50c 3.9.1 → 3.9.3

package/bin/50c.js

@@ -1012,7 +1012,7 @@ const LOCAL_TOOLS = [
   
   // 50c Team utilities - for power users who want granular control
   { name: "team_http", description: "50c Team: HTTP/HTTPS fetch. Bypasses IDE restrictions. FREE.", inputSchema: { type: "object", properties: { url: { type: "string", description: "Full URL to fetch" }, method: { type: "string", description: "HTTP method (default GET)" }, headers: { type: "object", description: "Request headers" }, body: { type: "string", description: "Request body for POST/PUT" }, timeout: { type: "number", description: "Timeout in ms (default 30000)" } }, required: ["url"] } },
-  { name: "team_ssh", description: "50c Team: SSH remote command. Known servers: nj, zurich, chicago. FREE.", inputSchema: { type: "object", properties: { server: { type: "string", description: "Server alias (nj/zurich/chicago) or {host,user,port}" }, command: { type: "string", description: "Command to execute on remote server" }, timeout: { type: "number", description: "Timeout in ms (default 30000)" } }, required: ["server", "command"] } },
+  { name: "team_ssh", description: "50c Team: SSH remote command. Configure servers in ~/.50c/servers.json. FREE.", inputSchema: { type: "object", properties: { server: { type: "string", description: "Server alias (nj/zurich/chicago) or {host,user,port}" }, command: { type: "string", description: "Command to execute on remote server" }, timeout: { type: "number", description: "Timeout in ms (default 30000)" } }, required: ["server", "command"] } },
   { name: "team_exec", description: "50c Team: Local command execution. Bypasses shell restrictions. FREE.", inputSchema: { type: "object", properties: { command: { type: "string", description: "Command to execute locally" }, cwd: { type: "string", description: "Working directory" }, timeout: { type: "number", description: "Timeout in ms (default 30000)" } }, required: ["command"] } },
   { name: "team_multi", description: "50c Team: Execute multiple tasks in parallel. FREE.", inputSchema: { type: "object", properties: { tasks: { type: "array", description: "Array of task objects [{type, ...params}]", items: { type: "object" } } }, required: ["tasks"] } },
   { name: "team_servers", description: "50c Team: List known SSH servers. FREE.", inputSchema: { type: "object", properties: {} } },
@@ -1020,6 +1020,9 @@ const LOCAL_TOOLS = [
   { name: "team_chain", description: "50c Team: Chain multiple tools together. Output flows via $prev placeholder.", inputSchema: { type: "object", properties: { steps: { type: "array", description: "Array of {tool, args} - use $prev for previous result", items: { type: "object" } }, input: { type: "string", description: "Initial input (optional)" } }, required: ["steps"] } },
   { name: "pre_publish", description: "Pre-publish verification. Thorough checks before npm/github/arxiv/medical publish. Profiles: npm, github, arxiv, medical, science, math. Uses AI tools (bCalc, genius+, web_search) for academic verification. FREE.", inputSchema: { type: "object", properties: { profile: { type: "string", description: "Verification profile: npm, github, arxiv, medical, science, math", enum: ["npm", "github", "arxiv", "medical", "science", "math"] }, cwd: { type: "string", description: "Directory to check (default: current)" }, save_receipt: { type: "boolean", description: "Save receipt as markdown file" } } } },
   
+  // Security audit tool - runs locally, FREE
+  { name: "backdoor_check", description: "Security audit: check for backdoors, unauthorized RDP/SSH, persistence, suspicious connections. Geo-IP tags foreign IPs. Cross-platform. FREE.", inputSchema: { type: "object", properties: { skipGeo: { type: "boolean", description: "Skip geo-IP lookups (faster, offline)" } } } },
+
   // ENTERPRISE PRESET - Auto-Invent Swarm Pipeline ($2.00)
   { name: "auto_invent", description: "ENTERPRISE ($2.00): Full invention pipeline. Chains mind_opener → idea_fold → bcalc → genius_plus → compute → cvi_verify. Produces provable, verified solutions. Requires Enterprise tier.", inputSchema: { type: "object", properties: { problem: { type: "string", description: "Problem or hypothesis to solve/prove" }, constraints: { type: "array", items: { type: "string" }, description: "Hard constraints the solution must satisfy" }, domain: { type: "string", description: "Domain hint: math, physics, engineering, business, code", enum: ["math", "physics", "engineering", "business", "code"] }, rigor: { type: "string", description: "Rigor level: fast, standard, deep, exhaustive (all $2.00)", enum: ["fast", "standard", "deep", "exhaustive"], default: "deep" } }, required: ["problem"] } },
   
@@ -1796,6 +1799,17 @@ async function handleLocalTools(request) {
     if (name === 'team_servers') {
       return mcpResult(id, { ok: true, servers: KNOWN_SERVERS });
     }
+
+    if (name === 'backdoor_check') {
+      try {
+        const { runAudit } = require('../lib/backdoor-checker.js');
+        const result = await runAudit({ skipGeo: args.skipGeo });
+        return mcpResult(id, result);
+      } catch (e) {
+        return mcpResult(id, { ok: false, error: e.message });
+      }
+    }
+
     
     // Pre-publish verification - thorough checks before npm/arxiv/github/medical publish
     if (name === 'pre_publish') {

package/lib/backdoor-checker.js

@@ -0,0 +1,736 @@
+/**
+ * 50c Backdoor Checker - Local security audit tool
+ * Runs entirely on the user's machine. FREE.
+ *
+ * Detects:
+ * - Unauthorized RDP/SSH logins (with geo-IP)
+ * - Persistence mechanisms (scheduled tasks, startup, registry, services)
+ * - Suspicious network connections to foreign IPs
+ * - Rogue certificates and proxy settings
+ * - IDE artifacts (Verdant, etc.)
+ * - Unauthorized user accounts
+ * - SSH authorized_keys anomalies
+ *
+ * Cross-platform: Windows (PowerShell), Linux (bash), macOS (bash)
+ */
+
+const { exec, execSync } = require('child_process');
+const os = require('os');
+const fs = require('fs');
+const path = require('path');
+
+const PLATFORM = os.platform(); // win32, linux, darwin
+const HOME = os.homedir();
+
+// Suspicious country indicators in IP geolocation
+const SUSPICIOUS_GEOS = ['CN', 'RU', 'KP', 'IR'];
+
+// Known suspicious IDE directories
+const SUSPICIOUS_IDE_DIRS = [
+  '.verdent', '.verdant', '.verd',
+  '.trae',  // ByteDance IDE
+];
+
+// Known suspicious process names
+const SUSPICIOUS_PROCESSES = [
+  'cryptominer', 'xmrig', 'minerd', 'cgminer',
+  'nc.exe', 'ncat', 'netcat',
+  'mimikatz', 'lazagne', 'procdump',
+  'psexec', 'wmic', // lateral movement
+];
+
+/**
+ * Run a command and return stdout (or error message)
+ */
+function run(cmd, timeout = 30000) {
+  try {
+    return execSync(cmd, {
+      timeout,
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+      windowsHide: true,
+      maxBuffer: 10 * 1024 * 1024
+    }).trim();
+  } catch (e) {
+    return `[ERROR] ${e.message}`;
+  }
+}
+
+/**
+ * Run PowerShell command (Windows)
+ */
+function ps(script, timeout = 30000) {
+  const escaped = script.replace(/"/g, '\\"');
+  return run(`powershell -NoProfile -ExecutionPolicy Bypass -Command "${escaped}"`, timeout);
+}
+
+/**
+ * Geo-IP lookup using free API (ip-api.com)
+ * Returns { country, countryCode, city, isp, org }
+ */
+async function geoIP(ip) {
+  try {
+    const http = require('http');
+    return new Promise((resolve, reject) => {
+      const req = http.get(`http://ip-api.com/json/${ip}?fields=country,countryCode,city,isp,org`, { timeout: 5000 }, (res) => {
+        let data = '';
+        res.on('data', c => data += c);
+        res.on('end', () => {
+          try { resolve(JSON.parse(data)); }
+          catch { resolve({ country: 'unknown', countryCode: '??' }); }
+        });
+      });
+      req.on('error', () => resolve({ country: 'unknown', countryCode: '??' }));
+      req.on('timeout', () => { req.destroy(); resolve({ country: 'unknown', countryCode: '??' }); });
+    });
+  } catch {
+    return { country: 'unknown', countryCode: '??' };
+  }
+}
+
+/**
+ * Batch geo-IP lookup (ip-api.com supports batch of up to 100)
+ */
+async function batchGeoIP(ips) {
+  if (ips.length === 0) return {};
+  const uniqueIPs = [...new Set(ips)].slice(0, 100);
+
+  try {
+    const http = require('http');
+    const body = JSON.stringify(uniqueIPs.map(ip => ({ query: ip, fields: 'query,country,countryCode,city,isp,org' })));
+
+    return new Promise((resolve) => {
+      const req = http.request({
+        hostname: 'ip-api.com',
+        path: '/batch',
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) },
+        timeout: 10000
+      }, (res) => {
+        let data = '';
+        res.on('data', c => data += c);
+        res.on('end', () => {
+          try {
+            const results = JSON.parse(data);
+            const map = {};
+            for (const r of results) { map[r.query] = r; }
+            resolve(map);
+          } catch { resolve({}); }
+        });
+      });
+      req.on('error', () => resolve({}));
+      req.on('timeout', () => { req.destroy(); resolve({}); });
+      req.write(body);
+      req.end();
+    });
+  } catch {
+    return {};
+  }
+}
+
+// ============================================
+// WINDOWS CHECKS
+// ============================================
+
+function windowsChecks() {
+  const findings = [];
+
+  // 1. RDP Login History (Event ID 4624 Type 10 = RemoteInteractive)
+  findings.push({ check: 'RDP Login History', data: getRDPLogins() });
+
+  // 2. Failed RDP attempts (Event ID 4625)
+  findings.push({ check: 'Failed Login Attempts', data: getFailedLogins() });
+
+  // 3. Local user accounts
+  findings.push({ check: 'Local User Accounts', data: getLocalUsers() });
+
+  // 4. Scheduled tasks (persistence)
+  findings.push({ check: 'Scheduled Tasks', data: getScheduledTasks() });
+
+  // 5. Startup programs (registry Run keys)
+  findings.push({ check: 'Startup Registry Keys', data: getStartupKeys() });
+
+  // 6. Running services (unusual ones)
+  findings.push({ check: 'Services', data: getServices() });
+
+  // 7. Active network connections
+  findings.push({ check: 'Active Network Connections', data: getNetConnections() });
+
+  // 8. Firewall rules
+  findings.push({ check: 'Firewall Rules', data: getFirewallRules() });
+
+  // 9. Certificates
+  findings.push({ check: 'Root Certificates', data: getCertificates() });
+
+  // 10. Proxy settings
+  findings.push({ check: 'Proxy Settings', data: getProxySettings() });
+
+  // 11. WinRM / Remote Management
+  findings.push({ check: 'Remote Management (WinRM)', data: getWinRM() });
+
+  // 12. SSH authorized_keys
+  findings.push({ check: 'SSH Authorized Keys', data: getSSHKeys() });
+
+  // 13. Suspicious IDE artifacts
+  findings.push({ check: 'Suspicious IDE Artifacts', data: getIDEArtifacts() });
+
+  // 14. PowerShell history (may reveal attacker commands)
+  findings.push({ check: 'PowerShell History', data: getPSHistory() });
+
+  // 15. DNS cache (suspicious domains)
+  findings.push({ check: 'DNS Cache', data: getDNSCache() });
+
+  // 16. Recently installed programs
+  findings.push({ check: 'Recently Installed Programs', data: getRecentInstalls() });
+
+  // 17. Hidden/suspicious processes
+  findings.push({ check: 'Suspicious Processes', data: getSuspiciousProcesses() });
+
+  return findings;
+}
+
+function getRDPLogins() {
+  const result = ps(`
+    try {
+      $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 200 -ErrorAction Stop |
+        Where-Object { $_.Properties[8].Value -eq 10 } |
+        Select-Object -First 50 |
+        ForEach-Object {
+          $ip = $_.Properties[18].Value
+          $user = $_.Properties[5].Value
+          $domain = $_.Properties[6].Value
+          $time = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
+          "$time | $domain\\\\$user | $ip"
+        }
+      if ($events) { $events -join '\\n' } else { 'No RDP logins found in Security log' }
+    } catch { 'Access denied or Security log unavailable - run as Administrator' }
+  `, 60000);
+  return result;
+}
+
+function getFailedLogins() {
+  const result = ps(`
+    try {
+      $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 100 -ErrorAction Stop |
+        Select-Object -First 30 |
+        ForEach-Object {
+          $ip = $_.Properties[19].Value
+          $user = $_.Properties[5].Value
+          $time = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
+          "$time | $user | $ip"
+        }
+      if ($events) { $events -join '\\n' } else { 'No failed login attempts found' }
+    } catch { 'Access denied or Security log unavailable - run as Administrator' }
+  `, 60000);
+  return result;
+}
+
+function getLocalUsers() {
+  return ps(`
+    Get-LocalUser | ForEach-Object {
+      $name = $_.Name
+      $enabled = $_.Enabled
+      $lastLogon = $_.LastLogon
+      $desc = $_.Description
+      "$name | Enabled=$enabled | LastLogon=$lastLogon | $desc"
+    } | Out-String
+  `);
+}
+
+function getScheduledTasks() {
+  return ps(`
+    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\\\\Microsoft\\\\*' } |
+      ForEach-Object {
+        $name = $_.TaskName
+        $path = $_.TaskPath
+        $actions = ($_.Actions | ForEach-Object { $_.Execute + ' ' + $_.Arguments }) -join '; '
+        "$path$name | $actions"
+      } | Out-String
+  `, 60000);
+}
+
+function getStartupKeys() {
+  const keys = [
+    'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
+    'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce',
+    'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
+    'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce',
+    'HKLM:\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run',
+  ];
+
+  return ps(`
+    $keys = @(${keys.map(k => `'${k}'`).join(',')})
+    foreach ($key in $keys) {
+      if (Test-Path $key) {
+        "=== $key ==="
+        Get-ItemProperty $key -ErrorAction SilentlyContinue |
+          ForEach-Object { $_.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
+            ForEach-Object { "  $($_.Name) = $($_.Value)" }
+          }
+      }
+    }
+  `);
+}
+
+function getServices() {
+  return ps(`
+    Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.StartType -eq 'Automatic' } |
+      Where-Object { $_.DisplayName -notlike 'Windows*' -and $_.DisplayName -notlike 'Microsoft*' -and $_.DisplayName -notlike 'DCOM*' -and $_.DisplayName -notlike 'Plug*' } |
+      Select-Object Name, DisplayName, StartType |
+      Format-Table -AutoSize | Out-String
+  `);
+}
+
+function getNetConnections() {
+  return ps(`
+    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
+      Where-Object { $_.RemoteAddress -ne '127.0.0.1' -and $_.RemoteAddress -ne '::1' -and $_.RemoteAddress -ne '0.0.0.0' } |
+      Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess,
+        @{N='Process';E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} |
+      Sort-Object RemoteAddress |
+      Format-Table -AutoSize | Out-String
+  `);
+}
+
+function getFirewallRules() {
+  return ps(`
+    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
+      Where-Object { $_.DisplayName -notlike 'Core Networking*' -and $_.DisplayName -notlike 'Windows*' } |
+      Select-Object -First 30 DisplayName, Profile, Direction |
+      Format-Table -AutoSize | Out-String
+  `);
+}
+
+function getCertificates() {
+  return ps(`
+    Get-ChildItem Cert:\\LocalMachine\\Root |
+      Where-Object { $_.NotAfter -gt (Get-Date) } |
+      Select-Object Subject, Issuer, NotAfter, Thumbprint |
+      Format-Table -AutoSize -Wrap | Out-String
+  `);
+}
+
+function getProxySettings() {
+  return ps(`
+    $proxy = Get-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings' -ErrorAction SilentlyContinue
+    "ProxyEnable: $($proxy.ProxyEnable)"
+    "ProxyServer: $($proxy.ProxyServer)"
+    "ProxyOverride: $($proxy.ProxyOverride)"
+    "AutoConfigURL: $($proxy.AutoConfigURL)"
+    ""
+    "Environment:"
+    "HTTP_PROXY: $env:HTTP_PROXY"
+    "HTTPS_PROXY: $env:HTTPS_PROXY"
+    "ALL_PROXY: $env:ALL_PROXY"
+  `);
+}
+
+function getWinRM() {
+  return ps(`
+    try {
+      $status = Get-Service WinRM -ErrorAction Stop
+      "WinRM Status: $($status.Status)"
+      if ($status.Status -eq 'Running') {
+        "WARNING: WinRM is running - remote management is enabled"
+        winrm get winrm/config/client 2>$null
+      }
+    } catch {
+      "WinRM: Not found or access denied"
+    }
+  `);
+}
+
+function getSSHKeys() {
+  const results = [];
+  const sshDir = path.join(HOME, '.ssh');
+
+  if (fs.existsSync(sshDir)) {
+    const authKeys = path.join(sshDir, 'authorized_keys');
+    if (fs.existsSync(authKeys)) {
+      results.push('=== authorized_keys ===');
+      const content = fs.readFileSync(authKeys, 'utf8');
+      const keys = content.split('\n').filter(l => l.trim() && !l.startsWith('#'));
+      for (const key of keys) {
+        const parts = key.trim().split(/\s+/);
+        const comment = parts.length >= 3 ? parts.slice(2).join(' ') : 'no-comment';
+        const type = parts[0];
+        results.push(`  ${type} ... ${comment}`);
+      }
+    } else {
+      results.push('No authorized_keys file found');
+    }
+
+    // Check for unusual files in .ssh
+    const files = fs.readdirSync(sshDir);
+    const unusual = files.filter(f => !['authorized_keys', 'known_hosts', 'config', 'id_rsa', 'id_rsa.pub', 'id_ed25519', 'id_ed25519.pub', 'id_ecdsa', 'id_ecdsa.pub', 'id_ed25519_automation', 'id_ed25519_automation.pub'].includes(f));
+    if (unusual.length > 0) {
+      results.push(`\nUnusual files in .ssh/: ${unusual.join(', ')}`);
+    }
+  } else {
+    results.push('No .ssh directory found');
+  }
+
+  return results.join('\n');
+}
+
+function getIDEArtifacts() {
+  const results = [];
+
+  for (const dir of SUSPICIOUS_IDE_DIRS) {
+    const fullPath = path.join(HOME, dir);
+    if (fs.existsSync(fullPath)) {
+      results.push(`[!] FOUND: ${fullPath}`);
+      try {
+        const files = fs.readdirSync(fullPath);
+        results.push(`    Contents: ${files.slice(0, 20).join(', ')}`);
+
+        // Check for MCP config with embedded secrets
+        const mcpPath = path.join(fullPath, 'mcp.json');
+        if (fs.existsSync(mcpPath)) {
+          results.push(`    [!!] MCP config found: ${mcpPath}`);
+          try {
+            const mcp = JSON.parse(fs.readFileSync(mcpPath, 'utf8'));
+            const servers = Object.keys(mcp.mcpServers || {});
+            results.push(`    MCP servers configured: ${servers.join(', ')}`);
+            // Check for embedded API keys
+            for (const [name, srv] of Object.entries(mcp.mcpServers || {})) {
+              if (srv.env) {
+                const envKeys = Object.keys(srv.env);
+                results.push(`    [!] ${name} has env vars: ${envKeys.join(', ')}`);
+              }
+            }
+          } catch {}
+        }
+      } catch {}
+    }
+  }
+
+  // Also check AppData for Verdant
+  const appDataPaths = [
+    path.join(process.env.APPDATA || '', 'Verdent'),
+    path.join(process.env.APPDATA || '', 'Verdant'),
+    path.join(process.env.LOCALAPPDATA || '', 'Verdent'),
+    path.join(process.env.LOCALAPPDATA || '', 'Verdant'),
+  ];
+
+  for (const p of appDataPaths) {
+    if (p && fs.existsSync(p)) {
+      results.push(`[!] FOUND AppData: ${p}`);
+      try {
+        const files = fs.readdirSync(p);
+        results.push(`    Contents: ${files.slice(0, 20).join(', ')}`);
+      } catch {}
+    }
+  }
+
+  if (results.length === 0) {
+    results.push('No suspicious IDE artifacts found');
+  }
+
+  return results.join('\n');
+}
+
+function getPSHistory() {
+  const histPath = path.join(HOME, 'AppData', 'Roaming', 'Microsoft', 'Windows', 'PowerShell', 'PSReadLine', 'ConsoleHost_history.txt');
+  if (fs.existsSync(histPath)) {
+    try {
+      const content = fs.readFileSync(histPath, 'utf8');
+      const lines = content.split('\n').slice(-100); // last 100 commands
+      const suspicious = lines.filter(l => {
+        const lower = l.toLowerCase();
+        return lower.includes('invoke-webrequest') || lower.includes('downloadstring') ||
+               lower.includes('downloadfile') || lower.includes('net.webclient') ||
+               lower.includes('iex') || lower.includes('invoke-expression') ||
+               lower.includes('bypass') || lower.includes('hidden') ||
+               lower.includes('-enc ') || lower.includes('encodedcommand') ||
+               lower.includes('certutil') || lower.includes('bitsadmin');
+      });
+      if (suspicious.length > 0) {
+        return `[!] Suspicious PowerShell commands found:\n${suspicious.join('\n')}`;
+      }
+      return `Last 100 commands checked - no suspicious patterns found (${lines.length} total lines in history)`;
+    } catch {
+      return 'Could not read PowerShell history';
+    }
+  }
+  return 'No PowerShell history file found';
+}
+
+function getDNSCache() {
+  return ps(`
+    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue |
+      Select-Object -First 100 Entry, Data |
+      Where-Object { $_.Entry -match '\\.(cn|ru|ir|kp)$' -or $_.Entry -match '(baidu|qq|163|aliyun|tencent|weibo|bytedance|douyin)' }
+    if ($cache) {
+      "Suspicious DNS entries found:"
+      $cache | Format-Table -AutoSize | Out-String
+    } else {
+      "No suspicious DNS entries (.cn/.ru/.ir/.kp or known Chinese services)"
+    }
+  `);
+}
+
+function getRecentInstalls() {
+  return ps(`
+    Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* |
+      Where-Object { $_.InstallDate -and $_.InstallDate -gt (Get-Date).AddDays(-90).ToString('yyyyMMdd') } |
+      Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
+      Sort-Object InstallDate -Descending |
+      Format-Table -AutoSize | Out-String
+  `);
+}
+
+function getSuspiciousProcesses() {
+  return ps(`
+    $procs = Get-Process -ErrorAction SilentlyContinue |
+      Select-Object Name, Id, Path, Company |
+      Where-Object {
+        $suspicious = @(${SUSPICIOUS_PROCESSES.map(p => `'${p}'`).join(',')})
+        $_.Name -in $suspicious -or
+        ($_.Path -and ($_.Path -match '\\\\Temp\\\\' -or $_.Path -match '\\\\tmp\\\\' -or $_.Path -match '\\\\Downloads\\\\'))
+      }
+    if ($procs) {
+      "[!] Suspicious processes found:"
+      $procs | Format-Table -AutoSize | Out-String
+    } else {
+      "No known suspicious processes found"
+    }
+  `);
+}
+
+// ============================================
+// LINUX CHECKS
+// ============================================
+
+function linuxChecks() {
+  const findings = [];
+
+  findings.push({ check: 'SSH Login History', data: run('last -50 2>/dev/null || echo "last command not available"') });
+  findings.push({ check: 'Failed SSH Attempts', data: run('grep "Failed password" /var/log/auth.log 2>/dev/null | tail -30 || grep "Failed password" /var/log/secure 2>/dev/null | tail -30 || journalctl -u sshd --no-pager -n 30 2>/dev/null | grep -i "failed" || echo "No auth logs accessible"') });
+  findings.push({ check: 'User Accounts', data: run('cat /etc/passwd | grep -v nologin | grep -v /false') });
+  findings.push({ check: 'Sudoers', data: run('cat /etc/sudoers 2>/dev/null; ls -la /etc/sudoers.d/ 2>/dev/null') });
+  findings.push({ check: 'Crontabs', data: run('for user in $(cut -f1 -d: /etc/passwd); do crontab -l -u $user 2>/dev/null && echo "=== $user ==="; done; cat /etc/crontab 2>/dev/null; ls -la /etc/cron.d/ 2>/dev/null') });
+  findings.push({ check: 'SSH Authorized Keys', data: getSSHKeys() });
+  findings.push({ check: 'Active Connections', data: run('ss -tunp 2>/dev/null || netstat -tunp 2>/dev/null') });
+  findings.push({ check: 'Listening Ports', data: run('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null') });
+  findings.push({ check: 'Running Services', data: run('systemctl list-units --type=service --state=running 2>/dev/null | head -40') });
+  findings.push({ check: 'Suspicious IDE Artifacts', data: getIDEArtifacts() });
+  findings.push({ check: 'Unusual SUID Binaries', data: run('find / -perm -4000 -type f 2>/dev/null | grep -v -E "(sudo|passwd|ping|mount|su|chsh|chfn|newgrp|gpasswd|pkexec)" | head -20') });
+  findings.push({ check: 'Startup Scripts', data: run('ls -la /etc/init.d/ 2>/dev/null; ls -la /etc/rc.local 2>/dev/null; systemctl list-unit-files --state=enabled 2>/dev/null | head -30') });
+  findings.push({ check: 'Bash History (suspicious)', data: run('grep -E "curl.*\\|.*sh|wget.*\\|.*sh|python.*-c.*import|nc\\s+-|/dev/tcp|base64.*-d" ~/.bash_history 2>/dev/null | tail -20 || echo "No suspicious bash history patterns"') });
+
+  return findings;
+}
+
+// ============================================
+// macOS CHECKS
+// ============================================
+
+function macChecks() {
+  const findings = [];
+
+  // 1. Login history (last works on macOS)
+  findings.push({ check: 'Login History', data: run('last -50 2>/dev/null || echo "last command not available"') });
+
+  // 2. Failed SSH/login attempts via unified log
+  findings.push({ check: 'Failed Login Attempts', data: run('log show --predicate \'eventMessage contains "failed" AND eventMessage contains "ssh"\' --style syslog --last 7d 2>/dev/null | tail -30 || echo "No failed SSH in unified log"', 60000) });
+
+  // 3. Remote login (SSH) status
+  findings.push({ check: 'Remote Login (SSH) Status', data: run('systemsetup -getremotelogin 2>/dev/null || echo "Cannot check remote login status"') });
+
+  // 4. Screen sharing / VNC / ARD
+  findings.push({ check: 'Screen Sharing / VNC / ARD', data: run('launchctl list 2>/dev/null | grep -iE "vnc|screensharing|ARD|remote" || echo "No screen sharing services found"') });
+
+  // 5. User accounts
+  findings.push({ check: 'User Accounts', data: run('dscl . list /Users | grep -v "^_" | grep -v daemon | grep -v nobody') });
+
+  // 6. Admin users
+  findings.push({ check: 'Admin Users', data: run('dscl . -read /Groups/admin GroupMembership 2>/dev/null || echo "Cannot read admin group"') });
+
+  // 7. LaunchAgents (user-level persistence - PRIMARY backdoor vector on macOS)
+  findings.push({ check: 'User LaunchAgents', data: getMacLaunchItems(path.join(HOME, 'Library', 'LaunchAgents')) });
+
+  // 8. System LaunchAgents
+  findings.push({ check: 'System LaunchAgents', data: getMacLaunchItems('/Library/LaunchAgents') });
+
+  // 9. LaunchDaemons (root-level persistence)
+  findings.push({ check: 'LaunchDaemons', data: getMacLaunchItems('/Library/LaunchDaemons') });
+
+  // 10. Login Items (GUI persistence)
+  findings.push({ check: 'Login Items', data: run('osascript -e \'tell application "System Events" to get the name of every login item\' 2>/dev/null || echo "Cannot read login items"') });
+
+  // 11. Crontabs
+  findings.push({ check: 'Crontabs', data: run('crontab -l 2>/dev/null || echo "No user crontab"; echo "---"; cat /etc/crontab 2>/dev/null || echo "No /etc/crontab"') });
+
+  // 12. SSH authorized_keys
+  findings.push({ check: 'SSH Authorized Keys', data: getSSHKeys() });
+
+  // 13. Active connections
+  findings.push({ check: 'Active Connections', data: run('netstat -an 2>/dev/null | grep ESTABLISHED | head -40 || lsof -i -P -n 2>/dev/null | grep ESTABLISHED | head -40') });
+
+  // 14. Listening ports
+  findings.push({ check: 'Listening Ports', data: run('lsof -i -P -n 2>/dev/null | grep LISTEN | head -30') });
+
+  // 15. Profiles (MDM / configuration profiles - can enforce proxy, certs, etc.)
+  findings.push({ check: 'Configuration Profiles (MDM)', data: run('profiles list 2>/dev/null || profiles -L 2>/dev/null || echo "No profiles command or no profiles installed"') });
+
+  // 16. Keychain - look for suspicious root certs
+  findings.push({ check: 'Custom Root Certificates', data: run('security find-certificate -a -p /Library/Keychains/System.keychain 2>/dev/null | openssl x509 -noout -subject -issuer 2>/dev/null | head -20 || echo "Cannot enumerate system keychain"') });
+
+  // 17. Proxy settings
+  findings.push({ check: 'Proxy Settings', data: run('networksetup -getwebproxy Wi-Fi 2>/dev/null; networksetup -getsecurewebproxy Wi-Fi 2>/dev/null; networksetup -getautoproxyurl Wi-Fi 2>/dev/null; echo "HTTP_PROXY=$HTTP_PROXY"; echo "HTTPS_PROXY=$HTTPS_PROXY"') });
+
+  // 18. Firewall status
+  findings.push({ check: 'Firewall Status', data: run('/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null || echo "Cannot check firewall"') });
+
+  // 19. Suspicious IDE artifacts
+  findings.push({ check: 'Suspicious IDE Artifacts', data: getIDEArtifacts() });
+
+  // 20. Shell history (suspicious patterns)
+  findings.push({ check: 'Shell History (suspicious)', data: run('grep -hE "curl.*\\|.*sh|wget.*\\|.*sh|python.*-c.*import|nc\\s+-|/dev/tcp|base64.*-d|osascript.*-e" ~/.bash_history ~/.zsh_history 2>/dev/null | tail -20 || echo "No suspicious shell history patterns"') });
+
+  // 21. Gatekeeper and SIP status
+  findings.push({ check: 'Gatekeeper & SIP Status', data: run('spctl --status 2>/dev/null; csrutil status 2>/dev/null') });
+
+  // 22. TCC (privacy permissions) - what apps have accessibility/screen recording/etc.
+  findings.push({ check: 'Privacy Permissions (TCC)', data: run('sqlite3 "$HOME/Library/Application Support/com.apple.TCC/TCC.db" "SELECT client,service,auth_value FROM access WHERE auth_value=2" 2>/dev/null || echo "Cannot read TCC database (may need Full Disk Access)"') });
+
+  return findings;
+}
+
+/**
+ * Read macOS LaunchAgent/LaunchDaemon plist files for suspicious entries
+ */
+function getMacLaunchItems(dirPath) {
+  const results = [];
+  try {
+    if (!fs.existsSync(dirPath)) {
+      return `Directory not found: ${dirPath}`;
+    }
+    const files = fs.readdirSync(dirPath).filter(f => f.endsWith('.plist'));
+    if (files.length === 0) {
+      return `No plist files in ${dirPath}`;
+    }
+
+    for (const file of files) {
+      const fullPath = path.join(dirPath, file);
+      // Use plutil to convert plist to readable format
+      const content = run(`plutil -p "${fullPath}" 2>/dev/null`);
+
+      // Flag non-Apple items
+      const isApple = file.startsWith('com.apple.') || file.startsWith('com.openssh.');
+      const label = isApple ? '  ' : '[!] ';
+
+      // Extract program/command from plist output
+      const programMatch = content.match(/"Program(?:Arguments)?" => (?:\[[\s\S]*?\]|"[^"]*")/);
+      const program = programMatch ? programMatch[0].substring(0, 120) : '';
+
+      results.push(`${label}${file}`);
+      if (program) results.push(`     ${program}`);
+    }
+  } catch (e) {
+    results.push(`[ERROR] Cannot read ${dirPath}: ${e.message}`);
+  }
+  return results.join('\n');
+}
+
+// ============================================
+// MAIN AUDIT FUNCTION
+// ============================================
+
+async function runAudit(options = {}) {
+  const startTime = Date.now();
+  const result = {
+    ok: true,
+    platform: PLATFORM,
+    hostname: os.hostname(),
+    timestamp: new Date().toISOString(),
+    user: os.userInfo().username,
+    findings: [],
+    alerts: [],
+    summary: {}
+  };
+
+  // Run platform-specific checks
+  if (PLATFORM === 'win32') {
+    result.findings = windowsChecks();
+  } else if (PLATFORM === 'darwin') {
+    result.findings = macChecks();
+  } else {
+    result.findings = linuxChecks();
+  }
+
+  // Extract unique IPs from findings for geo-lookup
+  const allIPs = new Set();
+  for (const f of result.findings) {
+    if (typeof f.data === 'string') {
+      const ipMatches = f.data.match(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g) || [];
+      for (const ip of ipMatches) {
+        if (!ip.startsWith('127.') && !ip.startsWith('0.') && !ip.startsWith('10.') &&
+            !ip.startsWith('192.168.') && !ip.startsWith('169.254.') &&
+            !ip.match(/^172\.(1[6-9]|2\d|3[01])\./)) {
+          allIPs.add(ip);
+        }
+      }
+    }
+  }
+
+  // Batch geo-IP lookup
+  if (allIPs.size > 0 && !options.skipGeo) {
+    const geoResults = await batchGeoIP([...allIPs]);
+    result.geoIP = {};
+
+    for (const [ip, geo] of Object.entries(geoResults)) {
+      result.geoIP[ip] = {
+        country: geo.country,
+        countryCode: geo.countryCode,
+        city: geo.city,
+        isp: geo.isp,
+        org: geo.org
+      };
+
+      // Flag suspicious countries
+      if (SUSPICIOUS_GEOS.includes(geo.countryCode)) {
+        result.alerts.push({
+          severity: 'HIGH',
+          message: `Connection from suspicious country: ${ip} → ${geo.country} (${geo.city}) [${geo.isp}]`,
+          ip,
+          geo
+        });
+      }
+    }
+  }
+
+  // Analyze findings for alerts
+  for (const f of result.findings) {
+    if (typeof f.data === 'string') {
+      if (f.data.includes('[!]') || f.data.includes('[!!]')) {
+        result.alerts.push({
+          severity: f.data.includes('[!!]') ? 'HIGH' : 'MEDIUM',
+          message: `${f.check}: ${f.data.split('\n').find(l => l.includes('[!]')) || f.data.substring(0, 200)}`
+        });
+      }
+    }
+  }
+
+  // Summary
+  result.summary = {
+    totalChecks: result.findings.length,
+    alerts: result.alerts.length,
+    highSeverity: result.alerts.filter(a => a.severity === 'HIGH').length,
+    mediumSeverity: result.alerts.filter(a => a.severity === 'MEDIUM').length,
+    uniqueExternalIPs: allIPs.size,
+    suspiciousGeoIPs: result.alerts.filter(a => a.ip).length,
+    duration: Date.now() - startTime
+  };
+
+  result.verdict = result.summary.highSeverity > 0
+    ? 'INVESTIGATE - High severity alerts found'
+    : result.summary.mediumSeverity > 0
+      ? 'REVIEW - Medium severity items found'
+      : 'CLEAN - No suspicious findings';
+
+  return result;
+}
+
+module.exports = { runAudit, windowsChecks, linuxChecks, macChecks, batchGeoIP, geoIP };

package/lib/subagent.js

@@ -16,12 +16,18 @@ const http = require('http');
 const fs = require('fs');
 const path = require('path');
 
-// Known servers (can be extended via config)
-const KNOWN_SERVERS = {
-  'nj': { host: '172.93.101.193', user: 'root', name: 'NJ Production' },
-  'zurich': { host: '89.21.66.24', user: 'root', name: 'Zurich' },
-  'chicago': { host: 'chicago.50c.ai', user: 'root', name: 'Chicago' }
-};
+// User-configured servers loaded from ~/.50c/servers.json
+// Run: 50c servers add <alias> <host> <user> to configure
+function loadUserServers() {
+  try {
+    const serversPath = path.join(require('os').homedir(), '.50c', 'servers.json');
+    if (fs.existsSync(serversPath)) {
+      return JSON.parse(fs.readFileSync(serversPath, 'utf8'));
+    }
+  } catch (e) {}
+  return {};
+}
+const KNOWN_SERVERS = loadUserServers();
 
 /**
  * HTTP/HTTPS fetch - no shell, pure Node
@@ -43,7 +49,7 @@ async function httpFetch(url, options = {}) {
         ...(bodyData ? { 'Content-Length': Buffer.byteLength(bodyData) } : {})
       },
       timeout: options.timeout || 30000,
-      rejectUnauthorized: false // Allow self-signed certs
+      // TLS certificate validation enabled for security
     };
 
     const req = lib.request(reqOptions, (res) => {

package/lib/tools-registry.js

@@ -76,6 +76,45 @@ const FALLBACK_TOOLS = [
   { slug: 'magnum_number_theory', name: 'magnum_number_theory', description: 'Number theory specialist with mandatory numerical verification. Fixed hallucination problem.', price: 0.35, tier: 'enterprise', category: 'math_verification' },
   { slug: 'magnum_find_theorem', name: 'magnum_find_theorem', description: 'Find relevant theorems and literature with citations.', price: 0.30, tier: 'enterprise', category: 'math_verification' },
   { slug: 'magnum_test_conjecture', name: 'magnum_test_conjecture', description: 'Adversarial conjecture testing. Finds counterexamples or estimates plausibility.', price: 0.35, tier: 'enterprise', category: 'math_verification' },
+
+  // Titan Deep Solvers (Foundation/Enterprise)
+  { slug: 'titan_1', name: 'titan_1', description: 'Deep orchestrated solver. 7 phases: Diverge, Ground-truth, Explore, Attack, Resolve, Repair, Verify.', price: 10.00, tier: 'enterprise', category: 'deep_ai' },
+  { slug: 'titan_2', name: 'titan_2', description: 'Compute-anchored deep solver. Ground-truth, Analysis, Synthesis, Scoring.', price: 5.00, tier: 'enterprise', category: 'deep_ai' },
+  { slug: 'titan_3', name: 'titan_3', description: 'Proof-audited deep solver. 6 phases: understand, construct, verify, audit, fix, synthesize.', price: 10.00, tier: 'enterprise', category: 'deep_ai' },
+  { slug: 'titan_4', name: 'titan_4', description: 'Compute-before-assert deep solver. 5 phases: blast, verify, fix, synthesize, claim_audit.', price: 2.00, tier: 'enterprise', category: 'deep_ai' },
+
+  // Clarity Mode
+  { slug: 'clarity', name: 'clarity', description: 'Clarity Mode: tools self-activate based on input relevance. Modes: on/off/auto.', price: 0, tier: 'free', category: 'deep_ai' },
+
+  // Skeptic POV - adversarial verification
+  { slug: 'skeptic_pov', name: 'skeptic_pov', description: '5-lens adversarial verification (Factual, Logical, Computational, Constructive, STEM).', price: 0, tier: 'free', category: 'deep_ai' },
+
+  // Solve - iterative deep solver
+  { slug: 'solve', name: 'solve', description: 'Deep iterative solver. Researches, audits, verifies computationally, and self-corrects.', price: 0, tier: 'free', category: 'deep_ai' },
+
+  // Justice - ethical reasoning
+  { slug: 'justice', name: 'justice', description: 'Multi-framework ethical reasoning engine. 5+ frameworks with internal objections.', price: 0.10, tier: 'pro', category: 'deep_ai' },
+
+  // Artist Mode - creative construction
+  { slug: 'artist_mode', name: 'artist_mode', description: 'Divergent creative construction engine. Novel artifacts under constraints.', price: 0.10, tier: 'pro', category: 'deep_ai' },
+
+  // Self Modeling - epistemic analysis
+  { slug: 'self_modeling', name: 'self_modeling', description: 'Epistemic self-analysis. Calibrates confidence, distinguishes retrieval vs computation.', price: 0.08, tier: 'pro', category: 'deep_ai' },
+
+  // Magnum Advanced Tools
+  { slug: 'magnum_dependency_dag', name: 'magnum_dependency_dag', description: 'Build dependency DAG for proofs. Track theorem/axiom dependencies, find circular refs.', price: 0.25, tier: 'enterprise', category: 'math_verification' },
+  { slug: 'magnum_symbolic_computational_hybrid', name: 'magnum_symbolic_computational_hybrid', description: 'Hybrid solver bridging symbolic and computational verification.', price: 0.40, tier: 'enterprise', category: 'math_verification' },
+  { slug: 'mcp_conductor', name: 'mcp_conductor', description: 'Meta-orchestrator ensuring Magnum tools consistency. Resolves conflicts.', price: 0.50, tier: 'enterprise', category: 'math_verification' },
+
+  // Caz dedup
+  { slug: 'caz_dedup', name: 'caz_dedup', description: 'Semantic deduplication of items.', price: 0.03, tier: 'starter', category: 'context' },
+
+  // SEO Tools
+  { slug: 'seo_audit', name: 'seo_audit', description: 'Quick SEO audit of a URL.', price: 0.10, tier: 'pro', category: 'web_seo' },
+  { slug: 'traffic_optimizer', name: 'traffic_optimizer', description: 'Traffic optimization strategies.', price: 0.10, tier: 'pro', category: 'web_seo' },
+  { slug: 'schema_generator', name: 'schema_generator', description: 'Generate JSON-LD structured data.', price: 0.05, tier: 'pro', category: 'web_seo' },
+  { slug: 'faq_generator', name: 'faq_generator', description: 'Generate FAQ content with schema.', price: 0.05, tier: 'pro', category: 'web_seo' },
+
   { slug: 'magnum_design_computation', name: 'magnum_design_computation', description: 'Design computational verification experiments with runnable code.', price: 0.30, tier: 'enterprise', category: 'math_verification' },
 ];
 

package/package.json

@@ -1,39 +1,39 @@
-{
-  "name": "50c",
-  "version": "3.9.1",
-  "description": "AI developer tools via MCP. Pay-per-use from $0.01. No subscriptions.",
-  "bin": {
-    "50c": "./bin/50c.js"
-  },
-  "scripts": {
-    "postinstall": "node -e \"console.log('\\n50c Hub installed. Run: 50c install\\n')\""
-  },
-  "keywords": [
-    "mcp",
-    "ai",
-    "llm",
-    "cli",
-    "agent",
-    "50c",
-    "hints",
-    "genius",
-    "beacon",
-    "developer-tools",
-    "context",
-    "compression",
-    "caz",
-    "file-memory"
-  ],
-  "author": "genxis",
-  "license": "SEE LICENSE IN LICENSE",
-  "homepage": "https://50c.ai",
-  "engines": {
-    "node": ">=18.0.0"
-  },
-  "files": [
-    "bin/",
-    "lib/",
-    "README.md",
-    "LICENSE"
-  ]
-}
+{
+  "name": "50c",
+  "version": "3.9.3",
+  "description": "AI developer tools via MCP. Pay-per-use from $0.01. No subscriptions.",
+  "bin": {
+    "50c": "./bin/50c.js"
+  },
+  "scripts": {
+    "postinstall": "node -e \"console.log('\\n50c Hub installed. Run: 50c install\\n')\""
+  },
+  "keywords": [
+    "mcp",
+    "ai",
+    "llm",
+    "cli",
+    "agent",
+    "50c",
+    "hints",
+    "genius",
+    "beacon",
+    "developer-tools",
+    "context",
+    "compression",
+    "caz",
+    "file-memory"
+  ],
+  "author": "genxis",
+  "license": "SEE LICENSE IN LICENSE",
+  "homepage": "https://50c.ai",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "files": [
+    "bin/",
+    "lib/",
+    "README.md",
+    "LICENSE"
+  ]
+}