cipher-security 2.0.0

package/lib/bot/bot.js

@@ -0,0 +1,238 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+
+/**
+ * CIPHER Signal Bot — receives messages via signal-cli-rest-api WebSocket,
+ * dispatches through the gateway, and replies.
+ */
+
+import { WebSocket } from 'ws';
+
+// ---------------------------------------------------------------------------
+// Prefix mapping
+// ---------------------------------------------------------------------------
+
+const PREFIX_RE = /^(RED|BLUE|PURPLE|PRIVACY|RECON|INCIDENT|ARCHITECT):\s*/i;
+
+export function mapPrefix(text) {
+  const m = text.match(PREFIX_RE);
+  if (m) {
+    const mode = m[1].toUpperCase();
+    const rest = text.slice(m[0].length);
+    return `[MODE: ${mode}] ${rest}`;
+  }
+  return text;
+}
+
+// ---------------------------------------------------------------------------
+// Markdown stripping
+// ---------------------------------------------------------------------------
+
+const MD_PATTERNS = [
+  [/```[^\n]*\n([\s\S]*?)```/g, '$1'],
+  [/^#{1,6}\s+/gm, ''],
+  [/\*{2}([^*\n]+)\*{2}/g, '$1'],
+  [/\*([^*\n]+)\*/g, '$1'],
+  [/`([^`\n]+)`/g, '$1'],
+  [/\[([^\]]+)\]\([^)]+\)/g, '$1'],
+  [/^(\s*)[*-]\s+/gm, '$1• '],
+];
+
+export function stripMarkdown(text) {
+  for (const [pattern, replacement] of MD_PATTERNS) {
+    text = text.replace(pattern, replacement);
+  }
+  return text.trim();
+}
+
+// ---------------------------------------------------------------------------
+// Session manager
+// ---------------------------------------------------------------------------
+
+export class SessionManager {
+  constructor({ timeoutSeconds = 3600, maxPairs = 20 } = {}) {
+    this._sessions = new Map();
+    this._timeout = timeoutSeconds * 1000;
+    this._maxPairs = maxPairs;
+  }
+
+  get(sender) {
+    this.cleanup();
+    const session = this._sessions.get(sender);
+    return session ? [...session.history] : [];
+  }
+
+  update(sender, userMessage, assistantMessage) {
+    if (!this._sessions.has(sender)) {
+      this._sessions.set(sender, { history: [], lastActive: Date.now() });
+    }
+    const session = this._sessions.get(sender);
+    session.history.push({ role: 'user', content: userMessage });
+    session.history.push({ role: 'assistant', content: assistantMessage });
+    session.lastActive = Date.now();
+
+    const maxItems = this._maxPairs * 2;
+    if (session.history.length > maxItems) {
+      session.history = session.history.slice(-maxItems);
+    }
+  }
+
+  reset(sender) { this._sessions.delete(sender); }
+
+  cleanup() {
+    const now = Date.now();
+    for (const [sender, session] of this._sessions) {
+      if (now - session.lastActive > this._timeout) {
+        this._sessions.delete(sender);
+      }
+    }
+  }
+
+  get size() { return this._sessions.size; }
+}
+
+// ---------------------------------------------------------------------------
+// Signal REST API client
+// ---------------------------------------------------------------------------
+
+async function sendMessage(signalService, phoneNumber, recipient, message) {
+  const resp = await fetch(`${signalService}/v2/send`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      message,
+      number: phoneNumber,
+      recipients: [recipient],
+    }),
+  });
+  if (!resp.ok) {
+    throw new Error(`Send failed: ${resp.status} ${await resp.text()}`);
+  }
+}
+
+async function sendReaction(signalService, phoneNumber, recipient, emoji, targetTimestamp) {
+  try {
+    await fetch(`${signalService}/v1/reactions/${phoneNumber}`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        reaction: emoji,
+        recipient,
+        timestamp: targetTimestamp,
+      }),
+    });
+  } catch { /* best-effort */ }
+}
+
+// ---------------------------------------------------------------------------
+// Bot runner
+// ---------------------------------------------------------------------------
+
+/**
+ * Start the CIPHER Signal bot.
+ *
+ * Connects to signal-cli-rest-api WebSocket, listens for messages,
+ * dispatches through the gateway, and replies.
+ *
+ * @param {object} config
+ * @param {string} config.signalService - signal-cli-rest-api URL
+ * @param {string} config.phoneNumber - bot's phone number
+ * @param {string[]} [config.whitelist] - allowed sender numbers
+ * @param {number} [config.sessionTimeout] - session timeout in seconds
+ */
+export async function runBot(config) {
+  const { signalService, phoneNumber, whitelist = [], sessionTimeout = 3600 } = config;
+  const sessions = new SessionManager({ timeoutSeconds: sessionTimeout });
+  const whitelistSet = new Set(whitelist);
+
+  const wsUrl = `${signalService.replace('http', 'ws')}/v1/receive/${phoneNumber}`;
+
+  let reconnectDelay = 1000;
+  const maxDelay = 60000;
+
+  function connect() {
+    const ws = new WebSocket(wsUrl);
+
+    ws.on('open', () => {
+      process.stderr.write(`  ● Connected to ${wsUrl}\n`);
+      reconnectDelay = 1000;
+    });
+
+    ws.on('message', async (data) => {
+      try {
+        const envelope = JSON.parse(data.toString());
+        await handleEnvelope(envelope, config, sessions, whitelistSet);
+      } catch (err) {
+        process.stderr.write(`  ✖ Message error: ${err.message}\n`);
+      }
+    });
+
+    ws.on('close', () => {
+      process.stderr.write(`  ⚠ WebSocket closed. Reconnecting in ${reconnectDelay / 1000}s...\n`);
+      setTimeout(connect, reconnectDelay);
+      reconnectDelay = Math.min(reconnectDelay * 2, maxDelay);
+    });
+
+    ws.on('error', (err) => {
+      process.stderr.write(`  ✖ WebSocket error: ${err.message}\n`);
+    });
+  }
+
+  connect();
+}
+
+async function handleEnvelope(envelope, config, sessions, whitelistSet) {
+  const msg = envelope.envelope?.dataMessage;
+  if (!msg || !msg.message) return;
+
+  const sender = envelope.envelope?.source;
+  if (!sender) return;
+
+  const text = msg.message.trim();
+  if (!text) return;
+
+  // Whitelist check
+  if (whitelistSet.size > 0 && !whitelistSet.has(sender)) {
+    return;
+  }
+
+  const timestamp = msg.timestamp;
+
+  // /reset command
+  if (text === '/reset') {
+    sessions.reset(sender);
+    await sendMessage(config.signalService, config.phoneNumber, sender, 'Session cleared.');
+    return;
+  }
+
+  // React with brain emoji to acknowledge
+  await sendReaction(config.signalService, config.phoneNumber, sender, '🧠', timestamp);
+
+  // Map prefix and get history
+  const mapped = mapPrefix(text);
+  const history = sessions.get(sender);
+
+  // Dispatch through gateway
+  let response;
+  try {
+    const { Gateway } = await import('../gateway/gateway.js');
+    const gw = new Gateway({ rag: true });
+    response = await gw.send(mapped, { history });
+  } catch (err) {
+    response = `Error: ${err.message}`;
+  }
+
+  // Update session and reply
+  sessions.update(sender, mapped, response);
+  const reply = stripMarkdown(response);
+
+  // Signal has a ~6000 char limit per message
+  if (reply.length > 5500) {
+    const chunks = reply.match(/.{1,5500}/gs) || [reply];
+    for (const chunk of chunks) {
+      await sendMessage(config.signalService, config.phoneNumber, sender, chunk);
+    }
+  } else {
+    await sendMessage(config.signalService, config.phoneNumber, sender, reply);
+  }
+}

package/lib/brand.js

@@ -0,0 +1,105 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+
+/**
+ * CIPHER branding — ASCII art, status indicators, formatted output.
+ */
+
+// ANSI colors
+const R = '\x1b[0m';     // reset
+const B = '\x1b[1m';     // bold
+const D = '\x1b[2m';     // dim
+const RED = '\x1b[31m';
+const GRN = '\x1b[32m';
+const YLW = '\x1b[33m';
+const BLU = '\x1b[34m';
+const MAG = '\x1b[35m';
+const CYN = '\x1b[36m';
+
+const LOGO = `${CYN}${B}
+   ██████╗██╗██████╗ ██╗  ██╗███████╗██████╗
+  ██╔════╝██║██╔══██╗██║  ██║██╔════╝██╔══██╗
+  ██║     ██║██████╔╝███████║█████╗  ██████╔╝
+  ██║     ██║██╔═══╝ ██╔══██║██╔══╝  ██╔══██╗
+  ╚██████╗██║██║     ██║  ██║███████╗██║  ██║
+   ╚═════╝╚═╝╚═╝     ╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝${R}`;
+
+const LOGO_SMALL = `${CYN}${B}▸ CIPHER${R}`;
+
+/** Status indicator dots */
+export const dot = {
+  ok:   `${GRN}●${R}`,
+  warn: `${YLW}●${R}`,
+  fail: `${RED}●${R}`,
+  info: `${BLU}●${R}`,
+  skip: `${D}○${R}`,
+};
+
+/** Print the full ASCII banner with version */
+export function banner(version = '') {
+  const ver = version ? `${D}v${version}${R}` : '';
+  process.stderr.write(`${LOGO}\n  ${D}Claude Integrated Privacy & Hardening Expert Resource${R}  ${ver}\n\n`);
+}
+
+/** Print a compact one-line header */
+export function header(text, version = '') {
+  const ver = version ? ` ${D}v${version}${R}` : '';
+  process.stderr.write(`${LOGO_SMALL}${ver} ${D}—${R} ${text}\n`);
+}
+
+/** Print a status line with colored dot */
+export function status(name, state, detail = '') {
+  const d = dot[state] || dot.info;
+  const detailStr = detail ? ` ${D}${detail}${R}` : '';
+  process.stderr.write(`  ${d} ${name}${detailStr}\n`);
+}
+
+/** Print a section divider */
+export function divider() {
+  process.stderr.write(`${D}${'─'.repeat(50)}${R}\n`);
+}
+
+/** Print a success message */
+export function success(msg) {
+  process.stderr.write(`  ${GRN}✔${R} ${msg}\n`);
+}
+
+/** Print a warning message */
+export function warn(msg) {
+  process.stderr.write(`  ${YLW}⚠${R} ${msg}\n`);
+}
+
+/** Print an error message */
+export function error(msg) {
+  process.stderr.write(`  ${RED}✖${R} ${msg}\n`);
+}
+
+/** Print an info message */
+export function info(msg) {
+  process.stderr.write(`  ${BLU}ℹ${R} ${msg}\n`);
+}
+
+/**
+ * Format doctor checks with status dots.
+ * @param {object[]} checks - Array of {name, status, detail}
+ * @returns {string} Formatted output for terminal
+ */
+export function formatDoctorChecks(checks) {
+  const lines = [];
+  for (const c of checks) {
+    const state = c.status === 'ok' ? 'ok' : c.status === 'optional' ? 'skip' : c.status === 'missing' ? 'fail' : 'warn';
+    const d = dot[state];
+    lines.push(`  ${d} ${B}${c.name}${R}  ${D}${c.detail}${R}`);
+  }
+  return lines.join('\n');
+}
+
+/**
+ * Format version output.
+ * @param {string} version
+ */
+export function formatVersion(version) {
+  return `${LOGO_SMALL} ${B}${version}${R}`;
+}
+
+export { LOGO, LOGO_SMALL, R, B, D, RED, GRN, YLW, BLU, MAG, CYN };

package/lib/commands.js

@@ -0,0 +1,100 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * commands.js — Command routing table for the CIPHER CLI.
+ *
+ * Maps all 29 CLI commands to one of three dispatch modes:
+ *   - native:       Dispatched directly through Node.js handler functions (no Python)
+ *   - passthrough:  Spawned directly as `python -m gateway.app <cmd>` with stdio: 'inherit'
+ *                   (full terminal access for Rich panels, Textual TUIs, long-running services)
+ *   - bridge:       (Legacy) Dispatched via JSON-RPC through python-bridge.js — no commands
+ *                   use this mode as of M007/S03, retained for backward compatibility
+ *
+ * @module commands
+ */
+
+/**
+ * Dispatch mode for each CLI command.
+ *
+ * @type {Record<string, { mode: 'native' | 'bridge' | 'passthrough', description: string }>}
+ */
+export const COMMAND_MODES = {
+  // ── Native commands (Node.js handler dispatch, no Python) ──────────────
+  query:           { mode: 'native',      description: 'Run a security query (smart routing + streaming)' },
+  ingest:          { mode: 'native',      description: 'Ingest security data' },
+  status:          { mode: 'native',      description: 'Show system status' },
+  doctor:          { mode: 'native',      description: 'Diagnose installation health' },
+  version:         { mode: 'native',      description: 'Print version information' },
+  plugin:          { mode: 'native',      description: 'Manage plugins' },
+  search:          { mode: 'native',      description: 'Search security data' },
+  store:           { mode: 'native',      description: 'Manage data stores' },
+  diff:            { mode: 'native',      description: 'Compare security states' },
+  workflow:        { mode: 'native',      description: 'Manage workflows' },
+  stats:           { mode: 'native',      description: 'Show statistics' },
+  domains:         { mode: 'native',      description: 'Manage domains' },
+  skills:          { mode: 'native',      description: 'Manage skills' },
+  score:           { mode: 'native',      description: 'Show security score' },
+  marketplace:     { mode: 'native',      description: 'Browse marketplace' },
+  compliance:      { mode: 'native',      description: 'Run compliance checks' },
+  leaderboard:     { mode: 'native',      description: 'Show leaderboard' },
+  feedback:        { mode: 'native',      description: 'Submit feedback' },
+  'memory-export': { mode: 'native',      description: 'Export memory' },
+  'memory-import': { mode: 'native',      description: 'Import memory' },
+  sarif:           { mode: 'native',      description: 'SARIF report tools' },
+  osint:           { mode: 'native',      description: 'OSINT intelligence tools' },
+  update:          { mode: 'native',      description: 'Update CIPHER to latest version' },
+
+  // ── Passthrough commands (direct Python spawn, full terminal) ──────────
+  // These were Python-dependent — now ported to Node.js.
+  scan:            { mode: 'native', description: 'Run a security scan' },
+  dashboard:       { mode: 'native', description: 'System dashboard' },
+  web:             { mode: 'native', description: 'Web interface (use `cipher api` instead)' },
+  bot:             { mode: 'native', description: 'Manage bot integrations (long-running service)' },
+  mcp:             { mode: 'native', description: 'MCP server tools (long-running service)' },
+  api:             { mode: 'native', description: 'API management (long-running server)' },
+  'setup-signal':  { mode: 'native', description: 'Configure Signal integration' },
+};
+
+/**
+ * Set of command names dispatched via passthrough (direct Python spawn).
+ * @type {Set<string>}
+ */
+export const PASSTHROUGH_COMMANDS = new Set(
+  Object.entries(COMMAND_MODES)
+    .filter(([, v]) => v.mode === 'passthrough')
+    .map(([k]) => k)
+);
+
+/**
+ * Set of command names dispatched via Node.js native handlers.
+ * @type {Set<string>}
+ */
+export const NATIVE_COMMANDS = new Set(
+  Object.entries(COMMAND_MODES)
+    .filter(([, v]) => v.mode === 'native')
+    .map(([k]) => k)
+);
+
+/**
+ * Set of command names dispatched via the JSON-RPC bridge.
+ * As of M007/S03, no commands use bridge mode — retained for backward compatibility.
+ * @type {Set<string>}
+ */
+export const BRIDGE_COMMANDS = new Set(
+  Object.entries(COMMAND_MODES)
+    .filter(([, v]) => v.mode === 'bridge')
+    .map(([k]) => k)
+);
+
+/**
+ * Look up the dispatch mode for a command.
+ *
+ * @param {string} name — command name (e.g., 'scan', 'status')
+ * @returns {'native' | 'bridge' | 'passthrough' | null} — mode string, or null if unknown
+ */
+export function getCommandMode(name) {
+  const entry = COMMAND_MODES[name];
+  return entry ? entry.mode : null;
+}