cipher-security 2.0.0

package/lib/api/openai-proxy.js

@@ -0,0 +1,383 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+
+/**
+ * CIPHER OpenAI-compatible completion proxy.
+ *
+ * Intercepts chat completion requests, injects relevant security skills
+ * as system context, forwards to the upstream LLM, and logs interactions.
+ */
+
+import { createServer as httpCreateServer, request as httpRequest } from 'node:http';
+import { URL } from 'node:url';
+import { existsSync, readdirSync, readFileSync, statSync } from 'node:fs';
+import { join, resolve } from 'node:path';
+
+// ---------------------------------------------------------------------------
+// Proxy config
+// ---------------------------------------------------------------------------
+
+export class ProxyConfig {
+  constructor(opts = {}) {
+    this.upstreamUrl = opts.upstreamUrl || process.env.CIPHER_UPSTREAM_URL || 'http://localhost:11434/v1';
+    this.host = opts.host || process.env.CIPHER_PROXY_HOST || '127.0.0.1';
+    this.port = opts.port ?? parseInt(process.env.CIPHER_PROXY_PORT || '8100', 10);
+    this.injectSkills = opts.injectSkills ?? true;
+    this.maxSkills = opts.maxSkills ?? 3;
+    this.logInteractions = opts.logInteractions ?? true;
+    this.modelOverride = opts.modelOverride || '';
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Skill injection
+// ---------------------------------------------------------------------------
+
+/** Security keyword → domain mapping for skill matching. */
+const KEYWORD_DOMAINS = {
+  xss: ['web-application-security', 'browser-security'],
+  'sql injection': ['web-application-security', 'database-security'],
+  sqli: ['web-application-security', 'database-security'],
+  'privilege escalation': ['linux-security', 'windows-security'],
+  privesc: ['linux-security', 'windows-security'],
+  'active directory': ['active-directory-security'],
+  kerberos: ['active-directory-security'],
+  malware: ['malware-analysis'],
+  'reverse engineer': ['reverse-engineering'],
+  incident: ['incident-response'],
+  forensic: ['digital-forensics', 'cloud-forensics'],
+  osint: ['osint-techniques'],
+  reconnaissance: ['osint-techniques', 'network-security'],
+  container: ['container-security'],
+  docker: ['container-security'],
+  kubernetes: ['container-security'],
+  cloud: ['cloud-security'],
+  aws: ['cloud-security'],
+  azure: ['cloud-security'],
+  api: ['api-security'],
+  cryptograph: ['cryptography'],
+  encrypt: ['cryptography'],
+  phishing: ['social-engineering'],
+  exploit: ['exploit-development', 'binary-exploitation'],
+  'buffer overflow': ['binary-exploitation'],
+  rop: ['binary-exploitation'],
+  c2: ['c2-frameworks'],
+  'command and control': ['c2-frameworks'],
+  siem: ['log-analysis'],
+  detection: ['log-analysis', 'threat-intelligence'],
+  sigma: ['log-analysis'],
+  'threat intel': ['threat-intelligence'],
+  'zero trust': ['zero-trust'],
+  compliance: ['compliance-auditing'],
+  gdpr: ['privacy-engineering'],
+  privacy: ['privacy-engineering'],
+  network: ['network-security'],
+  firewall: ['network-security'],
+  wireless: ['wireless-security'],
+  wifi: ['wireless-security'],
+  mobile: ['mobile-security'],
+  android: ['mobile-security'],
+  ios: ['mobile-security'],
+  'supply chain': ['supply-chain-security'],
+  password: ['password-cracking'],
+  'brute force': ['password-cracking'],
+  'bug bounty': ['bug-bounty'],
+};
+
+/**
+ * Find matching CIPHER skills for the conversation.
+ * @param {object[]} messages
+ * @param {number} [maxSkills=3]
+ * @returns {string}
+ */
+export function findMatchingSkills(messages, maxSkills = 3) {
+  const skillsRoot = resolve(__dirname_workaround(), '..', '..', 'skills');
+  if (!existsSync(skillsRoot)) return '';
+
+  const userText = messages
+    .filter((m) => m.role === 'user' && typeof m.content === 'string')
+    .map((m) => m.content)
+    .join(' ')
+    .toLowerCase();
+
+  if (!userText) return '';
+
+  const matchedDomains = [];
+  for (const [keyword, domains] of Object.entries(KEYWORD_DOMAINS)) {
+    if (userText.includes(keyword)) {
+      for (const d of domains) {
+        if (!matchedDomains.includes(d)) matchedDomains.push(d);
+      }
+    }
+  }
+
+  if (!matchedDomains.length) return '';
+
+  const injections = [];
+  for (const domain of matchedDomains.slice(0, maxSkills)) {
+    const domainDir = join(skillsRoot, domain);
+    if (!existsSync(domainDir)) continue;
+
+    const skillMd = join(domainDir, 'SKILL.md');
+    if (existsSync(skillMd)) {
+      try {
+        const content = readFileSync(skillMd, 'utf8');
+        const lines = content.split('\n');
+        const descLines = [];
+        let inBody = false;
+        for (const line of lines) {
+          if (inBody) {
+            if (line.trim() === '' && descLines.length) break;
+            if (line.trim().startsWith('#')) {
+              if (descLines.length) break;
+              continue;
+            }
+            descLines.push(line.trim());
+          } else if (line.trim().startsWith('# ') || line.trim() === '---') {
+            inBody = true;
+          }
+        }
+        if (descLines.length) {
+          injections.push(`[CIPHER/${domain}] ${descLines.slice(0, 3).join(' ')}`);
+        }
+      } catch { /* skip */ }
+    }
+
+    const techDir = join(domainDir, 'techniques');
+    if (existsSync(techDir)) {
+      try {
+        const techniques = readdirSync(techDir)
+          .filter((t) => { try { return statSync(join(techDir, t)).isDirectory(); } catch { return false; } })
+          .sort()
+          .slice(0, 8);
+        if (techniques.length) {
+          injections.push(`  Available techniques: ${techniques.map((t) => t.replace(/-/g, ' ')).join(', ')}`);
+        }
+      } catch { /* skip */ }
+    }
+  }
+
+  if (!injections.length) return '';
+
+  return `\n\n--- CIPHER Security Context ---\n${injections.join('\n')}\n--- End CIPHER Context ---\n`;
+}
+
+/** Resolve dirname equivalent for ESM. */
+function __dirname_workaround() {
+  try {
+    return new URL('.', import.meta.url).pathname;
+  } catch {
+    return process.cwd();
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Proxy server
+// ---------------------------------------------------------------------------
+
+/**
+ * Create an OpenAI-compatible proxy server.
+ * @param {ProxyConfig} [config]
+ * @returns {{ server: import('node:http').Server, config: ProxyConfig, start: () => Promise<number>, stop: () => Promise<void> }}
+ */
+export function createOpenAIProxy(config) {
+  config = config instanceof ProxyConfig ? config : new ProxyConfig(config);
+
+  function setCors(res) {
+    res.setHeader('Access-Control-Allow-Origin', '*');
+    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+  }
+
+  function respond(res, status, data) {
+    const body = JSON.stringify(data);
+    setCors(res);
+    res.writeHead(status, { 'Content-Type': 'application/json' });
+    res.end(body);
+  }
+
+  function readBody(req) {
+    return new Promise((resolve) => {
+      const chunks = [];
+      let size = 0;
+      req.on('data', (chunk) => {
+        size += chunk.length;
+        if (size > 10 * 1024 * 1024) { resolve(null); req.destroy(); return; }
+        chunks.push(chunk);
+      });
+      req.on('end', () => {
+        if (size === 0) return resolve(null);
+        try { resolve(JSON.parse(Buffer.concat(chunks).toString('utf8'))); }
+        catch { resolve(null); }
+      });
+      req.on('error', () => resolve(null));
+    });
+  }
+
+  function forwardPost(path, body, headers) {
+    return new Promise((resolve, reject) => {
+      const upstream = new URL(config.upstreamUrl.replace(/\/+$/, '') + path);
+      const data = JSON.stringify(body);
+      const reqHeaders = { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) };
+      if (headers?.authorization) reqHeaders.Authorization = headers.authorization;
+
+      const req = httpRequest(
+        { hostname: upstream.hostname, port: upstream.port, path: upstream.pathname, method: 'POST', headers: reqHeaders, timeout: 120000 },
+        (res) => {
+          const chunks = [];
+          res.on('data', (c) => chunks.push(c));
+          res.on('end', () => {
+            try { resolve({ status: res.statusCode, body: JSON.parse(Buffer.concat(chunks).toString()) }); }
+            catch { resolve({ status: res.statusCode, body: { error: 'invalid upstream response' } }); }
+          });
+        },
+      );
+      req.on('error', reject);
+      req.on('timeout', () => { req.destroy(); reject(new Error('upstream timeout')); });
+      req.write(data);
+      req.end();
+    });
+  }
+
+  function forwardStream(path, body, headers, res) {
+    return new Promise((resolve, reject) => {
+      const upstream = new URL(config.upstreamUrl.replace(/\/+$/, '') + path);
+      const data = JSON.stringify(body);
+      const reqHeaders = { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) };
+      if (headers?.authorization) reqHeaders.Authorization = headers.authorization;
+
+      const req = httpRequest(
+        { hostname: upstream.hostname, port: upstream.port, path: upstream.pathname, method: 'POST', headers: reqHeaders, timeout: 120000 },
+        (upstreamRes) => {
+          setCors(res);
+          res.writeHead(200, { 'Content-Type': 'text/event-stream', 'Cache-Control': 'no-cache' });
+          upstreamRes.on('data', (chunk) => { res.write(chunk); });
+          upstreamRes.on('end', () => { res.end(); resolve(); });
+        },
+      );
+      req.on('error', (err) => { respond(res, 502, { error: 'upstream stream failed' }); reject(err); });
+      req.write(data);
+      req.end();
+    });
+  }
+
+  async function logInteraction(messages, result) {
+    try {
+      const { SkillLeaderboard } = await import('../autonomous/leaderboard.js');
+      const lb = new SkillLeaderboard();
+      const sysMsg = messages.find((m) => m.role === 'system')?.content || '';
+      const domains = [...sysMsg.matchAll(/\[CIPHER\/([^\]]+)\]/g)].map((m) => m[1]);
+      const usage = result?.usage || {};
+      const completionTokens = usage.completion_tokens || 0;
+      const score = Math.min(0.9, 0.3 + completionTokens / 700);
+      for (const domain of domains) {
+        lb.recordInvocation(`${domain}/proxy-invocation`, { success: true, score, context: { source: 'openai_proxy', model: result?.model || '' } });
+      }
+      lb.close();
+    } catch { /* logging is best-effort */ }
+  }
+
+  async function handleRequest(req, res) {
+    setCors(res);
+
+    if (req.method === 'OPTIONS') {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+
+    const url = new URL(req.url, `http://${req.headers.host || 'localhost'}`);
+    const path = url.pathname;
+
+    // GET routes
+    if (req.method === 'GET') {
+      if (path === '/health' || path === '/v1/health') {
+        return respond(res, 200, { status: 'ok', proxy: 'cipher' });
+      }
+      if (path === '/v1/models' || path === '/v1/models/') {
+        return respond(res, 200, {
+          object: 'list',
+          data: [{
+            id: config.modelOverride || 'cipher-proxy',
+            object: 'model',
+            created: Math.floor(Date.now() / 1000),
+            owned_by: 'cipher',
+          }],
+        });
+      }
+      return respond(res, 404, { error: 'not found' });
+    }
+
+    // POST routes
+    if (req.method === 'POST') {
+      const body = await readBody(req);
+      if (!body) return respond(res, 400, { error: 'invalid or empty body' });
+
+      if (path === '/v1/chat/completions') {
+        const messages = body.messages || [];
+
+        // Inject skills
+        if (config.injectSkills && messages.length) {
+          const skillContext = findMatchingSkills(messages, config.maxSkills);
+          if (skillContext) {
+            if (messages[0]?.role === 'system') {
+              messages[0].content = (messages[0].content || '') + skillContext;
+            } else {
+              messages.unshift({ role: 'system', content: skillContext });
+            }
+            body.messages = messages;
+          }
+        }
+
+        // Model override
+        if (config.modelOverride) body.model = config.modelOverride;
+
+        // Forward
+        try {
+          if (body.stream) {
+            await forwardStream('/v1/chat/completions', body, req.headers, res);
+          } else {
+            const result = await forwardPost('/v1/chat/completions', body, req.headers);
+            respond(res, result.status, result.body);
+            if (config.logInteractions) logInteraction(messages, result.body);
+          }
+        } catch {
+          respond(res, 502, { error: 'upstream unavailable' });
+        }
+        return;
+      }
+
+      if (path === '/v1/completions') {
+        try {
+          const result = await forwardPost('/v1/completions', body, req.headers);
+          respond(res, result.status, result.body);
+        } catch {
+          respond(res, 502, { error: 'upstream unavailable' });
+        }
+        return;
+      }
+
+      return respond(res, 404, { error: 'not found' });
+    }
+
+    respond(res, 405, { error: 'method not allowed' });
+  }
+
+  const server = httpCreateServer(handleRequest);
+
+  return {
+    server,
+    config,
+    start() {
+      return new Promise((resolve, reject) => {
+        server.listen(config.port, config.host, () => {
+          resolve(server.address().port);
+        });
+        server.once('error', reject);
+      });
+    },
+    stop() {
+      return new Promise((resolve) => { server.close(() => resolve()); });
+    },
+  };
+}