cipher-security 5.0.0

package/lib/bot/bot.js

@@ -0,0 +1,130 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+
+/**
+ * CIPHER Signal Bot — format utilities and session manager.
+ */
+
+// ---------------------------------------------------------------------------
+// Prefix mapping
+// ---------------------------------------------------------------------------
+
+const PREFIX_RE = /^(RED|BLUE|PURPLE|PRIVACY|RECON|INCIDENT|ARCHITECT):\s*/i;
+
+/**
+ * Map 'MODE: query' short-prefix format to '[MODE: MODE] query'.
+ * @param {string} text
+ * @returns {string}
+ */
+export function mapPrefix(text) {
+  const m = text.match(PREFIX_RE);
+  if (m) {
+    const mode = m[1].toUpperCase();
+    const rest = text.slice(m[0].length);
+    return `[MODE: ${mode}] ${rest}`;
+  }
+  return text;
+}
+
+// ---------------------------------------------------------------------------
+// Markdown stripping
+// ---------------------------------------------------------------------------
+
+const MD_PATTERNS = [
+  [/```[^\n]*\n([\s\S]*?)```/g, '$1'],       // Fenced code blocks
+  [/^#{1,6}\s+/gm, ''],                        // Headers
+  [/\*{2}([^*\n]+)\*{2}/g, '$1'],             // Bold
+  [/\*([^*\n]+)\*/g, '$1'],                    // Italic
+  [/`([^`\n]+)`/g, '$1'],                      // Inline code
+  [/\[([^\]]+)\]\([^)]+\)/g, '$1'],           // Links
+  [/^(\s*)[*-]\s+/gm, '$1• '],                // Bullets
+];
+
+/**
+ * Strip markdown formatting for plaintext Signal delivery.
+ * @param {string} text
+ * @returns {string}
+ */
+export function stripMarkdown(text) {
+  for (const [pattern, replacement] of MD_PATTERNS) {
+    text = text.replace(pattern, replacement);
+  }
+  return text.trim();
+}
+
+// ---------------------------------------------------------------------------
+// Session manager
+// ---------------------------------------------------------------------------
+
+/**
+ * In-memory conversation history manager keyed by sender.
+ */
+export class SessionManager {
+  /**
+   * @param {object} [opts]
+   * @param {number} [opts.timeoutSeconds=3600]
+   * @param {number} [opts.maxPairs=20]
+   */
+  constructor({ timeoutSeconds = 3600, maxPairs = 20 } = {}) {
+    this._sessions = new Map();
+    this._timeout = timeoutSeconds * 1000;
+    this._maxPairs = maxPairs;
+  }
+
+  get(sender) {
+    this.cleanup();
+    const session = this._sessions.get(sender);
+    return session ? [...session.history] : [];
+  }
+
+  update(sender, userMessage, assistantMessage) {
+    if (!this._sessions.has(sender)) {
+      this._sessions.set(sender, { history: [], lastActive: Date.now() });
+    }
+    const session = this._sessions.get(sender);
+    session.history.push({ role: 'user', content: userMessage });
+    session.history.push({ role: 'assistant', content: assistantMessage });
+    session.lastActive = Date.now();
+
+    const maxItems = this._maxPairs * 2;
+    if (session.history.length > maxItems) {
+      session.history = session.history.slice(-maxItems);
+    }
+  }
+
+  reset(sender) {
+    this._sessions.delete(sender);
+  }
+
+  cleanup() {
+    const now = Date.now();
+    for (const [sender, session] of this._sessions) {
+      if (now - session.lastActive > this._timeout) {
+        this._sessions.delete(sender);
+      }
+    }
+  }
+
+  get size() { return this._sessions.size; }
+}
+
+// ---------------------------------------------------------------------------
+// Bot runner (placeholder — requires signal-cli subprocess)
+// ---------------------------------------------------------------------------
+
+/**
+ * Start the CIPHER Signal bot.
+ *
+ * In the full implementation, this would:
+ * 1. Load config from config.yaml
+ * 2. Start signal-cli subprocess for receiving messages
+ * 3. Register CipherCommand handler
+ * 4. Run with exponential-backoff watchdog
+ *
+ * @param {object} config
+ */
+export function runBot(config) {
+  console.log(`CIPHER Bot starting (service: ${config.signalService}, phone: ${config.phoneNumber})`);
+  console.log('Bot requires signal-cli — see docs for setup.');
+  // The actual bot would use signal-cli subprocess here
+}

package/lib/commands.js

@@ -0,0 +1,99 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * commands.js — Command routing table for the CIPHER CLI.
+ *
+ * Maps all 29 CLI commands to one of three dispatch modes:
+ *   - native:       Dispatched directly through Node.js handler functions (no Python)
+ *   - passthrough:  Spawned directly as `python -m gateway.app <cmd>` with stdio: 'inherit'
+ *                   (full terminal access for Rich panels, Textual TUIs, long-running services)
+ *   - bridge:       (Legacy) Dispatched via JSON-RPC through python-bridge.js — no commands
+ *                   use this mode as of M007/S03, retained for backward compatibility
+ *
+ * @module commands
+ */
+
+/**
+ * Dispatch mode for each CLI command.
+ *
+ * @type {Record<string, { mode: 'native' | 'bridge' | 'passthrough', description: string }>}
+ */
+export const COMMAND_MODES = {
+  // ── Native commands (Node.js handler dispatch, no Python) ──────────────
+  query:           { mode: 'native',      description: 'Run a security query (smart routing + streaming)' },
+  ingest:          { mode: 'native',      description: 'Ingest security data' },
+  status:          { mode: 'native',      description: 'Show system status' },
+  doctor:          { mode: 'native',      description: 'Diagnose installation health' },
+  version:         { mode: 'native',      description: 'Print version information' },
+  plugin:          { mode: 'native',      description: 'Manage plugins' },
+  search:          { mode: 'native',      description: 'Search security data' },
+  store:           { mode: 'native',      description: 'Manage data stores' },
+  diff:            { mode: 'native',      description: 'Compare security states' },
+  workflow:        { mode: 'native',      description: 'Manage workflows' },
+  stats:           { mode: 'native',      description: 'Show statistics' },
+  domains:         { mode: 'native',      description: 'Manage domains' },
+  skills:          { mode: 'native',      description: 'Manage skills' },
+  score:           { mode: 'native',      description: 'Show security score' },
+  marketplace:     { mode: 'native',      description: 'Browse marketplace' },
+  compliance:      { mode: 'native',      description: 'Run compliance checks' },
+  leaderboard:     { mode: 'native',      description: 'Show leaderboard' },
+  feedback:        { mode: 'native',      description: 'Submit feedback' },
+  'memory-export': { mode: 'native',      description: 'Export memory' },
+  'memory-import': { mode: 'native',      description: 'Import memory' },
+  sarif:           { mode: 'native',      description: 'SARIF report tools' },
+  osint:           { mode: 'native',      description: 'OSINT intelligence tools' },
+
+  // ── Passthrough commands (direct Python spawn, full terminal) ──────────
+  // These were Python-dependent — now ported to Node.js.
+  scan:            { mode: 'native', description: 'Run a security scan' },
+  dashboard:       { mode: 'native', description: 'System dashboard' },
+  web:             { mode: 'native', description: 'Web interface (use `cipher api` instead)' },
+  bot:             { mode: 'native', description: 'Manage bot integrations (long-running service)' },
+  mcp:             { mode: 'native', description: 'MCP server tools (long-running service)' },
+  api:             { mode: 'native', description: 'API management (long-running server)' },
+  'setup-signal':  { mode: 'native', description: 'Configure Signal integration' },
+};
+
+/**
+ * Set of command names dispatched via passthrough (direct Python spawn).
+ * @type {Set<string>}
+ */
+export const PASSTHROUGH_COMMANDS = new Set(
+  Object.entries(COMMAND_MODES)
+    .filter(([, v]) => v.mode === 'passthrough')
+    .map(([k]) => k)
+);
+
+/**
+ * Set of command names dispatched via Node.js native handlers.
+ * @type {Set<string>}
+ */
+export const NATIVE_COMMANDS = new Set(
+  Object.entries(COMMAND_MODES)
+    .filter(([, v]) => v.mode === 'native')
+    .map(([k]) => k)
+);
+
+/**
+ * Set of command names dispatched via the JSON-RPC bridge.
+ * As of M007/S03, no commands use bridge mode — retained for backward compatibility.
+ * @type {Set<string>}
+ */
+export const BRIDGE_COMMANDS = new Set(
+  Object.entries(COMMAND_MODES)
+    .filter(([, v]) => v.mode === 'bridge')
+    .map(([k]) => k)
+);
+
+/**
+ * Look up the dispatch mode for a command.
+ *
+ * @param {string} name — command name (e.g., 'scan', 'status')
+ * @returns {'native' | 'bridge' | 'passthrough' | null} — mode string, or null if unknown
+ */
+export function getCommandMode(name) {
+  const entry = COMMAND_MODES[name];
+  return entry ? entry.mode : null;
+}

package/lib/complexity.js

@@ -0,0 +1,377 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * Smart routing complexity classifier for CIPHER CLI.
+ *
+ * Evaluates multiple heuristic signals to determine query complexity and
+ * route to the appropriate backend (Ollama for simple/moderate, Claude for
+ * complex/expert).
+ *
+ * Ported from src/gateway/complexity.py — all keyword dictionaries, regex
+ * patterns, score thresholds, and scoring logic are identical.
+ *
+ * @example
+ * import { classify, routeBackend, classifyAndRoute, COMPLEXITY } from './complexity.js';
+ *
+ * const level = classify("design a zero trust architecture for AWS");
+ * const backend = routeBackend(level); // "claude"
+ *
+ * const [lvl, be] = classifyAndRoute("what port does SSH use");
+ * // lvl === 1 (SIMPLE), be === "ollama"
+ */
+
+// ---------------------------------------------------------------------------
+// Complexity enum
+// ---------------------------------------------------------------------------
+
+/** Query complexity levels, ordered by increasing difficulty. */
+export const COMPLEXITY = Object.freeze({
+  SIMPLE: 1,   // Factual lookups, single-concept questions → Ollama
+  MODERATE: 2, // Multi-part but bounded questions → Ollama
+  COMPLEX: 3,  // Deep reasoning, threat models, architecture → Claude
+  EXPERT: 4,   // Cross-domain, multi-framework, advanced analysis → Claude
+});
+
+const _NAMES = Object.freeze({
+  [COMPLEXITY.SIMPLE]: 'SIMPLE',
+  [COMPLEXITY.MODERATE]: 'MODERATE',
+  [COMPLEXITY.COMPLEX]: 'COMPLEX',
+  [COMPLEXITY.EXPERT]: 'EXPERT',
+});
+
+/**
+ * Reverse lookup: complexity level integer → human-readable name.
+ * @param {number} level
+ * @returns {string}
+ */
+export function nameOf(level) {
+  return _NAMES[level] ?? 'UNKNOWN';
+}
+
+// ---------------------------------------------------------------------------
+// Tunable weights — adjust these to change routing sensitivity
+// ---------------------------------------------------------------------------
+
+/** Points thresholds for each complexity level. */
+export const THRESHOLDS = Object.freeze({
+  moderate: 3,  // >= 3 points → MODERATE
+  complex: 6,   // >= 6 points → COMPLEX
+  expert: 10,   // >= 10 points → EXPERT
+});
+
+/** Message length breakpoints (characters) and their point values. */
+export const LENGTH_SCORES = Object.freeze([
+  [500, 4], // Very long queries are likely complex
+  [300, 3], // Long queries
+  [150, 2], // Medium queries
+  [80, 1],  // Short but not trivial
+]);
+
+// ---------------------------------------------------------------------------
+// Keyword sets — each match adds the specified points
+// ---------------------------------------------------------------------------
+
+/** Simple indicators (negative points — pull toward Ollama). */
+export const SIMPLE_KEYWORDS = Object.freeze({
+  'what is': -2,
+  'what are': -1,
+  'what does': -2,
+  'what port': -3,
+  'which port': -3,
+  'default port': -3,
+  'how to install': -2,
+  'how to start': -2,
+  'how to run': -2,
+  'syntax for': -2,
+  'command for': -2,
+  'define ': -2,
+  'definition of': -2,
+  'meaning of': -2,
+  'example of': -1,
+  'list of': -1,
+  'difference between': -1,
+});
+
+/** Domain complexity indicators (positive points — push toward Claude). */
+export const COMPLEX_KEYWORDS = Object.freeze({
+  // Architecture & design
+  'threat model': 4,
+  'architecture': 3,
+  'design': 2,
+  'zero trust': 3,
+  'blast radius': 3,
+  'compensating control': 3,
+  'defense in depth': 2,
+  'security architecture': 4,
+  'data flow diagram': 3,
+  'trust boundary': 3,
+  // Risk & compliance
+  'dpia': 4,
+  'risk assessment': 4,
+  'risk analysis': 3,
+  'compliance mapping': 4,
+  'gap analysis': 3,
+  'maturity assessment': 3,
+  'audit finding': 3,
+  'control mapping': 3,
+  // Analysis & reasoning
+  'analyze': 2,
+  'analyse': 2,
+  'evaluate': 2,
+  'compare and contrast': 3,
+  'trade-off': 2,
+  'tradeoff': 2,
+  'pros and cons': 2,
+  'impact analysis': 3,
+  'root cause': 3,
+  // Offensive / red team
+  'attack chain': 4,
+  'attack path': 3,
+  'kill chain': 3,
+  'exploitation chain': 4,
+  'lateral movement': 2,
+  'privilege escalation': 2,
+  'privesc': 2,
+  'post-exploitation': 3,
+  'evasion technique': 3,
+  'bypass': 1,
+  // Incident response
+  'incident analysis': 4,
+  'incident': 2,
+  'forensic analysis': 4,
+  'forensic': 2,
+  'timeline reconstruction': 4,
+  'indicator of compromise': 2,
+  'ioc': 1,
+  'beacon': 2,
+  'cobalt strike': 3,
+  'mimikatz': 2,
+  'dcsync': 3,
+  'triage': 2,
+  'containment strategy': 3,
+  'eradication plan': 3,
+  'breach': 2,
+  'malware analysis': 3,
+  'reverse engineer': 3,
+  // Detection engineering
+  'detection logic': 3,
+  'sigma rule': 2,
+  'detection coverage': 3,
+  'false positive': 2,
+  'detection gap': 3,
+  'correlation rule': 3,
+  'hunting hypothesis': 3,
+  // Multi-step / planning
+  'strategy': 2,
+  'roadmap': 3,
+  'implementation plan': 3,
+  'step by step': 1,
+  'runbook': 2,
+  'playbook': 2,
+  'workflow': 1,
+});
+
+/** Framework references — signal expert-level queries. */
+export const FRAMEWORK_KEYWORDS = Object.freeze({
+  'nist': 2,
+  'nist 800-53': 3,
+  'nist 800-171': 3,
+  'nist csf': 3,
+  'mitre att&ck': 3,
+  'mitre attack': 3,
+  'stride': 3,
+  'pasta': 3,
+  'dread': 3,
+  'owasp': 2,
+  'owasp top 10': 2,
+  'cis controls': 2,
+  'cis benchmark': 2,
+  'iso 27001': 3,
+  'iso 27002': 3,
+  'soc 2': 2,
+  'pci dss': 3,
+  'hipaa': 2,
+  'gdpr': 2,
+  'ccpa': 2,
+  'fedramp': 3,
+  'cmmc': 3,
+  'cve-': 1,
+  'cwe-': 1,
+});
+
+// ---------------------------------------------------------------------------
+// Structural patterns — regex-based signals
+// ---------------------------------------------------------------------------
+
+/** Multi-part query indicators (each match adds points). */
+export const STRUCTURE_PATTERNS = Object.freeze([
+  // Conjunctions joining distinct requests
+  [/\b(?:and also|and then|additionally|furthermore|moreover)\b/, 2],
+  // Numbered lists in the query
+  [/(?:^|\n)\s*\d+[.)]\s/, 2],
+  // Conditional logic
+  [/\bif\s+.+\bthen\b/, 2],
+  [/\bwhat if\b/, 2],
+  [/\bassuming\b/, 1],
+  [/\bgiven that\b/, 1],
+  // Comparison requests
+  [/\bvs\.?\b/, 1],
+  [/\bversus\b/, 1],
+  [/\bcompare\b/, 2],
+  // Scope amplifiers
+  [/\b(?:comprehensive|exhaustive|thorough|detailed|in-depth|end-to-end)\b/, 2],
+  [/\b(?:enterprise|organization-wide|company-wide|across all)\b/, 2],
+  // Multiple question marks (multiple questions)
+  [/\?.*\?/, 2],
+]);
+
+/** Count of "and" conjunctions — many ands suggest multi-part queries. */
+export const AND_CONJUNCTION_THRESHOLD = 3;
+export const AND_CONJUNCTION_POINTS = 2;
+
+// ---------------------------------------------------------------------------
+// Scoring functions
+// ---------------------------------------------------------------------------
+
+/**
+ * Score based on message length.
+ * @param {string} message
+ * @returns {number}
+ */
+export function scoreLength(message) {
+  const length = message.length;
+  for (const [threshold, points] of LENGTH_SCORES) {
+    if (length >= threshold) {
+      return points;
+    }
+  }
+  return 0;
+}
+
+/**
+ * Score based on keyword presence. Returns sum of matched keyword points.
+ * @param {string} lower — lowercased message
+ * @param {Record<string, number>} keywordSet
+ * @returns {number}
+ */
+export function scoreKeywords(lower, keywordSet) {
+  let total = 0;
+  for (const [keyword, points] of Object.entries(keywordSet)) {
+    if (lower.includes(keyword)) {
+      total += points;
+    }
+  }
+  return total;
+}
+
+/**
+ * Score based on query structure patterns.
+ * @param {string} lower — lowercased message
+ * @returns {number}
+ */
+export function scoreStructure(lower) {
+  let total = 0;
+  for (const [pattern, points] of STRUCTURE_PATTERNS) {
+    if (pattern.test(lower)) {
+      total += points;
+    }
+  }
+
+  // Count "and" conjunctions
+  const andMatches = lower.match(/\band\b/g);
+  const andCount = andMatches ? andMatches.length : 0;
+  if (andCount > AND_CONJUNCTION_THRESHOLD) {
+    total += AND_CONJUNCTION_POINTS;
+  }
+
+  return total;
+}
+
+/**
+ * Bonus points when multiple frameworks are referenced.
+ * @param {string} lower — lowercased message
+ * @returns {number}
+ */
+export function scoreFrameworkDensity(lower) {
+  let matches = 0;
+  let totalPoints = 0;
+  for (const [keyword, points] of Object.entries(FRAMEWORK_KEYWORDS)) {
+    if (lower.includes(keyword)) {
+      matches += 1;
+      totalPoints += points;
+    }
+  }
+
+  // Bonus for cross-framework queries (referencing 3+ frameworks)
+  if (matches >= 3) {
+    totalPoints += 3;
+  }
+
+  return totalPoints;
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Classify a query's complexity based on multiple heuristic signals.
+ * @param {string} message — The user's query string.
+ * @returns {number} Complexity level (1=SIMPLE, 2=MODERATE, 3=COMPLEX, 4=EXPERT).
+ */
+export function classify(message) {
+  const lower = message.toLowerCase();
+
+  let score = 0;
+  score += scoreLength(message);
+  score += scoreKeywords(lower, SIMPLE_KEYWORDS);
+  score += scoreKeywords(lower, COMPLEX_KEYWORDS);
+  score += scoreStructure(lower);
+  score += scoreFrameworkDensity(lower);
+
+  // Floor at 0 — negative scores are still SIMPLE
+  score = Math.max(score, 0);
+
+  if (score >= THRESHOLDS.expert) {
+    return COMPLEXITY.EXPERT;
+  }
+  if (score >= THRESHOLDS.complex) {
+    return COMPLEXITY.COMPLEX;
+  }
+  if (score >= THRESHOLDS.moderate) {
+    return COMPLEXITY.MODERATE;
+  }
+  return COMPLEXITY.SIMPLE;
+}
+
+/**
+ * Map a complexity level to a backend name.
+ *
+ * COMPLEX and EXPERT → "claude", SIMPLE and MODERATE → "ollama".
+ * The "litellm" backend is user-configured, not auto-routed.
+ *
+ * @param {number} level — The classified complexity level.
+ * @returns {string} Backend string: "ollama" or "claude".
+ */
+export function routeBackend(level) {
+  if (level >= COMPLEXITY.COMPLEX) {
+    return 'claude';
+  }
+  return 'ollama';
+}
+
+/**
+ * Classify a message and return both the complexity level and backend.
+ *
+ * Convenience function combining classify() and routeBackend().
+ *
+ * @param {string} message — The user's query string.
+ * @returns {[number, string]} Tuple of [complexity level, backend name].
+ */
+export function classifyAndRoute(message) {
+  const level = classify(message);
+  const backend = routeBackend(level);
+  return [level, backend];
+}