cipher-security 5.0.0 → 5.2.0

package/bin/cipher.js

@@ -23,60 +23,81 @@ import { spawn } from 'node:child_process';
 // ---------------------------------------------------------------------------
 
 const args = process.argv.slice(2);
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const pkg = JSON.parse(readFileSync(resolve(__dirname, '..', 'package.json'), 'utf8'));
 
 if (args[0] === '--version' || args[0] === '-V') {
-  const __dirname = dirname(fileURLToPath(import.meta.url));
-  const pkg = JSON.parse(readFileSync(resolve(__dirname, '..', 'package.json'), 'utf8'));
   console.log(pkg.version);
   process.exit(0);
 }
 
 if (args[0] === '--help' || args[0] === '-h') {
-  console.log(`CIPHER — AI Security Engineering Platform
-
-Usage: cipher [command] [options]
-       cipher <query>          Freeform security query
-
-Commands:
-  query             Run a security query
-  ingest            Ingest security data
-  status            Show system status
-  doctor            Diagnose installation health
-  setup             Run setup wizard
-  setup-signal      Configure Signal integration
-  dashboard         Open the dashboard
-  web               Start the web interface
-  version           Print version information
-  plugin            Manage plugins
-  scan              Run a security scan
-  search            Search security data
-  store             Manage data stores
-  diff              Compare security states
-  workflow          Manage workflows
-  stats             Show statistics
-  domains           Manage domains
-  skills            Manage skills
-  score             Show security score
-  marketplace       Browse marketplace
-  compliance        Run compliance checks
-  leaderboard       Show leaderboard
-  feedback          Submit feedback
-  memory-export     Export memory
-  memory-import     Import memory
-  sarif             SARIF report tools
-  osint             OSINT intelligence tools
-  bot               Manage bot integrations
-  mcp               MCP server tools
-  api               API management
-
-Options:
+  const CYN = '\x1b[36m';
+  const B = '\x1b[1m';
+  const D = '\x1b[2m';
+  const R = '\x1b[0m';
+  const GRN = '\x1b[32m';
+
+  console.log(`${CYN}${B}
+   ██████╗██╗██████╗ ██╗  ██╗███████╗██████╗
+  ██╔════╝██║██╔══██╗██║  ██║██╔════╝██╔══██╗
+  ██║     ██║██████╔╝███████║█████╗  ██████╔╝
+  ██║     ██║██╔═══╝ ██╔══██║██╔══╝  ██╔══██╗
+  ╚██████╗██║██║     ██║  ██║███████╗██║  ██║
+   ╚═════╝╚═╝╚═╝     ╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝${R}
+  ${D}Claude Integrated Privacy & Hardening Expert Resource${R}  ${D}v${pkg.version}${R}
+
+${B}Usage:${R} cipher [command] [options]
+       cipher <query>          ${D}Freeform security query${R}
+
+${B}Commands:${R}
+  ${GRN}query${R}             Run a security query
+  ${GRN}scan${R}              Run a security scan
+  ${GRN}compliance${R}        Run compliance checks (39 frameworks)
+  ${GRN}search${R}            Search security data
+  ${GRN}osint${R}             OSINT intelligence tools
+  ${GRN}diff${R}              Analyze git diff for security issues
+  ${GRN}sarif${R}             SARIF report tools
+
+  ${GRN}status${R}            Show system status
+  ${GRN}doctor${R}            Diagnose installation health
+  ${GRN}version${R}           Print version information
+  ${GRN}setup${R}             Run setup wizard
+  ${GRN}update${R}            Update CIPHER to latest version
+
+  ${GRN}domains${R}           List skill domains
+  ${GRN}skills${R}            Search skills
+  ${GRN}store${R}             Store findings in memory
+  ${GRN}stats${R}             Show statistics
+  ${GRN}leaderboard${R}       Skill effectiveness metrics
+  ${GRN}marketplace${R}       Browse skill marketplace
+
+  ${GRN}api${R}               Start REST API server
+  ${GRN}mcp${R}               Start MCP server (stdio)
+  ${GRN}bot${R}               Start Signal bot
+
+  ${GRN}workflow${R}           Generate CI/CD security workflow
+  ${GRN}memory-export${R}     Export memory to JSON
+  ${GRN}memory-import${R}     Import memory from JSON
+  ${GRN}feedback${R}          Run skill improvement loop
+  ${GRN}ingest${R}            Re-index knowledge base
+  ${GRN}plugin${R}            Manage plugins
+  ${GRN}setup-signal${R}      Configure Signal integration
+  ${GRN}score${R}             Score response quality
+  ${GRN}dashboard${R}         System dashboard
+  ${GRN}web${R}               Web interface (use cipher api)
+
+${B}Options:${R}
   --version, -V     Print version and exit
   --help, -h        Print this help and exit
+  --autonomous      Run in autonomous mode (cipher blue --autonomous "task")
+  --backend         Override LLM backend (ollama, claude, litellm)
+  --no-stream       Disable streaming output
 
-Environment:
+${B}Environment:${R}
   CIPHER_DEBUG=1    Enable verbose debug logging
 
-Documentation: https://github.com/defconxt/CIPHER`);
+${D}Documentation: https://github.com/defconxt/CIPHER${R}`);
   process.exit(0);
 }
 
@@ -179,7 +200,7 @@ const knownCommands = new Set([
   // Pipeline
   'scan', 'search', 'store', 'diff', 'workflow', 'stats', 'domains',
   'skills', 'score', 'marketplace', 'compliance', 'leaderboard',
-  'feedback', 'memory-export', 'memory-import', 'sarif', 'osint',
+  'feedback', 'memory-export', 'memory-import', 'sarif', 'osint', 'update',
   // Services
   'bot', 'mcp', 'api',
 ]);
@@ -242,7 +263,7 @@ function parseCommand(argv) {
  *
  * @param {*} result - Bridge command result
  */
-function formatBridgeResult(result) {
+async function formatBridgeResult(result, commandName = '') {
   if (result === null || result === undefined) {
     return;
   }
@@ -255,12 +276,51 @@ function formatBridgeResult(result) {
   if (typeof result === 'object') {
     // Error result — print to stderr and exit with error code
     if (result.error === true) {
-      if (result.output) {
+      if (result.message) {
+        process.stderr.write(result.message + '\n');
+      } else if (result.output) {
         process.stderr.write(result.output + '\n');
       }
       process.exit(result.exit_code || 1);
     }
 
+    // Branded output for specific commands
+    if (commandName === 'version' && result.version) {
+      const { formatVersion } = await import('../lib/brand.js');
+      process.stderr.write(formatVersion(result.version) + '\n');
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+
+    if (commandName === 'doctor' && result.checks) {
+      const { header, formatDoctorChecks, divider, success, warn } = await import('../lib/brand.js');
+      header('Health Check');
+      divider();
+      process.stderr.write(formatDoctorChecks(result.checks) + '\n');
+      divider();
+      if (result.healthy) {
+        success(`All checks passed (${result.summary})`);
+      } else {
+        warn(result.summary);
+      }
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+
+    if (commandName === 'status' && result.status) {
+      const { header, status: statusDot, divider } = await import('../lib/brand.js');
+      header('Status');
+      divider();
+      statusDot('Backend', result.backend ? 'ok' : 'warn', result.backend || 'not configured');
+      statusDot('Config', result.config?.valid ? 'ok' : 'fail', result.config?.valid ? 'valid' : 'invalid or missing');
+      if (result.memory) {
+        statusDot('Memory', 'ok', `${result.memory.total} entries (${result.memory.active} active)`);
+      }
+      divider();
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+
     // Text-mode result — print output directly (pre-formatted from CliRunner)
     if ('output' in result) {
       if (result.output) {
@@ -272,8 +332,10 @@ function formatBridgeResult(result) {
       return;
     }
 
-    // Structured JSON result — pretty-print
-    console.log(JSON.stringify(result, null, 2));
+    // Structured JSON result — pretty-print (skip empty objects from branded commands)
+    if (Object.keys(result).length > 0) {
+      console.log(JSON.stringify(result, null, 2));
+    }
     return;
   }
 
@@ -404,11 +466,28 @@ if (mode === 'native') {
       mcp.startStdio();
     // ── Bot command: Signal bot ──────────────────────────────────────────
     } else if (command === 'bot') {
+      const { banner, header, info, warn, divider } = await import('../lib/brand.js');
+      const svc = commandArgs.find((a, i) => commandArgs[i - 1] === '--service') || process.env.SIGNAL_SERVICE || '';
+      const phone = commandArgs.find((a, i) => commandArgs[i - 1] === '--phone') || process.env.SIGNAL_PHONE_NUMBER || '';
+
+      banner(pkg.version);
+      header('Signal Bot');
+
+      if (!svc || !phone) {
+        divider();
+        warn('Signal is not configured.');
+        info('Run: cipher setup-signal');
+        divider();
+        process.exit(1);
+      }
+
+      info(`Service: ${svc}`);
+      info(`Phone:   ${phone}`);
+      divider();
+      info('Starting bot...');
+
       const { runBot } = await import('../lib/bot/bot.js');
-      runBot({
-        signalService: commandArgs.find((a, i) => commandArgs[i - 1] === '--service') || '',
-        phoneNumber: commandArgs.find((a, i) => commandArgs[i - 1] === '--phone') || '',
-      });
+      runBot({ signalService: svc, phoneNumber: phone });
     // ── Query command: streaming via Gateway or non-streaming via handler ──
     } else if (command === 'query') {
       const queryText = commandArgs.filter(a => !a.startsWith('-')).join(' ');
@@ -417,7 +496,7 @@ if (mode === 'native') {
         // --no-stream: use handleQuery for non-streaming response
         const { handleQuery } = await import('../lib/gateway/commands.js');
         const result = await handleQuery({ message: queryText });
-        formatBridgeResult(result);
+        await formatBridgeResult(result, command);
       } else {
         // Streaming path — Gateway.sendStream() → async iterator → stdout
         const { Gateway } = await import('../lib/gateway/gateway.js');
@@ -451,7 +530,7 @@ if (mode === 'native') {
         process.stderr.write(result.message + '\n');
         process.exit(result.exit_code || 1);
       } else {
-        formatBridgeResult(result);
+        await formatBridgeResult(result, command);
       }
     }
   } catch (err) {

package/lib/brand.js

@@ -0,0 +1,105 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+
+/**
+ * CIPHER branding — ASCII art, status indicators, formatted output.
+ */
+
+// ANSI colors
+const R = '\x1b[0m';     // reset
+const B = '\x1b[1m';     // bold
+const D = '\x1b[2m';     // dim
+const RED = '\x1b[31m';
+const GRN = '\x1b[32m';
+const YLW = '\x1b[33m';
+const BLU = '\x1b[34m';
+const MAG = '\x1b[35m';
+const CYN = '\x1b[36m';
+
+const LOGO = `${CYN}${B}
+   ██████╗██╗██████╗ ██╗  ██╗███████╗██████╗
+  ██╔════╝██║██╔══██╗██║  ██║██╔════╝██╔══██╗
+  ██║     ██║██████╔╝███████║█████╗  ██████╔╝
+  ██║     ██║██╔═══╝ ██╔══██║██╔══╝  ██╔══██╗
+  ╚██████╗██║██║     ██║  ██║███████╗██║  ██║
+   ╚═════╝╚═╝╚═╝     ╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝${R}`;
+
+const LOGO_SMALL = `${CYN}${B}▸ CIPHER${R}`;
+
+/** Status indicator dots */
+export const dot = {
+  ok:   `${GRN}●${R}`,
+  warn: `${YLW}●${R}`,
+  fail: `${RED}●${R}`,
+  info: `${BLU}●${R}`,
+  skip: `${D}○${R}`,
+};
+
+/** Print the full ASCII banner with version */
+export function banner(version = '') {
+  const ver = version ? `${D}v${version}${R}` : '';
+  process.stderr.write(`${LOGO}\n  ${D}Claude Integrated Privacy & Hardening Expert Resource${R}  ${ver}\n\n`);
+}
+
+/** Print a compact one-line header */
+export function header(text, version = '') {
+  const ver = version ? ` ${D}v${version}${R}` : '';
+  process.stderr.write(`${LOGO_SMALL}${ver} ${D}—${R} ${text}\n`);
+}
+
+/** Print a status line with colored dot */
+export function status(name, state, detail = '') {
+  const d = dot[state] || dot.info;
+  const detailStr = detail ? ` ${D}${detail}${R}` : '';
+  process.stderr.write(`  ${d} ${name}${detailStr}\n`);
+}
+
+/** Print a section divider */
+export function divider() {
+  process.stderr.write(`${D}${'─'.repeat(50)}${R}\n`);
+}
+
+/** Print a success message */
+export function success(msg) {
+  process.stderr.write(`  ${GRN}✔${R} ${msg}\n`);
+}
+
+/** Print a warning message */
+export function warn(msg) {
+  process.stderr.write(`  ${YLW}⚠${R} ${msg}\n`);
+}
+
+/** Print an error message */
+export function error(msg) {
+  process.stderr.write(`  ${RED}✖${R} ${msg}\n`);
+}
+
+/** Print an info message */
+export function info(msg) {
+  process.stderr.write(`  ${BLU}ℹ${R} ${msg}\n`);
+}
+
+/**
+ * Format doctor checks with status dots.
+ * @param {object[]} checks - Array of {name, status, detail}
+ * @returns {string} Formatted output for terminal
+ */
+export function formatDoctorChecks(checks) {
+  const lines = [];
+  for (const c of checks) {
+    const state = c.status === 'ok' ? 'ok' : c.status === 'optional' ? 'skip' : c.status === 'missing' ? 'fail' : 'warn';
+    const d = dot[state];
+    lines.push(`  ${d} ${B}${c.name}${R}  ${D}${c.detail}${R}`);
+  }
+  return lines.join('\n');
+}
+
+/**
+ * Format version output.
+ * @param {string} version
+ */
+export function formatVersion(version) {
+  return `${LOGO_SMALL} ${B}${version}${R}`;
+}
+
+export { LOGO, LOGO_SMALL, R, B, D, RED, GRN, YLW, BLU, MAG, CYN };

package/lib/commands.js

@@ -44,6 +44,7 @@ export const COMMAND_MODES = {
   'memory-import': { mode: 'native',      description: 'Import memory' },
   sarif:           { mode: 'native',      description: 'SARIF report tools' },
   osint:           { mode: 'native',      description: 'OSINT intelligence tools' },
+  update:          { mode: 'native',      description: 'Update CIPHER to latest version' },
 
   // ── Passthrough commands (direct Python spawn, full terminal) ──────────
   // These were Python-dependent — now ported to Node.js.

package/lib/gateway/commands.js

@@ -821,10 +821,64 @@ export async function handleWeb(args = {}) {
 // ---------------------------------------------------------------------------
 
 export async function handleSetupSignal() {
-  return {
-    output: JSON.stringify({
-      status: 'info',
-      message: 'Signal setup: Set SIGNAL_SERVICE, SIGNAL_PHONE_NUMBER, and SIGNAL_WHITELIST environment variables, then run `cipher bot`.',
-    }, null, 2),
-  };
+  const brand = await import('../brand.js');
+  brand.header('Signal Setup');
+  brand.divider();
+  brand.info('Set the following environment variables:');
+  process.stderr.write('\n');
+  process.stderr.write('  SIGNAL_SERVICE        Signal API service URL\n');
+  process.stderr.write('  SIGNAL_PHONE_NUMBER   Bot phone number (E.164 format)\n');
+  process.stderr.write('  SIGNAL_WHITELIST      Comma-separated allowed numbers\n');
+  process.stderr.write('\n');
+  brand.info('Then run: cipher bot');
+  brand.divider();
+  return {};
+}
+
+// ---------------------------------------------------------------------------
+// Update command — self-update from npm
+// ---------------------------------------------------------------------------
+
+export async function handleUpdate(args = {}) {
+  const { execSync } = await import('node:child_process');
+  const { readFileSync } = await import('node:fs');
+  const { join, dirname } = await import('node:path');
+  const brand = await import('../brand.js');
+
+  const pkgPath = join(dirname(new URL(import.meta.url).pathname), '..', '..', 'package.json');
+  let currentVersion = 'unknown';
+  try {
+    currentVersion = JSON.parse(readFileSync(pkgPath, 'utf8')).version;
+  } catch { /* ignore */ }
+
+  brand.header('Update', currentVersion);
+  brand.info(`Current version: ${currentVersion}`);
+  brand.info('Checking npm for updates...');
+
+  try {
+    const latest = execSync('npm view cipher-security version', {
+      encoding: 'utf-8',
+      timeout: 10000,
+    }).trim();
+
+    if (latest === currentVersion) {
+      brand.success(`Already up to date (${currentVersion})`);
+      return {};
+    }
+
+    brand.warn(`New version available: ${latest}`);
+    brand.info('Installing update...');
+
+    execSync('npm install -g cipher-security@latest', {
+      encoding: 'utf-8',
+      timeout: 60000,
+      stdio: 'inherit',
+    });
+
+    brand.success(`Updated ${currentVersion} → ${latest}`);
+    return {};
+  } catch (err) {
+    brand.error(`Update failed: ${err.message}`);
+    return { error: true, message: `Update failed: ${err.message}` };
+  }
 }

package/lib/setup-wizard.js

@@ -19,7 +19,7 @@
  */
 
 import * as clack from '@clack/prompts';
-import { execFileSync } from 'node:child_process';
+import { execFileSync, execSync } from 'node:child_process';
 import { existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { writeConfig, getConfigPaths } from './config.js';
@@ -96,8 +96,9 @@ export async function runSetupWizard() {
     const provider = await clack.select({
       message: 'Choose your LLM backend',
       options: [
+        { value: 'claude-code', label: 'Claude Code', hint: 'Running inside Claude Code — no API key needed' },
         { value: 'ollama', label: 'Ollama', hint: 'Local inference, free, private (requires GPU)' },
-        { value: 'claude', label: 'Claude API', hint: 'Cloud inference, paid, highest quality' },
+        { value: 'claude', label: 'Claude API', hint: 'Standalone use with Anthropic API key' },
         { value: 'litellm', label: 'LiteLLM', hint: 'Multi-provider (OpenAI, Gemini, llama.cpp, etc.)' },
       ],
     });
@@ -105,8 +106,66 @@ export async function runSetupWizard() {
 
     let config;
 
+    // ── Claude Code path ──────────────────────────────────────────────
+    if (provider === 'claude-code') {
+      // Check if claude CLI is installed and authed
+      let claudeAuthed = false;
+      try {
+        const authJson = execSync('claude auth status', { encoding: 'utf-8', timeout: 5000 });
+        const auth = JSON.parse(authJson);
+        if (auth.loggedIn) {
+          clack.log.success(`Authenticated as ${auth.email} (${auth.subscriptionType})`);
+          claudeAuthed = true;
+        }
+      } catch {
+        // claude CLI not found or not authed
+      }
+
+      if (!claudeAuthed) {
+        clack.log.warn('Claude Code is not authenticated.');
+        clack.log.info('Run this in your terminal to log in:\n\n  claude login\n');
+
+        const proceed = await clack.confirm({
+          message: 'Continue setup anyway? (you can log in later)',
+          initialValue: false,
+        });
+        handleCancel(proceed);
+        if (!proceed) {
+          clack.outro('Run `claude login` first, then `cipher setup` again.');
+          process.exit(0);
+        }
+      }
+
+      clack.log.info(
+        'CIPHER activates automatically via CLAUDE.md inside Claude Code.\n' +
+        'No API key needed — Claude Code provides the LLM.'
+      );
+
+      // Offer Ollama as fallback for standalone use
+      const addOllama = await clack.confirm({
+        message: 'Also configure Ollama for standalone CLI use?',
+        initialValue: true,
+      });
+      handleCancel(addOllama);
+
+      if (addOllama) {
+        const ollamaPath = whichSync('ollama');
+        if (ollamaPath) {
+          clack.log.success(`Ollama found at ${ollamaPath}`);
+        } else {
+          clack.log.info('Ollama not found — install from https://ollama.com/download when ready.');
+        }
+      }
+
+      config = {
+        llm_backend: addOllama ? 'ollama' : 'claude-code',
+        ollama: defaultOllamaSection(),
+        claude: defaultClaudeSection(),
+      };
+    }
+
     // ── Ollama path ────────────────────────────────────────────────────
-    if (provider === 'ollama') {
+    else if (provider === 'ollama') {
       const ollamaPath = whichSync('ollama');
       if (ollamaPath) {
         clack.log.success(`Ollama found at ${ollamaPath}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cipher-security",
-  "version": "5.0.0",
+  "version": "5.2.0",
   "description": "CIPHER — AI Security Engineering Platform CLI",
   "type": "module",
   "engines": {