cipher-security 2.0.0

package/bin/cipher.js

@@ -0,0 +1,566 @@
+#!/usr/bin/env node
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * cipher — CLI entry point for the CIPHER security engineering platform.
+ *
+ * Fast path: --version / -V / --help / -h use only node:fs + node:path
+ * (zero dynamic imports, <200ms cold start).
+ *
+ * Command path: dynamically imports python-bridge.js, spawns the Python
+ * gateway, routes JSON-RPC commands, prints results, and exits.
+ */
+
+import { readFileSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { spawn } from 'node:child_process';
+
+// ---------------------------------------------------------------------------
+// Fast path — no dynamic imports, must complete in <200ms
+// ---------------------------------------------------------------------------
+
+const args = process.argv.slice(2);
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const pkg = JSON.parse(readFileSync(resolve(__dirname, '..', 'package.json'), 'utf8'));
+
+if (args[0] === '--version' || args[0] === '-V') {
+  console.log(pkg.version);
+  process.exit(0);
+}
+
+if (args[0] === '--help' || args[0] === '-h') {
+  const CYN = '\x1b[36m';
+  const B = '\x1b[1m';
+  const D = '\x1b[2m';
+  const R = '\x1b[0m';
+  const GRN = '\x1b[32m';
+
+  console.log(`${CYN}${B}
+   ██████╗██╗██████╗ ██╗  ██╗███████╗██████╗
+  ██╔════╝██║██╔══██╗██║  ██║██╔════╝██╔══██╗
+  ██║     ██║██████╔╝███████║█████╗  ██████╔╝
+  ██║     ██║██╔═══╝ ██╔══██║██╔══╝  ██╔══██╗
+  ╚██████╗██║██║     ██║  ██║███████╗██║  ██║
+   ╚═════╝╚═╝╚═╝     ╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝${R}
+  ${D}Claude Integrated Privacy & Hardening Expert Resource${R}  ${D}v${pkg.version}${R}
+
+${B}Usage:${R} cipher [command] [options]
+       cipher <query>          ${D}Freeform security query${R}
+
+${B}Commands:${R}
+  ${GRN}query${R}             Run a security query
+  ${GRN}scan${R}              Run a security scan
+  ${GRN}compliance${R}        Run compliance checks (39 frameworks)
+  ${GRN}search${R}            Search security data
+  ${GRN}osint${R}             OSINT intelligence tools
+  ${GRN}diff${R}              Analyze git diff for security issues
+  ${GRN}sarif${R}             SARIF report tools
+
+  ${GRN}status${R}            Show system status
+  ${GRN}doctor${R}            Diagnose installation health
+  ${GRN}version${R}           Print version information
+  ${GRN}setup${R}             Run setup wizard
+  ${GRN}update${R}            Update CIPHER to latest version
+
+  ${GRN}domains${R}           List skill domains
+  ${GRN}skills${R}            Search skills
+  ${GRN}store${R}             Store findings in memory
+  ${GRN}stats${R}             Show statistics
+  ${GRN}leaderboard${R}       Skill effectiveness metrics
+  ${GRN}marketplace${R}       Browse skill marketplace
+
+  ${GRN}api${R}               Start REST API server
+  ${GRN}mcp${R}               Start MCP server (stdio)
+  ${GRN}bot${R}               Start Signal bot
+
+  ${GRN}workflow${R}           Generate CI/CD security workflow
+  ${GRN}memory-export${R}     Export memory to JSON
+  ${GRN}memory-import${R}     Import memory from JSON
+  ${GRN}feedback${R}          Run skill improvement loop
+  ${GRN}ingest${R}            Re-index knowledge base
+  ${GRN}plugin${R}            Manage plugins
+  ${GRN}setup-signal${R}      Configure Signal integration
+  ${GRN}score${R}             Score response quality
+  ${GRN}dashboard${R}         System dashboard
+  ${GRN}web${R}               Web interface (use cipher api)
+
+${B}Options:${R}
+  --version, -V     Print version and exit
+  --help, -h        Print this help and exit
+  --autonomous      Run in autonomous mode (cipher blue --autonomous "task")
+  --backend         Override LLM backend (ollama, claude, litellm)
+  --no-stream       Disable streaming output
+
+${B}Environment:${R}
+  CIPHER_DEBUG=1    Enable verbose debug logging
+
+${D}Documentation: https://github.com/defconxt/CIPHER${R}`);
+  process.exit(0);
+}
+
+// ---------------------------------------------------------------------------
+// No arguments: check if config exists → wizard or help
+// ---------------------------------------------------------------------------
+
+if (args.length === 0) {
+  try {
+    const { configExists } = await import('../lib/config.js');
+    if (!configExists()) {
+      const { runSetupWizard } = await import('../lib/setup-wizard.js');
+      await runSetupWizard();
+      process.exit(0);
+    }
+  } catch (err) {
+    console.error(`Setup wizard failed: ${err.message || err}`);
+    process.exit(1);
+  }
+  // Config exists but no command — show help hint
+  console.error('No command specified. Run `cipher --help` for usage.');
+  process.exit(1);
+}
+
+// ---------------------------------------------------------------------------
+// Node.js-native commands — handled before the Python bridge is loaded
+// ---------------------------------------------------------------------------
+
+const nativeCommands = new Set(['setup']);
+
+if (nativeCommands.has(args[0])) {
+  try {
+    const { runSetupWizard } = await import('../lib/setup-wizard.js');
+    await runSetupWizard();
+    process.exit(0);
+  } catch (err) {
+    console.error(`Setup wizard failed: ${err.message || err}`);
+    process.exit(1);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Extract query-specific flags before general command parsing
+// ---------------------------------------------------------------------------
+
+let queryBackendOverride = null;
+let queryNoStream = false;
+let autonomousMode = null;
+
+/** Set of valid autonomous mode names (lowercased). */
+const MODE_NAMES = new Set(['red', 'blue', 'incident', 'purple', 'recon', 'privacy', 'architect']);
+
+/** Clean args with --backend, --no-stream, and --autonomous extracted */
+const cleanedArgs = [];
+for (let i = 0; i < args.length; i++) {
+  if (args[i] === '--backend' && i + 1 < args.length) {
+    queryBackendOverride = args[i + 1];
+    i++; // skip value
+  } else if (args[i] === '--no-stream') {
+    queryNoStream = true;
+  } else if (args[i] === '--autonomous') {
+    // --autonomous flag found — look for a mode name in the remaining args.
+    // The mode name can be adjacent (cipher --autonomous blue "task")
+    // or positional-first (cipher blue --autonomous "task").
+    // We'll collect it after the loop from cleanedArgs.
+    autonomousMode = '__pending__';
+  } else {
+    cleanedArgs.push(args[i]);
+  }
+}
+
+// If --autonomous was found, extract the mode name from cleaned positional args
+if (autonomousMode === '__pending__') {
+  // Check the first positional arg (non-flag) for a mode name
+  const firstPositional = cleanedArgs.find(a => !a.startsWith('-'));
+  if (firstPositional && MODE_NAMES.has(firstPositional.toLowerCase())) {
+    autonomousMode = firstPositional.toLowerCase();
+    // Remove the mode name from cleanedArgs so parseCommand() doesn't see it
+    const idx = cleanedArgs.indexOf(firstPositional);
+    cleanedArgs.splice(idx, 1);
+  } else {
+    console.error(
+      `Error: --autonomous requires a valid mode name.\n` +
+      `Available modes: ${[...MODE_NAMES].sort().join(', ')}\n\n` +
+      `Usage: cipher <mode> --autonomous "task description"\n` +
+      `Example: cipher blue --autonomous "Generate Sigma rules for T1059.001"`
+    );
+    process.exit(1);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Command routing — dynamic imports below this point
+// ---------------------------------------------------------------------------
+
+const knownCommands = new Set([
+  // Gateway
+  'query', 'ingest', 'status', 'doctor', 'setup-signal',
+  'dashboard', 'web', 'version', 'plugin',
+  // Pipeline
+  'scan', 'search', 'store', 'diff', 'workflow', 'stats', 'domains',
+  'skills', 'score', 'marketplace', 'compliance', 'leaderboard',
+  'feedback', 'memory-export', 'memory-import', 'sarif', 'osint', 'update',
+  // Services
+  'bot', 'mcp', 'api',
+]);
+
+/**
+ * Parse argv into a command name and remaining args.
+ * First non-flag argument is checked against knownCommands.
+ * If not a known command, treat all non-flag words as a bare query.
+ *
+ * @param {string[]} argv
+ * @returns {{ command: string, commandArgs: string[] }}
+ */
+function parseCommand(argv) {
+  const flags = [];
+  const positional = [];
+
+  for (const arg of argv) {
+    if (arg.startsWith('-')) {
+      flags.push(arg);
+    } else {
+      positional.push(arg);
+    }
+  }
+
+  if (positional.length === 0) {
+    // No positional args — show help
+    console.error('No command specified. Run `cipher --help` for usage.');
+    process.exit(1);
+  }
+
+  const first = positional[0];
+
+  if (knownCommands.has(first)) {
+    return {
+      command: first,
+      commandArgs: [...positional.slice(1), ...flags],
+    };
+  }
+
+  // Bare query — join all positional words as query text
+  return {
+    command: 'query',
+    commandArgs: [...positional, ...flags],
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Bridge result formatter
+// ---------------------------------------------------------------------------
+
+/**
+ * Format and print a bridge command result, then exit if needed.
+ *
+ * Result shapes from bridge.py:
+ *   1. {output, exit_code, error: true} — command error: print output to stderr, exit with code
+ *   2. {output, exit_code}              — text-mode result: print output directly
+ *   3. Plain object (no output field)   — structured JSON: pretty-print as JSON
+ *   4. String                           — legacy: print directly
+ *   5. null/undefined                   — no output
+ *
+ * @param {*} result - Bridge command result
+ */
+async function formatBridgeResult(result, commandName = '') {
+  if (result === null || result === undefined) {
+    return;
+  }
+
+  if (typeof result === 'string') {
+    console.log(result);
+    return;
+  }
+
+  if (typeof result === 'object') {
+    // Error result — print to stderr and exit with error code
+    if (result.error === true) {
+      if (result.message) {
+        process.stderr.write(result.message + '\n');
+      } else if (result.output) {
+        process.stderr.write(result.output + '\n');
+      }
+      process.exit(result.exit_code || 1);
+    }
+
+    // Branded output for specific commands
+    if (commandName === 'version' && result.version) {
+      const { formatVersion } = await import('../lib/brand.js');
+      process.stderr.write(formatVersion(result.version) + '\n');
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+
+    if (commandName === 'doctor' && result.checks) {
+      const { header, formatDoctorChecks, divider, success, warn } = await import('../lib/brand.js');
+      header('Health Check');
+      divider();
+      process.stderr.write(formatDoctorChecks(result.checks) + '\n');
+      divider();
+      if (result.healthy) {
+        success(`All checks passed (${result.summary})`);
+      } else {
+        warn(result.summary);
+      }
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+
+    if (commandName === 'status' && result.status) {
+      const { header, status: statusDot, divider } = await import('../lib/brand.js');
+      header('Status');
+      divider();
+      statusDot('Backend', result.backend ? 'ok' : 'warn', result.backend || 'not configured');
+      statusDot('Config', result.config?.valid ? 'ok' : 'fail', result.config?.valid ? 'valid' : 'invalid or missing');
+      if (result.memory) {
+        statusDot('Memory', 'ok', `${result.memory.total} entries (${result.memory.active} active)`);
+      }
+      divider();
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+
+    // Text-mode result — print output directly (pre-formatted from CliRunner)
+    if ('output' in result) {
+      if (result.output) {
+        console.log(result.output);
+      }
+      if (result.exit_code && result.exit_code !== 0) {
+        process.exit(result.exit_code);
+      }
+      return;
+    }
+
+    // Structured JSON result — pretty-print (skip empty objects from branded commands)
+    if (Object.keys(result).length > 0) {
+      console.log(JSON.stringify(result, null, 2));
+    }
+    return;
+  }
+
+  // Fallback for unexpected types
+  console.log(String(result));
+}
+
+// ---------------------------------------------------------------------------
+// Dispatch helpers + autonomous/standard routing
+// ---------------------------------------------------------------------------
+
+const { command, commandArgs } = parseCommand(cleanedArgs);
+
+const debug = process.env.CIPHER_DEBUG === '1';
+
+
+// ---------------------------------------------------------------------------
+// Autonomous mode dispatch — bypasses normal command routing entirely
+// ---------------------------------------------------------------------------
+
+if (autonomousMode) {
+  // Build task text from remaining non-flag args
+  const taskText = commandArgs.filter(a => !a.startsWith('-')).join(' ')
+    || (command === 'query' ? commandArgs.join(' ') : '');
+
+  if (debug) {
+    process.stderr.write(
+      `[bridge:node] Autonomous dispatch: mode=${autonomousMode} task="${taskText}"\n`
+    );
+  }
+
+  try {
+    const { runAutonomous } = await import('../lib/autonomous/runner.js');
+    const { parseTaskInput } = await import('../lib/autonomous/task-parser.js');
+
+    const taskInput = parseTaskInput(autonomousMode.toUpperCase(), taskText);
+
+    const result = await runAutonomous(
+      autonomousMode,
+      taskInput,
+      queryBackendOverride,
+    );
+
+    // Format result
+    if (result.error) {
+      process.stderr.write(`Error: ${result.error}\n`);
+      process.exit(1);
+    }
+
+    // Print output
+    if (result.outputText) {
+      process.stdout.write(result.outputText + '\n');
+    }
+
+    // Print validation warnings to stderr
+    if (result.validation && !result.validation.valid) {
+      process.stderr.write('Validation warnings:\n');
+      for (const err of (result.validation.errors || [])) {
+        process.stderr.write(`  - ${err}\n`);
+      }
+    }
+  } catch (err) {
+    const msg = err.message || String(err);
+    process.stderr.write(`Error: ${msg}\n`);
+    process.exit(1);
+  }
+
+  process.exit(0);
+}
+
+// ---------------------------------------------------------------------------
+// Standard dispatch: passthrough vs native
+// ---------------------------------------------------------------------------
+
+const { getCommandMode } = await import('../lib/commands.js');
+const mode = getCommandMode(command);
+
+if (mode === 'native') {
+  // ── Native dispatch — Node.js handler functions (no Python) ────────────
+  if (debug) {
+    process.stderr.write(`[bridge:node] Dispatching command=${command} mode=native\n`);
+  }
+
+  /**
+   * Convert kebab-case command name to handler function name.
+   * 'memory-export' → 'handleMemoryExport'
+   * 'stats' → 'handleStats'
+   *
+   * @param {string} cmd
+   * @returns {string}
+   */
+  function toHandlerName(cmd) {
+    return 'handle' + cmd
+      .split('-')
+      .map(w => w[0].toUpperCase() + w.slice(1))
+      .join('');
+  }
+
+  try {
+    // ── API server command: long-running HTTP server (no Python) ──────────
+    if (command === 'api') {
+      const { createAPIServer, APIConfig } = await import('../lib/api/server.js');
+      const apiPort = commandArgs.find((a, i) => commandArgs[i - 1] === '--port') || '8443';
+      const apiHost = commandArgs.find((a, i) => commandArgs[i - 1] === '--host') || '127.0.0.1';
+      const noAuth = commandArgs.includes('--no-auth');
+      const cfg = new APIConfig({
+        port: parseInt(apiPort, 10),
+        host: apiHost,
+        requireAuth: !noAuth,
+      });
+      const api = createAPIServer(cfg);
+      const actualPort = await api.start();
+      console.log(`CIPHER API listening on ${cfg.host}:${actualPort}`);
+      // Keep process alive — Ctrl+C to stop
+      process.on('SIGINT', async () => {
+        await api.stop();
+        console.log('\nShutdown complete.');
+        process.exit(0);
+      });
+      process.on('SIGTERM', async () => {
+        await api.stop();
+        process.exit(0);
+      });
+    // ── MCP server command: JSON-RPC over stdio ──────────────────────────
+    } else if (command === 'mcp') {
+      const { CipherMCPServer } = await import('../lib/mcp/server.js');
+      const mcp = new CipherMCPServer();
+      mcp.startStdio();
+    // ── Bot command: Signal bot ──────────────────────────────────────────
+    } else if (command === 'bot') {
+      const { banner, header, info, warn, success, divider } = await import('../lib/brand.js');
+      const { loadConfig, configExists } = await import('../lib/config.js');
+
+      banner(pkg.version);
+      header('Signal Bot');
+
+      // Load signal config
+      let signalCfg = {};
+      if (configExists()) {
+        try {
+          const cfg = loadConfig();
+          signalCfg = cfg.signal || {};
+        } catch { /* ignore */ }
+      }
+
+      const svc = commandArgs.find((a, i) => commandArgs[i - 1] === '--service')
+        || process.env.SIGNAL_SERVICE || signalCfg.signal_service || '';
+      const phone = commandArgs.find((a, i) => commandArgs[i - 1] === '--phone')
+        || process.env.SIGNAL_PHONE_NUMBER || signalCfg.phone_number || '';
+      const whitelist = process.env.SIGNAL_WHITELIST
+        ? process.env.SIGNAL_WHITELIST.split(',').map(n => n.trim())
+        : signalCfg.whitelist || [];
+
+      if (!svc || !phone) {
+        divider();
+        warn('Signal is not configured.');
+        info('Run: cipher setup-signal');
+        divider();
+        process.exit(1);
+      }
+
+      divider();
+      success(`Service:   ${svc}`);
+      success(`Phone:     ${phone}`);
+      if (whitelist.length) {
+        success(`Whitelist: ${whitelist.join(', ')}`);
+      } else {
+        warn('Whitelist: none (all senders allowed)');
+      }
+      divider();
+      info('Starting bot... (Ctrl+C to stop)');
+
+      const { runBot } = await import('../lib/bot/bot.js');
+      await runBot({ signalService: svc, phoneNumber: phone, whitelist, sessionTimeout: signalCfg.session_timeout || 3600 });
+    // ── Query command: streaming via Gateway or non-streaming via handler ──
+    } else if (command === 'query') {
+      const queryText = commandArgs.filter(a => !a.startsWith('-')).join(' ');
+
+      if (queryNoStream) {
+        // --no-stream: use handleQuery for non-streaming response
+        const { handleQuery } = await import('../lib/gateway/commands.js');
+        const result = await handleQuery({ message: queryText });
+        await formatBridgeResult(result, command);
+      } else {
+        // Streaming path — Gateway.sendStream() → async iterator → stdout
+        const { Gateway } = await import('../lib/gateway/gateway.js');
+        const gw = new Gateway({
+          backendOverride: queryBackendOverride || undefined,
+          rag: true,
+        });
+
+        for await (const token of gw.sendStream(queryText)) {
+          process.stdout.write(token);
+        }
+        process.stdout.write('\n');
+      }
+    } else {
+      // ── Non-query native commands ──────────────────────────────────────
+      const handlers = await import('../lib/gateway/commands.js');
+      const handlerName = toHandlerName(command);
+      const handler = handlers[handlerName];
+
+      if (!handler) {
+        console.error(`Unknown native command: ${command}`);
+        process.exit(1);
+      }
+
+      const result = await handler(commandArgs);
+
+      // Native handlers return {error: true, message: "..."} for errors.
+      // formatBridgeResult expects {error: true, output: "...", exit_code: N}.
+      // Bridge the shape difference here.
+      if (result && result.error === true && result.message && !('output' in result)) {
+        process.stderr.write(result.message + '\n');
+        process.exit(result.exit_code || 1);
+      } else {
+        await formatBridgeResult(result, command);
+      }
+    }
+  } catch (err) {
+    console.error(`Error: ${err.message || err}`);
+    process.exit(1);
+  }
+} else {
+  // Unknown command mode — should not happen
+  console.error(`Unknown command: ${command}. Run \`cipher --help\` for usage.`);
+  process.exit(1);
+}