cipher-security 2.0.0

package/lib/complexity.js

@@ -0,0 +1,377 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * Smart routing complexity classifier for CIPHER CLI.
+ *
+ * Evaluates multiple heuristic signals to determine query complexity and
+ * route to the appropriate backend (Ollama for simple/moderate, Claude for
+ * complex/expert).
+ *
+ * Ported from src/gateway/complexity.py — all keyword dictionaries, regex
+ * patterns, score thresholds, and scoring logic are identical.
+ *
+ * @example
+ * import { classify, routeBackend, classifyAndRoute, COMPLEXITY } from './complexity.js';
+ *
+ * const level = classify("design a zero trust architecture for AWS");
+ * const backend = routeBackend(level); // "claude"
+ *
+ * const [lvl, be] = classifyAndRoute("what port does SSH use");
+ * // lvl === 1 (SIMPLE), be === "ollama"
+ */
+
+// ---------------------------------------------------------------------------
+// Complexity enum
+// ---------------------------------------------------------------------------
+
+/** Query complexity levels, ordered by increasing difficulty. */
+export const COMPLEXITY = Object.freeze({
+  SIMPLE: 1,   // Factual lookups, single-concept questions → Ollama
+  MODERATE: 2, // Multi-part but bounded questions → Ollama
+  COMPLEX: 3,  // Deep reasoning, threat models, architecture → Claude
+  EXPERT: 4,   // Cross-domain, multi-framework, advanced analysis → Claude
+});
+
+const _NAMES = Object.freeze({
+  [COMPLEXITY.SIMPLE]: 'SIMPLE',
+  [COMPLEXITY.MODERATE]: 'MODERATE',
+  [COMPLEXITY.COMPLEX]: 'COMPLEX',
+  [COMPLEXITY.EXPERT]: 'EXPERT',
+});
+
+/**
+ * Reverse lookup: complexity level integer → human-readable name.
+ * @param {number} level
+ * @returns {string}
+ */
+export function nameOf(level) {
+  return _NAMES[level] ?? 'UNKNOWN';
+}
+
+// ---------------------------------------------------------------------------
+// Tunable weights — adjust these to change routing sensitivity
+// ---------------------------------------------------------------------------
+
+/** Points thresholds for each complexity level. */
+export const THRESHOLDS = Object.freeze({
+  moderate: 3,  // >= 3 points → MODERATE
+  complex: 6,   // >= 6 points → COMPLEX
+  expert: 10,   // >= 10 points → EXPERT
+});
+
+/** Message length breakpoints (characters) and their point values. */
+export const LENGTH_SCORES = Object.freeze([
+  [500, 4], // Very long queries are likely complex
+  [300, 3], // Long queries
+  [150, 2], // Medium queries
+  [80, 1],  // Short but not trivial
+]);
+
+// ---------------------------------------------------------------------------
+// Keyword sets — each match adds the specified points
+// ---------------------------------------------------------------------------
+
+/** Simple indicators (negative points — pull toward Ollama). */
+export const SIMPLE_KEYWORDS = Object.freeze({
+  'what is': -2,
+  'what are': -1,
+  'what does': -2,
+  'what port': -3,
+  'which port': -3,
+  'default port': -3,
+  'how to install': -2,
+  'how to start': -2,
+  'how to run': -2,
+  'syntax for': -2,
+  'command for': -2,
+  'define ': -2,
+  'definition of': -2,
+  'meaning of': -2,
+  'example of': -1,
+  'list of': -1,
+  'difference between': -1,
+});
+
+/** Domain complexity indicators (positive points — push toward Claude). */
+export const COMPLEX_KEYWORDS = Object.freeze({
+  // Architecture & design
+  'threat model': 4,
+  'architecture': 3,
+  'design': 2,
+  'zero trust': 3,
+  'blast radius': 3,
+  'compensating control': 3,
+  'defense in depth': 2,
+  'security architecture': 4,
+  'data flow diagram': 3,
+  'trust boundary': 3,
+  // Risk & compliance
+  'dpia': 4,
+  'risk assessment': 4,
+  'risk analysis': 3,
+  'compliance mapping': 4,
+  'gap analysis': 3,
+  'maturity assessment': 3,
+  'audit finding': 3,
+  'control mapping': 3,
+  // Analysis & reasoning
+  'analyze': 2,
+  'analyse': 2,
+  'evaluate': 2,
+  'compare and contrast': 3,
+  'trade-off': 2,
+  'tradeoff': 2,
+  'pros and cons': 2,
+  'impact analysis': 3,
+  'root cause': 3,
+  // Offensive / red team
+  'attack chain': 4,
+  'attack path': 3,
+  'kill chain': 3,
+  'exploitation chain': 4,
+  'lateral movement': 2,
+  'privilege escalation': 2,
+  'privesc': 2,
+  'post-exploitation': 3,
+  'evasion technique': 3,
+  'bypass': 1,
+  // Incident response
+  'incident analysis': 4,
+  'incident': 2,
+  'forensic analysis': 4,
+  'forensic': 2,
+  'timeline reconstruction': 4,
+  'indicator of compromise': 2,
+  'ioc': 1,
+  'beacon': 2,
+  'cobalt strike': 3,
+  'mimikatz': 2,
+  'dcsync': 3,
+  'triage': 2,
+  'containment strategy': 3,
+  'eradication plan': 3,
+  'breach': 2,
+  'malware analysis': 3,
+  'reverse engineer': 3,
+  // Detection engineering
+  'detection logic': 3,
+  'sigma rule': 2,
+  'detection coverage': 3,
+  'false positive': 2,
+  'detection gap': 3,
+  'correlation rule': 3,
+  'hunting hypothesis': 3,
+  // Multi-step / planning
+  'strategy': 2,
+  'roadmap': 3,
+  'implementation plan': 3,
+  'step by step': 1,
+  'runbook': 2,
+  'playbook': 2,
+  'workflow': 1,
+});
+
+/** Framework references — signal expert-level queries. */
+export const FRAMEWORK_KEYWORDS = Object.freeze({
+  'nist': 2,
+  'nist 800-53': 3,
+  'nist 800-171': 3,
+  'nist csf': 3,
+  'mitre att&ck': 3,
+  'mitre attack': 3,
+  'stride': 3,
+  'pasta': 3,
+  'dread': 3,
+  'owasp': 2,
+  'owasp top 10': 2,
+  'cis controls': 2,
+  'cis benchmark': 2,
+  'iso 27001': 3,
+  'iso 27002': 3,
+  'soc 2': 2,
+  'pci dss': 3,
+  'hipaa': 2,
+  'gdpr': 2,
+  'ccpa': 2,
+  'fedramp': 3,
+  'cmmc': 3,
+  'cve-': 1,
+  'cwe-': 1,
+});
+
+// ---------------------------------------------------------------------------
+// Structural patterns — regex-based signals
+// ---------------------------------------------------------------------------
+
+/** Multi-part query indicators (each match adds points). */
+export const STRUCTURE_PATTERNS = Object.freeze([
+  // Conjunctions joining distinct requests
+  [/\b(?:and also|and then|additionally|furthermore|moreover)\b/, 2],
+  // Numbered lists in the query
+  [/(?:^|\n)\s*\d+[.)]\s/, 2],
+  // Conditional logic
+  [/\bif\s+.+\bthen\b/, 2],
+  [/\bwhat if\b/, 2],
+  [/\bassuming\b/, 1],
+  [/\bgiven that\b/, 1],
+  // Comparison requests
+  [/\bvs\.?\b/, 1],
+  [/\bversus\b/, 1],
+  [/\bcompare\b/, 2],
+  // Scope amplifiers
+  [/\b(?:comprehensive|exhaustive|thorough|detailed|in-depth|end-to-end)\b/, 2],
+  [/\b(?:enterprise|organization-wide|company-wide|across all)\b/, 2],
+  // Multiple question marks (multiple questions)
+  [/\?.*\?/, 2],
+]);
+
+/** Count of "and" conjunctions — many ands suggest multi-part queries. */
+export const AND_CONJUNCTION_THRESHOLD = 3;
+export const AND_CONJUNCTION_POINTS = 2;
+
+// ---------------------------------------------------------------------------
+// Scoring functions
+// ---------------------------------------------------------------------------
+
+/**
+ * Score based on message length.
+ * @param {string} message
+ * @returns {number}
+ */
+export function scoreLength(message) {
+  const length = message.length;
+  for (const [threshold, points] of LENGTH_SCORES) {
+    if (length >= threshold) {
+      return points;
+    }
+  }
+  return 0;
+}
+
+/**
+ * Score based on keyword presence. Returns sum of matched keyword points.
+ * @param {string} lower — lowercased message
+ * @param {Record<string, number>} keywordSet
+ * @returns {number}
+ */
+export function scoreKeywords(lower, keywordSet) {
+  let total = 0;
+  for (const [keyword, points] of Object.entries(keywordSet)) {
+    if (lower.includes(keyword)) {
+      total += points;
+    }
+  }
+  return total;
+}
+
+/**
+ * Score based on query structure patterns.
+ * @param {string} lower — lowercased message
+ * @returns {number}
+ */
+export function scoreStructure(lower) {
+  let total = 0;
+  for (const [pattern, points] of STRUCTURE_PATTERNS) {
+    if (pattern.test(lower)) {
+      total += points;
+    }
+  }
+
+  // Count "and" conjunctions
+  const andMatches = lower.match(/\band\b/g);
+  const andCount = andMatches ? andMatches.length : 0;
+  if (andCount > AND_CONJUNCTION_THRESHOLD) {
+    total += AND_CONJUNCTION_POINTS;
+  }
+
+  return total;
+}
+
+/**
+ * Bonus points when multiple frameworks are referenced.
+ * @param {string} lower — lowercased message
+ * @returns {number}
+ */
+export function scoreFrameworkDensity(lower) {
+  let matches = 0;
+  let totalPoints = 0;
+  for (const [keyword, points] of Object.entries(FRAMEWORK_KEYWORDS)) {
+    if (lower.includes(keyword)) {
+      matches += 1;
+      totalPoints += points;
+    }
+  }
+
+  // Bonus for cross-framework queries (referencing 3+ frameworks)
+  if (matches >= 3) {
+    totalPoints += 3;
+  }
+
+  return totalPoints;
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Classify a query's complexity based on multiple heuristic signals.
+ * @param {string} message — The user's query string.
+ * @returns {number} Complexity level (1=SIMPLE, 2=MODERATE, 3=COMPLEX, 4=EXPERT).
+ */
+export function classify(message) {
+  const lower = message.toLowerCase();
+
+  let score = 0;
+  score += scoreLength(message);
+  score += scoreKeywords(lower, SIMPLE_KEYWORDS);
+  score += scoreKeywords(lower, COMPLEX_KEYWORDS);
+  score += scoreStructure(lower);
+  score += scoreFrameworkDensity(lower);
+
+  // Floor at 0 — negative scores are still SIMPLE
+  score = Math.max(score, 0);
+
+  if (score >= THRESHOLDS.expert) {
+    return COMPLEXITY.EXPERT;
+  }
+  if (score >= THRESHOLDS.complex) {
+    return COMPLEXITY.COMPLEX;
+  }
+  if (score >= THRESHOLDS.moderate) {
+    return COMPLEXITY.MODERATE;
+  }
+  return COMPLEXITY.SIMPLE;
+}
+
+/**
+ * Map a complexity level to a backend name.
+ *
+ * COMPLEX and EXPERT → "claude", SIMPLE and MODERATE → "ollama".
+ * The "litellm" backend is user-configured, not auto-routed.
+ *
+ * @param {number} level — The classified complexity level.
+ * @returns {string} Backend string: "ollama" or "claude".
+ */
+export function routeBackend(level) {
+  if (level >= COMPLEXITY.COMPLEX) {
+    return 'claude';
+  }
+  return 'ollama';
+}
+
+/**
+ * Classify a message and return both the complexity level and backend.
+ *
+ * Convenience function combining classify() and routeBackend().
+ *
+ * @param {string} message — The user's query string.
+ * @returns {[number, string]} Tuple of [complexity level, backend name].
+ */
+export function classifyAndRoute(message) {
+  const level = classify(message);
+  const backend = routeBackend(level);
+  return [level, backend];
+}

package/lib/config.js

@@ -0,0 +1,213 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * config.js — YAML config reader/writer for CIPHER CLI.
+ *
+ * Mirrors the Python gateway/config.py load_config() format and precedence:
+ *   1. Environment variables (LLM_BACKEND, ANTHROPIC_API_KEY)   — highest
+ *   2. Project-root config.yaml (where pyproject.toml lives)
+ *   3. ~/.config/cipher/config.yaml                             — lowest
+ *
+ * Produces YAML that Python's yaml.safe_load() can parse identically.
+ *
+ * @module config
+ */
+
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
+import { join, dirname, resolve } from 'node:path';
+import { homedir } from 'node:os';
+import { parse, stringify } from 'yaml';
+
+// ---------------------------------------------------------------------------
+// Path resolution
+// ---------------------------------------------------------------------------
+
+/**
+ * Walk up from `startDir` looking for pyproject.toml — same logic as Python's
+ * _find_project_root(). Returns the directory containing pyproject.toml, or null.
+ *
+ * @param {string} [startDir=process.cwd()]
+ * @returns {string | null}
+ */
+function findProjectRoot(startDir = process.cwd()) {
+  let current = resolve(startDir);
+  for (let i = 0; i < 20; i++) {
+    if (existsSync(join(current, 'pyproject.toml'))) {
+      return current;
+    }
+    const parent = dirname(current);
+    if (parent === current) break; // filesystem root
+    current = parent;
+  }
+  return null;
+}
+
+/**
+ * Return the two config file paths CIPHER checks.
+ *
+ * @param {{ home?: string, cwd?: string }} [opts] — overrides for testing
+ * @returns {{ userConfig: string, projectConfig: string }}
+ */
+export function getConfigPaths(opts = {}) {
+  const home = opts.home || homedir();
+  const startDir = opts.cwd || process.cwd();
+  const userConfig = join(home, '.config', 'cipher', 'config.yaml');
+  const projectRoot = findProjectRoot(startDir);
+  const projectConfig = projectRoot
+    ? join(projectRoot, 'config.yaml')
+    : join(startDir, 'config.yaml');
+  return { userConfig, projectConfig };
+}
+
+/**
+ * Check whether any config file exists (user-home or project-root).
+ *
+ * @param {{ home?: string, cwd?: string }} [opts] — overrides for testing
+ * @returns {boolean}
+ */
+export function configExists(opts) {
+  const { userConfig, projectConfig } = getConfigPaths(opts);
+  return existsSync(userConfig) || existsSync(projectConfig);
+}
+
+// ---------------------------------------------------------------------------
+// YAML file I/O
+// ---------------------------------------------------------------------------
+
+/**
+ * Safely load a YAML file. Returns empty object if missing or empty.
+ * Wraps parse errors with the file path for diagnostics.
+ *
+ * @param {string} filePath
+ * @returns {Record<string, any>}
+ */
+function loadYamlFile(filePath) {
+  if (!existsSync(filePath)) return {};
+  try {
+    const raw = readFileSync(filePath, 'utf-8');
+    const data = parse(raw);
+    return data && typeof data === 'object' && !Array.isArray(data) ? data : {};
+  } catch (err) {
+    throw new Error(
+      `Failed to parse config at ${filePath}: ${err.message}`
+    );
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Deep merge helper
+// ---------------------------------------------------------------------------
+
+/**
+ * Deep-merge `source` into `target`. Source values override target.
+ * Only merges plain objects — arrays and primitives are replaced wholesale.
+ *
+ * @param {Record<string, any>} target
+ * @param {Record<string, any>} source
+ * @returns {Record<string, any>}
+ */
+function deepMerge(target, source) {
+  const result = { ...target };
+  for (const key of Object.keys(source)) {
+    if (
+      source[key] &&
+      typeof source[key] === 'object' &&
+      !Array.isArray(source[key]) &&
+      target[key] &&
+      typeof target[key] === 'object' &&
+      !Array.isArray(target[key])
+    ) {
+      result[key] = deepMerge(target[key], source[key]);
+    } else {
+      result[key] = source[key];
+    }
+  }
+  return result;
+}
+
+// ---------------------------------------------------------------------------
+// Load config
+// ---------------------------------------------------------------------------
+
+/**
+ * Load configuration from YAML files and environment variable overrides.
+ *
+ * Precedence (highest → lowest):
+ *   1. Environment variables
+ *   2. Project-root config.yaml
+ *   3. ~/.config/cipher/config.yaml
+ *
+ * @param {{ home?: string, cwd?: string }} [opts] — overrides for testing
+ * @returns {Record<string, any>} Plain config object matching the Python shape.
+ */
+export function loadConfig(opts) {
+  const { userConfig, projectConfig } = getConfigPaths(opts);
+
+  // Load both files — project-root overrides user-home via deep merge
+  const userData = loadYamlFile(userConfig);
+  const projectData = loadYamlFile(projectConfig);
+  const merged = deepMerge(userData, projectData);
+
+  // Apply env var overrides (highest precedence)
+  if (process.env.LLM_BACKEND) {
+    merged.llm_backend = process.env.LLM_BACKEND;
+  }
+  if (process.env.ANTHROPIC_API_KEY) {
+    if (!merged.claude || typeof merged.claude !== 'object') {
+      merged.claude = {};
+    }
+    merged.claude.api_key = process.env.ANTHROPIC_API_KEY;
+  }
+
+  return merged;
+}
+
+// ---------------------------------------------------------------------------
+// Write config
+// ---------------------------------------------------------------------------
+
+/**
+ * Write a config object as YAML. Creates parent directories if needed.
+ *
+ * @param {Record<string, any>} config — config object to write
+ * @param {string} [targetPath] — defaults to ~/.config/cipher/config.yaml
+ * @returns {string} The path that was written.
+ */
+export function writeConfig(config, targetPath) {
+  const dest = targetPath || join(homedir(), '.config', 'cipher', 'config.yaml');
+  const dir = dirname(dest);
+
+  try {
+    mkdirSync(dir, { recursive: true });
+  } catch (err) {
+    throw new Error(
+      `Failed to create config directory ${dir}: ${err.code || err.message}`
+    );
+  }
+
+  const yamlStr = stringify(config, {
+    lineWidth: 0,       // no line wrapping — matches Python's default_flow_style=False
+    nullStr: '""',      // empty strings stay as "" not null
+  });
+
+  // Add the standard header comment
+  const header = [
+    '# CIPHER Gateway Configuration',
+    `# Written by cipher setup — ${new Date().toISOString()}`,
+    '#',
+    '# Precedence: env vars > project-root config.yaml > ~/.config/cipher/config.yaml',
+    '',
+  ].join('\n');
+
+  try {
+    writeFileSync(dest, header + yamlStr, 'utf-8');
+  } catch (err) {
+    throw new Error(
+      `Failed to write config to ${dest}: ${err.code || err.message}`
+    );
+  }
+
+  return dest;
+}