@phenixstar/talon 1.0.0

package/talon

@@ -0,0 +1,459 @@
+#!/bin/bash
+# Talon CLI - AI Penetration Testing Framework
+
+set -e
+
+# Prevent MSYS from converting Unix paths (e.g. /repos/my-repo) to Windows paths
+case "$OSTYPE" in
+  msys*) export MSYS_NO_PATHCONV=1 ;;
+esac
+
+# Detect Podman vs Docker and set compose files accordingly
+# Podman doesn't support host-gateway, so we only include the Docker override for actual Docker
+COMPOSE_BASE="docker-compose.yml"
+if command -v podman &>/dev/null; then
+  # Podman detected (either native or via Docker Desktop shim) - use base config only
+  COMPOSE_OVERRIDE=""
+else
+  # Docker detected - include extra_hosts override for Linux localhost access
+  COMPOSE_OVERRIDE="-f docker-compose.docker.yml"
+fi
+COMPOSE_FILE="$COMPOSE_BASE"
+
+# Load .env if present
+if [ -f .env ]; then
+  set -a
+  source .env
+  set +a
+fi
+
+show_help() {
+  cat << 'EOF'
+
+  ████████╗ █████╗ ██╗      ██████╗ ███╗   ██╗
+  ╚══██╔══╝██╔══██╗██║     ██╔═══██╗████╗  ██║
+     ██║   ███████║██║     ██║   ██║██╔██╗ ██║
+     ██║   ██╔══██║██║     ██║   ██║██║╚██╗██║
+     ██║   ██║  ██║███████╗╚██████╔╝██║ ╚████║
+     ╚═╝   ╚═╝  ╚═╝╚══════╝ ╚═════╝ ╚═╝  ╚═══╝
+
+           AI Penetration Testing Framework
+
+Usage:
+  ./talon setup                          Interactive setup wizard
+  ./talon doctor                         Validate configuration and dependencies
+  ./talon start URL=<url> REPO=<name>   Start a pentest workflow
+  ./talon benchmark TARGET=<name>       Run benchmark and compute F1 metrics
+  ./talon evolve GENERATIONS=<n>        Run N evolution generations on gene pool
+  ./talon workspaces                    List all workspaces
+  ./talon logs ID=<workflow-id>         Tail logs for a specific workflow
+  ./talon stop                          Stop all containers
+  ./talon help                          Show this help message
+
+Options for 'start':
+  REPO=<name>            Folder name under ./repos/ (e.g. REPO=repo-name)
+  CONFIG=<path>          Configuration file (YAML)
+  OUTPUT=<path>          Output directory for reports (default: ./audit-logs/)
+  WORKSPACE=<name>       Named workspace (auto-resumes if exists, creates if new)
+  PIPELINE_TESTING=true  Use minimal prompts for fast testing
+  ROUTER=true            Route requests through claude-code-router (multi-model support)
+
+Options for 'stop':
+  CLEAN=true             Remove all data including volumes
+
+Examples:
+  ./talon start URL=https://example.com REPO=repo-name
+  ./talon start URL=https://example.com REPO=repo-name WORKSPACE=q1-audit
+  ./talon start URL=https://example.com REPO=repo-name CONFIG=./config.yaml
+  ./talon start URL=https://example.com REPO=repo-name OUTPUT=./my-reports
+  ./talon workspaces
+  ./talon logs ID=example.com_talon-1234567890
+  ./talon stop CLEAN=true
+
+Monitor workflows at http://localhost:8233
+EOF
+}
+
+# Parse KEY=value arguments into variables
+parse_args() {
+  for arg in "$@"; do
+    case "$arg" in
+      URL=*) URL="${arg#URL=}" ;;
+      REPO=*) REPO="${arg#REPO=}" ;;
+      CONFIG=*) CONFIG="${arg#CONFIG=}" ;;
+      OUTPUT=*) OUTPUT="${arg#OUTPUT=}" ;;
+      ID=*) ID="${arg#ID=}" ;;
+      CLEAN=*) CLEAN="${arg#CLEAN=}" ;;
+      PIPELINE_TESTING=*) PIPELINE_TESTING="${arg#PIPELINE_TESTING=}" ;;
+      REBUILD=*) REBUILD="${arg#REBUILD=}" ;;
+      ROUTER=*) ROUTER="${arg#ROUTER=}" ;;
+      WORKSPACE=*) WORKSPACE="${arg#WORKSPACE=}" ;;
+      TARGET=*) TARGET="${arg#TARGET=}" ;;
+      GENERATIONS=*) GENERATIONS="${arg#GENERATIONS=}" ;;
+      GROUND_TRUTH=*) GROUND_TRUTH="${arg#GROUND_TRUTH=}" ;;
+      SEED=*) SEED="${arg#SEED=}" ;;
+    esac
+  done
+}
+
+# Check if Temporal is running and healthy
+is_temporal_ready() {
+  docker compose -f "$COMPOSE_FILE" $COMPOSE_OVERRIDE exec -T temporal \
+    temporal operator cluster health --address localhost:7233 2>/dev/null | grep -q "SERVING"
+}
+
+# Ensure containers are running with correct mounts
+ensure_containers() {
+  # Quick check: if Temporal is already healthy, just refresh worker env
+  if is_temporal_ready; then
+    # Always refresh worker to pick up env var changes (ROUTER mode, model overrides, etc.)
+    docker compose -f "$COMPOSE_FILE" $COMPOSE_OVERRIDE up -d worker 2>/dev/null || true
+    return 0
+  fi
+
+  # Need to start containers
+  echo "Starting Talon containers..."
+  if [ "$REBUILD" = "true" ]; then
+    # Force rebuild without cache (use when code changes aren't being picked up)
+    echo "Rebuilding with --no-cache..."
+    docker compose -f "$COMPOSE_FILE" $COMPOSE_OVERRIDE build --no-cache worker
+  fi
+  docker compose -f "$COMPOSE_FILE" $COMPOSE_OVERRIDE up -d --build
+
+  # Wait for Temporal to be ready
+  echo "Waiting for Temporal to be ready..."
+  for i in $(seq 1 30); do
+    if is_temporal_ready; then
+      echo "Temporal is ready!"
+      return 0
+    fi
+    if [ "$i" -eq 30 ]; then
+      echo "Timeout waiting for Temporal"
+      exit 1
+    fi
+    sleep 2
+  done
+}
+
+cmd_start() {
+  parse_args "$@"
+
+  # Validate required vars
+  if [ -z "$URL" ] || [ -z "$REPO" ]; then
+    echo "ERROR: URL and REPO are required"
+    echo "Usage: ./talon start URL=<url> REPO=<name>"
+    exit 1
+  fi
+
+  # Check for API key (Bedrock and router modes can bypass this)
+  if [ -z "$ANTHROPIC_API_KEY" ] && [ -z "$CLAUDE_CODE_OAUTH_TOKEN" ]; then
+    if [ "$CLAUDE_CODE_USE_BEDROCK" = "1" ]; then
+      # Bedrock mode — validate required AWS credentials
+      MISSING=""
+      [ -z "$AWS_REGION" ] && MISSING="$MISSING AWS_REGION"
+      [ -z "$AWS_BEARER_TOKEN_BEDROCK" ] && MISSING="$MISSING AWS_BEARER_TOKEN_BEDROCK"
+      [ -z "$ANTHROPIC_SMALL_MODEL" ] && MISSING="$MISSING ANTHROPIC_SMALL_MODEL"
+      [ -z "$ANTHROPIC_MEDIUM_MODEL" ] && MISSING="$MISSING ANTHROPIC_MEDIUM_MODEL"
+      [ -z "$ANTHROPIC_LARGE_MODEL" ] && MISSING="$MISSING ANTHROPIC_LARGE_MODEL"
+      if [ -n "$MISSING" ]; then
+        echo "ERROR: Bedrock mode requires the following env vars in .env:$MISSING"
+        exit 1
+      fi
+    elif [ "$CLAUDE_CODE_USE_VERTEX" = "1" ]; then
+      # Vertex AI mode — validate required GCP credentials
+      MISSING=""
+      [ -z "$CLOUD_ML_REGION" ] && MISSING="$MISSING CLOUD_ML_REGION"
+      [ -z "$ANTHROPIC_VERTEX_PROJECT_ID" ] && MISSING="$MISSING ANTHROPIC_VERTEX_PROJECT_ID"
+      [ -z "$ANTHROPIC_SMALL_MODEL" ] && MISSING="$MISSING ANTHROPIC_SMALL_MODEL"
+      [ -z "$ANTHROPIC_MEDIUM_MODEL" ] && MISSING="$MISSING ANTHROPIC_MEDIUM_MODEL"
+      [ -z "$ANTHROPIC_LARGE_MODEL" ] && MISSING="$MISSING ANTHROPIC_LARGE_MODEL"
+      if [ -n "$MISSING" ]; then
+        echo "ERROR: Vertex AI mode requires the following env vars in .env:$MISSING"
+        exit 1
+      fi
+      # Validate service account key file (must be inside ./credentials/ for Docker mount)
+      if [ -z "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
+        echo "ERROR: Vertex AI mode requires GOOGLE_APPLICATION_CREDENTIALS in .env"
+        echo "       Place your service account key in ./credentials/ and set:"
+        echo "       GOOGLE_APPLICATION_CREDENTIALS=./credentials/gcp-sa-key.json"
+        exit 1
+      fi
+      if [ ! -f "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
+        echo "ERROR: Service account key file not found: $GOOGLE_APPLICATION_CREDENTIALS"
+        echo "       Download a key from the GCP Console (IAM > Service Accounts > Keys)"
+        exit 1
+      fi
+    elif [ "$ROUTER" = "true" ] && { [ -n "$OPENAI_API_KEY" ] || [ -n "$OPENROUTER_API_KEY" ]; }; then
+      # Router mode with alternative provider - set a placeholder for SDK init
+      export ANTHROPIC_API_KEY="router-mode"
+    else
+      echo "ERROR: Set ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN in .env"
+      echo "       (or use CLAUDE_CODE_USE_BEDROCK=1 for AWS Bedrock,"
+      echo "        CLAUDE_CODE_USE_VERTEX=1 for Google Vertex AI,"
+      echo "        or ROUTER=true with OPENAI_API_KEY or OPENROUTER_API_KEY)"
+      exit 1
+    fi
+  fi
+
+  # Determine container path for REPO
+  # - If REPO is already a container path (/benchmarks/*, /repos/*), use as-is
+  # - Otherwise, treat as a folder name under ./repos/ (mounted at /repos in container)
+  case "$REPO" in
+    /benchmarks/*|/repos/*)
+      CONTAINER_REPO="$REPO"
+      ;;
+    *)
+      if [ ! -d "./repos/$REPO" ]; then
+        echo "ERROR: Repository not found at ./repos/$REPO"
+        echo ""
+        echo "Place your target repository under the ./repos/ directory"
+        exit 1
+      fi
+      CONTAINER_REPO="/repos/$REPO"
+      ;;
+  esac
+
+  # Handle custom OUTPUT directory
+  # Export OUTPUT_DIR for docker-compose volume mount BEFORE starting containers
+  if [ -n "$OUTPUT" ]; then
+    # Create output directory with write permissions for container user (UID 1001)
+    mkdir -p "$OUTPUT"
+    chmod 777 "$OUTPUT"  # 777 required: container UID 1001 differs from host UID
+    export OUTPUT_DIR="$OUTPUT"
+  fi
+
+  # Handle ROUTER flag - set env vars BEFORE starting containers
+  if [ "$ROUTER" = "true" ]; then
+    # Set ANTHROPIC_BASE_URL to route through router
+    export ANTHROPIC_BASE_URL="http://router:3456"
+    # Generate router auth token if not set (must match router-config.json APIKEY)
+    if [ -z "$TALON_ROUTER_KEY" ]; then
+      export TALON_ROUTER_KEY=$(openssl rand -hex 32)
+      echo "Generated router key (set TALON_ROUTER_KEY in .env to persist)"
+    fi
+    export ANTHROPIC_AUTH_TOKEN="$TALON_ROUTER_KEY"
+  fi
+
+  # Ensure audit-logs directory exists with write permissions for container user (UID 1001)
+  mkdir -p ./audit-logs ./credentials
+  chmod 777 ./audit-logs  # 777 required: container UID 1001 differs from host UID
+
+  # Ensure repo deliverables directory is writable by container user (UID 1001)
+  if [ -d "./repos/$REPO" ]; then
+    mkdir -p "./repos/$REPO/deliverables"
+    chmod 777 "./repos/$REPO/deliverables"  # 777 required: container UID 1001 differs from host UID
+  fi
+
+  # Start router BEFORE main containers so worker can reach it on boot
+  if [ "$ROUTER" = "true" ]; then
+    if [ -z "$OPENAI_API_KEY" ] && [ -z "$OPENROUTER_API_KEY" ]; then
+      echo "WARNING: No provider API key set (OPENAI_API_KEY or OPENROUTER_API_KEY). Router may not work."
+    fi
+
+    echo "Starting claude-code-router..."
+    docker compose -f "$COMPOSE_FILE" $COMPOSE_OVERRIDE --profile router up -d --build router
+
+    # Wait for router health check
+    echo "Waiting for router to be ready..."
+    for i in $(seq 1 15); do
+      if docker compose -f "$COMPOSE_FILE" $COMPOSE_OVERRIDE --profile router ps router 2>/dev/null | grep -q "healthy"; then
+        echo "Router is ready!"
+        break
+      fi
+      if [ "$i" -eq 15 ]; then
+        echo "WARNING: Router health check timed out (continuing anyway)"
+      fi
+      sleep 2
+    done
+  fi
+
+  # Ensure containers are running (starts them if needed)
+  ensure_containers
+
+  # Build optional args
+  ARGS=""
+  [ -n "$CONFIG" ] && ARGS="$ARGS --config $CONFIG"
+
+  # Pass container path for output (where OUTPUT_DIR is mounted)
+  # Also pass display path so client can show the host path to user
+  if [ -n "$OUTPUT" ]; then
+    ARGS="$ARGS --output /app/output --display-output $OUTPUT"
+  fi
+
+  [ "$PIPELINE_TESTING" = "true" ] && ARGS="$ARGS --pipeline-testing"
+  [ -n "$WORKSPACE" ] && ARGS="$ARGS --workspace $WORKSPACE"
+
+  # Run the client to submit workflow
+  docker compose -f "$COMPOSE_FILE" $COMPOSE_OVERRIDE exec -T worker \
+    node dist/temporal/client.js "$URL" "$CONTAINER_REPO" $ARGS
+}
+
+cmd_logs() {
+  parse_args "$@"
+
+  if [ -z "$ID" ]; then
+    echo "ERROR: ID is required"
+    echo "Usage: ./talon logs ID=<workflow-id>"
+    exit 1
+  fi
+
+  # Auto-discover the workflow log file
+  # 1. Check default location first
+  # 2. Search common output directories
+  # 3. Fall back to find command
+  WORKFLOW_LOG=""
+
+  if [ -f "./audit-logs/${ID}/workflow.log" ]; then
+    WORKFLOW_LOG="./audit-logs/${ID}/workflow.log"
+  else
+    # For resume workflow IDs (e.g. workspace_resume_123), check the original workspace
+    WORKSPACE_ID="${ID%%_resume_*}"
+    if [ "$WORKSPACE_ID" != "$ID" ] && [ -f "./audit-logs/${WORKSPACE_ID}/workflow.log" ]; then
+      WORKFLOW_LOG="./audit-logs/${WORKSPACE_ID}/workflow.log"
+    fi
+
+    # For named workspace IDs (e.g. workspace_talon-123), check the workspace name
+    if [ -z "$WORKFLOW_LOG" ]; then
+      WORKSPACE_ID="${ID%%_talon-*}"
+      if [ "$WORKSPACE_ID" != "$ID" ] && [ -f "./audit-logs/${WORKSPACE_ID}/workflow.log" ]; then
+        WORKFLOW_LOG="./audit-logs/${WORKSPACE_ID}/workflow.log"
+      fi
+    fi
+
+    if [ -z "$WORKFLOW_LOG" ]; then
+      # Search for the workflow directory (handles custom OUTPUT paths)
+      FOUND=$(find . -maxdepth 3 -path "*/${ID}/workflow.log" -type f 2>/dev/null | head -1)
+      if [ -n "$FOUND" ]; then
+        WORKFLOW_LOG="$FOUND"
+      fi
+    fi
+  fi
+
+  if [ -n "$WORKFLOW_LOG" ]; then
+    echo "Tailing workflow log: $WORKFLOW_LOG"
+    tail -f "$WORKFLOW_LOG"
+  else
+    echo "ERROR: Workflow log not found for ID: $ID"
+    echo ""
+    echo "Possible causes:"
+    echo "  - Workflow hasn't started yet"
+    echo "  - Workflow ID is incorrect"
+    echo ""
+    echo "Check the Temporal Web UI at http://localhost:8233 for workflow details"
+    exit 1
+  fi
+}
+
+cmd_workspaces() {
+  # Ensure containers are running (need worker to execute node)
+  ensure_containers
+
+  docker compose -f "$COMPOSE_FILE" $COMPOSE_OVERRIDE exec -T worker \
+    node dist/temporal/workspaces.js
+}
+
+cmd_benchmark() {
+  parse_args "$@"
+
+  if [ -z "$TARGET" ]; then
+    echo "ERROR: TARGET is required"
+    echo "Usage: ./talon benchmark TARGET=<name> [GROUND_TRUTH=<csv>]"
+    exit 1
+  fi
+
+  ensure_containers
+
+  ARGS=""
+  [ -n "$GROUND_TRUTH" ] && ARGS="$ARGS --ground-truth $GROUND_TRUTH"
+
+  docker compose -f "$COMPOSE_FILE" $COMPOSE_OVERRIDE exec -T worker \
+    node dist/backtesting/benchmark-cli.js "$TARGET" --output /app/audit-logs $ARGS
+}
+
+cmd_evolve() {
+  parse_args "$@"
+
+  GENERATIONS="${GENERATIONS:-1}"
+
+  ensure_containers
+
+  ARGS="--generations $GENERATIONS"
+  [ -n "$SEED" ] && ARGS="$ARGS --seed $SEED"
+
+  docker compose -f "$COMPOSE_FILE" $COMPOSE_OVERRIDE exec -T worker \
+    node dist/evolution/evolve-cli.js $ARGS
+}
+
+cmd_setup() {
+  if ! command -v node &>/dev/null; then
+    echo "Node.js is required for the setup wizard."
+    echo "Install Node.js 22+: https://nodejs.org/en/download"
+    exit 1
+  fi
+  if [ ! -f "dist/cli/setup.js" ]; then
+    echo "Building Talon..."
+    npm install --silent && npm run build
+  fi
+  node dist/cli/setup.js "$@"
+}
+
+cmd_doctor() {
+  if ! command -v node &>/dev/null; then
+    echo "Node.js is required. Install: https://nodejs.org/en/download"
+    exit 1
+  fi
+  if [ ! -f "dist/cli/doctor.js" ]; then
+    echo "Building Talon..."
+    npm install --silent && npm run build
+  fi
+  node dist/cli/doctor.js "$@"
+}
+
+cmd_stop() {
+  parse_args "$@"
+
+  if [ "$CLEAN" = "true" ]; then
+    docker compose -f "$COMPOSE_FILE" $COMPOSE_OVERRIDE --profile router down -v
+  else
+    docker compose -f "$COMPOSE_FILE" $COMPOSE_OVERRIDE --profile router down
+  fi
+}
+
+# Main command dispatch
+case "${1:-help}" in
+  setup)
+    shift
+    cmd_setup "$@"
+    ;;
+  doctor)
+    shift
+    cmd_doctor "$@"
+    ;;
+  start)
+    shift
+    cmd_start "$@"
+    ;;
+  logs)
+    shift
+    cmd_logs "$@"
+    ;;
+  benchmark)
+    shift
+    cmd_benchmark "$@"
+    ;;
+  evolve)
+    shift
+    cmd_evolve "$@"
+    ;;
+  workspaces)
+    shift
+    cmd_workspaces
+    ;;
+  stop)
+    shift
+    cmd_stop "$@"
+    ;;
+  help|--help|-h|*)
+    show_help
+    ;;
+esac