cipher-security 2.0.0

package/lib/autonomous/task-parser.js

@@ -0,0 +1,127 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+
+/**
+ * Parse freeform CLI task text into structured taskInput for each autonomous mode.
+ *
+ * Each mode's system prompt template expects specific variables:
+ *   BLUE:      {ttp_id}, {ttp_description}
+ *   PURPLE:    {ttp_id}, {ttp_description}
+ *   INCIDENT:  {pcap_path}, {pcap_description}
+ *   RECON:     {target_domain}, {target_description}
+ *   PRIVACY:   {codebase_description}, {file_listing}
+ *   ARCHITECT: {system_description}
+ *
+ * The parser extracts what it can from the text and fills defaults for the rest.
+ */
+
+// ATT&CK technique ID pattern
+const TTP_RE = /\b(T\d{4}(?:\.\d{3})?)\b/i;
+
+// Domain/hostname pattern
+const DOMAIN_RE = /\b([a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z]{2,})+)\b/;
+
+// File path pattern
+const FILE_PATH_RE = /(?:^|\s)((?:\/|\.\/|~\/)[^\s]+|[a-zA-Z]:\\[^\s]+)/;
+
+/**
+ * Parse freeform task text into structured input for a given mode.
+ *
+ * @param {string} mode - Uppercase mode name (BLUE, INCIDENT, etc.)
+ * @param {string} taskText - Freeform user input
+ * @returns {object} Structured taskInput with mode-specific fields + user_message
+ */
+export function parseTaskInput(mode, taskText) {
+  const base = { user_message: taskText };
+
+  switch (mode) {
+    case 'BLUE':
+    case 'PURPLE':
+      return { ...parseTtpInput(taskText), ...base };
+
+    case 'INCIDENT':
+      return { ...parseIncidentInput(taskText), ...base };
+
+    case 'RECON':
+      return { ...parseReconInput(taskText), ...base };
+
+    case 'PRIVACY':
+      return { ...parsePrivacyInput(taskText), ...base };
+
+    case 'ARCHITECT':
+      return { system_description: taskText, ...base };
+
+    case 'RED':
+      return { task: taskText, ...base };
+
+    default:
+      return { task: taskText, ...base };
+  }
+}
+
+function parseTtpInput(text) {
+  const match = text.match(TTP_RE);
+  const ttpId = match ? match[1].toUpperCase() : '';
+
+  // Remove the TTP ID from description
+  let description = text;
+  if (ttpId) {
+    description = text.replace(TTP_RE, '').trim();
+  }
+
+  // If no description left, use the TTP ID as description
+  if (!description) {
+    description = `ATT&CK technique ${ttpId}`;
+  }
+
+  return {
+    ttp_id: ttpId || 'UNSPECIFIED',
+    ttp_description: description,
+  };
+}
+
+function parseIncidentInput(text) {
+  const pathMatch = text.match(FILE_PATH_RE);
+  const pcapPath = pathMatch ? pathMatch[1] : '';
+
+  let description = text;
+  if (pcapPath) {
+    description = text.replace(pcapPath, '').trim();
+  }
+  if (!description) {
+    description = pcapPath ? `Analyze packet capture: ${pcapPath}` : 'Triage the provided evidence';
+  }
+
+  return {
+    pcap_path: pcapPath || 'provided via tool input',
+    pcap_description: description,
+  };
+}
+
+function parseReconInput(text) {
+  const domainMatch = text.match(DOMAIN_RE);
+  const domain = domainMatch ? domainMatch[1] : '';
+
+  let description = text;
+  if (domain) {
+    description = text.replace(domain, '').trim();
+  }
+  if (!description) {
+    description = domain ? `Reconnaissance on ${domain}` : 'Perform OSINT reconnaissance';
+  }
+
+  return {
+    target_domain: domain || 'UNSPECIFIED',
+    target_description: description,
+  };
+}
+
+function parsePrivacyInput(text) {
+  const pathMatch = text.match(FILE_PATH_RE);
+  const fileListing = pathMatch ? pathMatch[1] : '';
+
+  return {
+    codebase_description: text,
+    file_listing: fileListing || 'Analyze the described system',
+  };
+}

package/lib/autonomous/validators/forensic.js

@@ -0,0 +1,266 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * Forensic report validator for INCIDENT mode agent output.
+ *
+ * Ported from autonomous/validators/forensic.py.
+ * Validates LLM-generated JSON forensic reports for structural correctness:
+ * required top-level sections, CVE-ID format, non-empty findings and services.
+ *
+ * @module autonomous/validators/forensic
+ */
+
+import { ValidationResult } from '../framework.js';
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+const REQUIRED_SECTIONS = [
+  'summary', 'services', 'connections', 'findings', 'recommendations',
+];
+
+const RECOMMENDED_FINDING_FIELDS = ['severity', 'description', 'evidence'];
+
+const RECOMMENDED_TOP_LEVEL_FIELDS = ['pcap_file', 'analysis_timestamp'];
+
+// Matches well-formed CVE IDs: CVE-YYYY-NNNNN (4-7 digit suffix)
+const CVE_VALID_RE = /CVE-\d{4}-\d{4,7}/;
+
+// Matches anything that looks like a CVE reference (broader, to catch malformed)
+const CVE_LIKE_RE = /CVE-[A-Za-z0-9]+-[A-Za-z0-9]+/g;
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Extract JSON content from markdown code fences, or return text as-is.
+ * Uses findall+join pattern.
+ *
+ * @param {string} text
+ * @returns {string}
+ */
+function stripCodeFences(text) {
+  const matches = [...text.matchAll(/```(?:json)?\s*\n(.*?)```/gs)].map(m => m[1]);
+  if (matches.length > 0) {
+    return matches.join('\n');
+  }
+  return text;
+}
+
+/**
+ * Parse a JSON forensic report from text.
+ *
+ * @param {string} text
+ * @returns {Object}
+ * @throws {Error}
+ */
+function parseJsonReport(text) {
+  const stripped = stripCodeFences(text);
+  try {
+    return JSON.parse(stripped);
+  } catch (e) {
+    throw new Error(`JSON parse error: ${e.message}`);
+  }
+}
+
+/**
+ * Recursively collect all string values from a nested structure.
+ *
+ * @param {*} obj
+ * @returns {string[]}
+ */
+function collectStringValues(obj) {
+  const strings = [];
+  if (typeof obj === 'string') {
+    strings.push(obj);
+  } else if (Array.isArray(obj)) {
+    for (const item of obj) {
+      strings.push(...collectStringValues(item));
+    }
+  } else if (obj && typeof obj === 'object') {
+    for (const v of Object.values(obj)) {
+      strings.push(...collectStringValues(v));
+    }
+  }
+  return strings;
+}
+
+/**
+ * Validate a forensic report dict for structural correctness.
+ *
+ * @param {Object} report
+ * @returns {{ errors: string[], warnings: string[] }}
+ */
+function validateReport(report) {
+  const errors = [];
+  const warnings = [];
+
+  // Required top-level sections
+  for (const section of REQUIRED_SECTIONS) {
+    if (!(section in report)) {
+      errors.push(`Missing required section: ${section}`);
+    }
+  }
+
+  // findings must be a non-empty list
+  const findings = report.findings;
+  if (findings !== undefined) {
+    if (!Array.isArray(findings)) {
+      errors.push(`findings must be a list (got ${typeof findings})`);
+    } else if (findings.length === 0) {
+      errors.push('findings list must not be empty');
+    } else {
+      for (let i = 0; i < findings.length; i++) {
+        if (findings[i] && typeof findings[i] === 'object' && !Array.isArray(findings[i])) {
+          for (const fieldName of RECOMMENDED_FINDING_FIELDS) {
+            if (!(fieldName in findings[i])) {
+              warnings.push(`Finding ${i + 1}: missing recommended field '${fieldName}'`);
+            }
+          }
+        }
+      }
+    }
+  }
+
+  // services must be a non-empty list
+  const services = report.services;
+  if (services !== undefined) {
+    if (!Array.isArray(services)) {
+      errors.push(`services must be a list (got ${typeof services})`);
+    } else if (services.length === 0) {
+      errors.push('services list must not be empty');
+    }
+  }
+
+  // CVE format validation in findings
+  if (Array.isArray(findings)) {
+    const allStrings = collectStringValues(findings);
+    for (const s of allStrings) {
+      // Reset global regex
+      const cveLikeRe = /CVE-[A-Za-z0-9]+-[A-Za-z0-9]+/g;
+      let match;
+      while ((match = cveLikeRe.exec(s)) !== null) {
+        const cveRef = match[0];
+        if (!CVE_VALID_RE.test(cveRef)) {
+          errors.push(
+            `Malformed CVE ID: ${cveRef} (must match CVE-YYYY-NNNN[N{0,3}])`
+          );
+        }
+      }
+    }
+  }
+
+  // Recommended top-level fields
+  for (const fieldName of RECOMMENDED_TOP_LEVEL_FIELDS) {
+    if (!(fieldName in report)) {
+      warnings.push(`Missing recommended top-level field: ${fieldName}`);
+    }
+  }
+
+  return { errors, warnings };
+}
+
+// ---------------------------------------------------------------------------
+// ForensicValidator
+// ---------------------------------------------------------------------------
+
+/**
+ * Deterministic validator for JSON forensic reports.
+ *
+ * Scoring:
+ *   - 1.0: no errors and no warnings (clean)
+ *   - 0.5: warnings only (valid but imperfect)
+ *   - 0.0: any errors (invalid)
+ */
+export class ForensicValidator {
+  /**
+   * @param {import('../framework.js').ModeAgentResult} result
+   * @returns {import('../framework.js').ValidationResult}
+   */
+  validate(result) {
+    const text = result.outputText || '';
+    const emptyMeta = { findings_count: 0, services_count: 0, cve_count: 0 };
+
+    // Empty output
+    if (!text.trim()) {
+      return new ValidationResult({
+        valid: false,
+        errors: ['No forensic report found in output (empty)'],
+        warnings: [],
+        score: 0.0,
+        metadata: { ...emptyMeta },
+      });
+    }
+
+    // Parse JSON
+    let parsed;
+    try {
+      parsed = parseJsonReport(text);
+    } catch (e) {
+      return new ValidationResult({
+        valid: false,
+        errors: [e.message],
+        warnings: [],
+        score: 0.0,
+        metadata: { ...emptyMeta },
+      });
+    }
+
+    // Must be an object
+    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+      return new ValidationResult({
+        valid: false,
+        errors: [`Forensic report must be a JSON object (got ${Array.isArray(parsed) ? 'Array' : typeof parsed})`],
+        warnings: [],
+        score: 0.0,
+        metadata: { ...emptyMeta },
+      });
+    }
+
+    // Structural validation
+    const { errors, warnings } = validateReport(parsed);
+
+    // Compute metadata
+    const findings = parsed.findings || [];
+    const services = parsed.services || [];
+    const findingsCount = Array.isArray(findings) ? findings.length : 0;
+    const servicesCount = Array.isArray(services) ? services.length : 0;
+
+    // Count valid CVE references
+    let cveCount = 0;
+    if (Array.isArray(findings)) {
+      const allStrings = collectStringValues(findings);
+      for (const s of allStrings) {
+        const cveValidRe = /CVE-\d{4}-\d{4,7}/g;
+        const matches = s.match(cveValidRe);
+        if (matches) cveCount += matches.length;
+      }
+    }
+
+    // Scoring
+    let score;
+    if (errors.length > 0) {
+      score = 0.0;
+    } else if (warnings.length > 0) {
+      score = 0.5;
+    } else {
+      score = 1.0;
+    }
+
+    return new ValidationResult({
+      valid: errors.length === 0,
+      errors,
+      warnings,
+      score,
+      metadata: {
+        findings_count: findingsCount,
+        services_count: servicesCount,
+        cve_count: cveCount,
+      },
+    });
+  }
+}

package/lib/autonomous/validators/osint.js

@@ -0,0 +1,216 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * OSINT intelligence report validator for RECON mode agent output.
+ *
+ * Ported from autonomous/validators/osint.py.
+ * Validates LLM-generated JSON intelligence reports for structural correctness:
+ * required sections, non-empty data, and finding structure validation.
+ *
+ * @module autonomous/validators/osint
+ */
+
+import { ValidationResult } from '../framework.js';
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+const REQUIRED_SECTIONS = [
+  'summary', 'target', 'dns_records', 'whois_data', 'technologies', 'findings',
+];
+
+const RECOMMENDED_TOP_LEVEL_FIELDS = [
+  'subdomains', 'infrastructure', 'collection_metadata',
+];
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Extract JSON content from markdown code fences, or return text as-is.
+ *
+ * @param {string} text
+ * @returns {string}
+ */
+function stripCodeFences(text) {
+  // Try explicit json-tagged fences first
+  let matches = [...text.matchAll(/```json\s*\n(.*?)```/gs)].map(m => m[1]);
+  if (matches.length > 0) return matches.join('\n');
+
+  // Fall back to bare fences
+  matches = [...text.matchAll(/```\s*\n(.*?)```/gs)].map(m => m[1]);
+  if (matches.length > 0) return matches.join('\n');
+
+  return text;
+}
+
+/**
+ * Parse a JSON OSINT report from text.
+ *
+ * @param {string} text
+ * @returns {Object}
+ * @throws {Error}
+ */
+function parseJsonReport(text) {
+  const stripped = stripCodeFences(text);
+  try {
+    return JSON.parse(stripped);
+  } catch (e) {
+    throw new Error(`JSON parse error: ${e.message}`);
+  }
+}
+
+/**
+ * Validate an OSINT report dict for structural correctness.
+ *
+ * @param {Object} report
+ * @returns {{ errors: string[], warnings: string[] }}
+ */
+function validateReport(report) {
+  const errors = [];
+  const warnings = [];
+
+  // Required top-level sections
+  for (const section of REQUIRED_SECTIONS) {
+    if (!(section in report)) {
+      errors.push(`Missing required section: ${section}`);
+    }
+  }
+
+  // findings must be a non-empty list
+  const findings = report.findings;
+  if (findings !== undefined) {
+    if (!Array.isArray(findings)) {
+      errors.push(`findings must be a list (got ${typeof findings})`);
+    } else if (findings.length === 0) {
+      errors.push('findings list must not be empty');
+    }
+  }
+
+  // dns_records must be a non-empty dict or list
+  const dnsRecords = report.dns_records;
+  if (dnsRecords !== undefined) {
+    if (typeof dnsRecords === 'object' && dnsRecords !== null && !Array.isArray(dnsRecords)) {
+      if (Object.keys(dnsRecords).length === 0) {
+        errors.push('dns_records must not be empty');
+      }
+    } else if (Array.isArray(dnsRecords)) {
+      if (dnsRecords.length === 0) {
+        errors.push('dns_records must not be empty');
+      }
+    } else {
+      errors.push(`dns_records must be a dict or list (got ${typeof dnsRecords})`);
+    }
+  }
+
+  // Recommended top-level fields
+  for (const fieldName of RECOMMENDED_TOP_LEVEL_FIELDS) {
+    if (!(fieldName in report)) {
+      warnings.push(`Missing recommended field: ${fieldName}`);
+    }
+  }
+
+  return { errors, warnings };
+}
+
+// ---------------------------------------------------------------------------
+// OSINTValidator
+// ---------------------------------------------------------------------------
+
+/**
+ * Deterministic validator for JSON OSINT intelligence reports.
+ *
+ * Scoring:
+ *   - 1.0: no errors and no warnings (clean)
+ *   - 0.5: warnings only (valid but imperfect)
+ *   - 0.0: any errors (invalid)
+ */
+export class OSINTValidator {
+  /**
+   * @param {import('../framework.js').ModeAgentResult} result
+   * @returns {import('../framework.js').ValidationResult}
+   */
+  validate(result) {
+    const text = result.outputText || '';
+    const emptyMeta = { findings_count: 0, technologies_count: 0, dns_record_types: [] };
+
+    // Empty output
+    if (!text.trim()) {
+      return new ValidationResult({
+        valid: false,
+        errors: ['No OSINT report found in output (empty)'],
+        warnings: [],
+        score: 0.0,
+        metadata: { ...emptyMeta },
+      });
+    }
+
+    // Parse JSON
+    let parsed;
+    try {
+      parsed = parseJsonReport(text);
+    } catch (e) {
+      return new ValidationResult({
+        valid: false,
+        errors: [e.message],
+        warnings: [],
+        score: 0.0,
+        metadata: { ...emptyMeta },
+      });
+    }
+
+    // Must be an object
+    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+      return new ValidationResult({
+        valid: false,
+        errors: [`OSINT report must be a JSON object (got ${Array.isArray(parsed) ? 'Array' : typeof parsed})`],
+        warnings: [],
+        score: 0.0,
+        metadata: { ...emptyMeta },
+      });
+    }
+
+    // Structural validation
+    const { errors, warnings } = validateReport(parsed);
+
+    // Compute metadata
+    const findings = parsed.findings || [];
+    const technologies = parsed.technologies || [];
+    const dnsRecords = parsed.dns_records || {};
+
+    const findingsCount = Array.isArray(findings) ? findings.length : 0;
+    const technologiesCount = Array.isArray(technologies) ? technologies.length
+      : (typeof technologies === 'object' && technologies !== null ? Object.keys(technologies).length : 0);
+
+    let dnsRecordTypes = [];
+    if (typeof dnsRecords === 'object' && dnsRecords !== null && !Array.isArray(dnsRecords)) {
+      dnsRecordTypes = Object.keys(dnsRecords).sort();
+    }
+
+    // Scoring
+    let score;
+    if (errors.length > 0) {
+      score = 0.0;
+    } else if (warnings.length > 0) {
+      score = 0.5;
+    } else {
+      score = 1.0;
+    }
+
+    return new ValidationResult({
+      valid: errors.length === 0,
+      errors,
+      warnings,
+      score,
+      metadata: {
+        findings_count: findingsCount,
+        technologies_count: technologiesCount,
+        dns_record_types: dnsRecordTypes,
+      },
+    });
+  }
+}