cipher-security 5.2.0 → 5.3.0

package/bin/cipher.js

@@ -466,13 +466,29 @@ if (mode === 'native') {
       mcp.startStdio();
     // ── Bot command: Signal bot ──────────────────────────────────────────
     } else if (command === 'bot') {
-      const { banner, header, info, warn, divider } = await import('../lib/brand.js');
-      const svc = commandArgs.find((a, i) => commandArgs[i - 1] === '--service') || process.env.SIGNAL_SERVICE || '';
-      const phone = commandArgs.find((a, i) => commandArgs[i - 1] === '--phone') || process.env.SIGNAL_PHONE_NUMBER || '';
+      const { banner, header, info, warn, success, divider } = await import('../lib/brand.js');
+      const { loadConfig, configExists } = await import('../lib/config.js');
 
       banner(pkg.version);
       header('Signal Bot');
 
+      // Load signal config
+      let signalCfg = {};
+      if (configExists()) {
+        try {
+          const cfg = loadConfig();
+          signalCfg = cfg.signal || {};
+        } catch { /* ignore */ }
+      }
+
+      const svc = commandArgs.find((a, i) => commandArgs[i - 1] === '--service')
+        || process.env.SIGNAL_SERVICE || signalCfg.signal_service || '';
+      const phone = commandArgs.find((a, i) => commandArgs[i - 1] === '--phone')
+        || process.env.SIGNAL_PHONE_NUMBER || signalCfg.phone_number || '';
+      const whitelist = process.env.SIGNAL_WHITELIST
+        ? process.env.SIGNAL_WHITELIST.split(',').map(n => n.trim())
+        : signalCfg.whitelist || [];
+
       if (!svc || !phone) {
         divider();
         warn('Signal is not configured.');
@@ -481,13 +497,19 @@ if (mode === 'native') {
         process.exit(1);
       }
 
-      info(`Service: ${svc}`);
-      info(`Phone:   ${phone}`);
       divider();
-      info('Starting bot...');
+      success(`Service:   ${svc}`);
+      success(`Phone:     ${phone}`);
+      if (whitelist.length) {
+        success(`Whitelist: ${whitelist.join(', ')}`);
+      } else {
+        warn('Whitelist: none (all senders allowed)');
+      }
+      divider();
+      info('Starting bot... (Ctrl+C to stop)');
 
       const { runBot } = await import('../lib/bot/bot.js');
-      runBot({ signalService: svc, phoneNumber: phone });
+      await runBot({ signalService: svc, phoneNumber: phone, whitelist, sessionTimeout: signalCfg.session_timeout || 3600 });
     // ── Query command: streaming via Gateway or non-streaming via handler ──
     } else if (command === 'query') {
       const queryText = commandArgs.filter(a => !a.startsWith('-')).join(' ');

package/lib/bot/bot.js

@@ -2,20 +2,18 @@
 // Licensed under AGPL-3.0 — see LICENSE file for details.
 
 /**
- * CIPHER Signal Bot — format utilities and session manager.
+ * CIPHER Signal Bot — receives messages via signal-cli-rest-api WebSocket,
+ * dispatches through the gateway, and replies.
  */
 
+import { WebSocket } from 'ws';
+
 // ---------------------------------------------------------------------------
 // Prefix mapping
 // ---------------------------------------------------------------------------
 
 const PREFIX_RE = /^(RED|BLUE|PURPLE|PRIVACY|RECON|INCIDENT|ARCHITECT):\s*/i;
 
-/**
- * Map 'MODE: query' short-prefix format to '[MODE: MODE] query'.
- * @param {string} text
- * @returns {string}
- */
 export function mapPrefix(text) {
   const m = text.match(PREFIX_RE);
   if (m) {
@@ -31,20 +29,15 @@ export function mapPrefix(text) {
 // ---------------------------------------------------------------------------
 
 const MD_PATTERNS = [
-  [/```[^\n]*\n([\s\S]*?)```/g, '$1'],       // Fenced code blocks
-  [/^#{1,6}\s+/gm, ''],                        // Headers
-  [/\*{2}([^*\n]+)\*{2}/g, '$1'],             // Bold
-  [/\*([^*\n]+)\*/g, '$1'],                    // Italic
-  [/`([^`\n]+)`/g, '$1'],                      // Inline code
-  [/\[([^\]]+)\]\([^)]+\)/g, '$1'],           // Links
-  [/^(\s*)[*-]\s+/gm, '$1• '],                // Bullets
+  [/```[^\n]*\n([\s\S]*?)```/g, '$1'],
+  [/^#{1,6}\s+/gm, ''],
+  [/\*{2}([^*\n]+)\*{2}/g, '$1'],
+  [/\*([^*\n]+)\*/g, '$1'],
+  [/`([^`\n]+)`/g, '$1'],
+  [/\[([^\]]+)\]\([^)]+\)/g, '$1'],
+  [/^(\s*)[*-]\s+/gm, '$1• '],
 ];
 
-/**
- * Strip markdown formatting for plaintext Signal delivery.
- * @param {string} text
- * @returns {string}
- */
 export function stripMarkdown(text) {
   for (const [pattern, replacement] of MD_PATTERNS) {
     text = text.replace(pattern, replacement);
@@ -56,15 +49,7 @@ export function stripMarkdown(text) {
 // Session manager
 // ---------------------------------------------------------------------------
 
-/**
- * In-memory conversation history manager keyed by sender.
- */
 export class SessionManager {
-  /**
-   * @param {object} [opts]
-   * @param {number} [opts.timeoutSeconds=3600]
-   * @param {number} [opts.maxPairs=20]
-   */
   constructor({ timeoutSeconds = 3600, maxPairs = 20 } = {}) {
     this._sessions = new Map();
     this._timeout = timeoutSeconds * 1000;
@@ -92,9 +77,7 @@ export class SessionManager {
     }
   }
 
-  reset(sender) {
-    this._sessions.delete(sender);
-  }
+  reset(sender) { this._sessions.delete(sender); }
 
   cleanup() {
     const now = Date.now();
@@ -109,22 +92,147 @@ export class SessionManager {
 }
 
 // ---------------------------------------------------------------------------
-// Bot runner (placeholder — requires signal-cli subprocess)
+// Signal REST API client
+// ---------------------------------------------------------------------------
+
+async function sendMessage(signalService, phoneNumber, recipient, message) {
+  const resp = await fetch(`${signalService}/v2/send`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      message,
+      number: phoneNumber,
+      recipients: [recipient],
+    }),
+  });
+  if (!resp.ok) {
+    throw new Error(`Send failed: ${resp.status} ${await resp.text()}`);
+  }
+}
+
+async function sendReaction(signalService, phoneNumber, recipient, emoji, targetTimestamp) {
+  try {
+    await fetch(`${signalService}/v1/reactions/${phoneNumber}`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        reaction: emoji,
+        recipient,
+        timestamp: targetTimestamp,
+      }),
+    });
+  } catch { /* best-effort */ }
+}
+
+// ---------------------------------------------------------------------------
+// Bot runner
 // ---------------------------------------------------------------------------
 
 /**
  * Start the CIPHER Signal bot.
  *
- * In the full implementation, this would:
- * 1. Load config from config.yaml
- * 2. Start signal-cli subprocess for receiving messages
- * 3. Register CipherCommand handler
- * 4. Run with exponential-backoff watchdog
+ * Connects to signal-cli-rest-api WebSocket, listens for messages,
+ * dispatches through the gateway, and replies.
  *
  * @param {object} config
+ * @param {string} config.signalService - signal-cli-rest-api URL
+ * @param {string} config.phoneNumber - bot's phone number
+ * @param {string[]} [config.whitelist] - allowed sender numbers
+ * @param {number} [config.sessionTimeout] - session timeout in seconds
  */
-export function runBot(config) {
-  console.log(`CIPHER Bot starting (service: ${config.signalService}, phone: ${config.phoneNumber})`);
-  console.log('Bot requires signal-cli — see docs for setup.');
-  // The actual bot would use signal-cli subprocess here
+export async function runBot(config) {
+  const { signalService, phoneNumber, whitelist = [], sessionTimeout = 3600 } = config;
+  const sessions = new SessionManager({ timeoutSeconds: sessionTimeout });
+  const whitelistSet = new Set(whitelist);
+
+  const wsUrl = `${signalService.replace('http', 'ws')}/v1/receive/${phoneNumber}`;
+
+  let reconnectDelay = 1000;
+  const maxDelay = 60000;
+
+  function connect() {
+    const ws = new WebSocket(wsUrl);
+
+    ws.on('open', () => {
+      process.stderr.write(`  ● Connected to ${wsUrl}\n`);
+      reconnectDelay = 1000;
+    });
+
+    ws.on('message', async (data) => {
+      try {
+        const envelope = JSON.parse(data.toString());
+        await handleEnvelope(envelope, config, sessions, whitelistSet);
+      } catch (err) {
+        process.stderr.write(`  ✖ Message error: ${err.message}\n`);
+      }
+    });
+
+    ws.on('close', () => {
+      process.stderr.write(`  ⚠ WebSocket closed. Reconnecting in ${reconnectDelay / 1000}s...\n`);
+      setTimeout(connect, reconnectDelay);
+      reconnectDelay = Math.min(reconnectDelay * 2, maxDelay);
+    });
+
+    ws.on('error', (err) => {
+      process.stderr.write(`  ✖ WebSocket error: ${err.message}\n`);
+    });
+  }
+
+  connect();
+}
+
+async function handleEnvelope(envelope, config, sessions, whitelistSet) {
+  const msg = envelope.envelope?.dataMessage;
+  if (!msg || !msg.message) return;
+
+  const sender = envelope.envelope?.source;
+  if (!sender) return;
+
+  const text = msg.message.trim();
+  if (!text) return;
+
+  // Whitelist check
+  if (whitelistSet.size > 0 && !whitelistSet.has(sender)) {
+    return;
+  }
+
+  const timestamp = msg.timestamp;
+
+  // /reset command
+  if (text === '/reset') {
+    sessions.reset(sender);
+    await sendMessage(config.signalService, config.phoneNumber, sender, 'Session cleared.');
+    return;
+  }
+
+  // React with brain emoji to acknowledge
+  await sendReaction(config.signalService, config.phoneNumber, sender, '🧠', timestamp);
+
+  // Map prefix and get history
+  const mapped = mapPrefix(text);
+  const history = sessions.get(sender);
+
+  // Dispatch through gateway
+  let response;
+  try {
+    const { Gateway } = await import('../gateway/gateway.js');
+    const gw = new Gateway({ rag: true });
+    response = await gw.send(mapped, { history });
+  } catch (err) {
+    response = `Error: ${err.message}`;
+  }
+
+  // Update session and reply
+  sessions.update(sender, mapped, response);
+  const reply = stripMarkdown(response);
+
+  // Signal has a ~6000 char limit per message
+  if (reply.length > 5500) {
+    const chunks = reply.match(/.{1,5500}/gs) || [reply];
+    for (const chunk of chunks) {
+      await sendMessage(config.signalService, config.phoneNumber, sender, chunk);
+    }
+  } else {
+    await sendMessage(config.signalService, config.phoneNumber, sender, reply);
+  }
 }

package/lib/gateway/commands.js

@@ -821,17 +821,124 @@ export async function handleWeb(args = {}) {
 // ---------------------------------------------------------------------------
 
 export async function handleSetupSignal() {
+  const clack = await import('@clack/prompts');
+  const { execSync } = await import('node:child_process');
+  const { writeConfig, loadConfig, configExists } = await import('../config.js');
   const brand = await import('../brand.js');
-  brand.header('Signal Setup');
-  brand.divider();
-  brand.info('Set the following environment variables:');
-  process.stderr.write('\n');
-  process.stderr.write('  SIGNAL_SERVICE        Signal API service URL\n');
-  process.stderr.write('  SIGNAL_PHONE_NUMBER   Bot phone number (E.164 format)\n');
-  process.stderr.write('  SIGNAL_WHITELIST      Comma-separated allowed numbers\n');
-  process.stderr.write('\n');
-  brand.info('Then run: cipher bot');
-  brand.divider();
+
+  brand.banner();
+  clack.intro('Signal Bot Setup');
+
+  // Step 1: Check if signal-cli-rest-api is running
+  let signalService = 'http://localhost:8080';
+  let apiHealthy = false;
+
+  clack.log.step('Checking for signal-cli-rest-api...');
+
+  try {
+    const resp = execSync(`curl -sf ${signalService}/v1/about`, { encoding: 'utf-8', timeout: 5000 });
+    const info = JSON.parse(resp);
+    clack.log.success(`Signal API running (v${info.version}, mode: ${info.mode})`);
+    apiHealthy = true;
+  } catch {
+    clack.log.warn('Signal API not detected at localhost:8080');
+    clack.log.info(
+      'Start it with Docker:\n\n' +
+      '  docker compose --profile signal up -d signal-api\n\n' +
+      'Or manually:\n\n' +
+      '  docker run -d --name signal-api \\\n' +
+      '    -p 8080:8080 -e MODE=json-rpc \\\n' +
+      '    -v signal-data:/home/.local/share/signal-cli \\\n' +
+      '    bbernhard/signal-cli-rest-api:0.98'
+    );
+
+    const customUrl = await clack.text({
+      message: 'Signal API URL (or press Enter to skip)',
+      placeholder: 'http://localhost:8080',
+      defaultValue: '',
+    });
+    if (clack.isCancel(customUrl)) { clack.outro('Cancelled.'); process.exit(0); }
+
+    if (customUrl) {
+      signalService = customUrl;
+      try {
+        const resp = execSync(`curl -sf ${signalService}/v1/about`, { encoding: 'utf-8', timeout: 5000 });
+        clack.log.success('Signal API reachable.');
+        apiHealthy = true;
+      } catch {
+        clack.log.error('Cannot reach Signal API at that URL.');
+        clack.outro('Fix the Signal API first, then run cipher setup-signal again.');
+        process.exit(1);
+      }
+    } else {
+      clack.outro('Start the Signal API first, then run cipher setup-signal again.');
+      process.exit(1);
+    }
+  }
+
+  // Step 2: Check registered phone numbers
+  let phoneNumber = '';
+  try {
+    const accounts = JSON.parse(execSync(`curl -sf ${signalService}/v1/accounts`, { encoding: 'utf-8', timeout: 5000 }));
+    if (accounts.length > 0) {
+      if (accounts.length === 1) {
+        phoneNumber = accounts[0];
+        clack.log.success(`Registered number: ${phoneNumber}`);
+      } else {
+        const selected = await clack.select({
+          message: 'Select the phone number for the bot',
+          options: accounts.map(a => ({ value: a, label: a })),
+        });
+        if (clack.isCancel(selected)) { clack.outro('Cancelled.'); process.exit(0); }
+        phoneNumber = selected;
+      }
+    } else {
+      clack.log.warn('No phone numbers registered with signal-cli.');
+      clack.log.info(
+        'Register a number:\n\n' +
+        `  curl -X POST ${signalService}/v1/register/<YOUR_NUMBER>\n` +
+        `  curl -X POST ${signalService}/v1/verify/<YOUR_NUMBER> -d '{"token":"<CODE>"}'`
+      );
+      clack.outro('Register a number first, then run cipher setup-signal again.');
+      process.exit(1);
+    }
+  } catch (err) {
+    clack.log.error('Failed to query accounts: ' + err.message);
+    process.exit(1);
+  }
+
+  // Step 3: Whitelist
+  const whitelistInput = await clack.text({
+    message: 'Allowed phone numbers (comma-separated, E.164 format)',
+    placeholder: '+15551234567,+15559876543',
+    defaultValue: '',
+  });
+  if (clack.isCancel(whitelistInput)) { clack.outro('Cancelled.'); process.exit(0); }
+
+  const whitelist = whitelistInput
+    ? whitelistInput.split(',').map(n => n.trim()).filter(Boolean)
+    : [];
+
+  // Step 4: Save config
+  let existingConfig = {};
+  try {
+    if (configExists()) existingConfig = loadConfig();
+  } catch { /* ignore */ }
+
+  const config = {
+    ...existingConfig,
+    signal: {
+      signal_service: signalService,
+      phone_number: phoneNumber,
+      whitelist,
+      session_timeout: 3600,
+    },
+  };
+
+  const configPath = writeConfig(config);
+
+  clack.log.success('Signal configuration saved.');
+  clack.outro(`Run cipher bot to start. Config: ${configPath}`);
   return {};
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cipher-security",
-  "version": "5.2.0",
+  "version": "5.3.0",
   "description": "CIPHER — AI Security Engineering Platform CLI",
   "type": "module",
   "engines": {
@@ -25,6 +25,7 @@
     "@clack/prompts": "^1.1.0",
     "better-sqlite3": "^12.8.0",
     "openai": "^6.32.0",
+    "ws": "^8.19.0",
     "yaml": "^2.8.2"
   }
 }