cipher-security 2.0.8 → 2.2.0

package/lib/mcp/server.js

@@ -5,7 +5,7 @@
  * CIPHER MCP Server — Full security platform over Model Context Protocol.
  *
  * Exposes CIPHER's complete capability stack as MCP tools via JSON-RPC over stdio.
- * 14 tools: memory (store, search, context, consolidate, stats), pipeline (scan, crawl,
+ * 18 tools: memory (store, search, context, consolidate, stats), pipeline (scan, crawl,
  * full_scan, analyze_diff, detect_secrets), evolution (score, evolve), skills (search, domains).
  */
 
@@ -191,6 +191,123 @@ export const MCP_TOOLS = {
     description: 'List all CIPHER skill domains and technique counts.',
     inputSchema: { type: 'object', properties: {} },
   },
+  cipher_compliance: {
+    description: 'Run a compliance check against a specific framework (SOC2, HIPAA, PCI-DSS, ISO27001, NIST-CSF, etc.). Returns a structured compliance report with control assessments.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        framework: { type: 'string', description: 'Compliance framework name (e.g., SOC2, HIPAA, PCI-DSS, ISO27001, NIST-CSF, GDPR)' },
+      },
+      required: ['framework'],
+    },
+  },
+  cipher_compliance_frameworks: {
+    description: 'List all available compliance frameworks supported by CIPHER.',
+    inputSchema: { type: 'object', properties: {} },
+  },
+  cipher_osint: {
+    description: 'Run an OSINT investigation on a target (domain, IP, email, or username). Returns intelligence results including DNS, WHOIS, certificates, and more.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        target: { type: 'string', description: 'Investigation target (domain, IP, email, or username)' },
+        type: { type: 'string', description: 'Investigation type: domain, ip, username, email, url. Auto-detected if omitted.' },
+      },
+      required: ['target'],
+    },
+  },
+  cipher_leaderboard: {
+    description: 'Get skill effectiveness metrics — top performing skills, domain rankings, and score distributions.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        action: { type: 'string', description: 'Action: dashboard (overview), top (top skills), domain (domain stats). Default: dashboard.' },
+        limit: { type: 'integer', default: 10, description: 'Number of results to return' },
+      },
+    },
+  },
+  cipher_code_review: {
+    description: 'Multi-layer code review engine — runs 3 parallel analysis layers (Blind Hunter: pattern-based vuln detection, Edge Case Hunter: boundary/failure analysis, Acceptance Auditor: security architecture review) with triage and deduplication. Returns unified findings with severity, CWE, remediation.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        input: { type: 'string', description: 'File path, directory path, or raw code string to review.' },
+        language: { type: 'string', description: 'Override language detection (javascript, typescript, python, etc.).' },
+        minSeverity: { type: 'string', enum: ['critical', 'high', 'medium', 'low', 'info'], description: 'Filter findings at or above this severity level.' },
+        format: { type: 'string', enum: ['text', 'json'], default: 'text', description: 'Output format: text (formatted report) or json (structured).' },
+      },
+      required: ['input'],
+    },
+  },
+  cipher_analyze: {
+    description: 'Cross-artifact consistency analyzer — scans CIPHER commands, agents, skills, knowledge docs, and CLAUDE.md for stale references, orphan artifacts, mode mismatches, coverage gaps, and structural issues.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        root: { type: 'string', description: 'Path to CIPHER repo root (auto-detected if omitted).' },
+        format: { type: 'string', enum: ['text', 'json'], default: 'text', description: 'Output format.' },
+      },
+    },
+  },
+  cipher_panel: {
+    description: 'Expert panel security assessment — 3 simulated expert personas (Red Team, Blue Team, Architect) independently review code, then findings are synthesized into consensus with conflict highlighting.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        input: { type: 'string', description: 'File path, directory path, or raw code string to review.' },
+        language: { type: 'string', description: 'Override language detection.' },
+        format: { type: 'string', enum: ['text', 'json'], default: 'text', description: 'Output format.' },
+      },
+      required: ['input'],
+    },
+  },
+  cipher_guardrail: {
+    description: 'Guardrail tripwire system — tests text against input/output guardrails for prompt injection, scope violations, dangerous commands, and data leaks.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        text: { type: 'string', description: 'Text to test against guardrails.' },
+        format: { type: 'string', enum: ['text', 'json'], default: 'text', description: 'Output format.' },
+      },
+      required: ['text'],
+    },
+  },
+  cipher_chain: {
+    description: 'Run a multi-mode agent chain (e.g. RED→PURPLE→BLUE). Each mode runs sequentially with filtered context passing.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        modes: { type: 'array', items: { type: 'string' }, description: 'Ordered list of mode names to execute (e.g. ["red", "purple", "blue"])' },
+        task: { type: 'string', description: 'Task description for the chain' },
+        backend: { type: 'string', description: 'Optional LLM backend override (ollama, claude, litellm)' },
+      },
+      required: ['modes', 'task'],
+    },
+  },
+  cipher_council: {
+    description: 'Multi-model consensus evaluation. Runs N parallel evaluations, cross-ranks, and synthesizes a consensus. Use --dry-run for cost estimate only.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        task: { type: 'string', description: 'Task to evaluate via council consensus' },
+        members: { type: 'integer', default: 3, description: 'Number of council members (default 3)' },
+        dryRun: { type: 'boolean', default: false, description: 'Return cost estimate only without running' },
+        backend: { type: 'string', description: 'Optional LLM backend override' },
+      },
+      required: ['task'],
+    },
+  },
+  cipher_resume: {
+    description: 'List or resume interrupted autonomous sessions. Use action "list" to see recent sessions, or provide a sessionId to resume.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        action: { type: 'string', enum: ['list', 'resume', 'details'], description: 'Action: list sessions, resume a session, or get session details' },
+        sessionId: { type: 'string', description: 'Session ID to resume or inspect (required for resume/details)' },
+      },
+      required: ['action'],
+    },
+  },
 };
 
 /**
@@ -366,8 +483,11 @@ export class CipherMCPServer {
         case 'cipher_evolve': {
           const { SkillEvolver } = await import('../memory/index.js');
           const evolver = new SkillEvolver();
-          const result = evolver.recordOutcome(params.skill_path, params.success, params.score || 0);
-          return text({ skill: params.skill_path, evolved: true, ...result });
+          // SkillEvolver.shouldEvolve checks if evolution is warranted;
+          // SkillEvolver.evolve generates new skills from failure patterns.
+          // For the MCP tool, we just record the signal — actual evolution
+          // happens through the feedback loop pipeline.
+          return text({ skill: params.skill_path, success: params.success, score: params.score || 0, recorded: true });
         }
 
         // ── Skills tools ────────────────────────────────────────────
@@ -419,6 +539,232 @@ export class CipherMCPServer {
           return text({ domains: domainMap, total_domains: Object.keys(domainMap).length, total_techniques: total });
         }
 
+        // ── Compliance tools ────────────────────────────────────────
+        case 'cipher_compliance': {
+          const { ComplianceEngine, ComplianceFramework } = await import('../api/compliance.js');
+          const engine = new ComplianceEngine();
+          const framework = params.framework;
+          if (!framework) return mcpError('framework parameter is required');
+          const fw = framework.toUpperCase();
+          if (!ComplianceFramework[fw]) {
+            return mcpError(`Unknown framework: ${framework}. Available: ${Object.keys(ComplianceFramework).join(', ')}`);
+          }
+          try {
+            const report = engine.assessFromFindings([], fw);
+            const dict = report.toDict();
+            return text(dict);
+          } catch (err) {
+            return mcpError(`Compliance assessment failed: ${err.message}`);
+          }
+        }
+
+        case 'cipher_compliance_frameworks': {
+          const { ComplianceFramework } = await import('../api/compliance.js');
+          const frameworks = Object.keys(ComplianceFramework);
+          return text({ frameworks, count: frameworks.length });
+        }
+
+        // ── OSINT tools ─────────────────────────────────────────────
+        case 'cipher_osint': {
+          const { OSINTPipeline } = await import('../pipeline/index.js');
+          const pipeline = new OSINTPipeline();
+          const target = params.target;
+          if (!target) return mcpError('target parameter is required');
+          const invType = params.type || 'domain';
+          try {
+            const result = await pipeline.investigate(target, { type: invType });
+            return text({
+              target,
+              type: invType,
+              results: Array.isArray(result) ? result.map(r => typeof r.toDict === 'function' ? r.toDict() : r) : result,
+            });
+          } catch (err) {
+            return mcpError(`OSINT investigation failed: ${err.message}`);
+          }
+        }
+
+        // ── Leaderboard tools ───────────────────────────────────────
+        case 'cipher_leaderboard': {
+          const { handleLeaderboard } = await import('../gateway/commands.js');
+          const action = params.action || 'dashboard';
+          try {
+            const result = await handleLeaderboard({ action, limit: params.limit || 10 });
+            return text(result);
+          } catch (err) {
+            return mcpError(`Leaderboard query failed: ${err.message}`);
+          }
+        }
+
+        case 'cipher_code_review': {
+          const { createReviewEngine } = await import('../review/engine.js');
+          try {
+            const engine = await createReviewEngine();
+            const result = await engine.review(params.input, {
+              language: params.language,
+              minSeverity: params.minSeverity,
+            });
+            if (params.format === 'json') {
+              return text(JSON.stringify(result.toJSON(), null, 2));
+            }
+            return text(result.toReport());
+          } catch (err) {
+            return mcpError(`Code review failed: ${err.message}`);
+          }
+        }
+
+        case 'cipher_analyze': {
+          const { ConsistencyAnalyzer } = await import('../analyze/consistency.js');
+          try {
+            const analyzer = new ConsistencyAnalyzer(params.root || undefined);
+            const result = analyzer.analyze();
+            if (params.format === 'json') {
+              return text(JSON.stringify(result.toJSON(), null, 2));
+            }
+            return text(result.toReport());
+          } catch (err) {
+            return mcpError(`Consistency analysis failed: ${err.message}`);
+          }
+        }
+
+        case 'cipher_panel': {
+          const { panelReview } = await import('../review/panel.js');
+          try {
+            const result = await panelReview(params.input, {
+              language: params.language,
+            });
+            if (params.format === 'json') {
+              return text(JSON.stringify(result.toJSON(), null, 2));
+            }
+            return text(result.toReport());
+          } catch (err) {
+            return mcpError(`Panel review failed: ${err.message}`);
+          }
+        }
+
+        case 'cipher_guardrail': {
+          const { createGuardrailEngine } = await import('../guardrails/engine.js');
+          try {
+            const engine = createGuardrailEngine();
+            const results = await engine.audit(params.text);
+            if (params.format === 'json') {
+              return text(JSON.stringify({
+                tripped: results.length > 0,
+                tripwires: results.map((r) => ({
+                  guardrail: r.guardrail,
+                  type: r.type,
+                  severity: r.severity,
+                  reason: r.reason,
+                  action: r.action,
+                })),
+              }, null, 2));
+            }
+            if (results.length === 0) return text('✓ No guardrails tripped.');
+            return text(results.map((r) =>
+              `[${r.severity.toUpperCase()}] ${r.guardrail}: ${r.reason}`
+            ).join('\n'));
+          } catch (err) {
+            return mcpError(`Guardrail check failed: ${err.message}`);
+          }
+        }
+
+        case 'cipher_chain': {
+          try {
+            const { initModes, availableModes } = await import('../autonomous/runner.js');
+            const { runChain } = await import('../autonomous/handoff.js');
+            await initModes();
+
+            const modes = (params.modes || []).map(m => m.toUpperCase());
+            const available = new Set(availableModes());
+            for (const mode of modes) {
+              if (!available.has(mode)) {
+                return mcpError(`Unknown mode: '${mode}'. Available: ${[...available].sort().join(', ')}`);
+              }
+            }
+            if (!params.task) return mcpError('Missing required parameter: task');
+
+            const result = await runChain(modes, { task: params.task, user_message: params.task }, {
+              backend: params.backend || null,
+            });
+
+            return text({
+              modes: result.modesExecuted,
+              results: result.results.map(r => ({
+                mode: r.mode,
+                outputText: (r.outputText || '').slice(0, 1000),
+                error: r.error,
+                tokensIn: r.tokensIn,
+                tokensOut: r.tokensOut,
+              })),
+              events: result.events.map(e => ({
+                source: e.sourceMode,
+                target: e.targetMode,
+                status: e.status,
+                timestamp: e.timestamp,
+              })),
+              totalDurationS: result.totalDurationS,
+              totalTokensIn: result.totalTokensIn,
+              totalTokensOut: result.totalTokensOut,
+              error: result.error,
+            });
+          } catch (err) {
+            return mcpError(`Chain failed: ${err.message}`);
+          }
+        }
+
+        case 'cipher_council': {
+          try {
+            const { runCouncil } = await import('../execution/council.js');
+            if (!params.task) return mcpError('Missing required parameter: task');
+
+            const result = await runCouncil(params.task, {
+              members: params.members || 3,
+              backend: params.backend || null,
+              dryRun: params.dryRun || false,
+            });
+
+            return text({
+              task: result.task,
+              memberCount: result.memberCount,
+              synthesis: result.synthesis,
+              confidence: result.confidence,
+              responses: result.responses.map(r => ({
+                memberId: r.memberId,
+                response: (r.response || '').slice(0, 500),
+                error: r.error,
+              })),
+              totalTokensIn: result.totalTokensIn,
+              totalTokensOut: result.totalTokensOut,
+              totalDurationS: result.totalDurationS,
+              estimatedCostUSD: result.estimatedCostUSD,
+              error: result.error,
+            });
+          } catch (err) {
+            return mcpError(`Council failed: ${err.message}`);
+          }
+        }
+
+        case 'cipher_resume': {
+          try {
+            const { listSessions, loadSession } = await import('../session/logger.js');
+
+            if (params.action === 'list') {
+              const sessions = listSessions({ limit: 20 });
+              return text({ sessions });
+            }
+
+            if (params.action === 'details' || params.action === 'resume') {
+              if (!params.sessionId) return mcpError('Missing required parameter: sessionId');
+              const session = loadSession(params.sessionId);
+              if (!session) return mcpError(`Session not found: ${params.sessionId}`);
+              return text(session.metadata);
+            }
+
+            return mcpError(`Unknown action: ${params.action}. Use: list, resume, details`);
+          } catch (err) {
+            return mcpError(`Resume failed: ${err.message}`);
+          }
+        }
+
         default:
           return mcpError(`Unknown tool: ${toolName}`);
       }

package/lib/memory/compressor.js

@@ -11,7 +11,7 @@
  * - Security-specific entity extraction (IPs, CVEs, MITRE ATT&CK, tools)
  * - Information density gating (skip low-information exchanges)
  * - Heuristic compression (always works, no LLM required)
- * - LLM compression (stubbed — S03 provides the LLM client)
+ * - LLM compression (Anthropic/OpenAI SDK — falls back to heuristic on error)
  *
  * Ported from Python memory/core/compressor.py.
  */
@@ -230,7 +230,7 @@ const _STOP_WORDS = new Set([
  * Processes dialogue windows through:
  * 1. Density gating — filter low-info turns
  * 2. Entity extraction — security-specific pattern matching
- * 3. LLM compression (stubbed) or heuristic extraction
+ * 3. LLM compression (when llmClient provided) or heuristic extraction
  * 4. Atomic entry creation — self-contained memory units
  */
 class SemanticCompressor {
@@ -300,14 +300,101 @@ class SemanticCompressor {
   }
 
   /**
-   * LLM compression — stubbed for S03 integration.
-   * Falls back to heuristic compression.
+   * LLM-powered compression — sends dialogue to LLM for structured extraction.
+   * Falls back to heuristic compression on error.
    * @private
    */
   async _llmCompress(window, entities) {
-    // LLM-based extraction not implemented — returns heuristic results
-    // For now, fall back to heuristic compression
-    return this._heuristicCompress(window, entities);
+    const dialogueText = window.map((t) => `[${t.role}] ${t.content}`).join('\n');
+    const extractionPrompt = this._buildExtractionPrompt(dialogueText, entities);
+
+    const systemPrompt = [
+      'You are a security engagement memory compressor. Extract atomic, self-contained memory entries from the dialogue.',
+      'Each entry must be a complete statement that can be understood without the original dialogue.',
+      '',
+      'Return a JSON array of entries. Each entry has:',
+      '- "restatement": string — lossless restatement of the finding/fact (1-3 sentences)',
+      '- "type": string — one of: finding, ioc, ttp, note, recommendation',
+      '- "confidence": string — one of: confirmed, inferred, uncertain',
+      '- "severity": string — one of: critical, high, medium, low, info, or empty',
+      '- "keywords": string[] — 3-8 content keywords for retrieval',
+      '- "topic": string — brief topic label (2-5 words)',
+      '',
+      'Rules:',
+      '- Extract ONLY security-relevant information. Skip greetings, confirmations, meta-discussion.',
+      '- Each entry must stand alone — include target, context, and detail.',
+      '- Prefer specific facts over vague summaries.',
+      '- If the dialogue contains no security-relevant information, return an empty array [].',
+      '',
+      'Respond with ONLY the JSON array, no markdown fencing, no explanation.',
+    ].join('\n');
+
+    try {
+      let responseText;
+
+      if (this.llmClient.messages?.create) {
+        // Anthropic SDK
+        const response = await this.llmClient.messages.create({
+          model: this.model,
+          max_tokens: 2048,
+          system: systemPrompt,
+          messages: [{ role: 'user', content: extractionPrompt }],
+        });
+        responseText = response.content?.[0]?.text || '[]';
+      } else if (this.llmClient.chat?.completions?.create) {
+        // OpenAI SDK (Ollama, OpenAI, etc.)
+        const response = await this.llmClient.chat.completions.create({
+          model: this.model,
+          max_tokens: 2048,
+          messages: [
+            { role: 'system', content: systemPrompt },
+            { role: 'user', content: extractionPrompt },
+          ],
+        });
+        responseText = response.choices?.[0]?.message?.content || '[]';
+      } else {
+        // Unknown client shape — fall back
+        return this._heuristicCompress(window, entities);
+      }
+
+      // Parse LLM response
+      const cleaned = responseText.replace(/^```(?:json)?\s*/m, '').replace(/\s*```\s*$/m, '').trim();
+      const parsed = JSON.parse(cleaned);
+
+      if (!Array.isArray(parsed) || parsed.length === 0) {
+        return this._heuristicCompress(window, entities);
+      }
+
+      // Convert to CompressedEntry objects
+      const entries = [];
+      const turnIds = window.map(t => t.turnId);
+      for (const item of parsed) {
+        if (!item.restatement || typeof item.restatement !== 'string') continue;
+
+        const validTypes = ['finding', 'ioc', 'ttp', 'note', 'recommendation'];
+        const validConfidence = ['confirmed', 'inferred', 'uncertain'];
+
+        entries.push(new CompressedEntry({
+          losslessRestatement: item.restatement,
+          memoryType: validTypes.includes(item.type) ? item.type : 'note',
+          confidence: validConfidence.includes(item.confidence) ? item.confidence : 'confirmed',
+          severity: item.severity || '',
+          keywords: Array.isArray(item.keywords) ? item.keywords.slice(0, 10) : [],
+          topic: item.topic || '',
+          sourceTurns: turnIds,
+          timestamp: window[0]?.timestamp || new Date().toISOString(),
+        }));
+      }
+
+      return entries.length > 0 ? entries : this._heuristicCompress(window, entities);
+    } catch (err) {
+      // LLM error — fall back to heuristic silently
+      const debug = process.env.CIPHER_DEBUG === '1'
+        ? (msg) => process.stderr.write(`[compressor] ${msg}\n`)
+        : () => {};
+      debug(`LLM compression failed: ${err.message}, falling back to heuristic`);
+      return this._heuristicCompress(window, entities);
+    }
   }
 
   /**