cipher-security 2.0.2 → 2.0.4

package/bin/cipher.js

@@ -9,15 +9,13 @@
  * Fast path: --version / -V / --help / -h use only node:fs + node:path
  * (zero dynamic imports, <200ms cold start).
  *
- * Command path: dynamically imports python-bridge.js, spawns the Python
- * gateway, routes JSON-RPC commands, prints results, and exits.
+ * Command path: dynamically imports gateway/commands.js handlers,
+ * dispatches to native Node.js functions, prints results.
  */
 
 import { readFileSync } from 'node:fs';
 import { resolve, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
-import { spawn } from 'node:child_process';
-
 // ---------------------------------------------------------------------------
 // Fast path — no dynamic imports, must complete in <200ms
 // ---------------------------------------------------------------------------
@@ -123,7 +121,7 @@ if (args.length === 0) {
 }
 
 // ---------------------------------------------------------------------------
-// Node.js-native commands — handled before the Python bridge is loaded
+// Native commands — handled before dynamic imports
 // ---------------------------------------------------------------------------
 
 const nativeCommands = new Set(['setup']);
@@ -214,36 +212,30 @@ const knownCommands = new Set([
  * @returns {{ command: string, commandArgs: string[] }}
  */
 function parseCommand(argv) {
-  const flags = [];
-  const positional = [];
-
-  for (const arg of argv) {
-    if (arg.startsWith('-')) {
-      flags.push(arg);
-    } else {
-      positional.push(arg);
-    }
+  if (argv.length === 0) {
+    console.error('No command specified. Run `cipher --help` for usage.');
+    process.exit(1);
   }
 
-  if (positional.length === 0) {
-    // No positional args — show help
+  const first = argv[0];
+
+  if (first.startsWith('-')) {
+    // No command, just flags — treat as error
     console.error('No command specified. Run `cipher --help` for usage.');
     process.exit(1);
   }
 
-  const first = positional[0];
-
   if (knownCommands.has(first)) {
     return {
       command: first,
-      commandArgs: [...positional.slice(1), ...flags],
+      commandArgs: argv.slice(1),  // Pass all args as-is, preserve flag-value order
     };
   }
 
-  // Bare query — join all positional words as query text
+  // Bare query — join everything as query text
   return {
     command: 'query',
-    commandArgs: [...positional, ...flags],
+    commandArgs: argv,
   };
 }
 
@@ -254,7 +246,7 @@ function parseCommand(argv) {
 /**
  * Format and print a bridge command result, then exit if needed.
  *
- * Result shapes from bridge.py:
+ * Result shapes from gateway/commands.js:
  *   1. {output, exit_code, error: true} — command error: print output to stderr, exit with code
  *   2. {output, exit_code}              — text-mode result: print output directly
  *   3. Plain object (no output field)   — structured JSON: pretty-print as JSON
@@ -350,8 +342,6 @@ async function formatBridgeResult(result, commandName = '') {
 const { command, commandArgs } = parseCommand(cleanedArgs);
 
 const debug = process.env.CIPHER_DEBUG === '1';
-
-
 // ---------------------------------------------------------------------------
 // Autonomous mode dispatch — bypasses normal command routing entirely
 // ---------------------------------------------------------------------------
@@ -414,7 +404,7 @@ const { getCommandMode } = await import('../lib/commands.js');
 const mode = getCommandMode(command);
 
 if (mode === 'native') {
-  // ── Native dispatch — Node.js handler functions (no Python) ────────────
+  // ── Native dispatch — handler functions ────────────────────────────────
   if (debug) {
     process.stderr.write(`[bridge:node] Dispatching command=${command} mode=native\n`);
   }
@@ -435,7 +425,7 @@ if (mode === 'native') {
   }
 
   try {
-    // ── API server command: long-running HTTP server (no Python) ──────────
+    // ── API server command: long-running HTTP server ──────────────────────
     if (command === 'api') {
       const { createAPIServer, APIConfig } = await import('../lib/api/server.js');
       const apiPort = commandArgs.find((a, i) => commandArgs[i - 1] === '--port') || '8443';

package/lib/api/billing.js

@@ -1,6 +1,9 @@
 // Copyright (c) 2026 defconxt. All rights reserved.
 // Licensed under AGPL-3.0 — see LICENSE file for details.
 
+import { createRequire } from 'node:module';
+const require = createRequire(import.meta.url);
+
 /**
  * CIPHER Billing Engine — usage-based metering middleware.
  *

package/lib/api/marketplace.js

@@ -1,6 +1,9 @@
 // Copyright (c) 2026 defconxt. All rights reserved.
 // Licensed under AGPL-3.0 — see LICENSE file for details.
 
+import { createRequire } from 'node:module';
+const require = createRequire(import.meta.url);
+
 /**
  * CIPHER Skill Marketplace — publish, discover, and install CIPHER skills.
  *

package/lib/autonomous/feedback-loop.js

@@ -172,20 +172,20 @@ export class SkillQualityAnalyzer {
       scores.section_coverage = 0;
     }
 
-    // Check agent.py
-    const agentPy = join(fullPath, 'scripts', 'agent.py');
-    if (existsSync(agentPy)) {
-      const agentContent = readFileSync(agentPy, 'utf-8');
+    // Check agent.js
+    const agentJs = join(fullPath, 'scripts', 'agent.js');
+    if (existsSync(agentJs)) {
+      const agentContent = readFileSync(agentJs, 'utf-8');
       const agentLines = agentContent.trim().split('\n');
       if (agentLines.length < SkillQualityAnalyzer.MIN_AGENT_PY_LINES) {
-        issues.push(`agent.py too short (${agentLines.length} lines)`);
+        issues.push(`agent.js too short (${agentLines.length} lines)`);
       }
       scores.agent_quality = Math.min(agentLines.length / 50, 1.0);
-      if (!agentContent.includes('argparse')) issues.push('agent.py missing argparse');
-      if (!agentContent.includes('json')) issues.push('agent.py missing JSON output');
-      if (!agentContent.includes('__main__')) issues.push('agent.py missing __main__ guard');
+      if (!agentContent.includes('process.argv')) issues.push('agent.js missing CLI dispatch');
+      if (!agentContent.includes('json')) issues.push('agent.js missing JSON output');
+      if (!agentContent.includes('process.argv')) issues.push('agent.js missing CLI entry point');
     } else {
-      issues.push('scripts/agent.py missing');
+      issues.push('scripts/agent.js missing');
       scores.agent_quality = 0;
     }
 

package/lib/autonomous/leaderboard.js

@@ -2,6 +2,8 @@
 // Licensed under AGPL-3.0 — see LICENSE file for details.
 // CIPHER is a trademark of defconxt.
 
+import { createRequire } from "node:module";
+const require = createRequire(import.meta.url);
 /**
  * Skill effectiveness tracking and metrics system.
  *

package/lib/autonomous/researcher.js

@@ -306,8 +306,8 @@ ${description}
 ## Verification
 
 \`\`\`bash
-python3 scripts/agent.py analyze --target example
-python3 scripts/agent.py report --format json
+node scripts/agent.js analyze --target example
+node scripts/agent.js report --format json
 \`\`\`
 
 ## References
@@ -373,7 +373,7 @@ function _generateApiReference(domain, techniqueName) {
 
 | Command | Description |
 |---|---|
-| \`python3 agent.py analyze --target <t>\` | Analyze a target for ${techniqueName} indicators |
+| \`node agent.js analyze --target <t>\` | Analyze a target for ${techniqueName} indicators |
 
 ## Options
 
@@ -406,7 +406,7 @@ export class AutonomousResearcher {
   }
 
   /**
-   * Create a complete hypothesis with SKILL.md, agent.py, and api-reference.md.
+   * Create a complete hypothesis with SKILL.md, agent.js, and api-reference.md.
    * @param {string} domain
    * @param {string} techniqueName
    * @returns {ResearchHypothesis}
@@ -507,7 +507,7 @@ export class AutonomousResearcher {
       mkdirSync(refsDir, { recursive: true });
 
       writeFileSync(join(base, 'SKILL.md'), hypothesis.skillContent, 'utf-8');
-      const agentPath = join(scriptsDir, 'agent.py');
+      const agentPath = join(scriptsDir, 'agent.js');
       writeFileSync(agentPath, hypothesis.agentScript, 'utf-8');
       try { chmodSync(agentPath, 0o755); } catch { /* ok */ }
       writeFileSync(join(refsDir, 'api-reference.md'), hypothesis.referenceContent, 'utf-8');

package/lib/bot/bot.js

@@ -217,7 +217,7 @@ async function handleEnvelope(envelope, config, sessions, whitelistSet) {
   try {
     const { Gateway } = await import('../gateway/gateway.js');
     const gw = new Gateway({ rag: true });
-    response = await gw.send(mapped, { history });
+    response = await gw.send(mapped, history);
   } catch (err) {
     response = `Error: ${err.message}`;
   }

package/lib/commands.js

@@ -5,9 +5,9 @@
 /**
  * commands.js — Command routing table for the CIPHER CLI.
  *
- * Maps all 29 CLI commands to one of three dispatch modes:
+ * Maps all 30 CLI commands to one of three dispatch modes:
  *   - native:       Dispatched directly through Node.js handler functions (no Python)
- *   - passthrough:  Spawned directly as `python -m gateway.app <cmd>` with stdio: 'inherit'
+ *   - passthrough:  Legacy mode — no commands use this as of v2.0
  *                   (full terminal access for Rich panels, Textual TUIs, long-running services)
  *   - bridge:       (Legacy) Dispatched via JSON-RPC through python-bridge.js — no commands
  *                   use this mode as of M007/S03, retained for backward compatibility

package/lib/config.js

@@ -7,7 +7,7 @@
  *
  * Mirrors the Python gateway/config.py load_config() format and precedence:
  *   1. Environment variables (LLM_BACKEND, ANTHROPIC_API_KEY)   — highest
- *   2. Project-root config.yaml (where pyproject.toml lives)
+ *   2. Project-root config.yaml (where cli/ directory lives)
  *   3. ~/.config/cipher/config.yaml                             — lowest
  *
  * Produces YAML that Python's yaml.safe_load() can parse identically.
@@ -25,8 +25,8 @@ import { parse, stringify } from 'yaml';
 // ---------------------------------------------------------------------------
 
 /**
- * Walk up from `startDir` looking for pyproject.toml — same logic as Python's
- * _find_project_root(). Returns the directory containing pyproject.toml, or null.
+ * Walk up from `startDir` looking for cli/ directory — same logic as Python's
+ * _find_project_root(). Returns the directory containing cli/ directory, or null.
  *
  * @param {string} [startDir=process.cwd()]
  * @returns {string | null}
@@ -34,7 +34,7 @@ import { parse, stringify } from 'yaml';
 function findProjectRoot(startDir = process.cwd()) {
   let current = resolve(startDir);
   for (let i = 0; i < 20; i++) {
-    if (existsSync(join(current, 'pyproject.toml'))) {
+    if (existsSync(join(current, 'cli'))) {
       return current;
     }
     const parent = dirname(current);

package/lib/gateway/commands.js

@@ -3,7 +3,7 @@
 // CIPHER is a trademark of defconxt.
 
 /**
- * commands.js — Node.js handler functions for all 22 bridge-mode commands.
+ * commands.js — Node.js handler functions for all 30 CLI commands.
  *
  * Each handler accepts a plain args object and returns a plain JS object.
  * No Rich formatting, no Typer framework — just data. The rendering
@@ -35,6 +35,39 @@ function defaultMemoryDir() {
   return join(homedir(), '.cipher', 'memory', 'default');
 }
 
+/**
+ * Extract a value from CLI args array or object.
+ * Handles both `cipher search lateral movement` (array) and `{query: "..."}` (object).
+ * @param {string[]|object} args
+ * @param {string} key - object key (e.g. 'query')
+ * @param {string} [flagName] - CLI flag (e.g. '--query'). If null, uses positional args.
+ * @returns {string}
+ */
+function getArg(args, key, flagName) {
+  if (!Array.isArray(args)) return args[key] || '';
+  if (flagName) {
+    const idx = args.indexOf(flagName);
+    if (idx !== -1 && idx + 1 < args.length) return args[idx + 1];
+  }
+  // Positional: join all non-flag args
+  return args.filter(a => !a.startsWith('-')).join(' ');
+}
+
+/**
+ * Extract a flag value from CLI args.
+ * @param {string[]|object} args
+ * @param {string} key - object key
+ * @param {string} flag - CLI flag (e.g. '--limit')
+ * @param {*} defaultVal
+ * @returns {*}
+ */
+function getFlagArg(args, key, flag, defaultVal) {
+  if (!Array.isArray(args)) return args[key] ?? defaultVal;
+  const idx = args.indexOf(flag);
+  if (idx !== -1 && idx + 1 < args.length) return args[idx + 1];
+  return defaultVal;
+}
+
 /**
  * Resolve the repository root by walking up from this file.
  * @returns {string}
@@ -93,13 +126,13 @@ export async function handleSearch(args = {}) {
   try {
     const retriever = new AdaptiveRetriever(memory);
     const results = retriever.retrieve(
-      args.query || '',
-      args.engagement || '',
-      args.limit || 10,
+      getArg(args, "query"),
+      getFlagArg(args, "engagement", "--engagement", ""),
+      getFlagArg(args, "limit", "--limit", 10),
     );
     debug(`search: ${results.length} results for "${args.query}"`);
     return {
-      query: args.query || '',
+      query: getArg(args, "query"),
       count: results.length,
       results: results.map(r => ({
         content: r.content,
@@ -126,18 +159,20 @@ export async function handleSearch(args = {}) {
  * @returns {Promise<object>}
  */
 export async function handleStore(args = {}) {
+  const content = getArg(args, 'content', '--content');
+  if (!content) {
+    return { error: true, message: 'Usage: cipher store --content "finding text" [--type finding|ioc|ttp|note]' };
+  }
   const { CipherMemory, MemoryEntry, MemoryType } = await import('../memory/index.js');
   const memory = new CipherMemory(defaultMemoryDir());
   try {
-    const typeStr = args.type || 'note';
+    const typeStr = getFlagArg(args, 'type', '--type', 'note');
     const entry = new MemoryEntry({
-      content: args.content || '',
+      content,
       memoryType: Object.values(MemoryType).includes(typeStr) ? typeStr : MemoryType.NOTE,
-      severity: args.severity || '',
-      engagementId: args.engagement || '',
-      tags: Array.isArray(args.tags)
-        ? args.tags
-        : (typeof args.tags === 'string' && args.tags ? args.tags.split(',') : []),
+      severity: getFlagArg(args, 'severity', '--severity', ''),
+      engagementId: getFlagArg(args, 'engagement', '--engagement', ''),
+      tags: [],
     });
     const entryId = memory.store(entry);
     debug(`store: id=${entryId} type=${typeStr}`);
@@ -173,7 +208,7 @@ export async function handleStats(args = {}) {
           } catch { return false; }
         }).length;
         // Count script files recursively
-        scriptCount = countFiles(sDir, '*.py', 'scripts');
+        scriptCount = countFiles(sDir, '*.js', 'scripts');
       } catch {
         // Skills dir unreadable
       }
@@ -199,13 +234,14 @@ export async function handleStats(args = {}) {
  * @returns {Promise<object>}
  */
 export async function handleScore(args = {}) {
+  const query = getFlagArg(args, 'query', '--query', '');
+  const response = getFlagArg(args, 'response', '--response', '');
+  if (!query || !response) {
+    return { error: true, message: 'Usage: cipher score --query "question" --response "answer"' };
+  }
   const { ResponseScorer } = await import('../memory/index.js');
   const scorer = new ResponseScorer();
-  const scored = scorer.score(
-    args.query || '',
-    args.response || '',
-    args.mode || '',
-  );
+  const scored = scorer.score(query, response, getFlagArg(args, 'mode', '--mode', ''));
   debug(`score: ${scored.score}`);
   return {
     score: scored.score,
@@ -249,9 +285,12 @@ export async function handleMemoryExport(args = {}) {
  * @returns {Promise<object>}
  */
 export async function handleMemoryImport(args = {}) {
-  const file = args.file;
-  if (!file || !existsSync(file)) {
-    return { error: true, message: `File not found: ${file || '(none)'}` };
+  const file = getArg(args, 'file');
+  if (!file) {
+    return { error: true, message: 'Usage: cipher memory-import <file.json>\n\nImport findings, IOCs, and notes from a previously exported JSON file.' };
+  }
+  if (!existsSync(file)) {
+    return { error: true, message: `File not found: ${file}` };
   }
   const { CipherMemory, MemoryEntry } = await import('../memory/index.js');
   const memory = new CipherMemory(defaultMemoryDir());
@@ -283,9 +322,11 @@ export async function handleIngest(args = {}) {
   const { CipherMemory } = await import('../memory/index.js');
   const memory = new CipherMemory(defaultMemoryDir());
   try {
+    // Rebuild FTS5 index to fix stale/corrupt indexes
+    memory.symbolic.db.exec("INSERT INTO entries_fts(entries_fts) VALUES('rebuild')");
     const stats = memory.consolidate();
-    debug('ingest: consolidation complete');
-    return { ingested: true, ...stats };
+    debug('ingest: FTS rebuild + consolidation complete');
+    return { ingested: true, fts_rebuilt: true, ...stats };
   } finally {
     memory.close();
   }
@@ -346,10 +387,13 @@ export async function handleStatus(args = {}) {
  * @returns {Promise<object>}
  */
 export async function handleDiff(args = {}) {
+  let diffText = getArg(args, 'file');
+  if (!diffText) {
+    return { error: true, message: 'Usage: cipher diff <file.patch>\n       cat changes.diff | cipher diff -' };
+  }
   const { SecurityDiffAnalyzer } = await import('../pipeline/index.js');
   const analyzer = new SecurityDiffAnalyzer();
 
-  let diffText = args.file || '';
   // If it looks like a file path (no newlines, exists on disk), read it
   if (diffText && !diffText.includes('\n') && existsSync(diffText)) {
     diffText = readFileSync(diffText, 'utf-8');
@@ -393,11 +437,14 @@ export async function handleWorkflow(args = {}) {
  * @returns {Promise<object>}
  */
 export async function handleSarif(args = {}) {
-  const { SarifReport } = await import('../pipeline/index.js');
-  const input = args.input;
-  if (!input || !existsSync(input)) {
-    return { error: true, message: `Input file not found: ${input || '(none)'}` };
+  const input = getArg(args, 'input');
+  if (!input) {
+    return { error: true, message: 'Usage: cipher sarif <scan-results.json> [--output results.sarif]\n\nConvert scan findings to SARIF v2.1.0 for GitHub Advanced Security / CI pipelines.' };
+  }
+  if (!existsSync(input)) {
+    return { error: true, message: `File not found: ${input}` };
   }
+  const { SarifReport } = await import('../pipeline/index.js');
 
   const data = JSON.parse(readFileSync(input, 'utf-8'));
   const report = new SarifReport();
@@ -423,10 +470,13 @@ export async function handleSarif(args = {}) {
  * @returns {Promise<object>}
  */
 export async function handleOsint(args = {}) {
+  const target = getArg(args, 'target');
+  if (!target) {
+    return { error: true, message: 'Usage: cipher osint <domain|ip> [--type domain|ip]' };
+  }
   const { OSINTPipeline } = await import('../pipeline/index.js');
   const pipeline = new OSINTPipeline();
-  const target = args.target || '';
-  const type = args.type || 'domain';
+  const type = getFlagArg(args, 'type', '--type', 'domain');
 
   const results = type === 'ip'
     ? pipeline.investigateIp(target)
@@ -493,12 +543,12 @@ export async function handleDomains(args = {}) {
  */
 export async function handleSkills(args = {}) {
   const sDir = skillsDir();
-  const query = (args.query || '').toLowerCase();
-  const limit = args.limit || 10;
+  const query = getArg(args, 'query').toLowerCase();
+  const limit = parseInt(getFlagArg(args, 'limit', '--limit', 10), 10);
   const results = [];
 
   if (!existsSync(sDir)) {
-    return { query: args.query || '', count: 0, results: [] };
+    return { query, count: 0, results: [] };
   }
 
   // Walk skills dir looking for SKILL.md files
@@ -526,7 +576,7 @@ export async function handleSkills(args = {}) {
 
   walk(sDir, '');
   debug(`skills: "${query}" → ${results.length} results`);
-  return { query: args.query || '', count: results.length, results };
+  return { query, count: results.length, results };
 }
 
 // ---------------------------------------------------------------------------
@@ -684,40 +734,128 @@ export async function handleQuery(args = {}) {
  * @returns {Promise<object>}
  */
 export async function handleLeaderboard(args = {}) {
-  return {
-    error: true,
-    message: 'Leaderboard requires autonomous framework (available after S04). Use Python bridge: cipher leaderboard --bridge',
-  };
+  try {
+    const { SkillLeaderboard } = await import('../autonomous/leaderboard.js');
+    const lb = new SkillLeaderboard();
+    const action = Array.isArray(args) ? args[0] : args.action;
+
+    if (action === 'dashboard') {
+      const dashboard = lb.getDashboard();
+      lb.close();
+      return dashboard;
+    }
+
+    const top = lb.getTopSkills(20);
+    lb.close();
+    return {
+      top_skills: top.map((e, i) => ({
+        rank: i + 1,
+        skill: e.skillPath,
+        score: e.avgScore,
+        invocations: e.invocationCount,
+      })),
+      total: top.length,
+    };
+  } catch (err) {
+    return { error: true, message: `Leaderboard error: ${err.message}` };
+  }
 }
 
 /**
  * @returns {Promise<object>}
  */
 export async function handleFeedback(args = {}) {
-  return {
-    error: true,
-    message: 'Feedback loop requires autonomous framework (available after S04). Use Python bridge: cipher feedback --bridge',
-  };
+  try {
+    const { SkillQualityAnalyzer } = await import('../autonomous/feedback-loop.js');
+    const analyzer = new SkillQualityAnalyzer(skillsDir());
+    const dryRun = Array.isArray(args) ? args.includes('--dry-run') : args.dryRun;
+    const maxSkills = Array.isArray(args)
+      ? parseInt(args.find((a, i) => args[i - 1] === '--max') || '10', 10)
+      : args.max || 10;
+
+    // Analyze skills quality
+    const results = [];
+    const { readdirSync } = await import('node:fs');
+    const sDir = skillsDir();
+    for (const domain of readdirSync(sDir).slice(0, maxSkills)) {
+      try {
+        const analysis = analyzer.analyzeSkill(domain);
+        if (analysis.needsImprovement) {
+          results.push({ skill: domain, quality: analysis.overallQuality, issues: analysis.issues.length });
+        }
+      } catch { /* skip */ }
+    }
+
+    return {
+      analyzed: maxSkills,
+      needs_improvement: results.length,
+      dry_run: !!dryRun,
+      candidates: results,
+    };
+  } catch (err) {
+    return { error: true, message: `Feedback error: ${err.message}` };
+  }
 }
 
 /**
  * @returns {Promise<object>}
  */
 export async function handleMarketplace(args = {}) {
-  return {
-    error: true,
-    message: 'Marketplace requires api/marketplace module (available after S05). Use Python bridge: cipher marketplace --bridge',
-  };
+  try {
+    const { SkillMarketplace } = await import('../api/marketplace.js');
+    const mp = new SkillMarketplace();
+    const action = Array.isArray(args) ? args[0] : args.action;
+
+    if (action === 'search') {
+      const query = Array.isArray(args) ? args.find((a, i) => args[i - 1] === '--query') || args[1] || '' : args.query || '';
+      const results = mp.search(query);
+      mp.close();
+      return { query, results: results.map(p => ({ name: p.name, domain: p.domain, rating: p.rating, downloads: p.downloads })), total: results.length };
+    }
+
+    const index = mp.getIndex();
+    mp.close();
+    return index;
+  } catch (err) {
+    return { error: true, message: `Marketplace error: ${err.message}` };
+  }
 }
 
 /**
  * @returns {Promise<object>}
  */
 export async function handleCompliance(args = {}) {
-  return {
-    error: true,
-    message: 'Compliance requires api/compliance module (available after S05). Use Python bridge: cipher compliance --bridge',
-  };
+  try {
+    const { ComplianceEngine, ComplianceFramework } = await import('../api/compliance.js');
+    const engine = new ComplianceEngine();
+    const framework = Array.isArray(args) ? args[0] : args.framework;
+
+    if (!framework) {
+      return {
+        available_frameworks: Object.keys(ComplianceFramework),
+        total: Object.keys(ComplianceFramework).length,
+        usage: 'cipher compliance <FRAMEWORK> [--format json|markdown|csv]',
+      };
+    }
+
+    const fw = framework.toUpperCase();
+    if (!ComplianceFramework[fw]) {
+      return { error: true, message: `Unknown framework: ${framework}. Available: ${Object.keys(ComplianceFramework).join(', ')}` };
+    }
+
+    const format = Array.isArray(args) ? (args.find((a, i) => args[i - 1] === '--format') || 'json') : (args.format || 'json');
+    const report = engine.assessFromFindings([], fw);
+
+    if (format === 'markdown') {
+      return { output: report.toMarkdown() };
+    } else if (format === 'csv') {
+      return { output: engine.exportCsv(report) };
+    }
+
+    return report.toDict();
+  } catch (err) {
+    return { error: true, message: `Compliance error: ${err.message}` };
+  }
 }
 
 // ---------------------------------------------------------------------------
@@ -795,12 +933,15 @@ export async function handleScan(args = {}) {
 // ---------------------------------------------------------------------------
 
 export async function handleDashboard() {
-  return {
-    output: JSON.stringify({
-      status: 'info',
-      message: 'Dashboard TUI is not yet available in Node.js mode. Use `cipher status` for system status or `cipher api` for the REST API.',
-    }, null, 2),
-  };
+  const brand = await import('../brand.js');
+  brand.header('Dashboard');
+  brand.divider();
+  brand.info('Dashboard TUI is not yet available.');
+  brand.info('Use: cipher status    \u2014 system status');
+  brand.info('Use: cipher doctor    \u2014 health check');
+  brand.info('Use: cipher api       \u2014 REST API server');
+  brand.divider();
+  return {};
 }
 
 // ---------------------------------------------------------------------------
@@ -808,12 +949,13 @@ export async function handleDashboard() {
 // ---------------------------------------------------------------------------
 
 export async function handleWeb(args = {}) {
-  return {
-    output: JSON.stringify({
-      status: 'info',
-      message: 'The web interface has been consolidated into `cipher api`. Use `cipher api --no-auth --port 8443` to start the REST API server.',
-    }, null, 2),
-  };
+  const brand = await import('../brand.js');
+  brand.header('Web Interface');
+  brand.divider();
+  brand.info('The web interface has been consolidated into the API server.');
+  brand.info('Use: cipher api --no-auth --port 8443');
+  brand.divider();
+  return {};
 }
 
 // ---------------------------------------------------------------------------

package/lib/gateway/index.js

@@ -59,4 +59,9 @@ export {
   handleFeedback,
   handleMarketplace,
   handleCompliance,
+  handleScan,
+  handleDashboard,
+  handleWeb,
+  handleSetupSignal,
+  handleUpdate,
 } from './commands.js';

package/lib/gateway/prompt.js

@@ -25,7 +25,7 @@ const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 
 /**
- * Walk up from startDir looking for pyproject.toml or package.json.
+ * Walk up from startDir looking for cli/ directory or package.json.
  * Returns the directory or null.
  *
  * @param {string} startDir
@@ -35,15 +35,15 @@ function findRepoRoot(startDir) {
   let current = resolve(startDir);
   for (let i = 0; i < 20; i++) {
     if (
-      existsSync(join(current, 'pyproject.toml')) ||
+      existsSync(join(current, 'cli')) ||
       existsSync(join(current, 'package.json'))
     ) {
       // Check for knowledge/ dir to distinguish from cli/package.json
       if (existsSync(join(current, 'knowledge')) || existsSync(join(current, 'skills'))) {
         return current;
       }
-      // If it has pyproject.toml, it's the repo root
-      if (existsSync(join(current, 'pyproject.toml'))) {
+      // If it has cli/, it is the repo root
+      if (existsSync(join(current, 'cli'))) {
         return current;
       }
     }

package/lib/mcp/server.js

@@ -10,6 +10,16 @@
  */
 
 import { createInterface } from 'node:readline';
+import { readFileSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const _version = (() => {
+  try {
+    return JSON.parse(readFileSync(join(__dirname, '..', '..', 'package.json'), 'utf-8')).version;
+  } catch { return 'unknown'; }
+})();
 
 /**
  * MCP tool definitions — schema registry for all 14 tools.
@@ -205,7 +215,7 @@ export class CipherMCPServer {
         result: {
           protocolVersion: '2024-11-05',
           capabilities: { tools: {} },
-          serverInfo: { name: 'cipher-mcp', version: '4.4.1' },
+          serverInfo: { name: 'cipher-mcp', version: _version },
         },
       };
     }

package/lib/memory/compressor.js

@@ -305,7 +305,7 @@ class SemanticCompressor {
    * @private
    */
   async _llmCompress(window, entities) {
-    // TODO: S03 LLM integration — call this.llmClient with extraction prompt
+    // LLM-based extraction not implemented — returns heuristic results
     // For now, fall back to heuristic compression
     return this._heuristicCompress(window, entities);
   }

package/lib/memory/engine.js

@@ -481,22 +481,26 @@ class CipherMemory {
   search(query, filters = {}, limit = DEFAULT_TOP_K) {
     const resultLists = [];
 
-    // Layer 1: Lexical search (BM25)
+    // Layer 1: Lexical search (BM25) — always run when query is provided
     const lexicalResults = this.symbolic.searchLexical(query, limit * 2);
     if (lexicalResults.length > 0) {
       resultLists.push(lexicalResults.map((r) => r.entry_id));
     }
 
-    // Layer 2: Symbolic search (structured)
-    const symbolicResults = this.symbolic.searchSymbolic({
-      engagementId: filters.engagementId ?? '',
-      memoryType: filters.memoryType ?? '',
-      severity: filters.severity ?? '',
-      mitreTechnique: filters.mitreTechnique ?? '',
-      limit: limit * 2,
-    });
-    if (symbolicResults.length > 0) {
-      resultLists.push(symbolicResults.map((r) => r.entry_id));
+    // Layer 2: Symbolic search (structured) — only when filters are provided
+    // Without filters, symbolic returns ALL entries which drowns out lexical ranking
+    const hasFilters = !!(filters.engagementId || filters.memoryType || filters.severity || filters.mitreTechnique);
+    if (hasFilters) {
+      const symbolicResults = this.symbolic.searchSymbolic({
+        engagementId: filters.engagementId ?? '',
+        memoryType: filters.memoryType ?? '',
+        severity: filters.severity ?? '',
+        mitreTechnique: filters.mitreTechnique ?? '',
+        limit: limit * 2,
+      });
+      if (symbolicResults.length > 0) {
+        resultLists.push(symbolicResults.map((r) => r.entry_id));
+      }
     }
 
     // Fuse with RRF

package/lib/pipeline/github-actions.js

@@ -678,9 +678,9 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with: { fetch-depth: 0 }
-      - uses: actions/setup-python@v5
-        with: { python-version: "3.12" }
-      - run: pip install cipher-security
+      - uses: actions/setup-node@v5
+        with: { node-version: "22" }
+      - run: npm install -g cipher-security
       - name: Run PR Security Review
         env:
           GITHUB_TOKEN: \${{ secrets.GITHUB_TOKEN }}
@@ -722,9 +722,9 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/setup-python@v5
-      with: { python-version: "3.12" }
-    - { shell: bash, run: "pip install cipher-security" }
+    - uses: actions/setup-node@v5
+      with: { node-version: "22" }
+    - { shell: bash, run: "npm install -g cipher-security" }
     - name: Run Security Review
       shell: bash
       env:

package/lib/setup-wizard.js

@@ -251,16 +251,7 @@ export async function runSetupWizard() {
     // ── Write config ──────────────────────────────────────────────────
     const configPath = writeConfig(config);
 
-    // Also write to project root if pyproject.toml exists (dual-write like Python)
-    const { projectConfig } = getConfigPaths();
-    const projectRoot = join(projectConfig, '..');
-    if (existsSync(join(projectRoot, 'pyproject.toml')) && projectConfig !== configPath) {
-      try {
-        writeConfig(config, projectConfig);
-      } catch {
-        // Non-fatal — user config was already written
-      }
-    }
+
 
     // ── Completion summary ────────────────────────────────────────────
     const summaryLines = [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cipher-security",
-  "version": "2.0.2",
+  "version": "2.0.4",
   "description": "CIPHER — AI Security Engineering Platform CLI",
   "type": "module",
   "engines": {

package/lib/complexity.js

@@ -1,377 +0,0 @@
-// Copyright (c) 2026 defconxt. All rights reserved.
-// Licensed under AGPL-3.0 — see LICENSE file for details.
-// CIPHER is a trademark of defconxt.
-
-/**
- * Smart routing complexity classifier for CIPHER CLI.
- *
- * Evaluates multiple heuristic signals to determine query complexity and
- * route to the appropriate backend (Ollama for simple/moderate, Claude for
- * complex/expert).
- *
- * Ported from src/gateway/complexity.py — all keyword dictionaries, regex
- * patterns, score thresholds, and scoring logic are identical.
- *
- * @example
- * import { classify, routeBackend, classifyAndRoute, COMPLEXITY } from './complexity.js';
- *
- * const level = classify("design a zero trust architecture for AWS");
- * const backend = routeBackend(level); // "claude"
- *
- * const [lvl, be] = classifyAndRoute("what port does SSH use");
- * // lvl === 1 (SIMPLE), be === "ollama"
- */
-
-// ---------------------------------------------------------------------------
-// Complexity enum
-// ---------------------------------------------------------------------------
-
-/** Query complexity levels, ordered by increasing difficulty. */
-export const COMPLEXITY = Object.freeze({
-  SIMPLE: 1,   // Factual lookups, single-concept questions → Ollama
-  MODERATE: 2, // Multi-part but bounded questions → Ollama
-  COMPLEX: 3,  // Deep reasoning, threat models, architecture → Claude
-  EXPERT: 4,   // Cross-domain, multi-framework, advanced analysis → Claude
-});
-
-const _NAMES = Object.freeze({
-  [COMPLEXITY.SIMPLE]: 'SIMPLE',
-  [COMPLEXITY.MODERATE]: 'MODERATE',
-  [COMPLEXITY.COMPLEX]: 'COMPLEX',
-  [COMPLEXITY.EXPERT]: 'EXPERT',
-});
-
-/**
- * Reverse lookup: complexity level integer → human-readable name.
- * @param {number} level
- * @returns {string}
- */
-export function nameOf(level) {
-  return _NAMES[level] ?? 'UNKNOWN';
-}
-
-// ---------------------------------------------------------------------------
-// Tunable weights — adjust these to change routing sensitivity
-// ---------------------------------------------------------------------------
-
-/** Points thresholds for each complexity level. */
-export const THRESHOLDS = Object.freeze({
-  moderate: 3,  // >= 3 points → MODERATE
-  complex: 6,   // >= 6 points → COMPLEX
-  expert: 10,   // >= 10 points → EXPERT
-});
-
-/** Message length breakpoints (characters) and their point values. */
-export const LENGTH_SCORES = Object.freeze([
-  [500, 4], // Very long queries are likely complex
-  [300, 3], // Long queries
-  [150, 2], // Medium queries
-  [80, 1],  // Short but not trivial
-]);
-
-// ---------------------------------------------------------------------------
-// Keyword sets — each match adds the specified points
-// ---------------------------------------------------------------------------
-
-/** Simple indicators (negative points — pull toward Ollama). */
-export const SIMPLE_KEYWORDS = Object.freeze({
-  'what is': -2,
-  'what are': -1,
-  'what does': -2,
-  'what port': -3,
-  'which port': -3,
-  'default port': -3,
-  'how to install': -2,
-  'how to start': -2,
-  'how to run': -2,
-  'syntax for': -2,
-  'command for': -2,
-  'define ': -2,
-  'definition of': -2,
-  'meaning of': -2,
-  'example of': -1,
-  'list of': -1,
-  'difference between': -1,
-});
-
-/** Domain complexity indicators (positive points — push toward Claude). */
-export const COMPLEX_KEYWORDS = Object.freeze({
-  // Architecture & design
-  'threat model': 4,
-  'architecture': 3,
-  'design': 2,
-  'zero trust': 3,
-  'blast radius': 3,
-  'compensating control': 3,
-  'defense in depth': 2,
-  'security architecture': 4,
-  'data flow diagram': 3,
-  'trust boundary': 3,
-  // Risk & compliance
-  'dpia': 4,
-  'risk assessment': 4,
-  'risk analysis': 3,
-  'compliance mapping': 4,
-  'gap analysis': 3,
-  'maturity assessment': 3,
-  'audit finding': 3,
-  'control mapping': 3,
-  // Analysis & reasoning
-  'analyze': 2,
-  'analyse': 2,
-  'evaluate': 2,
-  'compare and contrast': 3,
-  'trade-off': 2,
-  'tradeoff': 2,
-  'pros and cons': 2,
-  'impact analysis': 3,
-  'root cause': 3,
-  // Offensive / red team
-  'attack chain': 4,
-  'attack path': 3,
-  'kill chain': 3,
-  'exploitation chain': 4,
-  'lateral movement': 2,
-  'privilege escalation': 2,
-  'privesc': 2,
-  'post-exploitation': 3,
-  'evasion technique': 3,
-  'bypass': 1,
-  // Incident response
-  'incident analysis': 4,
-  'incident': 2,
-  'forensic analysis': 4,
-  'forensic': 2,
-  'timeline reconstruction': 4,
-  'indicator of compromise': 2,
-  'ioc': 1,
-  'beacon': 2,
-  'cobalt strike': 3,
-  'mimikatz': 2,
-  'dcsync': 3,
-  'triage': 2,
-  'containment strategy': 3,
-  'eradication plan': 3,
-  'breach': 2,
-  'malware analysis': 3,
-  'reverse engineer': 3,
-  // Detection engineering
-  'detection logic': 3,
-  'sigma rule': 2,
-  'detection coverage': 3,
-  'false positive': 2,
-  'detection gap': 3,
-  'correlation rule': 3,
-  'hunting hypothesis': 3,
-  // Multi-step / planning
-  'strategy': 2,
-  'roadmap': 3,
-  'implementation plan': 3,
-  'step by step': 1,
-  'runbook': 2,
-  'playbook': 2,
-  'workflow': 1,
-});
-
-/** Framework references — signal expert-level queries. */
-export const FRAMEWORK_KEYWORDS = Object.freeze({
-  'nist': 2,
-  'nist 800-53': 3,
-  'nist 800-171': 3,
-  'nist csf': 3,
-  'mitre att&ck': 3,
-  'mitre attack': 3,
-  'stride': 3,
-  'pasta': 3,
-  'dread': 3,
-  'owasp': 2,
-  'owasp top 10': 2,
-  'cis controls': 2,
-  'cis benchmark': 2,
-  'iso 27001': 3,
-  'iso 27002': 3,
-  'soc 2': 2,
-  'pci dss': 3,
-  'hipaa': 2,
-  'gdpr': 2,
-  'ccpa': 2,
-  'fedramp': 3,
-  'cmmc': 3,
-  'cve-': 1,
-  'cwe-': 1,
-});
-
-// ---------------------------------------------------------------------------
-// Structural patterns — regex-based signals
-// ---------------------------------------------------------------------------
-
-/** Multi-part query indicators (each match adds points). */
-export const STRUCTURE_PATTERNS = Object.freeze([
-  // Conjunctions joining distinct requests
-  [/\b(?:and also|and then|additionally|furthermore|moreover)\b/, 2],
-  // Numbered lists in the query
-  [/(?:^|\n)\s*\d+[.)]\s/, 2],
-  // Conditional logic
-  [/\bif\s+.+\bthen\b/, 2],
-  [/\bwhat if\b/, 2],
-  [/\bassuming\b/, 1],
-  [/\bgiven that\b/, 1],
-  // Comparison requests
-  [/\bvs\.?\b/, 1],
-  [/\bversus\b/, 1],
-  [/\bcompare\b/, 2],
-  // Scope amplifiers
-  [/\b(?:comprehensive|exhaustive|thorough|detailed|in-depth|end-to-end)\b/, 2],
-  [/\b(?:enterprise|organization-wide|company-wide|across all)\b/, 2],
-  // Multiple question marks (multiple questions)
-  [/\?.*\?/, 2],
-]);
-
-/** Count of "and" conjunctions — many ands suggest multi-part queries. */
-export const AND_CONJUNCTION_THRESHOLD = 3;
-export const AND_CONJUNCTION_POINTS = 2;
-
-// ---------------------------------------------------------------------------
-// Scoring functions
-// ---------------------------------------------------------------------------
-
-/**
- * Score based on message length.
- * @param {string} message
- * @returns {number}
- */
-export function scoreLength(message) {
-  const length = message.length;
-  for (const [threshold, points] of LENGTH_SCORES) {
-    if (length >= threshold) {
-      return points;
-    }
-  }
-  return 0;
-}
-
-/**
- * Score based on keyword presence. Returns sum of matched keyword points.
- * @param {string} lower — lowercased message
- * @param {Record<string, number>} keywordSet
- * @returns {number}
- */
-export function scoreKeywords(lower, keywordSet) {
-  let total = 0;
-  for (const [keyword, points] of Object.entries(keywordSet)) {
-    if (lower.includes(keyword)) {
-      total += points;
-    }
-  }
-  return total;
-}
-
-/**
- * Score based on query structure patterns.
- * @param {string} lower — lowercased message
- * @returns {number}
- */
-export function scoreStructure(lower) {
-  let total = 0;
-  for (const [pattern, points] of STRUCTURE_PATTERNS) {
-    if (pattern.test(lower)) {
-      total += points;
-    }
-  }
-
-  // Count "and" conjunctions
-  const andMatches = lower.match(/\band\b/g);
-  const andCount = andMatches ? andMatches.length : 0;
-  if (andCount > AND_CONJUNCTION_THRESHOLD) {
-    total += AND_CONJUNCTION_POINTS;
-  }
-
-  return total;
-}
-
-/**
- * Bonus points when multiple frameworks are referenced.
- * @param {string} lower — lowercased message
- * @returns {number}
- */
-export function scoreFrameworkDensity(lower) {
-  let matches = 0;
-  let totalPoints = 0;
-  for (const [keyword, points] of Object.entries(FRAMEWORK_KEYWORDS)) {
-    if (lower.includes(keyword)) {
-      matches += 1;
-      totalPoints += points;
-    }
-  }
-
-  // Bonus for cross-framework queries (referencing 3+ frameworks)
-  if (matches >= 3) {
-    totalPoints += 3;
-  }
-
-  return totalPoints;
-}
-
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-
-/**
- * Classify a query's complexity based on multiple heuristic signals.
- * @param {string} message — The user's query string.
- * @returns {number} Complexity level (1=SIMPLE, 2=MODERATE, 3=COMPLEX, 4=EXPERT).
- */
-export function classify(message) {
-  const lower = message.toLowerCase();
-
-  let score = 0;
-  score += scoreLength(message);
-  score += scoreKeywords(lower, SIMPLE_KEYWORDS);
-  score += scoreKeywords(lower, COMPLEX_KEYWORDS);
-  score += scoreStructure(lower);
-  score += scoreFrameworkDensity(lower);
-
-  // Floor at 0 — negative scores are still SIMPLE
-  score = Math.max(score, 0);
-
-  if (score >= THRESHOLDS.expert) {
-    return COMPLEXITY.EXPERT;
-  }
-  if (score >= THRESHOLDS.complex) {
-    return COMPLEXITY.COMPLEX;
-  }
-  if (score >= THRESHOLDS.moderate) {
-    return COMPLEXITY.MODERATE;
-  }
-  return COMPLEXITY.SIMPLE;
-}
-
-/**
- * Map a complexity level to a backend name.
- *
- * COMPLEX and EXPERT → "claude", SIMPLE and MODERATE → "ollama".
- * The "litellm" backend is user-configured, not auto-routed.
- *
- * @param {number} level — The classified complexity level.
- * @returns {string} Backend string: "ollama" or "claude".
- */
-export function routeBackend(level) {
-  if (level >= COMPLEXITY.COMPLEX) {
-    return 'claude';
-  }
-  return 'ollama';
-}
-
-/**
- * Classify a message and return both the complexity level and backend.
- *
- * Convenience function combining classify() and routeBackend().
- *
- * @param {string} message — The user's query string.
- * @returns {[number, string]} Tuple of [complexity level, backend name].
- */
-export function classifyAndRoute(message) {
-  const level = classify(message);
-  const backend = routeBackend(level);
-  return [level, backend];
-}