cipher-security 5.1.0 → 5.3.0

package/bin/cipher.js

@@ -23,61 +23,81 @@ import { spawn } from 'node:child_process';
 // ---------------------------------------------------------------------------
 
 const args = process.argv.slice(2);
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const pkg = JSON.parse(readFileSync(resolve(__dirname, '..', 'package.json'), 'utf8'));
 
 if (args[0] === '--version' || args[0] === '-V') {
-  const __dirname = dirname(fileURLToPath(import.meta.url));
-  const pkg = JSON.parse(readFileSync(resolve(__dirname, '..', 'package.json'), 'utf8'));
   console.log(pkg.version);
   process.exit(0);
 }
 
 if (args[0] === '--help' || args[0] === '-h') {
-  console.log(`CIPHER — AI Security Engineering Platform
-
-Usage: cipher [command] [options]
-       cipher <query>          Freeform security query
-
-Commands:
-  query             Run a security query
-  ingest            Ingest security data
-  status            Show system status
-  doctor            Diagnose installation health
-  setup             Run setup wizard
-  setup-signal      Configure Signal integration
-  dashboard         Open the dashboard
-  web               Start the web interface
-  version           Print version information
-  plugin            Manage plugins
-  scan              Run a security scan
-  search            Search security data
-  store             Manage data stores
-  diff              Compare security states
-  workflow          Manage workflows
-  stats             Show statistics
-  domains           Manage domains
-  skills            Manage skills
-  score             Show security score
-  marketplace       Browse marketplace
-  compliance        Run compliance checks
-  leaderboard       Show leaderboard
-  feedback          Submit feedback
-  memory-export     Export memory
-  memory-import     Import memory
-  sarif             SARIF report tools
-  osint             OSINT intelligence tools
-  update            Update CIPHER to latest version
-  bot               Manage bot integrations
-  mcp               MCP server tools
-  api               API management
-
-Options:
+  const CYN = '\x1b[36m';
+  const B = '\x1b[1m';
+  const D = '\x1b[2m';
+  const R = '\x1b[0m';
+  const GRN = '\x1b[32m';
+
+  console.log(`${CYN}${B}
+   ██████╗██╗██████╗ ██╗  ██╗███████╗██████╗
+  ██╔════╝██║██╔══██╗██║  ██║██╔════╝██╔══██╗
+  ██║     ██║██████╔╝███████║█████╗  ██████╔╝
+  ██║     ██║██╔═══╝ ██╔══██║██╔══╝  ██╔══██╗
+  ╚██████╗██║██║     ██║  ██║███████╗██║  ██║
+   ╚═════╝╚═╝╚═╝     ╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝${R}
+  ${D}Claude Integrated Privacy & Hardening Expert Resource${R}  ${D}v${pkg.version}${R}
+
+${B}Usage:${R} cipher [command] [options]
+       cipher <query>          ${D}Freeform security query${R}
+
+${B}Commands:${R}
+  ${GRN}query${R}             Run a security query
+  ${GRN}scan${R}              Run a security scan
+  ${GRN}compliance${R}        Run compliance checks (39 frameworks)
+  ${GRN}search${R}            Search security data
+  ${GRN}osint${R}             OSINT intelligence tools
+  ${GRN}diff${R}              Analyze git diff for security issues
+  ${GRN}sarif${R}             SARIF report tools
+
+  ${GRN}status${R}            Show system status
+  ${GRN}doctor${R}            Diagnose installation health
+  ${GRN}version${R}           Print version information
+  ${GRN}setup${R}             Run setup wizard
+  ${GRN}update${R}            Update CIPHER to latest version
+
+  ${GRN}domains${R}           List skill domains
+  ${GRN}skills${R}            Search skills
+  ${GRN}store${R}             Store findings in memory
+  ${GRN}stats${R}             Show statistics
+  ${GRN}leaderboard${R}       Skill effectiveness metrics
+  ${GRN}marketplace${R}       Browse skill marketplace
+
+  ${GRN}api${R}               Start REST API server
+  ${GRN}mcp${R}               Start MCP server (stdio)
+  ${GRN}bot${R}               Start Signal bot
+
+  ${GRN}workflow${R}           Generate CI/CD security workflow
+  ${GRN}memory-export${R}     Export memory to JSON
+  ${GRN}memory-import${R}     Import memory from JSON
+  ${GRN}feedback${R}          Run skill improvement loop
+  ${GRN}ingest${R}            Re-index knowledge base
+  ${GRN}plugin${R}            Manage plugins
+  ${GRN}setup-signal${R}      Configure Signal integration
+  ${GRN}score${R}             Score response quality
+  ${GRN}dashboard${R}         System dashboard
+  ${GRN}web${R}               Web interface (use cipher api)
+
+${B}Options:${R}
   --version, -V     Print version and exit
   --help, -h        Print this help and exit
+  --autonomous      Run in autonomous mode (cipher blue --autonomous "task")
+  --backend         Override LLM backend (ollama, claude, litellm)
+  --no-stream       Disable streaming output
 
-Environment:
+${B}Environment:${R}
   CIPHER_DEBUG=1    Enable verbose debug logging
 
-Documentation: https://github.com/defconxt/CIPHER`);
+${D}Documentation: https://github.com/defconxt/CIPHER${R}`);
   process.exit(0);
 }
 
@@ -274,7 +294,7 @@ async function formatBridgeResult(result, commandName = '') {
 
     if (commandName === 'doctor' && result.checks) {
       const { header, formatDoctorChecks, divider, success, warn } = await import('../lib/brand.js');
-      header('Health Check', result.checks.find(c => c.name === 'Node.js')?.detail || '');
+      header('Health Check');
       divider();
       process.stderr.write(formatDoctorChecks(result.checks) + '\n');
       divider();
@@ -287,6 +307,20 @@ async function formatBridgeResult(result, commandName = '') {
       return;
     }
 
+    if (commandName === 'status' && result.status) {
+      const { header, status: statusDot, divider } = await import('../lib/brand.js');
+      header('Status');
+      divider();
+      statusDot('Backend', result.backend ? 'ok' : 'warn', result.backend || 'not configured');
+      statusDot('Config', result.config?.valid ? 'ok' : 'fail', result.config?.valid ? 'valid' : 'invalid or missing');
+      if (result.memory) {
+        statusDot('Memory', 'ok', `${result.memory.total} entries (${result.memory.active} active)`);
+      }
+      divider();
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+
     // Text-mode result — print output directly (pre-formatted from CliRunner)
     if ('output' in result) {
       if (result.output) {
@@ -298,8 +332,10 @@ async function formatBridgeResult(result, commandName = '') {
       return;
     }
 
-    // Structured JSON result — pretty-print
-    console.log(JSON.stringify(result, null, 2));
+    // Structured JSON result — pretty-print (skip empty objects from branded commands)
+    if (Object.keys(result).length > 0) {
+      console.log(JSON.stringify(result, null, 2));
+    }
     return;
   }
 
@@ -430,11 +466,50 @@ if (mode === 'native') {
       mcp.startStdio();
     // ── Bot command: Signal bot ──────────────────────────────────────────
     } else if (command === 'bot') {
+      const { banner, header, info, warn, success, divider } = await import('../lib/brand.js');
+      const { loadConfig, configExists } = await import('../lib/config.js');
+
+      banner(pkg.version);
+      header('Signal Bot');
+
+      // Load signal config
+      let signalCfg = {};
+      if (configExists()) {
+        try {
+          const cfg = loadConfig();
+          signalCfg = cfg.signal || {};
+        } catch { /* ignore */ }
+      }
+
+      const svc = commandArgs.find((a, i) => commandArgs[i - 1] === '--service')
+        || process.env.SIGNAL_SERVICE || signalCfg.signal_service || '';
+      const phone = commandArgs.find((a, i) => commandArgs[i - 1] === '--phone')
+        || process.env.SIGNAL_PHONE_NUMBER || signalCfg.phone_number || '';
+      const whitelist = process.env.SIGNAL_WHITELIST
+        ? process.env.SIGNAL_WHITELIST.split(',').map(n => n.trim())
+        : signalCfg.whitelist || [];
+
+      if (!svc || !phone) {
+        divider();
+        warn('Signal is not configured.');
+        info('Run: cipher setup-signal');
+        divider();
+        process.exit(1);
+      }
+
+      divider();
+      success(`Service:   ${svc}`);
+      success(`Phone:     ${phone}`);
+      if (whitelist.length) {
+        success(`Whitelist: ${whitelist.join(', ')}`);
+      } else {
+        warn('Whitelist: none (all senders allowed)');
+      }
+      divider();
+      info('Starting bot... (Ctrl+C to stop)');
+
       const { runBot } = await import('../lib/bot/bot.js');
-      runBot({
-        signalService: commandArgs.find((a, i) => commandArgs[i - 1] === '--service') || '',
-        phoneNumber: commandArgs.find((a, i) => commandArgs[i - 1] === '--phone') || '',
-      });
+      await runBot({ signalService: svc, phoneNumber: phone, whitelist, sessionTimeout: signalCfg.session_timeout || 3600 });
     // ── Query command: streaming via Gateway or non-streaming via handler ──
     } else if (command === 'query') {
       const queryText = commandArgs.filter(a => !a.startsWith('-')).join(' ');

package/lib/bot/bot.js

@@ -2,20 +2,18 @@
 // Licensed under AGPL-3.0 — see LICENSE file for details.
 
 /**
- * CIPHER Signal Bot — format utilities and session manager.
+ * CIPHER Signal Bot — receives messages via signal-cli-rest-api WebSocket,
+ * dispatches through the gateway, and replies.
  */
 
+import { WebSocket } from 'ws';
+
 // ---------------------------------------------------------------------------
 // Prefix mapping
 // ---------------------------------------------------------------------------
 
 const PREFIX_RE = /^(RED|BLUE|PURPLE|PRIVACY|RECON|INCIDENT|ARCHITECT):\s*/i;
 
-/**
- * Map 'MODE: query' short-prefix format to '[MODE: MODE] query'.
- * @param {string} text
- * @returns {string}
- */
 export function mapPrefix(text) {
   const m = text.match(PREFIX_RE);
   if (m) {
@@ -31,20 +29,15 @@ export function mapPrefix(text) {
 // ---------------------------------------------------------------------------
 
 const MD_PATTERNS = [
-  [/```[^\n]*\n([\s\S]*?)```/g, '$1'],       // Fenced code blocks
-  [/^#{1,6}\s+/gm, ''],                        // Headers
-  [/\*{2}([^*\n]+)\*{2}/g, '$1'],             // Bold
-  [/\*([^*\n]+)\*/g, '$1'],                    // Italic
-  [/`([^`\n]+)`/g, '$1'],                      // Inline code
-  [/\[([^\]]+)\]\([^)]+\)/g, '$1'],           // Links
-  [/^(\s*)[*-]\s+/gm, '$1• '],                // Bullets
+  [/```[^\n]*\n([\s\S]*?)```/g, '$1'],
+  [/^#{1,6}\s+/gm, ''],
+  [/\*{2}([^*\n]+)\*{2}/g, '$1'],
+  [/\*([^*\n]+)\*/g, '$1'],
+  [/`([^`\n]+)`/g, '$1'],
+  [/\[([^\]]+)\]\([^)]+\)/g, '$1'],
+  [/^(\s*)[*-]\s+/gm, '$1• '],
 ];
 
-/**
- * Strip markdown formatting for plaintext Signal delivery.
- * @param {string} text
- * @returns {string}
- */
 export function stripMarkdown(text) {
   for (const [pattern, replacement] of MD_PATTERNS) {
     text = text.replace(pattern, replacement);
@@ -56,15 +49,7 @@ export function stripMarkdown(text) {
 // Session manager
 // ---------------------------------------------------------------------------
 
-/**
- * In-memory conversation history manager keyed by sender.
- */
 export class SessionManager {
-  /**
-   * @param {object} [opts]
-   * @param {number} [opts.timeoutSeconds=3600]
-   * @param {number} [opts.maxPairs=20]
-   */
   constructor({ timeoutSeconds = 3600, maxPairs = 20 } = {}) {
     this._sessions = new Map();
     this._timeout = timeoutSeconds * 1000;
@@ -92,9 +77,7 @@ export class SessionManager {
     }
   }
 
-  reset(sender) {
-    this._sessions.delete(sender);
-  }
+  reset(sender) { this._sessions.delete(sender); }
 
   cleanup() {
     const now = Date.now();
@@ -109,22 +92,147 @@ export class SessionManager {
 }
 
 // ---------------------------------------------------------------------------
-// Bot runner (placeholder — requires signal-cli subprocess)
+// Signal REST API client
+// ---------------------------------------------------------------------------
+
+async function sendMessage(signalService, phoneNumber, recipient, message) {
+  const resp = await fetch(`${signalService}/v2/send`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      message,
+      number: phoneNumber,
+      recipients: [recipient],
+    }),
+  });
+  if (!resp.ok) {
+    throw new Error(`Send failed: ${resp.status} ${await resp.text()}`);
+  }
+}
+
+async function sendReaction(signalService, phoneNumber, recipient, emoji, targetTimestamp) {
+  try {
+    await fetch(`${signalService}/v1/reactions/${phoneNumber}`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        reaction: emoji,
+        recipient,
+        timestamp: targetTimestamp,
+      }),
+    });
+  } catch { /* best-effort */ }
+}
+
+// ---------------------------------------------------------------------------
+// Bot runner
 // ---------------------------------------------------------------------------
 
 /**
  * Start the CIPHER Signal bot.
  *
- * In the full implementation, this would:
- * 1. Load config from config.yaml
- * 2. Start signal-cli subprocess for receiving messages
- * 3. Register CipherCommand handler
- * 4. Run with exponential-backoff watchdog
+ * Connects to signal-cli-rest-api WebSocket, listens for messages,
+ * dispatches through the gateway, and replies.
  *
  * @param {object} config
+ * @param {string} config.signalService - signal-cli-rest-api URL
+ * @param {string} config.phoneNumber - bot's phone number
+ * @param {string[]} [config.whitelist] - allowed sender numbers
+ * @param {number} [config.sessionTimeout] - session timeout in seconds
  */
-export function runBot(config) {
-  console.log(`CIPHER Bot starting (service: ${config.signalService}, phone: ${config.phoneNumber})`);
-  console.log('Bot requires signal-cli — see docs for setup.');
-  // The actual bot would use signal-cli subprocess here
+export async function runBot(config) {
+  const { signalService, phoneNumber, whitelist = [], sessionTimeout = 3600 } = config;
+  const sessions = new SessionManager({ timeoutSeconds: sessionTimeout });
+  const whitelistSet = new Set(whitelist);
+
+  const wsUrl = `${signalService.replace('http', 'ws')}/v1/receive/${phoneNumber}`;
+
+  let reconnectDelay = 1000;
+  const maxDelay = 60000;
+
+  function connect() {
+    const ws = new WebSocket(wsUrl);
+
+    ws.on('open', () => {
+      process.stderr.write(`  ● Connected to ${wsUrl}\n`);
+      reconnectDelay = 1000;
+    });
+
+    ws.on('message', async (data) => {
+      try {
+        const envelope = JSON.parse(data.toString());
+        await handleEnvelope(envelope, config, sessions, whitelistSet);
+      } catch (err) {
+        process.stderr.write(`  ✖ Message error: ${err.message}\n`);
+      }
+    });
+
+    ws.on('close', () => {
+      process.stderr.write(`  ⚠ WebSocket closed. Reconnecting in ${reconnectDelay / 1000}s...\n`);
+      setTimeout(connect, reconnectDelay);
+      reconnectDelay = Math.min(reconnectDelay * 2, maxDelay);
+    });
+
+    ws.on('error', (err) => {
+      process.stderr.write(`  ✖ WebSocket error: ${err.message}\n`);
+    });
+  }
+
+  connect();
+}
+
+async function handleEnvelope(envelope, config, sessions, whitelistSet) {
+  const msg = envelope.envelope?.dataMessage;
+  if (!msg || !msg.message) return;
+
+  const sender = envelope.envelope?.source;
+  if (!sender) return;
+
+  const text = msg.message.trim();
+  if (!text) return;
+
+  // Whitelist check
+  if (whitelistSet.size > 0 && !whitelistSet.has(sender)) {
+    return;
+  }
+
+  const timestamp = msg.timestamp;
+
+  // /reset command
+  if (text === '/reset') {
+    sessions.reset(sender);
+    await sendMessage(config.signalService, config.phoneNumber, sender, 'Session cleared.');
+    return;
+  }
+
+  // React with brain emoji to acknowledge
+  await sendReaction(config.signalService, config.phoneNumber, sender, '🧠', timestamp);
+
+  // Map prefix and get history
+  const mapped = mapPrefix(text);
+  const history = sessions.get(sender);
+
+  // Dispatch through gateway
+  let response;
+  try {
+    const { Gateway } = await import('../gateway/gateway.js');
+    const gw = new Gateway({ rag: true });
+    response = await gw.send(mapped, { history });
+  } catch (err) {
+    response = `Error: ${err.message}`;
+  }
+
+  // Update session and reply
+  sessions.update(sender, mapped, response);
+  const reply = stripMarkdown(response);
+
+  // Signal has a ~6000 char limit per message
+  if (reply.length > 5500) {
+    const chunks = reply.match(/.{1,5500}/gs) || [reply];
+    for (const chunk of chunks) {
+      await sendMessage(config.signalService, config.phoneNumber, sender, chunk);
+    }
+  } else {
+    await sendMessage(config.signalService, config.phoneNumber, sender, reply);
+  }
 }

package/lib/gateway/commands.js

@@ -821,12 +821,125 @@ export async function handleWeb(args = {}) {
 // ---------------------------------------------------------------------------
 
 export async function handleSetupSignal() {
-  return {
-    output: JSON.stringify({
-      status: 'info',
-      message: 'Signal setup: Set SIGNAL_SERVICE, SIGNAL_PHONE_NUMBER, and SIGNAL_WHITELIST environment variables, then run `cipher bot`.',
-    }, null, 2),
+  const clack = await import('@clack/prompts');
+  const { execSync } = await import('node:child_process');
+  const { writeConfig, loadConfig, configExists } = await import('../config.js');
+  const brand = await import('../brand.js');
+
+  brand.banner();
+  clack.intro('Signal Bot Setup');
+
+  // Step 1: Check if signal-cli-rest-api is running
+  let signalService = 'http://localhost:8080';
+  let apiHealthy = false;
+
+  clack.log.step('Checking for signal-cli-rest-api...');
+
+  try {
+    const resp = execSync(`curl -sf ${signalService}/v1/about`, { encoding: 'utf-8', timeout: 5000 });
+    const info = JSON.parse(resp);
+    clack.log.success(`Signal API running (v${info.version}, mode: ${info.mode})`);
+    apiHealthy = true;
+  } catch {
+    clack.log.warn('Signal API not detected at localhost:8080');
+    clack.log.info(
+      'Start it with Docker:\n\n' +
+      '  docker compose --profile signal up -d signal-api\n\n' +
+      'Or manually:\n\n' +
+      '  docker run -d --name signal-api \\\n' +
+      '    -p 8080:8080 -e MODE=json-rpc \\\n' +
+      '    -v signal-data:/home/.local/share/signal-cli \\\n' +
+      '    bbernhard/signal-cli-rest-api:0.98'
+    );
+
+    const customUrl = await clack.text({
+      message: 'Signal API URL (or press Enter to skip)',
+      placeholder: 'http://localhost:8080',
+      defaultValue: '',
+    });
+    if (clack.isCancel(customUrl)) { clack.outro('Cancelled.'); process.exit(0); }
+
+    if (customUrl) {
+      signalService = customUrl;
+      try {
+        const resp = execSync(`curl -sf ${signalService}/v1/about`, { encoding: 'utf-8', timeout: 5000 });
+        clack.log.success('Signal API reachable.');
+        apiHealthy = true;
+      } catch {
+        clack.log.error('Cannot reach Signal API at that URL.');
+        clack.outro('Fix the Signal API first, then run cipher setup-signal again.');
+        process.exit(1);
+      }
+    } else {
+      clack.outro('Start the Signal API first, then run cipher setup-signal again.');
+      process.exit(1);
+    }
+  }
+
+  // Step 2: Check registered phone numbers
+  let phoneNumber = '';
+  try {
+    const accounts = JSON.parse(execSync(`curl -sf ${signalService}/v1/accounts`, { encoding: 'utf-8', timeout: 5000 }));
+    if (accounts.length > 0) {
+      if (accounts.length === 1) {
+        phoneNumber = accounts[0];
+        clack.log.success(`Registered number: ${phoneNumber}`);
+      } else {
+        const selected = await clack.select({
+          message: 'Select the phone number for the bot',
+          options: accounts.map(a => ({ value: a, label: a })),
+        });
+        if (clack.isCancel(selected)) { clack.outro('Cancelled.'); process.exit(0); }
+        phoneNumber = selected;
+      }
+    } else {
+      clack.log.warn('No phone numbers registered with signal-cli.');
+      clack.log.info(
+        'Register a number:\n\n' +
+        `  curl -X POST ${signalService}/v1/register/<YOUR_NUMBER>\n` +
+        `  curl -X POST ${signalService}/v1/verify/<YOUR_NUMBER> -d '{"token":"<CODE>"}'`
+      );
+      clack.outro('Register a number first, then run cipher setup-signal again.');
+      process.exit(1);
+    }
+  } catch (err) {
+    clack.log.error('Failed to query accounts: ' + err.message);
+    process.exit(1);
+  }
+
+  // Step 3: Whitelist
+  const whitelistInput = await clack.text({
+    message: 'Allowed phone numbers (comma-separated, E.164 format)',
+    placeholder: '+15551234567,+15559876543',
+    defaultValue: '',
+  });
+  if (clack.isCancel(whitelistInput)) { clack.outro('Cancelled.'); process.exit(0); }
+
+  const whitelist = whitelistInput
+    ? whitelistInput.split(',').map(n => n.trim()).filter(Boolean)
+    : [];
+
+  // Step 4: Save config
+  let existingConfig = {};
+  try {
+    if (configExists()) existingConfig = loadConfig();
+  } catch { /* ignore */ }
+
+  const config = {
+    ...existingConfig,
+    signal: {
+      signal_service: signalService,
+      phone_number: phoneNumber,
+      whitelist,
+      session_timeout: 3600,
+    },
   };
+
+  const configPath = writeConfig(config);
+
+  clack.log.success('Signal configuration saved.');
+  clack.outro(`Run cipher bot to start. Config: ${configPath}`);
+  return {};
 }
 
 // ---------------------------------------------------------------------------
@@ -857,7 +970,7 @@ export async function handleUpdate(args = {}) {
 
     if (latest === currentVersion) {
       brand.success(`Already up to date (${currentVersion})`);
-      return { output: JSON.stringify({ current: currentVersion, latest, upToDate: true }, null, 2) };
+      return {};
     }
 
     brand.warn(`New version available: ${latest}`);
@@ -870,7 +983,7 @@ export async function handleUpdate(args = {}) {
     });
 
     brand.success(`Updated ${currentVersion} → ${latest}`);
-    return { output: JSON.stringify({ previous: currentVersion, updated: latest, success: true }, null, 2) };
+    return {};
   } catch (err) {
     brand.error(`Update failed: ${err.message}`);
     return { error: true, message: `Update failed: ${err.message}` };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cipher-security",
-  "version": "5.1.0",
+  "version": "5.3.0",
   "description": "CIPHER — AI Security Engineering Platform CLI",
   "type": "module",
   "engines": {
@@ -25,6 +25,7 @@
     "@clack/prompts": "^1.1.0",
     "better-sqlite3": "^12.8.0",
     "openai": "^6.32.0",
+    "ws": "^8.19.0",
     "yaml": "^2.8.2"
   }
 }