cipher-security 5.0.0

package/bin/cipher.js

@@ -0,0 +1,465 @@
+#!/usr/bin/env node
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * cipher — CLI entry point for the CIPHER security engineering platform.
+ *
+ * Fast path: --version / -V / --help / -h use only node:fs + node:path
+ * (zero dynamic imports, <200ms cold start).
+ *
+ * Command path: dynamically imports python-bridge.js, spawns the Python
+ * gateway, routes JSON-RPC commands, prints results, and exits.
+ */
+
+import { readFileSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { spawn } from 'node:child_process';
+
+// ---------------------------------------------------------------------------
+// Fast path — no dynamic imports, must complete in <200ms
+// ---------------------------------------------------------------------------
+
+const args = process.argv.slice(2);
+
+if (args[0] === '--version' || args[0] === '-V') {
+  const __dirname = dirname(fileURLToPath(import.meta.url));
+  const pkg = JSON.parse(readFileSync(resolve(__dirname, '..', 'package.json'), 'utf8'));
+  console.log(pkg.version);
+  process.exit(0);
+}
+
+if (args[0] === '--help' || args[0] === '-h') {
+  console.log(`CIPHER — AI Security Engineering Platform
+
+Usage: cipher [command] [options]
+       cipher <query>          Freeform security query
+
+Commands:
+  query             Run a security query
+  ingest            Ingest security data
+  status            Show system status
+  doctor            Diagnose installation health
+  setup             Run setup wizard
+  setup-signal      Configure Signal integration
+  dashboard         Open the dashboard
+  web               Start the web interface
+  version           Print version information
+  plugin            Manage plugins
+  scan              Run a security scan
+  search            Search security data
+  store             Manage data stores
+  diff              Compare security states
+  workflow          Manage workflows
+  stats             Show statistics
+  domains           Manage domains
+  skills            Manage skills
+  score             Show security score
+  marketplace       Browse marketplace
+  compliance        Run compliance checks
+  leaderboard       Show leaderboard
+  feedback          Submit feedback
+  memory-export     Export memory
+  memory-import     Import memory
+  sarif             SARIF report tools
+  osint             OSINT intelligence tools
+  bot               Manage bot integrations
+  mcp               MCP server tools
+  api               API management
+
+Options:
+  --version, -V     Print version and exit
+  --help, -h        Print this help and exit
+
+Environment:
+  CIPHER_DEBUG=1    Enable verbose debug logging
+
+Documentation: https://github.com/defconxt/CIPHER`);
+  process.exit(0);
+}
+
+// ---------------------------------------------------------------------------
+// No arguments: check if config exists → wizard or help
+// ---------------------------------------------------------------------------
+
+if (args.length === 0) {
+  try {
+    const { configExists } = await import('../lib/config.js');
+    if (!configExists()) {
+      const { runSetupWizard } = await import('../lib/setup-wizard.js');
+      await runSetupWizard();
+      process.exit(0);
+    }
+  } catch (err) {
+    console.error(`Setup wizard failed: ${err.message || err}`);
+    process.exit(1);
+  }
+  // Config exists but no command — show help hint
+  console.error('No command specified. Run `cipher --help` for usage.');
+  process.exit(1);
+}
+
+// ---------------------------------------------------------------------------
+// Node.js-native commands — handled before the Python bridge is loaded
+// ---------------------------------------------------------------------------
+
+const nativeCommands = new Set(['setup']);
+
+if (nativeCommands.has(args[0])) {
+  try {
+    const { runSetupWizard } = await import('../lib/setup-wizard.js');
+    await runSetupWizard();
+    process.exit(0);
+  } catch (err) {
+    console.error(`Setup wizard failed: ${err.message || err}`);
+    process.exit(1);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Extract query-specific flags before general command parsing
+// ---------------------------------------------------------------------------
+
+let queryBackendOverride = null;
+let queryNoStream = false;
+let autonomousMode = null;
+
+/** Set of valid autonomous mode names (lowercased). */
+const MODE_NAMES = new Set(['red', 'blue', 'incident', 'purple', 'recon', 'privacy', 'architect']);
+
+/** Clean args with --backend, --no-stream, and --autonomous extracted */
+const cleanedArgs = [];
+for (let i = 0; i < args.length; i++) {
+  if (args[i] === '--backend' && i + 1 < args.length) {
+    queryBackendOverride = args[i + 1];
+    i++; // skip value
+  } else if (args[i] === '--no-stream') {
+    queryNoStream = true;
+  } else if (args[i] === '--autonomous') {
+    // --autonomous flag found — look for a mode name in the remaining args.
+    // The mode name can be adjacent (cipher --autonomous blue "task")
+    // or positional-first (cipher blue --autonomous "task").
+    // We'll collect it after the loop from cleanedArgs.
+    autonomousMode = '__pending__';
+  } else {
+    cleanedArgs.push(args[i]);
+  }
+}
+
+// If --autonomous was found, extract the mode name from cleaned positional args
+if (autonomousMode === '__pending__') {
+  // Check the first positional arg (non-flag) for a mode name
+  const firstPositional = cleanedArgs.find(a => !a.startsWith('-'));
+  if (firstPositional && MODE_NAMES.has(firstPositional.toLowerCase())) {
+    autonomousMode = firstPositional.toLowerCase();
+    // Remove the mode name from cleanedArgs so parseCommand() doesn't see it
+    const idx = cleanedArgs.indexOf(firstPositional);
+    cleanedArgs.splice(idx, 1);
+  } else {
+    console.error(
+      `Error: --autonomous requires a valid mode name.\n` +
+      `Available modes: ${[...MODE_NAMES].sort().join(', ')}\n\n` +
+      `Usage: cipher <mode> --autonomous "task description"\n` +
+      `Example: cipher blue --autonomous "Generate Sigma rules for T1059.001"`
+    );
+    process.exit(1);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Command routing — dynamic imports below this point
+// ---------------------------------------------------------------------------
+
+const knownCommands = new Set([
+  // Gateway
+  'query', 'ingest', 'status', 'doctor', 'setup-signal',
+  'dashboard', 'web', 'version', 'plugin',
+  // Pipeline
+  'scan', 'search', 'store', 'diff', 'workflow', 'stats', 'domains',
+  'skills', 'score', 'marketplace', 'compliance', 'leaderboard',
+  'feedback', 'memory-export', 'memory-import', 'sarif', 'osint',
+  // Services
+  'bot', 'mcp', 'api',
+]);
+
+/**
+ * Parse argv into a command name and remaining args.
+ * First non-flag argument is checked against knownCommands.
+ * If not a known command, treat all non-flag words as a bare query.
+ *
+ * @param {string[]} argv
+ * @returns {{ command: string, commandArgs: string[] }}
+ */
+function parseCommand(argv) {
+  const flags = [];
+  const positional = [];
+
+  for (const arg of argv) {
+    if (arg.startsWith('-')) {
+      flags.push(arg);
+    } else {
+      positional.push(arg);
+    }
+  }
+
+  if (positional.length === 0) {
+    // No positional args — show help
+    console.error('No command specified. Run `cipher --help` for usage.');
+    process.exit(1);
+  }
+
+  const first = positional[0];
+
+  if (knownCommands.has(first)) {
+    return {
+      command: first,
+      commandArgs: [...positional.slice(1), ...flags],
+    };
+  }
+
+  // Bare query — join all positional words as query text
+  return {
+    command: 'query',
+    commandArgs: [...positional, ...flags],
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Bridge result formatter
+// ---------------------------------------------------------------------------
+
+/**
+ * Format and print a bridge command result, then exit if needed.
+ *
+ * Result shapes from bridge.py:
+ *   1. {output, exit_code, error: true} — command error: print output to stderr, exit with code
+ *   2. {output, exit_code}              — text-mode result: print output directly
+ *   3. Plain object (no output field)   — structured JSON: pretty-print as JSON
+ *   4. String                           — legacy: print directly
+ *   5. null/undefined                   — no output
+ *
+ * @param {*} result - Bridge command result
+ */
+function formatBridgeResult(result) {
+  if (result === null || result === undefined) {
+    return;
+  }
+
+  if (typeof result === 'string') {
+    console.log(result);
+    return;
+  }
+
+  if (typeof result === 'object') {
+    // Error result — print to stderr and exit with error code
+    if (result.error === true) {
+      if (result.output) {
+        process.stderr.write(result.output + '\n');
+      }
+      process.exit(result.exit_code || 1);
+    }
+
+    // Text-mode result — print output directly (pre-formatted from CliRunner)
+    if ('output' in result) {
+      if (result.output) {
+        console.log(result.output);
+      }
+      if (result.exit_code && result.exit_code !== 0) {
+        process.exit(result.exit_code);
+      }
+      return;
+    }
+
+    // Structured JSON result — pretty-print
+    console.log(JSON.stringify(result, null, 2));
+    return;
+  }
+
+  // Fallback for unexpected types
+  console.log(String(result));
+}
+
+// ---------------------------------------------------------------------------
+// Dispatch helpers + autonomous/standard routing
+// ---------------------------------------------------------------------------
+
+const { command, commandArgs } = parseCommand(cleanedArgs);
+
+const debug = process.env.CIPHER_DEBUG === '1';
+
+
+// ---------------------------------------------------------------------------
+// Autonomous mode dispatch — bypasses normal command routing entirely
+// ---------------------------------------------------------------------------
+
+if (autonomousMode) {
+  // Build task text from remaining non-flag args
+  const taskText = commandArgs.filter(a => !a.startsWith('-')).join(' ')
+    || (command === 'query' ? commandArgs.join(' ') : '');
+
+  if (debug) {
+    process.stderr.write(
+      `[bridge:node] Autonomous dispatch: mode=${autonomousMode} task="${taskText}"\n`
+    );
+  }
+
+  try {
+    const { runAutonomous } = await import('../lib/autonomous/runner.js');
+    const { parseTaskInput } = await import('../lib/autonomous/task-parser.js');
+
+    const taskInput = parseTaskInput(autonomousMode.toUpperCase(), taskText);
+
+    const result = await runAutonomous(
+      autonomousMode,
+      taskInput,
+      queryBackendOverride,
+    );
+
+    // Format result
+    if (result.error) {
+      process.stderr.write(`Error: ${result.error}\n`);
+      process.exit(1);
+    }
+
+    // Print output
+    if (result.outputText) {
+      process.stdout.write(result.outputText + '\n');
+    }
+
+    // Print validation warnings to stderr
+    if (result.validation && !result.validation.valid) {
+      process.stderr.write('Validation warnings:\n');
+      for (const err of (result.validation.errors || [])) {
+        process.stderr.write(`  - ${err}\n`);
+      }
+    }
+  } catch (err) {
+    const msg = err.message || String(err);
+    process.stderr.write(`Error: ${msg}\n`);
+    process.exit(1);
+  }
+
+  process.exit(0);
+}
+
+// ---------------------------------------------------------------------------
+// Standard dispatch: passthrough vs native
+// ---------------------------------------------------------------------------
+
+const { getCommandMode } = await import('../lib/commands.js');
+const mode = getCommandMode(command);
+
+if (mode === 'native') {
+  // ── Native dispatch — Node.js handler functions (no Python) ────────────
+  if (debug) {
+    process.stderr.write(`[bridge:node] Dispatching command=${command} mode=native\n`);
+  }
+
+  /**
+   * Convert kebab-case command name to handler function name.
+   * 'memory-export' → 'handleMemoryExport'
+   * 'stats' → 'handleStats'
+   *
+   * @param {string} cmd
+   * @returns {string}
+   */
+  function toHandlerName(cmd) {
+    return 'handle' + cmd
+      .split('-')
+      .map(w => w[0].toUpperCase() + w.slice(1))
+      .join('');
+  }
+
+  try {
+    // ── API server command: long-running HTTP server (no Python) ──────────
+    if (command === 'api') {
+      const { createAPIServer, APIConfig } = await import('../lib/api/server.js');
+      const apiPort = commandArgs.find((a, i) => commandArgs[i - 1] === '--port') || '8443';
+      const apiHost = commandArgs.find((a, i) => commandArgs[i - 1] === '--host') || '127.0.0.1';
+      const noAuth = commandArgs.includes('--no-auth');
+      const cfg = new APIConfig({
+        port: parseInt(apiPort, 10),
+        host: apiHost,
+        requireAuth: !noAuth,
+      });
+      const api = createAPIServer(cfg);
+      const actualPort = await api.start();
+      console.log(`CIPHER API listening on ${cfg.host}:${actualPort}`);
+      // Keep process alive — Ctrl+C to stop
+      process.on('SIGINT', async () => {
+        await api.stop();
+        console.log('\nShutdown complete.');
+        process.exit(0);
+      });
+      process.on('SIGTERM', async () => {
+        await api.stop();
+        process.exit(0);
+      });
+    // ── MCP server command: JSON-RPC over stdio ──────────────────────────
+    } else if (command === 'mcp') {
+      const { CipherMCPServer } = await import('../lib/mcp/server.js');
+      const mcp = new CipherMCPServer();
+      mcp.startStdio();
+    // ── Bot command: Signal bot ──────────────────────────────────────────
+    } else if (command === 'bot') {
+      const { runBot } = await import('../lib/bot/bot.js');
+      runBot({
+        signalService: commandArgs.find((a, i) => commandArgs[i - 1] === '--service') || '',
+        phoneNumber: commandArgs.find((a, i) => commandArgs[i - 1] === '--phone') || '',
+      });
+    // ── Query command: streaming via Gateway or non-streaming via handler ──
+    } else if (command === 'query') {
+      const queryText = commandArgs.filter(a => !a.startsWith('-')).join(' ');
+
+      if (queryNoStream) {
+        // --no-stream: use handleQuery for non-streaming response
+        const { handleQuery } = await import('../lib/gateway/commands.js');
+        const result = await handleQuery({ message: queryText });
+        formatBridgeResult(result);
+      } else {
+        // Streaming path — Gateway.sendStream() → async iterator → stdout
+        const { Gateway } = await import('../lib/gateway/gateway.js');
+        const gw = new Gateway({
+          backendOverride: queryBackendOverride || undefined,
+          rag: true,
+        });
+
+        for await (const token of gw.sendStream(queryText)) {
+          process.stdout.write(token);
+        }
+        process.stdout.write('\n');
+      }
+    } else {
+      // ── Non-query native commands ──────────────────────────────────────
+      const handlers = await import('../lib/gateway/commands.js');
+      const handlerName = toHandlerName(command);
+      const handler = handlers[handlerName];
+
+      if (!handler) {
+        console.error(`Unknown native command: ${command}`);
+        process.exit(1);
+      }
+
+      const result = await handler(commandArgs);
+
+      // Native handlers return {error: true, message: "..."} for errors.
+      // formatBridgeResult expects {error: true, output: "...", exit_code: N}.
+      // Bridge the shape difference here.
+      if (result && result.error === true && result.message && !('output' in result)) {
+        process.stderr.write(result.message + '\n');
+        process.exit(result.exit_code || 1);
+      } else {
+        formatBridgeResult(result);
+      }
+    }
+  } catch (err) {
+    console.error(`Error: ${err.message || err}`);
+    process.exit(1);
+  }
+} else {
+  // Unknown command mode — should not happen
+  console.error(`Unknown command: ${command}. Run \`cipher --help\` for usage.`);
+  process.exit(1);
+}