cipher-security 5.0.0

package/lib/autonomous/modes/privacy.js

@@ -0,0 +1,369 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * PRIVACY mode agent — Compliance Assessment.
+ *
+ * Performs autonomous codebase analysis for PII patterns and GDPR triggers.
+ * Ported from autonomous/modes/privacy.py.
+ *
+ * @module autonomous/modes/privacy
+ */
+
+import { ModeAgentConfig, ToolRegistry } from '../framework.js';
+import { DPIAValidator } from '../validators/privacy.js';
+
+// ---------------------------------------------------------------------------
+// PII regex patterns (inline — NOT imported from skills/)
+// ---------------------------------------------------------------------------
+
+/** @type {Object<string, [RegExp, string]>} */
+export const PII_PATTERNS = {
+  ssn: [
+    /\b\d{3}-\d{2}-\d{4}\b/g,
+    'Social Security Number',
+  ],
+  credit_card: [
+    /\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6(?:011|5\d{2}))[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b/g,
+    'Credit Card Number',
+  ],
+  email: [
+    /\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\b/g,
+    'Email Address',
+  ],
+  phone: [
+    /\b(?:\+1[- ]?)?\(?\d{3}\)?[- ]?\d{3}[- ]?\d{4}\b/g,
+    'US Phone Number',
+  ],
+  ip_address: [
+    /\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b/g,
+    'IP Address',
+  ],
+};
+
+// ---------------------------------------------------------------------------
+// WP29 DPIA criteria and trigger keywords
+// ---------------------------------------------------------------------------
+
+export const WP29_CRITERIA = [
+  'Evaluation or scoring (profiling, predicting)',
+  'Automated decision-making with legal/significant effect',
+  'Systematic monitoring (observation, tracking)',
+  'Sensitive data or data of highly personal nature',
+  'Data processed on a large scale',
+  'Matching or combining datasets',
+  'Data concerning vulnerable subjects',
+  'Innovative use of new technology',
+  'Cross-border transfer outside EEA',
+  'Processing prevents exercising data subject rights',
+];
+
+export const TRIGGER_KEYWORDS = {
+  'profiling': 0,
+  'scoring': 0,
+  'automated decision': 1,
+  'systematic monitoring': 2,
+  'surveillance': 2,
+  'health': 3,
+  'biometric': 3,
+  'genetic': 3,
+  'racial': 3,
+  'political': 3,
+  'large-scale': 4,
+  'large scale': 4,
+  'combining': 5,
+  'matching': 5,
+  'children': 6,
+  'employee': 6,
+  'patient': 6,
+  'vulnerable': 6,
+  'innovative': 7,
+  'new technology': 7,
+  'cross-border': 8,
+  'transfer': 8,
+  'prevent': 9,
+  'restrict': 9,
+};
+
+// ---------------------------------------------------------------------------
+// Tool handlers
+// ---------------------------------------------------------------------------
+
+/**
+ * Scan source code content for PII patterns using inline regexes.
+ * @param {*} context
+ * @param {Object} toolInput
+ * @returns {string}
+ */
+export function _privacyScanCodebase(context, toolInput) {
+  const codeContent = toolInput.code_content || '';
+  if (!codeContent) {
+    return "ERROR: 'code_content' parameter is required.";
+  }
+
+  const filename = toolInput.filename || '<unknown>';
+  const findings = [];
+
+  const lines = codeContent.split('\n');
+  for (const [piiType, [pattern, label]] of Object.entries(PII_PATTERNS)) {
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+      const line = lines[lineNum];
+      // Reset regex lastIndex for each line (global flag)
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(line)) !== null) {
+        findings.push({
+          type: piiType,
+          label,
+          line: lineNum + 1,
+          match: match[0],
+        });
+      }
+    }
+  }
+
+  return JSON.stringify({
+    filename,
+    findings,
+    total_findings: findings.length,
+  }, null, 2);
+}
+
+/**
+ * Evaluate WP29 DPIA trigger criteria against a processing description.
+ * @param {*} context
+ * @param {Object} toolInput
+ * @returns {string}
+ */
+export function _privacyAssessDpiaTriggers(context, toolInput) {
+  const description = toolInput.processing_description || '';
+  if (!description) {
+    return "ERROR: 'processing_description' parameter is required.";
+  }
+
+  const descLower = description.toLowerCase();
+  const matchedIndices = new Set();
+
+  for (const [keyword, index] of Object.entries(TRIGGER_KEYWORDS)) {
+    if (descLower.includes(keyword)) {
+      matchedIndices.add(index);
+    }
+  }
+
+  const matchedCriteria = [...matchedIndices].sort((a, b) => a - b).map(i => WP29_CRITERIA[i]);
+  const dpiaRequired = matchedIndices.size >= 2;
+
+  return JSON.stringify({
+    processing_description: description,
+    criteria_matched: matchedCriteria,
+    criteria_count: matchedCriteria.length,
+    dpia_required: dpiaRequired,
+    reasoning: dpiaRequired
+      ? `DPIA required: ${matchedCriteria.length} WP29 criteria matched (threshold: 2)`
+      : `DPIA may not be required: only ${matchedCriteria.length} criteria matched`,
+    article_35_3_triggers: {
+      systematic_profiling: [0, 1].some(i => matchedIndices.has(i)),
+      special_category_large_scale: [3, 4].every(i => matchedIndices.has(i)),
+      systematic_public_monitoring: matchedIndices.has(2) && matchedIndices.has(4),
+    },
+  }, null, 2);
+}
+
+/**
+ * Store a structured JSON DPIA report in context.
+ * @param {*} context
+ * @param {Object} toolInput
+ * @returns {string}
+ */
+export function _privacyWriteDpiaReport(context, toolInput) {
+  const report = toolInput.report || '';
+
+  if (typeof context !== 'object' || context === null) {
+    return 'ERROR: Context must be a dict.';
+  }
+
+  let reportData;
+  if (typeof report === 'string') {
+    try {
+      reportData = JSON.parse(report);
+    } catch {
+      reportData = report;
+    }
+  } else {
+    reportData = report;
+  }
+
+  context.report = reportData;
+  const filename = toolInput.filename || 'dpia_report.json';
+
+  return (
+    `DPIA report stored as ${filename}. ` +
+    `Report is available in context['report'].`
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Tool schemas (Anthropic format)
+// ---------------------------------------------------------------------------
+
+const _PRIVACY_SCAN_CODEBASE_SCHEMA = {
+  name: 'scan_codebase',
+  description:
+    'Scan source code content for PII patterns (SSN, credit card, email, phone, ' +
+    'IP address) using regex matching. Returns findings with type, label, line, match.',
+  input_schema: {
+    type: 'object',
+    properties: {
+      code_content: {
+        type: 'string',
+        description: 'Source code content to scan for PII patterns',
+      },
+      filename: {
+        type: 'string',
+        description: 'Optional filename for attribution in results',
+      },
+    },
+    required: ['code_content'],
+  },
+};
+
+const _PRIVACY_ASSESS_DPIA_TRIGGERS_SCHEMA = {
+  name: 'assess_dpia_triggers',
+  description:
+    'Evaluate a data processing description against WP29 DPIA trigger criteria. ' +
+    'Returns matched criteria, count, DPIA determination, and Article 35(3) triggers.',
+  input_schema: {
+    type: 'object',
+    properties: {
+      processing_description: {
+        type: 'string',
+        description: 'Description of the data processing activity to assess',
+      },
+    },
+    required: ['processing_description'],
+  },
+};
+
+const _PRIVACY_WRITE_DPIA_REPORT_SCHEMA = {
+  name: 'write_dpia_report',
+  description:
+    'Submit the completed DPIA report as JSON with required sections: ' +
+    'processing_description, data_flows, legal_basis, risk_assessment, ' +
+    'mitigations, gdpr_articles, findings.',
+  input_schema: {
+    type: 'object',
+    properties: {
+      report: {
+        type: 'string',
+        description:
+          'Full JSON DPIA report with processing_description, data_flows, ' +
+          'legal_basis, risk_assessment, mitigations, gdpr_articles, findings.',
+      },
+      filename: {
+        type: 'string',
+        description: 'Filename for the report (e.g. dpia_report.json)',
+      },
+    },
+    required: ['report'],
+  },
+};
+
+// ---------------------------------------------------------------------------
+// System prompt template
+// ---------------------------------------------------------------------------
+
+const _PRIVACY_SYSTEM_PROMPT = `\
+You are an expert privacy engineer and GDPR compliance analyst. Your task is \
+to analyze a codebase for data processing activities and produce a structured \
+Data Protection Impact Assessment (DPIA) report.
+
+## Codebase
+Description: {codebase_description}
+Files: {file_listing}
+
+## Instructions
+1. Use \`scan_codebase\` to scan each source file for PII patterns.
+2. Use \`assess_dpia_triggers\` to evaluate WP29 criteria.
+3. Produce a structured JSON DPIA report using \`write_dpia_report\`.
+
+## Rules
+- Cite specific GDPR articles (e.g., Art. 35)
+- Assess all WP29 DPIA trigger criteria systematically
+- Flag any PII found in source code as high-priority findings
+- Document data flows completely
+`;
+
+// ---------------------------------------------------------------------------
+// Output parser (fallback for text-based output)
+// ---------------------------------------------------------------------------
+
+/**
+ * Extract JSON DPIA report from LLM text output.
+ * @param {string} text
+ * @returns {Object}
+ */
+export function _privacyOutputParser(text) {
+  if (!text || !text.trim()) {
+    return { raw_text: text, parse_error: 'empty output' };
+  }
+
+  let matches = [...text.matchAll(/```json\s*\n(.*?)```/gs)].map(m => m[1]);
+  if (matches.length > 0) {
+    const jsonText = matches.join('\n');
+    try { return JSON.parse(jsonText); } catch (e) {
+      return { raw_text: text, parse_error: e.message };
+    }
+  }
+
+  matches = [...text.matchAll(/```\s*\n(.*?)```/gs)].map(m => m[1]);
+  if (matches.length > 0) {
+    const jsonText = matches.join('\n');
+    try { return JSON.parse(jsonText); } catch (e) {
+      return { raw_text: text, parse_error: e.message };
+    }
+  }
+
+  try { return JSON.parse(text); } catch (e) {
+    return { raw_text: text, parse_error: e.message };
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Factory function
+// ---------------------------------------------------------------------------
+
+/**
+ * Build a PRIVACY-mode ModeAgentConfig for compliance assessment.
+ * @returns {ModeAgentConfig}
+ */
+function _makePrivacyConfig() {
+  const reg = new ToolRegistry();
+  reg.register('scan_codebase', _PRIVACY_SCAN_CODEBASE_SCHEMA, _privacyScanCodebase);
+  reg.register('assess_dpia_triggers', _PRIVACY_ASSESS_DPIA_TRIGGERS_SCHEMA, _privacyAssessDpiaTriggers);
+  reg.register('write_dpia_report', _PRIVACY_WRITE_DPIA_REPORT_SCHEMA, _privacyWriteDpiaReport);
+
+  return new ModeAgentConfig({
+    mode: 'PRIVACY',
+    toolRegistry: reg,
+    systemPromptTemplate: _PRIVACY_SYSTEM_PROMPT,
+    validator: new DPIAValidator(),
+    maxTurns: 15,
+    requiresSandbox: false,
+    completionCheck: null,
+    outputParser: _privacyOutputParser,
+    outputFormat: 'json',
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Registration function — called by runner.initModes()
+// ---------------------------------------------------------------------------
+
+/**
+ * Register PRIVACY mode with the given registerMode function.
+ * @param {Function} registerMode
+ */
+export function register(registerMode) {
+  registerMode('PRIVACY', _makePrivacyConfig);
+}

package/lib/autonomous/modes/purple.js

@@ -0,0 +1,294 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * PURPLE mode agent — Emulate + Detect Cycle.
+ *
+ * Orchestrates a two-phase purple team exercise: (1) write an emulation plan,
+ * (2) write a matching Sigma detection rule. Cross-coherence validated.
+ * Ported from autonomous/modes/purple.py.
+ *
+ * @module autonomous/modes/purple
+ */
+
+import { ModeAgentConfig, ToolRegistry } from '../framework.js';
+import { ATTACK_TECHNIQUES } from './blue.js';
+import { PurpleValidator } from '../validators/purple.js';
+
+// ---------------------------------------------------------------------------
+// Tool handlers
+// ---------------------------------------------------------------------------
+
+/**
+ * Look up a MITRE ATT&CK technique by ID.
+ * Thin wrapper around BLUE's ATTACK_TECHNIQUES dict.
+ * @param {*} context
+ * @param {Object} toolInput
+ * @returns {string}
+ */
+export function _purpleLookupTechnique(context, toolInput) {
+  const techniqueId = (toolInput.technique_id || '').toUpperCase();
+  const entry = ATTACK_TECHNIQUES[techniqueId];
+
+  if (!entry) {
+    return (
+      `Technique ${techniqueId} is not in the local lookup table. ` +
+      `Proceed using your own knowledge of this ATT&CK technique. ` +
+      `Available techniques: ${Object.keys(ATTACK_TECHNIQUES).sort().join(', ')}`
+    );
+  }
+
+  const dataSourcesStr = entry.data_sources.map(ds => `  - ${ds}`).join('\n');
+  return (
+    `ATT&CK Technique: ${techniqueId} — ${entry.name}\n` +
+    `Tactic: ${entry.tactic}\n` +
+    `Description: ${entry.description}\n` +
+    `Data Sources:\n${dataSourcesStr}`
+  );
+}
+
+/**
+ * Store an emulation plan JSON in the shared context.
+ * @param {*} context
+ * @param {Object} toolInput
+ * @returns {string}
+ */
+export function _purpleWriteEmulationPlan(context, toolInput) {
+  const content = toolInput.content || '';
+
+  if (typeof context !== 'object' || context === null) {
+    return 'ERROR: Context must be a dict.';
+  }
+
+  let parsed;
+  try {
+    parsed = JSON.parse(content);
+  } catch (e) {
+    return `ERROR: Invalid JSON in emulation plan: ${e.message}`;
+  }
+
+  if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+    return 'ERROR: Emulation plan must be a JSON object (dict).';
+  }
+
+  context.emulation_plan = parsed;
+  const technique = parsed.technique_id || 'unknown';
+  return (
+    `Emulation plan stored for technique ${technique}. ` +
+    `Fields: ${Object.keys(parsed).sort().join(', ')}.`
+  );
+}
+
+/**
+ * Store a Sigma detection rule YAML string in the shared context.
+ * @param {*} context
+ * @param {Object} toolInput
+ * @returns {string}
+ */
+export function _purpleWriteDetectionRule(context, toolInput) {
+  const content = toolInput.content || '';
+  const filename = toolInput.filename || 'detection.yml';
+
+  if (typeof context !== 'object' || context === null) {
+    return 'ERROR: Context must be a dict.';
+  }
+
+  context.detection_rule = { filename, content };
+  return (
+    `Detection rule stored as ${filename}. ` +
+    `Content length: ${content.length} characters.`
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Tool schemas (Anthropic format)
+// ---------------------------------------------------------------------------
+
+const _PURPLE_LOOKUP_TECHNIQUE_SCHEMA = {
+  name: 'lookup_technique',
+  description:
+    'Look up a MITRE ATT&CK technique by its ID (e.g. T1059.001). ' +
+    'Returns technique name, tactic, description, and relevant data ' +
+    'sources to help design emulation plans and detection rules.',
+  input_schema: {
+    type: 'object',
+    properties: {
+      technique_id: {
+        type: 'string',
+        description: 'ATT&CK technique ID (e.g. T1059.001, T1190)',
+      },
+    },
+    required: ['technique_id'],
+  },
+};
+
+const _PURPLE_WRITE_EMULATION_PLAN_SCHEMA = {
+  name: 'write_emulation_plan',
+  description:
+    'Submit a completed emulation plan as a JSON object. Describes how to ' +
+    'execute the ATT&CK technique including prerequisites, steps, artifacts, cleanup.',
+  input_schema: {
+    type: 'object',
+    properties: {
+      content: {
+        type: 'string',
+        description:
+          'Full JSON content of the emulation plan. Must include: technique_id, ' +
+          'technique_name, tactic, prerequisites, emulation_steps, expected_artifacts, cleanup.',
+      },
+    },
+    required: ['content'],
+  },
+};
+
+const _PURPLE_WRITE_DETECTION_RULE_SCHEMA = {
+  name: 'write_detection_rule',
+  description:
+    'Submit a completed Sigma detection rule as YAML. The rule should ' +
+    'detect the activity described in the emulation plan.',
+  input_schema: {
+    type: 'object',
+    properties: {
+      filename: {
+        type: 'string',
+        description: 'Filename for the rule (e.g. detect_powershell_execution.yml)',
+      },
+      content: {
+        type: 'string',
+        description: 'Full YAML content of the Sigma detection rule',
+      },
+    },
+    required: ['content'],
+  },
+};
+
+// ---------------------------------------------------------------------------
+// System prompt template
+// ---------------------------------------------------------------------------
+
+const _PURPLE_SYSTEM_PROMPT = `\
+You are an expert purple team engineer who designs both adversary emulation \
+plans and matching detection rules for MITRE ATT&CK techniques. Your task \
+is to produce a coherent emulate→detect cycle for a specific TTP.
+
+## Task
+Design an emulation plan and a matching Sigma detection rule for TTP: \
+{ttp_id} — {ttp_description}
+
+## Phase 1: Emulation Plan
+1. Use the \`lookup_technique\` tool to retrieve metadata about the target TTP.
+2. Design an emulation plan with prerequisites, steps, artifacts, cleanup.
+3. Submit the plan via \`write_emulation_plan\` as a JSON object with fields:
+   technique_id, technique_name, tactic, prerequisites, emulation_steps,
+   expected_artifacts, cleanup.
+
+## Phase 2: Detection Rule
+4. Design a Sigma detection rule that catches the emulated activity.
+5. Submit the rule via \`write_detection_rule\` as valid Sigma YAML.
+
+## Coherence Requirement
+The detection rule's ATT&CK tags MUST reference the same technique ID as \
+the emulation plan.
+`;
+
+// ---------------------------------------------------------------------------
+// Output parser (fallback for text-based output)
+// ---------------------------------------------------------------------------
+
+/**
+ * Extract emulation plan JSON and Sigma YAML from LLM text output.
+ * @param {string} text
+ * @returns {Object}
+ */
+export function _purpleOutputParser(text) {
+  if (!text || !text.trim()) {
+    return { emulation_plan: null, detection_rule: null };
+  }
+
+  // Extract JSON emulation plan from ```json fences, then bare fences
+  let emulationPlan = null;
+  const jsonMatches = [...text.matchAll(/```json\s*\n(.*?)```/gs)].map(m => m[1]);
+  for (const match of jsonMatches) {
+    try {
+      const parsed = JSON.parse(match.trim());
+      if (typeof parsed === 'object' && parsed !== null && !Array.isArray(parsed)) {
+        emulationPlan = parsed;
+        break;
+      }
+    } catch {
+      continue;
+    }
+  }
+
+  if (emulationPlan === null) {
+    const bareMatches = [...text.matchAll(/```\s*\n(.*?)```/gs)].map(m => m[1]);
+    for (const match of bareMatches) {
+      try {
+        const parsed = JSON.parse(match.trim());
+        if (typeof parsed === 'object' && parsed !== null && !Array.isArray(parsed)) {
+          emulationPlan = parsed;
+          break;
+        }
+      } catch {
+        continue;
+      }
+    }
+  }
+
+  // Extract YAML detection rule from ```yaml fences, then bare fences
+  let detectionRule = null;
+  const yamlMatches = [...text.matchAll(/```ya?ml\s*\n(.*?)```/gs)].map(m => m[1]);
+  if (yamlMatches.length > 0) {
+    detectionRule = yamlMatches.join('\n---\n');
+  } else {
+    const bareMatches = [...text.matchAll(/```\s*\n(.*?)```/gs)].map(m => m[1]);
+    const yamlLike = bareMatches.filter(m =>
+      /^\s*(title|logsource|detection):/m.test(m)
+    );
+    if (yamlLike.length > 0) {
+      detectionRule = yamlLike.join('\n---\n');
+    }
+  }
+
+  return { emulation_plan: emulationPlan, detection_rule: detectionRule };
+}
+
+// ---------------------------------------------------------------------------
+// Factory function
+// ---------------------------------------------------------------------------
+
+/**
+ * Build a PURPLE-mode ModeAgentConfig for emulate→detect cycle.
+ * @returns {ModeAgentConfig}
+ */
+function _makePurpleConfig() {
+  const reg = new ToolRegistry();
+  reg.register('lookup_technique', _PURPLE_LOOKUP_TECHNIQUE_SCHEMA, _purpleLookupTechnique);
+  reg.register('write_emulation_plan', _PURPLE_WRITE_EMULATION_PLAN_SCHEMA, _purpleWriteEmulationPlan);
+  reg.register('write_detection_rule', _PURPLE_WRITE_DETECTION_RULE_SCHEMA, _purpleWriteDetectionRule);
+
+  return new ModeAgentConfig({
+    mode: 'PURPLE',
+    toolRegistry: reg,
+    systemPromptTemplate: _PURPLE_SYSTEM_PROMPT,
+    validator: new PurpleValidator(),
+    maxTurns: 15,
+    requiresSandbox: false,
+    completionCheck: null,
+    outputParser: _purpleOutputParser,
+    outputFormat: 'json',
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Registration function — called by runner.initModes()
+// ---------------------------------------------------------------------------
+
+/**
+ * Register PURPLE mode with the given registerMode function.
+ * @param {Function} registerMode
+ */
+export function register(registerMode) {
+  registerMode('PURPLE', _makePurpleConfig);
+}