cipher-security 2.0.0

package/lib/pipeline/xss-scanner.js

@@ -0,0 +1,353 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * Static XSS heuristic scanner — detects DOM XSS sinks and sources without a browser.
+ *
+ * Covers ~40-60% of reflected/DOM XSS patterns via regex-based sink/source analysis.
+ * This is the static layer; full runtime DOM XSS requires Playwright (dom-xss-scanner.js).
+ *
+ * Ported from pipeline/xss_scanner.py (338 LOC Python).
+ */
+
+import { readFileSync, readdirSync, statSync } from 'node:fs';
+import { join, extname } from 'node:path';
+
+// ---------------------------------------------------------------------------
+// Sink patterns — where untrusted data reaches dangerous APIs
+// Note: No /g flag on any regex to avoid lastIndex state issues.
+// ---------------------------------------------------------------------------
+
+/** @type {Array<[string, string, RegExp]>} [name, severity, pattern] */
+const SINK_PATTERNS = [
+  ['innerHTML', 'critical', /\.\s*innerHTML\s*=(?!=)/i],
+  ['outerHTML', 'critical', /\.\s*outerHTML\s*=(?!=)/i],
+  ['document.write', 'critical', /document\s*\.\s*write(ln)?\s*\(/i],
+  ['eval', 'critical', /\beval\s*\(/i],
+  ['setTimeout-string', 'high', /setTimeout\s*\(\s*['"]/i],
+  ['setInterval-string', 'high', /setInterval\s*\(\s*['"]/i],
+  ['Function-constructor', 'critical', /\bnew\s+Function\s*\(/i],
+  ['insertAdjacentHTML', 'high', /\.insertAdjacentHTML\s*\(/i],
+  ['dangerouslySetInnerHTML', 'critical', /dangerouslySetInnerHTML\s*=\s*\{/i],
+  ['v-html', 'high', /\bv-html\s*=/i],
+  ['[innerHTML]', 'high', /\[innerHTML\]\s*=/i],
+  ['bypassSecurityTrust', 'critical', /bypassSecurityTrust(Html|Script|Url|ResourceUrl|Style)/i],
+  ['jquery-html', 'high', /\$\([^)]*\)\s*\.\s*html\s*\(/i],
+  ['jquery-append-raw', 'medium', /\$\([^)]*\)\s*\.\s*append\s*\(/i],
+  ['document.domain', 'high', /document\s*\.\s*domain\s*=/i],
+  ['location-assign', 'high', /location\s*\.\s*(href|assign|replace)\s*=/i],
+  ['srcdoc', 'high', /\bsrcdoc\s*=/i],
+  ['postMessage-star', 'medium', /\.postMessage\s*\([^,]+,\s*['"]?\*/i],
+];
+
+// ---------------------------------------------------------------------------
+// Source patterns — where untrusted data enters the application
+// ---------------------------------------------------------------------------
+
+/** @type {Array<[string, RegExp]>} [name, pattern] */
+const SOURCE_PATTERNS = [
+  ['location.hash', /location\s*\.\s*hash/i],
+  ['location.search', /location\s*\.\s*search/i],
+  ['location.href', /location\s*\.\s*href(?!\s*=)/i],
+  ['document.URL', /document\s*\.\s*URL/i],
+  ['document.referrer', /document\s*\.\s*referrer/i],
+  ['document.cookie', /document\s*\.\s*cookie/i],
+  ['window.name', /window\s*\.\s*name/i],
+  ['URLSearchParams', /new\s+URLSearchParams/i],
+  ['postMessage-handler', /addEventListener\s*\(\s*['"]message['"]/i],
+];
+
+// ---------------------------------------------------------------------------
+// Template injection patterns (server-side)
+// ---------------------------------------------------------------------------
+
+/** @type {Array<[string, string, RegExp]>} [name, severity, pattern] */
+const TEMPLATE_SINKS = [
+  ['jinja2-raw', 'high', /\{\{.*\|.*safe\s*\}\}/i],
+  ['jinja2-autoescape-off', 'critical', /\{%\s*autoescape\s+false/i],
+  ['erb-raw', 'high', /<%=\s*raw\s+/i],
+  ['php-echo-unescaped', 'high', /<\?=\s*\$_(GET|POST|REQUEST|COOKIE)/i],
+  ['asp-response-write', 'high', /Response\.Write\s*\(\s*Request/i],
+  ['thymeleaf-utext', 'high', /th:utext\s*=/i],
+  ['razor-raw', 'high', /@Html\.Raw\s*\(/i],
+];
+
+// ---------------------------------------------------------------------------
+// File extensions to scan
+// ---------------------------------------------------------------------------
+
+const SCANNABLE_EXTENSIONS = new Set([
+  '.js', '.jsx', '.ts', '.tsx', '.vue', '.svelte',
+  '.html', '.htm', '.php', '.erb', '.ejs', '.hbs',
+  '.pug', '.jade', '.py', '.rb', '.java', '.cs',
+  '.asp', '.aspx',
+]);
+
+const SKIP_DIRS = new Set(['node_modules', 'vendor', '.venv', '__pycache__']);
+
+// ---------------------------------------------------------------------------
+// Data classes
+// ---------------------------------------------------------------------------
+
+class XSSFinding {
+  /**
+   * @param {object} opts
+   * @param {string} opts.file
+   * @param {number} opts.lineNumber
+   * @param {string} opts.lineContent
+   * @param {string} opts.sinkName
+   * @param {string} opts.severity  critical | high | medium
+   * @param {string} opts.category  dom-sink | dom-source | template-injection
+   * @param {string|null} [opts.sourceNearby=null]
+   */
+  constructor(opts) {
+    this.file = opts.file;
+    this.lineNumber = opts.lineNumber;
+    this.lineContent = opts.lineContent;
+    this.sinkName = opts.sinkName;
+    this.severity = opts.severity;
+    this.category = opts.category;
+    this.sourceNearby = opts.sourceNearby ?? null;
+  }
+
+  toDict() {
+    const d = {
+      file: this.file,
+      line: this.lineNumber,
+      sink: this.sinkName,
+      severity: this.severity,
+      category: this.category,
+      content: this.lineContent.trim().slice(0, 200),
+    };
+    if (this.sourceNearby) {
+      d.source_nearby = this.sourceNearby;
+    }
+    return d;
+  }
+}
+
+class XSSScanResult {
+  /**
+   * @param {object} [opts]
+   * @param {number} [opts.filesScanned=0]
+   * @param {XSSFinding[]} [opts.findings=[]]
+   * @param {Array<object>} [opts.sourcesFound=[]]
+   */
+  constructor(opts = {}) {
+    this.filesScanned = opts.filesScanned ?? 0;
+    this.findings = opts.findings ?? [];
+    this.sourcesFound = opts.sourcesFound ?? [];
+  }
+
+  get criticalCount() {
+    return this.findings.filter((f) => f.severity === 'critical').length;
+  }
+
+  get highCount() {
+    return this.findings.filter((f) => f.severity === 'high').length;
+  }
+
+  toDict() {
+    return {
+      files_scanned: this.filesScanned,
+      total_findings: this.findings.length,
+      critical: this.criticalCount,
+      high: this.highCount,
+      medium: this.findings.length - this.criticalCount - this.highCount,
+      findings: this.findings.map((f) => f.toDict()),
+      sources_found: this.sourcesFound,
+    };
+  }
+
+  summary() {
+    if (this.findings.length === 0) {
+      return `No XSS sinks detected in ${this.filesScanned} files.`;
+    }
+    return (
+      `${this.findings.length} XSS sink(s) in ${this.filesScanned} files: ` +
+      `${this.criticalCount} critical, ${this.highCount} high`
+    );
+  }
+}
+
+// ---------------------------------------------------------------------------
+// XSSScanner
+// ---------------------------------------------------------------------------
+
+class XSSScanner {
+  /**
+   * Scan a single file for XSS patterns.
+   * @param {string} filepath
+   * @returns {XSSFinding[]}
+   */
+  scanFile(filepath) {
+    const ext = extname(filepath).toLowerCase();
+    if (!SCANNABLE_EXTENSIONS.has(ext)) return [];
+
+    let content;
+    try {
+      content = readFileSync(filepath, 'utf-8');
+    } catch {
+      return [];
+    }
+
+    const lines = content.split('\n');
+    const findings = [];
+    /** @type {Map<number, string>} lineNumber → sourceName */
+    const sourceLines = new Map();
+
+    // First pass: find all source locations
+    for (let i = 0; i < lines.length; i++) {
+      for (const [srcName, srcPat] of SOURCE_PATTERNS) {
+        if (srcPat.test(lines[i])) {
+          sourceLines.set(i + 1, srcName);
+          break;
+        }
+      }
+    }
+
+    // Second pass: find sinks + correlate nearby sources
+    for (let i = 0; i < lines.length; i++) {
+      const lineNo = i + 1;
+      const line = lines[i];
+
+      for (const [sinkName, severity, sinkPat] of SINK_PATTERNS) {
+        if (sinkPat.test(line)) {
+          // Check if a source is within 10 lines
+          let nearbySource = null;
+          let adjustedSeverity = severity;
+          for (const [srcLineNo, srcName] of sourceLines) {
+            if (Math.abs(srcLineNo - lineNo) <= 10) {
+              nearbySource = srcName;
+              adjustedSeverity = 'critical'; // Source + sink = confirmed dangerous
+              break;
+            }
+          }
+          findings.push(
+            new XSSFinding({
+              file: filepath,
+              lineNumber: lineNo,
+              lineContent: line,
+              sinkName,
+              severity: adjustedSeverity,
+              category: 'dom-sink',
+              sourceNearby: nearbySource,
+            }),
+          );
+        }
+      }
+
+      for (const [sinkName, severity, sinkPat] of TEMPLATE_SINKS) {
+        if (sinkPat.test(line)) {
+          findings.push(
+            new XSSFinding({
+              file: filepath,
+              lineNumber: lineNo,
+              lineContent: line,
+              sinkName,
+              severity,
+              category: 'template-injection',
+            }),
+          );
+        }
+      }
+    }
+
+    return findings;
+  }
+
+  /**
+   * Scan a directory for XSS patterns.
+   * @param {string} directory
+   * @param {object} [opts]
+   * @param {boolean} [opts.recursive=true]
+   * @returns {XSSScanResult}
+   */
+  scanDirectory(directory, opts = {}) {
+    const recursive = opts.recursive !== false;
+    const result = new XSSScanResult();
+
+    const walk = (dir) => {
+      let entries;
+      try {
+        entries = readdirSync(dir, { withFileTypes: true });
+      } catch {
+        return;
+      }
+      for (const ent of entries.sort((a, b) => a.name.localeCompare(b.name))) {
+        if (ent.name.startsWith('.') || SKIP_DIRS.has(ent.name)) continue;
+        const full = join(dir, ent.name);
+        if (ent.isDirectory() && recursive) {
+          walk(full);
+        } else if (ent.isFile() && SCANNABLE_EXTENSIONS.has(extname(ent.name).toLowerCase())) {
+          result.filesScanned++;
+          const findings = this.scanFile(full);
+          result.findings.push(...findings);
+        }
+      }
+    };
+    walk(directory);
+    return result;
+  }
+
+  /**
+   * Scan added lines in a unified diff for XSS patterns.
+   * @param {string} diffText
+   * @param {string} [filename='<diff>']
+   * @returns {XSSFinding[]}
+   */
+  scanDiff(diffText, filename = '<diff>') {
+    const findings = [];
+    let lineNo = 0;
+
+    for (const line of diffText.split('\n')) {
+      if (line.startsWith('@@')) {
+        const m = line.match(/\+(\d+)/);
+        lineNo = m ? parseInt(m[1], 10) : 0;
+        continue;
+      }
+      if (line.startsWith('+') && !line.startsWith('+++')) {
+        const content = line.slice(1);
+        lineNo++;
+
+        const allSinks = [...SINK_PATTERNS, ...TEMPLATE_SINKS];
+        for (const [sinkName, severity, sinkPat] of allSinks) {
+          if (sinkPat.test(content)) {
+            const isTemplate = TEMPLATE_SINKS.some((t) => t[0] === sinkName);
+            findings.push(
+              new XSSFinding({
+                file: filename,
+                lineNumber: lineNo,
+                lineContent: content,
+                sinkName,
+                severity,
+                category: isTemplate ? 'template-injection' : 'dom-sink',
+              }),
+            );
+          }
+        }
+      } else if (!line.startsWith('-')) {
+        lineNo++;
+      }
+    }
+    return findings;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Exports
+// ---------------------------------------------------------------------------
+
+export {
+  // Pattern arrays (for testing/inspection)
+  SINK_PATTERNS,
+  SOURCE_PATTERNS,
+  TEMPLATE_SINKS,
+  SCANNABLE_EXTENSIONS,
+  // Data classes
+  XSSFinding,
+  XSSScanResult,
+  // Scanner
+  XSSScanner,
+};

package/lib/setup-wizard.js

@@ -0,0 +1,288 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * setup-wizard.js — Interactive @clack/prompts setup wizard for CIPHER.
+ *
+ * Implements R002 (interactive wizard) and R006 (craft feel):
+ *   - Provider selection (Ollama / Claude API / LiteLLM)
+ *   - Masked API key input
+ *   - Ollama binary detection
+ *   - Python availability check
+ *   - Completion summary with configured settings
+ *
+ * All prompts write to stderr via @clack/prompts — stdout stays clean
+ * for protocol use.
+ *
+ * @module setup-wizard
+ */
+
+import * as clack from '@clack/prompts';
+import { execFileSync, execSync } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { writeConfig, getConfigPaths } from './config.js';
+
+/**
+ * Check whether a binary exists on $PATH.
+ *
+ * @param {string} name — binary name to look up
+ * @returns {string | null} — absolute path if found, null otherwise
+ */
+function whichSync(name) {
+  try {
+    return execFileSync('which', [name], {
+      encoding: 'utf-8',
+      timeout: 3000,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    }).trim();
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Handle @clack/prompts cancellation. Call after every prompt.
+ * If the user pressed Ctrl+C, shows a cancel message and exits cleanly.
+ *
+ * @param {any} value — return value from a @clack/prompts call
+ */
+function handleCancel(value) {
+  if (clack.isCancel(value)) {
+    clack.cancel('Setup cancelled.');
+    process.exit(0);
+  }
+}
+
+/**
+ * Build the default config sections that every provider path includes.
+ * Matches the Python setup wizard's defaults exactly.
+ */
+function defaultOllamaSection(model = 'cipher') {
+  return {
+    base_url: 'http://127.0.0.1:11434',
+    model,
+    timeout: 300,
+  };
+}
+
+function defaultClaudeSection(apiKey = '', model = 'claude-sonnet-4-5-20250929') {
+  return {
+    api_key: apiKey,
+    model,
+    timeout: 120,
+  };
+}
+
+/**
+ * Run the interactive setup wizard.
+ *
+ * Walks the user through provider selection, backend-specific configuration,
+ * and writes a valid config.yaml. Uses @clack/prompts for all I/O (stderr).
+ *
+ * @returns {Promise<void>}
+ */
+export async function runSetupWizard() {
+  try {
+    // ── Intro ──────────────────────────────────────────────────────────
+    clack.intro('CIPHER Setup');
+    clack.log.info('Configure your LLM backend to get started with CIPHER.');
+
+    // ── Python no longer required ────────────────────────────────────
+    clack.log.success('CIPHER runs natively on Node.js — no Python required.');
+
+    // ── Provider selection ─────────────────────────────────────────────
+    const provider = await clack.select({
+      message: 'Choose your LLM backend',
+      options: [
+        { value: 'claude-code', label: 'Claude Code', hint: 'Running inside Claude Code — no API key needed' },
+        { value: 'ollama', label: 'Ollama', hint: 'Local inference, free, private (requires GPU)' },
+        { value: 'claude', label: 'Claude API', hint: 'Standalone use with Anthropic API key' },
+        { value: 'litellm', label: 'LiteLLM', hint: 'Multi-provider (OpenAI, Gemini, llama.cpp, etc.)' },
+      ],
+    });
+    handleCancel(provider);
+
+    let config;
+
+    // ── Claude Code path ──────────────────────────────────────────────
+    if (provider === 'claude-code') {
+      // Check if claude CLI is installed and authed
+      let claudeAuthed = false;
+      try {
+        const authJson = execSync('claude auth status', { encoding: 'utf-8', timeout: 5000 });
+        const auth = JSON.parse(authJson);
+        if (auth.loggedIn) {
+          clack.log.success(`Authenticated as ${auth.email} (${auth.subscriptionType})`);
+          claudeAuthed = true;
+        }
+      } catch {
+        // claude CLI not found or not authed
+      }
+
+      if (!claudeAuthed) {
+        clack.log.warn('Claude Code is not authenticated.');
+        clack.log.info('Run this in your terminal to log in:\n\n  claude login\n');
+
+        const proceed = await clack.confirm({
+          message: 'Continue setup anyway? (you can log in later)',
+          initialValue: false,
+        });
+        handleCancel(proceed);
+        if (!proceed) {
+          clack.outro('Run `claude login` first, then `cipher setup` again.');
+          process.exit(0);
+        }
+      }
+
+      clack.log.info(
+        'CIPHER activates automatically via CLAUDE.md inside Claude Code.\n' +
+        'No API key needed — Claude Code provides the LLM.'
+      );
+
+      // Offer Ollama as fallback for standalone use
+      const addOllama = await clack.confirm({
+        message: 'Also configure Ollama for standalone CLI use?',
+        initialValue: true,
+      });
+      handleCancel(addOllama);
+
+      if (addOllama) {
+        const ollamaPath = whichSync('ollama');
+        if (ollamaPath) {
+          clack.log.success(`Ollama found at ${ollamaPath}`);
+        } else {
+          clack.log.info('Ollama not found — install from https://ollama.com/download when ready.');
+        }
+      }
+
+      config = {
+        llm_backend: addOllama ? 'ollama' : 'claude-code',
+        ollama: defaultOllamaSection(),
+        claude: defaultClaudeSection(),
+      };
+    }
+
+    // ── Ollama path ────────────────────────────────────────────────────
+    else if (provider === 'ollama') {
+      const ollamaPath = whichSync('ollama');
+      if (ollamaPath) {
+        clack.log.success(`Ollama found at ${ollamaPath}`);
+      } else {
+        clack.log.info(
+          'Ollama not found on PATH. Install it from https://ollama.com/download'
+        );
+      }
+
+      const model = await clack.text({
+        message: 'Ollama model name',
+        placeholder: 'cipher',
+        defaultValue: 'cipher',
+      });
+      handleCancel(model);
+
+      config = {
+        llm_backend: 'ollama',
+        ollama: defaultOllamaSection(model),
+        claude: defaultClaudeSection(),
+      };
+    }
+
+    // ── Claude path ────────────────────────────────────────────────────
+    else if (provider === 'claude') {
+      const apiKey = await clack.password({
+        message: 'Anthropic API key',
+        mask: '•',
+      });
+      handleCancel(apiKey);
+
+      const model = await clack.select({
+        message: 'Claude model',
+        options: [
+          { value: 'claude-sonnet-4-5-20250929', label: 'Claude Sonnet 4.5', hint: 'Recommended' },
+          { value: 'claude-opus-4-6', label: 'Claude Opus 4' },
+          { value: 'claude-haiku-3-5', label: 'Claude Haiku 3.5' },
+        ],
+      });
+      handleCancel(model);
+
+      config = {
+        llm_backend: 'claude',
+        ollama: defaultOllamaSection(),
+        claude: defaultClaudeSection(apiKey, model),
+      };
+    }
+
+    // ── LiteLLM path ──────────────────────────────────────────────────
+    else if (provider === 'litellm') {
+      const model = await clack.text({
+        message: 'LiteLLM model string',
+        placeholder: 'gpt-4o, gemini/gemini-2.0-flash, ollama/llama3.1',
+      });
+      handleCancel(model);
+
+      const apiKey = await clack.password({
+        message: 'API key (leave empty if not needed)',
+        mask: '•',
+      });
+      handleCancel(apiKey);
+
+      const apiBase = await clack.text({
+        message: 'Custom API base URL (leave empty for default)',
+        placeholder: '',
+        defaultValue: '',
+      });
+      handleCancel(apiBase);
+
+      config = {
+        llm_backend: 'litellm',
+        ollama: defaultOllamaSection(),
+        claude: defaultClaudeSection(),
+        litellm: {
+          model: model || '',
+          api_key: apiKey || '',
+          api_base: apiBase || '',
+          timeout: 120,
+        },
+      };
+    }
+
+    // ── Write config ──────────────────────────────────────────────────
+    const configPath = writeConfig(config);
+
+    // Also write to project root if pyproject.toml exists (dual-write like Python)
+    const { projectConfig } = getConfigPaths();
+    const projectRoot = join(projectConfig, '..');
+    if (existsSync(join(projectRoot, 'pyproject.toml')) && projectConfig !== configPath) {
+      try {
+        writeConfig(config, projectConfig);
+      } catch {
+        // Non-fatal — user config was already written
+      }
+    }
+
+    // ── Completion summary ────────────────────────────────────────────
+    const summaryLines = [
+      `Provider:    ${provider}`,
+    ];
+
+    if (provider === 'ollama') {
+      summaryLines.push(`Model:       ${config.ollama.model}`);
+    } else if (provider === 'claude') {
+      summaryLines.push(`Model:       ${config.claude.model}`);
+    } else if (provider === 'litellm') {
+      summaryLines.push(`Model:       ${config.litellm.model || '(not set)'}`);
+    }
+
+    summaryLines.push(`Config path: ${configPath}`);
+
+    clack.note(summaryLines.join('\n'), 'Configuration Summary');
+    clack.outro('Setup complete! Run cipher --help to get started.');
+  } catch (err) {
+    // isCancel paths call process.exit(0) directly — this catches
+    // unexpected errors only.
+    clack.log.error(err.message || String(err));
+    process.exit(1);
+  }
+}

package/package.json

@@ -0,0 +1,31 @@
+{
+  "name": "cipher-security",
+  "version": "2.0.0",
+  "description": "CIPHER — AI Security Engineering Platform CLI",
+  "type": "module",
+  "engines": {
+    "node": ">=18"
+  },
+  "license": "AGPL-3.0-only",
+  "bin": {
+    "cipher": "bin/cipher.js"
+  },
+  "files": [
+    "bin/",
+    "lib/"
+  ],
+  "scripts": {
+    "test": "vitest run"
+  },
+  "devDependencies": {
+    "vitest": "^3"
+  },
+  "dependencies": {
+    "@anthropic-ai/sdk": "^0.80.0",
+    "@clack/prompts": "^1.1.0",
+    "better-sqlite3": "^12.8.0",
+    "openai": "^6.32.0",
+    "ws": "^8.19.0",
+    "yaml": "^2.8.2"
+  }
+}