cryptoserve 0.1.0

package/lib/cli-style.mjs

@@ -0,0 +1,217 @@
+/**
+ * Professional CLI styling for CryptoServe.
+ *
+ * Provides consistent, enterprise-grade terminal output styling.
+ * Port of sdk/python/cryptoserve/_cli_style.py — zero dependencies.
+ */
+
+import { env, stdout } from 'node:process';
+
+function supportsColor() {
+  if (env.NO_COLOR) return false;
+  if (env.FORCE_COLOR) return true;
+  if (!stdout.isTTY) return false;
+  if (process.platform === 'win32') {
+    return env.TERM === 'xterm' || !!env.ANSICON;
+  }
+  return true;
+}
+
+const ENABLED = supportsColor();
+const e = (code) => ENABLED ? code : '';
+
+export const Colors = {
+  RESET:          e('\x1b[0m'),
+  BLACK:          e('\x1b[30m'),
+  RED:            e('\x1b[31m'),
+  GREEN:          e('\x1b[32m'),
+  YELLOW:         e('\x1b[33m'),
+  BLUE:           e('\x1b[34m'),
+  MAGENTA:        e('\x1b[35m'),
+  CYAN:           e('\x1b[36m'),
+  WHITE:          e('\x1b[37m'),
+  BRIGHT_BLACK:   e('\x1b[90m'),
+  BRIGHT_RED:     e('\x1b[91m'),
+  BRIGHT_GREEN:   e('\x1b[92m'),
+  BRIGHT_YELLOW:  e('\x1b[93m'),
+  BRIGHT_BLUE:    e('\x1b[94m'),
+  BRIGHT_MAGENTA: e('\x1b[95m'),
+  BRIGHT_CYAN:    e('\x1b[96m'),
+  BRIGHT_WHITE:   e('\x1b[97m'),
+  BOLD:           e('\x1b[1m'),
+  DIM:            e('\x1b[2m'),
+  ITALIC:         e('\x1b[3m'),
+  UNDERLINE:      e('\x1b[4m'),
+};
+
+export const Style = {
+  SUCCESS:   Colors.BRIGHT_GREEN,
+  ERROR:     Colors.BRIGHT_RED,
+  WARNING:   Colors.BRIGHT_YELLOW,
+  INFO:      Colors.BRIGHT_BLUE,
+  HEADER:    Colors.BRIGHT_CYAN + Colors.BOLD,
+  SUBHEADER: Colors.CYAN,
+  LABEL:     Colors.BRIGHT_WHITE + Colors.BOLD,
+  VALUE:     Colors.WHITE,
+  DIM:       Colors.BRIGHT_BLACK,
+  ACCENT:    Colors.BRIGHT_MAGENTA,
+  RESET:     Colors.RESET,
+};
+
+export const Box = {
+  TOP_LEFT:     '╭',
+  TOP_RIGHT:    '╮',
+  BOTTOM_LEFT:  '╰',
+  BOTTOM_RIGHT: '╯',
+  HORIZONTAL:   '─',
+  VERTICAL:     '│',
+  T_DOWN:       '┬',
+  T_UP:         '┴',
+  T_RIGHT:      '├',
+  T_LEFT:       '┤',
+  CROSS:        '┼',
+  DOUBLE_HORIZONTAL: '═',
+  DOUBLE_VERTICAL:   '║',
+};
+
+export const Icons = {
+  SUCCESS:      '+',
+  ERROR:        'x',
+  WARNING:      '!',
+  INFO:         '*',
+  PENDING:      'o',
+  IN_PROGRESS:  '-',
+  ARROW_RIGHT:  '>',
+  ARROW_LEFT:   '<',
+  BULLET:       '-',
+  STAR:         '*',
+  LOCK:         '[locked]',
+  UNLOCK:       '[unlocked]',
+  KEY:          '[key]',
+  SHIELD:       '[secure]',
+  CHECK:        '[x]',
+  ROCKET:       '[deploy]',
+  CLOCK:        '[time]',
+  LINK:         '[link]',
+};
+
+export function header(text, width = 60) {
+  const pad = width - 4;
+  const centered = text.length >= pad
+    ? text.slice(0, pad)
+    : ' '.repeat(Math.floor((pad - text.length) / 2)) + text +
+      ' '.repeat(Math.ceil((pad - text.length) / 2));
+  return [
+    `${Style.HEADER}${Box.TOP_LEFT}${Box.HORIZONTAL.repeat(width - 2)}${Box.TOP_RIGHT}${Style.RESET}`,
+    `${Style.HEADER}${Box.VERTICAL}${Style.RESET} ${centered} ${Style.HEADER}${Box.VERTICAL}${Style.RESET}`,
+    `${Style.HEADER}${Box.BOTTOM_LEFT}${Box.HORIZONTAL.repeat(width - 2)}${Box.BOTTOM_RIGHT}${Style.RESET}`,
+  ].join('\n');
+}
+
+export function compactHeader(command = '') {
+  if (command) {
+    return `\n${Style.HEADER}CRYPTOSERVE${Style.RESET} ${Style.DIM}›${Style.RESET} ${Style.LABEL}${command}${Style.RESET}\n`;
+  }
+  return `\n${Style.HEADER}CRYPTOSERVE${Style.RESET}\n`;
+}
+
+export function subheader(text, width = 60) {
+  const line = Box.HORIZONTAL.repeat(width);
+  return `\n${Style.SUBHEADER}${line}\n  ${text}\n${line}${Style.RESET}`;
+}
+
+export function section(title) {
+  return `\n${Style.LABEL}${title}${Style.RESET}`;
+}
+
+export function divider(width = 60, char = '─') {
+  return `${Style.DIM}${char.repeat(width)}${Style.RESET}`;
+}
+
+export function success(text) {
+  return `${Style.SUCCESS}${Icons.SUCCESS}${Style.RESET} ${text}`;
+}
+
+export function error(text) {
+  return `${Style.ERROR}${Icons.ERROR}${Style.RESET} ${text}`;
+}
+
+export function warning(text) {
+  return `${Style.WARNING}${Icons.WARNING}${Style.RESET}  ${text}`;
+}
+
+export function info(text) {
+  return `${Style.INFO}${Icons.INFO}${Style.RESET}  ${text}`;
+}
+
+export function dim(text) {
+  return `${Style.DIM}${text}${Style.RESET}`;
+}
+
+export function bold(text) {
+  return `${Colors.BOLD}${text}${Style.RESET}`;
+}
+
+export function labelValue(label, value, labelWidth = 20) {
+  return `  ${Style.LABEL}${label.padEnd(labelWidth)}${Style.RESET} ${Style.VALUE}${value}${Style.RESET}`;
+}
+
+export function tableRow(columns, widths) {
+  const parts = columns.map((col, i) =>
+    String(col).padEnd(widths[i]).slice(0, widths[i])
+  );
+  return `  ${parts.join(' ')}`;
+}
+
+export function tableHeader(columns, widths) {
+  const headerLine = tableRow(columns, widths);
+  const underline = '  ' + widths.map(w => Box.HORIZONTAL.repeat(w)).join(' ');
+  return `${Style.LABEL}${headerLine}${Style.RESET}\n${Style.DIM}${underline}${Style.RESET}`;
+}
+
+export function progressBar(current, total, width = 30, showPercent = true) {
+  const percent = total === 0 ? 100 : Math.floor((current / total) * 100);
+  const filled = Math.floor((current / Math.max(total, 1)) * width);
+  const empty = width - filled;
+  const bar = '█'.repeat(filled) + '░'.repeat(empty);
+  const color = percent >= 80 ? Style.SUCCESS : percent >= 50 ? Style.WARNING : Style.ERROR;
+  return showPercent
+    ? `${color}${bar}${Style.RESET} ${percent}%`
+    : `${color}${bar}${Style.RESET}`;
+}
+
+export function statusBadge(status) {
+  const lower = status.toLowerCase();
+  if (['ready', 'active', 'success', 'healthy', 'ok'].includes(lower)) {
+    return `${Style.SUCCESS}● ${status}${Style.RESET}`;
+  }
+  if (['pending', 'waiting', 'in_progress'].includes(lower)) {
+    return `${Style.WARNING}○ ${status}${Style.RESET}`;
+  }
+  if (['error', 'failed', 'blocked'].includes(lower)) {
+    return `${Style.ERROR}● ${status}${Style.RESET}`;
+  }
+  return `${Style.DIM}○ ${status}${Style.RESET}`;
+}
+
+export function codeBlock(code) {
+  const lines = code.trim().split('\n');
+  const formatted = [];
+  formatted.push(`${Style.DIM}┌${'─'.repeat(58)}┐${Style.RESET}`);
+  for (const line of lines) {
+    formatted.push(`${Style.DIM}│${Style.RESET} ${Style.ACCENT}${line.padEnd(56)}${Style.RESET} ${Style.DIM}│${Style.RESET}`);
+  }
+  formatted.push(`${Style.DIM}└${'─'.repeat(58)}┘${Style.RESET}`);
+  return formatted.join('\n');
+}
+
+export function brandHeader() {
+  return `
+${Style.HEADER}╭────────────────────────────────────────────────────────╮
+│                                                        │
+│   ${Colors.BRIGHT_WHITE}CRYPTOSERVE${Style.HEADER}                                        │
+│   ${Style.DIM}Enterprise Cryptography Platform${Style.HEADER}                    │
+│                                                        │
+╰────────────────────────────────────────────────────────╯${Style.RESET}
+`;
+}

package/lib/client.mjs

@@ -0,0 +1,138 @@
+/**
+ * HTTP client for CryptoServe server API.
+ *
+ * Uses global fetch (Node 18+) — zero dependencies.
+ * Used only when connected to a server; all scanning/PQC/crypto work offline.
+ */
+
+import { loadToken, saveToken } from './credentials.mjs';
+import { createServer } from 'node:http';
+
+const DEFAULT_SERVER = 'https://localhost:8003';
+const CALLBACK_PORT = 9876;
+
+// ---------------------------------------------------------------------------
+// URL validation (SSRF protection)
+// ---------------------------------------------------------------------------
+
+const BLOCKED_HOSTS = [
+  '169.254.169.254',            // AWS metadata
+  'metadata.google.internal',   // GCP metadata
+  '100.100.100.200',            // Alibaba metadata
+  'fd00::',                     // IPv6 link-local
+];
+
+function validateServerUrl(url) {
+  try {
+    const parsed = new URL(url);
+    if (!['http:', 'https:'].includes(parsed.protocol)) {
+      throw new Error('Server URL must use http or https');
+    }
+    if (BLOCKED_HOSTS.some(h => parsed.hostname === h || parsed.hostname.includes(h))) {
+      throw new Error('Server URL points to a blocked address');
+    }
+    return parsed.toString().replace(/\/$/, '');
+  } catch (e) {
+    if (e.message.includes('blocked') || e.message.includes('must use')) throw e;
+    throw new Error(`Invalid server URL: ${url}`);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// API client
+// ---------------------------------------------------------------------------
+
+export async function apiCall(method, path, body = null, options = {}) {
+  const creds = loadToken();
+  if (!creds) throw new Error('Not logged in. Run "cryptoserve login" first.');
+
+  const server = validateServerUrl(options.server || creds.server || DEFAULT_SERVER);
+  const url = `${server}${path}`;
+
+  const headers = {
+    'Content-Type': 'application/json',
+    'Cookie': `session=${creds.token}`,
+  };
+
+  const fetchOpts = {
+    method,
+    headers,
+    signal: AbortSignal.timeout(options.timeout || 30000),
+  };
+
+  if (body) fetchOpts.body = JSON.stringify(body);
+
+  const response = await fetch(url, fetchOpts);
+
+  if (!response.ok) {
+    if (response.status === 401) {
+      throw new Error('Session expired. Run "cryptoserve login" again.');
+    }
+    throw new Error(`API error ${response.status}: ${await response.text()}`);
+  }
+
+  return response.json();
+}
+
+export async function getStatus(server = null) {
+  const creds = loadToken();
+  const url = validateServerUrl(server || creds?.server || DEFAULT_SERVER);
+
+  try {
+    const start = Date.now();
+    const response = await fetch(`${url}/health`, {
+      signal: AbortSignal.timeout(10000),
+    });
+    const latency = Date.now() - start;
+    const data = await response.json();
+    return { connected: true, latency, ...data };
+  } catch (e) {
+    return { connected: false, error: e.message };
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Login flow (browser OAuth with localhost callback)
+// ---------------------------------------------------------------------------
+
+export async function login(serverUrl = DEFAULT_SERVER) {
+  const server = validateServerUrl(serverUrl);
+
+  // Start local callback server
+  return new Promise((resolve, reject) => {
+    const httpServer = createServer((req, res) => {
+      const url = new URL(req.url, `http://localhost:${CALLBACK_PORT}`);
+      const token = url.searchParams.get('token') || url.searchParams.get('session');
+
+      if (token) {
+        saveToken(token, server);
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end('<html><body><h2>Login successful</h2><p>You can close this tab.</p></body></html>');
+        httpServer.close();
+        resolve({ success: true, server });
+      } else {
+        res.writeHead(400);
+        res.end('Missing token');
+      }
+    });
+
+    httpServer.listen(CALLBACK_PORT, () => {
+      const authUrl = `${server}/auth/cli?redirect=http://localhost:${CALLBACK_PORT}/callback`;
+      console.log(`\nOpen this URL to log in:\n  ${authUrl}\n`);
+
+      // Try to open browser
+      const { exec } = import('node:child_process').then(m => {
+        const cmd = process.platform === 'darwin' ? 'open'
+          : process.platform === 'win32' ? 'start'
+          : 'xdg-open';
+        m.exec(`${cmd} "${authUrl}"`);
+      });
+    });
+
+    // Timeout after 120 seconds
+    setTimeout(() => {
+      httpServer.close();
+      reject(new Error('Login timed out after 120 seconds'));
+    }, 120000);
+  });
+}

package/lib/context-resolver.mjs

@@ -0,0 +1,339 @@
+/**
+ * Context-aware algorithm resolver for the CryptoServe CLI.
+ *
+ * Port of the 5-layer context model from the CryptoServe backend
+ * (backend/app/core/algorithm_resolver.py + backend/app/schemas/context.py).
+ *
+ * Resolves context labels like "user-pii" to optimal algorithms from the
+ * set the CLI can actually execute: AES-256-GCM, AES-128-GCM, ChaCha20-Poly1305.
+ *
+ * Zero dependencies — uses only node:fs for loading .cryptoserve.json.
+ */
+
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+
+// =============================================================================
+// Enums / Constants
+// =============================================================================
+
+const SENSITIVITY = { critical: 'critical', high: 'high', medium: 'medium', low: 'low' };
+
+const ADVERSARIES = {
+  opportunistic: 'opportunistic',
+  organized_crime: 'organized_crime',
+  nation_state: 'nation_state',
+  insider: 'insider',
+  quantum: 'quantum',
+};
+
+const USAGE = {
+  at_rest: 'at_rest',
+  in_transit: 'in_transit',
+  in_use: 'in_use',
+  streaming: 'streaming',
+  disk: 'disk',
+};
+
+const FREQUENCY = { high: 'high', medium: 'medium', low: 'low', rare: 'rare' };
+
+// Executable algorithms — what the CLI can actually do
+const EXECUTABLE_ALGORITHMS = {
+  'AES-256-GCM':       { keyBits: 256, securityBits: 256, hwAccelerated: true,  mode: 'gcm' },
+  'AES-128-GCM':       { keyBits: 128, securityBits: 128, hwAccelerated: true,  mode: 'gcm' },
+  'ChaCha20-Poly1305': { keyBits: 256, securityBits: 256, hwAccelerated: false, mode: 'stream' },
+};
+
+// Sensitivity → minimum key bits
+const SENSITIVITY_MIN_BITS = {
+  critical: 256,
+  high: 256,
+  medium: 128,
+  low: 128,
+};
+
+// Sensitivity → key rotation recommendation (days)
+const SENSITIVITY_ROTATION = {
+  critical: 30,
+  high: 90,
+  medium: 180,
+  low: 365,
+};
+
+// Compliance framework constraints
+const COMPLIANCE_CONSTRAINTS = {
+  'PCI-DSS':  { minBits: 256, maxRotationDays: 90 },
+  'HIPAA':    { minBits: 256, maxRotationDays: 90 },
+  'GDPR':     { minBits: 128, maxRotationDays: 365 },
+  'SOX':      { minBits: 256, maxRotationDays: 180 },
+  'OWASP':    { minBits: 128, maxRotationDays: 365 },
+  'CCPA':     { minBits: 128, maxRotationDays: 365 },
+  'NIST':     { minBits: 256, maxRotationDays: 365 },
+};
+
+// =============================================================================
+// Built-in presets (ported from backend/app/main.py seed contexts)
+// =============================================================================
+
+const BUILT_IN_CONTEXTS = {
+  'user-pii': {
+    displayName: 'User Personal Data',
+    description: 'Personally identifiable information that can identify an individual',
+    sensitivity: 'high',
+    compliance: ['GDPR'],
+    adversaries: ['organized_crime', 'nation_state'],
+    protectionYears: 20,
+    usage: 'at_rest',
+    frequency: 'high',
+    pii: true,
+    examples: ['email', 'SSN', 'phone number', 'home address', 'date of birth'],
+  },
+  'payment-data': {
+    displayName: 'Payment & Financial',
+    description: 'Payment card data and financial account information',
+    sensitivity: 'critical',
+    compliance: ['PCI-DSS'],
+    adversaries: ['organized_crime', 'insider'],
+    protectionYears: 7,
+    usage: 'at_rest',
+    frequency: 'high',
+    pci: true,
+    examples: ['credit card number', 'bank account', 'CVV', 'billing address'],
+  },
+  'session-tokens': {
+    displayName: 'Session & Auth Tokens',
+    description: 'Temporary authentication and session data',
+    sensitivity: 'medium',
+    compliance: ['OWASP'],
+    adversaries: ['opportunistic'],
+    protectionYears: 0.01,
+    usage: 'in_transit',
+    frequency: 'high',
+    examples: ['JWT tokens', 'session IDs', 'refresh tokens', 'API keys'],
+  },
+  'health-data': {
+    displayName: 'Health Information',
+    description: 'Protected health information and medical records',
+    sensitivity: 'critical',
+    compliance: ['HIPAA'],
+    adversaries: ['organized_crime', 'nation_state'],
+    protectionYears: 25,
+    usage: 'at_rest',
+    frequency: 'medium',
+    phi: true,
+    examples: ['diagnosis', 'prescriptions', 'medical history', 'insurance ID'],
+  },
+  'general': {
+    displayName: 'General Purpose',
+    description: 'General data without specific regulatory requirements',
+    sensitivity: 'medium',
+    compliance: [],
+    adversaries: ['opportunistic'],
+    protectionYears: 5,
+    usage: 'at_rest',
+    frequency: 'medium',
+    examples: ['internal IDs', 'configuration secrets', 'API responses'],
+  },
+};
+
+// Context config defaults for custom contexts
+const CONTEXT_DEFAULTS = {
+  sensitivity: 'medium',
+  compliance: [],
+  adversaries: ['opportunistic'],
+  protectionYears: 5,
+  usage: 'at_rest',
+  frequency: 'medium',
+};
+
+// =============================================================================
+// Custom context loader
+// =============================================================================
+
+/**
+ * Load custom contexts from .cryptoserve.json in the given directory.
+ * Returns merged built-in + custom contexts.
+ */
+export function loadContexts(dir = process.cwd()) {
+  const contexts = { ...BUILT_IN_CONTEXTS };
+
+  try {
+    const configPath = resolve(dir, '.cryptoserve.json');
+    const config = JSON.parse(readFileSync(configPath, 'utf-8'));
+    if (config.contexts && typeof config.contexts === 'object') {
+      for (const [name, userCtx] of Object.entries(config.contexts)) {
+        // Validate name format
+        if (!/^[a-z][a-z0-9-]*$/.test(name)) continue;
+        // Merge with defaults
+        contexts[name] = { ...CONTEXT_DEFAULTS, ...userCtx, _custom: true };
+      }
+    }
+  } catch { /* no config file or parse error — use built-ins only */ }
+
+  return contexts;
+}
+
+// =============================================================================
+// 5-Layer Algorithm Resolver
+// =============================================================================
+
+/**
+ * Resolve a context name to an optimal algorithm and rationale.
+ *
+ * @param {string} contextName - Context label (e.g. "user-pii")
+ * @param {string} [dir] - Directory to look for .cryptoserve.json
+ * @returns {{ algorithm, keyBits, context, factors[], alternatives[] }}
+ */
+export function resolveContext(contextName, dir = process.cwd()) {
+  const contexts = loadContexts(dir);
+  const ctx = contexts[contextName];
+  if (!ctx) {
+    return { error: `Unknown context: "${contextName}"`, validContexts: Object.keys(contexts) };
+  }
+
+  const factors = [];
+  const alternatives = [];
+
+  // ---- Layer 1: Data Identity (Sensitivity) ----
+  const sensitivity = ctx.sensitivity || 'medium';
+  let minBits = SENSITIVITY_MIN_BITS[sensitivity] || 128;
+  factors.push(`Sensitivity: ${sensitivity.toUpperCase()} → ${minBits}-bit minimum`);
+
+  // ---- Layer 2: Regulatory Mapping (Compliance) ----
+  let rotationDays = SENSITIVITY_ROTATION[sensitivity] || 180;
+  const compliance = ctx.compliance || [];
+  for (const framework of compliance) {
+    const constraint = COMPLIANCE_CONSTRAINTS[framework];
+    if (constraint) {
+      minBits = Math.max(minBits, constraint.minBits);
+      rotationDays = Math.min(rotationDays, constraint.maxRotationDays);
+      factors.push(`Compliance: ${framework} → ${constraint.minBits}-bit min, ${constraint.maxRotationDays}-day rotation`);
+    }
+  }
+
+  // ---- Layer 3: Threat Model ----
+  const adversaries = ctx.adversaries || ['opportunistic'];
+  const protectionYears = ctx.protectionYears ?? 5;
+
+  if (adversaries.includes('nation_state')) {
+    minBits = Math.max(minBits, 256);
+    factors.push('Threat: Nation-state adversary → 256-bit enforced');
+  }
+
+  let quantumRisk = false;
+  if (adversaries.includes('quantum') || protectionYears > 10) {
+    quantumRisk = true;
+    minBits = Math.max(minBits, 256);
+    const reason = adversaries.includes('quantum')
+      ? 'Quantum adversary specified'
+      : `Protection period ${protectionYears}yr exceeds quantum horizon`;
+    factors.push(`Quantum: ${reason} → 256-bit, PQC recommended`);
+  }
+
+  // ---- Layer 4: Access Patterns ----
+  const usage = ctx.usage || 'at_rest';
+  const frequency = ctx.frequency || 'medium';
+  let preferHwAccel = false;
+
+  if (frequency === 'high') {
+    preferHwAccel = true;
+    factors.push('Access: High frequency → hardware acceleration preferred (AES-NI)');
+  }
+
+  if (usage === 'streaming') {
+    factors.push('Usage: Streaming → stream cipher preferred');
+  }
+
+  // ---- Layer 5: Algorithm Selection ----
+  let algorithm;
+
+  if (usage === 'streaming' && minBits <= 256) {
+    // Streaming contexts prefer ChaCha20 (native stream cipher)
+    algorithm = 'ChaCha20-Poly1305';
+    factors.push('Selected: ChaCha20-Poly1305 (native stream cipher for streaming context)');
+    alternatives.push({ algorithm: 'AES-256-GCM', reason: 'If AES-NI hardware acceleration is available' });
+  } else if (minBits > 128) {
+    // 256-bit requirement
+    if (preferHwAccel) {
+      algorithm = 'AES-256-GCM';
+      factors.push('Selected: AES-256-GCM (256-bit, hardware accelerated, FIPS 197 + SP 800-38D)');
+      alternatives.push({ algorithm: 'ChaCha20-Poly1305', reason: 'Better on systems without AES-NI' });
+    } else {
+      // No strong hw-accel preference — still default to AES-256-GCM (most compatible)
+      algorithm = 'AES-256-GCM';
+      factors.push('Selected: AES-256-GCM (256-bit, widely supported, FIPS compliant)');
+      alternatives.push({ algorithm: 'ChaCha20-Poly1305', reason: 'Equal security, better without AES-NI' });
+    }
+  } else {
+    // 128-bit sufficient
+    if (preferHwAccel) {
+      algorithm = 'AES-128-GCM';
+      factors.push('Selected: AES-128-GCM (128-bit sufficient, fast with AES-NI)');
+      alternatives.push({ algorithm: 'AES-256-GCM', reason: 'If future-proofing or compliance requires 256-bit' });
+      alternatives.push({ algorithm: 'ChaCha20-Poly1305', reason: 'Better on systems without AES-NI' });
+    } else {
+      algorithm = 'AES-128-GCM';
+      factors.push('Selected: AES-128-GCM (128-bit sufficient for threat model)');
+      alternatives.push({ algorithm: 'ChaCha20-Poly1305', reason: 'Better performance without AES-NI' });
+      alternatives.push({ algorithm: 'AES-256-GCM', reason: 'If upgrading to 256-bit for future-proofing' });
+    }
+  }
+
+  if (quantumRisk) {
+    factors.push('Note: Post-quantum migration recommended — use CryptoServe server for hybrid PQC');
+  }
+
+  return {
+    algorithm,
+    keyBits: EXECUTABLE_ALGORITHMS[algorithm].keyBits,
+    context: {
+      name: contextName,
+      displayName: ctx.displayName || contextName,
+      description: ctx.description || '',
+      sensitivity,
+      compliance,
+      adversaries,
+      protectionYears,
+      usage,
+      frequency,
+      pii: ctx.pii || false,
+      phi: ctx.phi || false,
+      pci: ctx.pci || false,
+      examples: ctx.examples || [],
+      custom: !!ctx._custom,
+    },
+    rotationDays,
+    quantumRisk,
+    factors,
+    alternatives,
+  };
+}
+
+/**
+ * List all available contexts (built-in + custom).
+ *
+ * @param {string} [dir] - Directory to look for .cryptoserve.json
+ * @returns {Array<{ name, displayName, sensitivity, algorithm, compliance, custom }>}
+ */
+export function listContexts(dir = process.cwd()) {
+  const contexts = loadContexts(dir);
+  const result = [];
+
+  for (const [name, ctx] of Object.entries(contexts)) {
+    const resolved = resolveContext(name, dir);
+    result.push({
+      name,
+      displayName: ctx.displayName || name,
+      description: ctx.description || '',
+      sensitivity: ctx.sensitivity || 'medium',
+      algorithm: resolved.algorithm,
+      compliance: ctx.compliance || [],
+      custom: !!ctx._custom,
+    });
+  }
+
+  return result;
+}
+
+// Re-export for CLI validation
+export { BUILT_IN_CONTEXTS, EXECUTABLE_ALGORITHMS };