAST tools find injection and XSS. OSE Auditor finds the bugs that drain your users' money:

  • A payment route that processes charges without verifying the caller is authenticated
  • A withdrawal endpoint where two concurrent requests can both read the same pre-deducted balance
  • A Stripe call whose result is never checked before balance is decremented
  • An order marked completed before payment has confirmed
  • A role check that reads req.body.role — set by the attacker

These bugs are invisible to linters, slip past code review, and are rarely caught by unit tests, because spotting them requires reasoning about ordering, ownership, and financial semantics across a whole function's control flow rather than about any single statement.
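The bug classes above, as an added example written for this page (not code from the OSE Auditor project): a withdrawal handler that ships two of them, a role read from req.body and a read-modify-write balance update that concurrent requests can interleave, beside a hardened version. The in-memory store, the tick() scheduler and the fake request objects are constructed so the race reproduces offline; in a real service the atomic debit is a conditional UPDATE ... WHERE balance >= amount (or the equivalent in your datastore).

```javascript
// Added example for this page, not OSE Auditor project code. Everything here
// (in-memory store, tick() scheduler, fake request objects) is constructed so the
// race reproduces offline.

// Each store operation yields to the event loop once, standing in for a DB round-trip.
const tick = () => new Promise((resolve) => setImmediate(resolve));

function makeStore(initialBalance) {
  const accounts = new Map([["alice", { balance: initialBalance }]]);
  return {
    async get(id) { await tick(); return { ...accounts.get(id) }; },
    async set(id, row) { await tick(); accounts.set(id, { ...row }); },
    // Atomic conditional debit: the balance check and the write happen with no
    // await between them, the in-memory analogue of
    // UPDATE accounts SET balance = balance - $1 WHERE id = $2 AND balance >= $1.
    async debitIfSufficient(id, amount) {
      await tick();
      const row = accounts.get(id);
      if (row.balance < amount) return false;
      row.balance -= amount;
      return true;
    },
    balance(id) { return accounts.get(id).balance; },
  };
}

// VULNERABLE: no authentication at all, the role comes from the request body the
// attacker wrote, and the balance is read, decremented in memory, then written back.
async function withdrawVulnerable(store, req) {
  if (req.body.role !== "customer" && req.body.role !== "admin") return { status: 403 };
  const acct = await store.get(req.body.accountId);            // read
  if (acct.balance < req.body.amount) return { status: 402 };   // check on a stale value
  acct.balance -= req.body.amount;                              // modify
  await store.set(req.body.accountId, acct);                    // write (clobbers concurrent writers)
  return { status: 200 };
}

// HARDENED: identity comes from req.user (populated by upstream auth middleware in a
// real app), ownership is checked against it, the amount is validated, and the debit
// is one atomic conditional update.
async function withdrawHardened(store, req) {
  if (!req.user) return { status: 401 };
  if (req.user.accountId !== req.body.accountId) return { status: 403 };
  const amount = Number(req.body.amount);
  if (!Number.isInteger(amount) || amount <= 0) return { status: 400 };
  const ok = await store.debitIfSufficient(req.user.accountId, amount);
  return ok ? { status: 200 } : { status: 402 };
}

// Fire n identical withdrawals concurrently against a fresh store.
async function race(handler, n, buildReq, initialBalance = 100) {
  const store = makeStore(initialBalance);
  const results = await Promise.all(Array.from({ length: n }, () => handler(store, buildReq())));
  return {
    successes: results.filter((r) => r.status === 200).length,
    balance: store.balance("alice"),
  };
}

async function demo() {
  // Attacker request: no session, role chosen by the client.
  const attackerReq = () => ({ body: { role: "admin", accountId: "alice", amount: 100 } });
  // Legitimate authenticated request for the hardened handler.
  const sessionReq = () => ({ user: { accountId: "alice" }, body: { accountId: "alice", amount: 100 } });
  return {
    vuln: await race(withdrawVulnerable, 5, attackerReq),          // 5 successes from a 100 balance
    hard: await race(withdrawHardened, 5, sessionReq),             // exactly 1 success
    unauth: await withdrawHardened(makeStore(100), attackerReq()), // 401
  };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

Run it with node: the vulnerable handler reports five successful 100-unit withdrawals from a 100-unit balance, the hardened one exactly one, and the hardened handler returns 401 to the session-less attacker request before touching the store.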


Quick Start

# Install (pipx recommended — isolated, no PEP 668 conflicts)
pipx install ose-auditor

# Create a free account
ose signup

# Audit your project
ose audit ./your-nodejs-project

# Buy more credits when you need them
ose buy

Or with npm/npx — zero Python setup required:

npm install -g ose-auditor
ose audit ./your-nodejs-project

# or without installing
npx ose-auditor audit ./your-nodejs-project

How It Works

OSE Auditor runs a three-stage pipeline. Stages 1 and 2 run entirely on your machine; only stage 3 sends anything over the network:

  1. Parser — walks your project, strips comments, computes hashes, assembles a normalized source index (Contract A). Open-source, stdlib-only, no network I/O.

  2. Financial Semantic Analyzer (FSA) — parses every JavaScript/TypeScript file into an AST using tree-sitter, builds a per-function state transition graph (validation nodes, external-call nodes, state-mutation nodes, in source order), then applies deterministic vulnerability signatures. No AI, no false-positive lottery: the rules are hardcoded, so results are reproducible from run to run. Note that the FSA core is compiled and proprietary, so the rules can be exercised but not read by users; the client layer that calls it is MIT-licensed.

  3. Patch Generation (OSE Server) — if the FSA finds vulnerabilities, the manifest is sent to the OSE Server, which calls a configurable LLM (Claude, GPT-4, or Groq) with track-specific few-shot prompts to generate production-ready code patches. This step consumes one credit. Scans that produce no findings are always free.
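As an added illustration of stage 2 (example code written for this page, not the proprietary FSA core), the following JavaScript classifies each line of a handler into validation, external-call or state-mutation nodes, keeps them in source order, and applies three ordering signatures modelled on the bug classes listed earlier. The client list, the regexes, the rule names and the two sample handlers are all constructed for the demo; a line-based classifier is far coarser than a tree-sitter AST, but the ordering logic is the same idea.

```javascript
// Added illustration for this page, not the OSE Auditor FSA core: a line-based
// stand-in for the per-function node sequence plus three ordering signatures.
// Everything below (client list, regexes, rule names, sample handlers) is constructed.

// Calls on these identifiers are treated as external-call nodes (payment / network).
const EXTERNAL_CLIENTS = ["stripe", "paypal", "paymentClient", "fetch", "axios"];
const EXTERNAL_RE = new RegExp(
  `(?:(?:const|let|var)\\s+(\\w+)\\s*=\\s*)?await\\s+(${EXTERNAL_CLIENTS.join("|")})\\b`
);
// Writes to persisted financial state are state-mutation nodes.
const MUTATION_RE =
  /\b(?:db|accounts|orders|wallet)\.(?:update|updateOne|insert|save|set|decrement|increment)\s*\(|\.balance\s*[-+]?=|\.status\s*=(?!=)/;
// A conditional that inspects the caller's identity counts as an auth check.
const AUTH_RE = /\breq\.(?:user|session)\b/;
// Authorization decisions sourced from attacker-controlled request fields.
const BODY_ROLE_RE = /\breq\.(?:body|query|params)\.(?:role|isAdmin|admin)\b/;

// Stage 1: one node per recognised line, kept in source order.
function buildNodes(src) {
  const nodes = [];
  src.split("\n").forEach((text, idx) => {
    const line = idx + 1;
    const t = text.trim();
    const cond = t.match(/^if\s*\((.*)\)/);
    if (cond) return nodes.push({ kind: "validation", line, refs: cond[1] });
    const ext = t.match(EXTERNAL_RE);
    if (ext) return nodes.push({ kind: "external", line, client: ext[2], result: ext[1] || null });
    if (MUTATION_RE.test(t)) nodes.push({ kind: "mutation", line });
  });
  return nodes;
}

// Stage 2: deterministic signatures over the ordered node list.
function applySignatures(nodes) {
  const findings = [];
  const firstAuth = nodes.findIndex((n) => n.kind === "validation" && AUTH_RE.test(n.refs));
  nodes.forEach((n, i) => {
    // Financial state changes before any caller-identity check (or with none at all).
    if (n.kind === "mutation" && (firstAuth === -1 || i < firstAuth)) {
      findings.push({ rule: "UNAUTHENTICATED_MUTATION", line: n.line });
    }
    // Role read from the request body/query/params: the attacker picks their role.
    if (n.kind === "validation" && BODY_ROLE_RE.test(n.refs)) {
      findings.push({ rule: "USER_CONTROLLED_ROLE", line: n.line });
    }
    // External payment call whose result is not validated before the next mutation.
    if (n.kind === "external") {
      const after = nodes.slice(i + 1);
      const nextMutation = after.findIndex((x) => x.kind === "mutation");
      if (nextMutation === -1) return;
      const resultChecked =
        n.result !== null &&
        after.slice(0, nextMutation).some(
          (x) => x.kind === "validation" && new RegExp(`\\b${n.result}\\b`).test(x.refs)
        );
      if (!resultChecked) findings.push({ rule: "UNCHECKED_EXTERNAL_CALL", line: n.line });
    }
  });
  return findings;
}

function audit(src) {
  return applySignatures(buildNodes(src));
}

// Constructed sample: role from req.body, charge result never checked, no auth gate.
const VULNERABLE = `
async function checkout(req, res) {
  if (req.body.role !== "admin" && req.body.role !== "customer") return res.sendStatus(403);
  const order = await orders.findOne({ id: req.body.orderId });
  const charge = await stripe.charges.create({ amount: order.total });
  order.status = "completed";
  await orders.update(order);
  res.json({ ok: true });
}`;

// Constructed sample: the same flow with the gates in the right order.
const HARDENED = `
async function checkout(req, res) {
  if (!req.user) return res.sendStatus(401);
  const order = await orders.findOne({ id: req.body.orderId, ownerId: req.user.id });
  if (!order) return res.sendStatus(404);
  const charge = await stripe.charges.create({ amount: order.total });
  if (charge.status !== "succeeded") return res.sendStatus(402);
  order.status = "completed";
  await orders.update(order);
  res.json({ ok: true });
}`;

console.log(audit(VULNERABLE)); // four findings on lines 3, 5, 6, 7
console.log(audit(HARDENED));   // []
```

The point of the ordered node list is that each signature is a question about position, not about any statement in isolation: a mutation is only a problem if no identity check precedes it, and an external call is only a problem if nothing between it and the next write inspects its result. Deleting just the charge.status check from the hardened sample re-surfaces exactly one finding, the unchecked call, which is the kind of targeted result a deterministic rule set gives and a free-form model does not guarantee.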


Authentication & Credits

ose signup          # create a free account
ose login           # log in (saves API key to ~/.ose/config.json)
ose whoami          # confirm your identity and credit balance
ose logout          # remove locally saved credentials
ose buy             # interactive credit pack purchase

For CI/CD, skip the login flow:

export OSE_API_KEY=ose_sk_your_key_here
ose audit ./project

Credit Tiers

Tier         Credits   Resets
Free         5         Every 7 days
Starter      50        Never expire
Pro Hacker   300       Never expire
Enterprise   1500      Never expire

Audits with no findings do not consume credits.


Installation Options

Method       Command                       Notes
pipx         pipx install ose-auditor      Recommended: isolated env
npm global   npm install -g ose-auditor    Good for Node-first teams
npx          npx ose-auditor audit .       Zero install, auto-installs on first run
pip          pip install ose-auditor       Use inside a venv

Requires Python 3.9+ and a Node.js/TypeScript project to audit.


Exit Codes

Code   Meaning
0      Success (including no findings)
1      General error (bad path, auth failure, network)
2      Audit ran but the server reported a failure

Note that no code above distinguishes a scan that reported findings from one that reported none, so a CI gate cannot rely on the exit status alone and needs to inspect the audit output.

License

MIT — client layer, parser, MCP server, and contracts. The FSA detection core (ose-auditor-fsa) is proprietary and distributed as compiled wheels only.

Download files


Source Distribution

ose_auditor-1.1.7.tar.gz (53.9 kB)


Built Distribution


ose_auditor-1.1.7-py3-none-any.whl (54.4 kB)


File details

Details for the file ose_auditor-1.1.7.tar.gz.

File metadata

  • Download URL: ose_auditor-1.1.7.tar.gz
  • Size: 53.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.0

File hashes

Hashes for ose_auditor-1.1.7.tar.gz
Algorithm     Hash digest
SHA256        9aa8ba87546584077c8f56e1b91a180d563aa8be03e8751d5a772e072d805e97
MD5           767a6db71c012f32b6a4dc7b3c261a7b
BLAKE2b-256   3e253de4ba8447ed54b8a9aa489afbbe2d5a8fe2310c732ec2c22a7cd22aafd9


File details

Details for the file ose_auditor-1.1.7-py3-none-any.whl.

File metadata

  • Download URL: ose_auditor-1.1.7-py3-none-any.whl
  • Size: 54.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.0

File hashes

Hashes for ose_auditor-1.1.7-py3-none-any.whl
Algorithm     Hash digest
SHA256        a34ef0374434e1c25a487acdd1551b645edbec1cd915bc99b2963fc5ad81bb05
MD5           a78333f7cec17f30767e53db25644ab4
BLAKE2b-256   459ceb7afe4aad632cff833db53a86b94234c3f5169641fcb2bc00408e993d3d

Both artifacts were uploaded without Trusted Publishing, so the SHA256 digests above are what to pin: listing them in a requirements file and installing with pip install --require-hashes makes pip reject any distribution whose digest differs.
