cryptoserve 0.1.3 → 0.2.1

package/README.md

@@ -1,6 +1,6 @@
 # CryptoServe CLI (Node.js)
 
-Zero-dependency CLI for cryptographic scanning, post-quantum readiness analysis, encryption, and local key management.
+Zero-dependency CLI for cryptographic scanning, post-quantum readiness analysis, CBOM generation, CI/CD gating, encryption, and local key management.
 
 ```bash
 npx cryptoserve pqc
@@ -24,6 +24,8 @@ Requires Node.js 18 or later. No dependencies — uses only Node.js built-in mod
 |---------|-------------|
 | `scan [path]` | Scan project for crypto libraries, hardcoded secrets, and weak patterns |
 | `pqc` | Post-quantum readiness analysis with SNDL risk assessment |
+| `cbom [path]` | Generate Cryptographic Bill of Materials (CycloneDX, SPDX, JSON) |
+| `gate [path]` | CI/CD quality gate with configurable thresholds |
 | `encrypt` / `decrypt` | Password-based encryption (strings and files) |
 | `context list` / `show` | List and inspect context-aware algorithm presets |
 | `hash-password` | scrypt / PBKDF2 password hashing |
@@ -33,18 +35,46 @@ Requires Node.js 18 or later. No dependencies — uses only Node.js built-in mod
 
 ## Scan
 
-Detect crypto libraries, algorithm usage, hardcoded secrets, and certificate files in JavaScript/TypeScript projects.
+Detect crypto libraries, algorithm usage, hardcoded secrets, and certificate files across multiple languages and ecosystems.
 
 ```bash
 cryptoserve scan .
 cryptoserve scan ./src --format json
+cryptoserve scan . --binary          # Include binary crypto detection
 ```
 
-Detects 20+ crypto packages (`jsonwebtoken`, `node-forge`, `@noble/curves`, etc.), `node:crypto` API usage, algorithm string literals, weak patterns (MD5, DES, ECB, `createCipher`), and hardcoded API keys (AWS, OpenAI, Anthropic, GitHub, Stripe, and more).
+### Supported Languages
+
+| Language | Extensions | Detection |
+|----------|-----------|-----------|
+| JavaScript/TypeScript | `.js`, `.ts`, `.mjs`, `.cjs`, `.jsx`, `.tsx` | Imports, algorithm literals, weak patterns |
+| Go | `.go` | `crypto/*` stdlib, `x/crypto`, `circl` |
+| Python | `.py` | `hashlib`, `cryptography`, `PyCryptodome`, `bcrypt` |
+| Java/Kotlin | `.java`, `.kt`, `.scala` | `Cipher.getInstance`, `MessageDigest`, `KeyPairGenerator` |
+| Rust | `.rs` | `aes-gcm`, `ring`, `ed25519-dalek`, `pqcrypto` |
+| C/C++ | `.c`, `.h`, `.cpp`, `.hpp`, `.cc` | OpenSSL `EVP_*`, `RSA_*`, `SHA*_Init` |
+
+### Supported Manifests
+
+| Manifest | Ecosystem |
+|----------|-----------|
+| `package.json` | npm |
+| `go.mod` | Go modules |
+| `requirements.txt` | PyPI |
+| `pyproject.toml` | PyPI (PEP 621 + Poetry) |
+| `Cargo.toml` | Cargo (Rust) |
+| `pom.xml` | Maven (Java) |
+
+### Additional Detection
+
+- **TLS/SSL versions** — nginx, Apache, Node.js, Go, Java configs
+- **Binary signatures** — AES S-box, DES tables, SHA constants, ChaCha20 sigma (with `--binary`)
+- **80+ algorithms** classified by quantum risk, weakness, and category
+- **Hardcoded secrets** — AWS, OpenAI, Anthropic, GitHub, Stripe, and more
 
 ## PQC Analysis
 
-Offline post-quantum readiness assessment. Evaluates your project's cryptographic posture against quantum threat timelines.
+Offline post-quantum readiness assessment with confidence indicators.
 
 ```bash
 cryptoserve pqc
@@ -55,7 +85,67 @@ cryptoserve pqc --format json
 
 **Profiles:** `general`, `national_security`, `healthcare`, `financial`, `intellectual_property`, `legal`, `authentication`, `session_tokens`, `ephemeral`
 
-Output includes quantum readiness score (0-100), SNDL risk assessment, KEM/signature recommendations (ML-KEM, ML-DSA, SLH-DSA), migration plan, and compliance references (CNSA 2.0, NIST SP 800-208, BSI, ANSSI).
+Output includes:
+- Quantum readiness score (0-100) with confidence level
+- Risk breakdown (critical/high/medium/low/safe)
+- Migration urgency (immediate/high/medium/low/none)
+- SNDL risk assessment
+- KEM/signature recommendations (ML-KEM, ML-DSA, SLH-DSA)
+- Migration plan with compliance references (CNSA 2.0, NIST SP 800-208, BSI, ANSSI)
+
+## CBOM Generation
+
+Generate a Cryptographic Bill of Materials in industry-standard formats.
+
+```bash
+# CycloneDX 1.5 format
+cryptoserve cbom . --format cyclonedx --output cbom.json
+
+# SPDX 2.3 format
+cryptoserve cbom . --format spdx --output cbom-spdx.json
+
+# Native JSON with quantum readiness data
+cryptoserve cbom . --format json --output cbom-native.json
+
+# Print to stdout
+cryptoserve cbom .
+```
+
+Each CBOM includes:
+- All detected crypto components with Package URLs (purls)
+- Quantum readiness score and risk assessment
+- Git metadata (commit, branch, remote)
+- Content hash for integrity verification
+
+## CI/CD Gate
+
+Enforce cryptographic policies in your CI/CD pipeline.
+
+```bash
+# Default: fail if quantum risk > high or score < 50
+cryptoserve gate .
+
+# Strict: fail on any high-risk algorithm
+cryptoserve gate . --max-risk medium
+
+# Fail on weak/deprecated algorithms (MD5, DES, RC4, etc.)
+cryptoserve gate . --fail-on-weak
+
+# Custom score threshold
+cryptoserve gate . --min-score 70
+
+# JSON output for CI parsing
+cryptoserve gate . --format json
+```
+
+**Exit codes:** `0` = pass, `1` = fail, `2` = error
+
+**Example GitHub Actions step:**
+
+```yaml
+- name: Crypto gate
+  run: npx cryptoserve gate . --max-risk high --min-score 50 --fail-on-weak
+```
 
 ## Encrypt / Decrypt
 
@@ -90,13 +180,8 @@ The encrypted blob format is byte-identical between the Python and Node.js SDKs.
 A 5-layer algorithm resolver selects the optimal encryption algorithm based on data sensitivity, compliance requirements, threat model, and access patterns.
 
 ```bash
-# List available contexts
 cryptoserve context list
-
-# Show full resolution rationale
 cryptoserve context show user-pii --verbose
-
-# Encrypt with automatic algorithm selection
 cryptoserve encrypt "patient diagnosis" --context health-data --password mypassword
 ```
 
@@ -176,6 +261,8 @@ import { encrypt, decrypt, encryptString, decryptString } from 'cryptoserve/lib/
 import { analyzeOffline } from 'cryptoserve/lib/pqc-engine.mjs';
 import { scanProject } from 'cryptoserve/lib/scanner.mjs';
 import { resolveContext } from 'cryptoserve/lib/context-resolver.mjs';
+import { generateCbom, toCycloneDx, toSpdx } from 'cryptoserve/lib/cbom.mjs';
+import { ALGORITHM_DB, lookupAlgorithm } from 'cryptoserve/lib/algorithm-db.mjs';
 ```
 
 ## License

package/bin/cryptoserve.mjs

@@ -15,13 +15,15 @@
  *   cryptoserve decrypt --file in --output out [--password P]
  *   cryptoserve hash-password [--algorithm scrypt|pbkdf2]
  *   cryptoserve context list | show NAME [--verbose] [--format json]
+ *   cryptoserve cbom [path] [--format cyclonedx|spdx|json] [--output file]
+ *   cryptoserve gate [path] [--max-risk R] [--min-score N] [--fail-on-weak] [--format json]
  *   cryptoserve vault init|set|get|list|delete|run|import|export
  *   cryptoserve login [--server URL]
  *   cryptoserve status
  */
 
-import { readFileSync } from 'node:fs';
-import { resolve, dirname, join } from 'node:path';
+import { readFileSync, writeFileSync } from 'node:fs';
+import { resolve, dirname, join, basename } from 'node:path';
 import { fileURLToPath } from 'node:url';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -31,6 +33,16 @@ const PKG = JSON.parse(readFileSync(join(__dirname, '..', 'package.json'), 'utf-
 // Arg parsing helpers
 // ---------------------------------------------------------------------------
 
+const OPTIONS_WITH_VALUES = new Set([
+  '--password', '--algorithm', '--profile', '--format', '--file',
+  '--output', '--server', '--context', '--max-risk', '--min-score',
+]);
+
+const KNOWN_FLAGS = new Set([
+  '--insecure-storage', '--verbose', '--binary', '--fail-on-weak',
+  '--help', '--version',
+]);
+
 function getFlag(args, name) {
   const idx = args.indexOf(name);
   return idx !== -1;
@@ -42,12 +54,11 @@ function getOption(args, name, defaultValue = null) {
   return args[idx + 1];
 }
 
-function getPositional(args, optionsWithValues = ['--password', '--algorithm', '--profile', '--format', '--file', '--output', '--server', '--context']) {
+function getPositional(args) {
   const result = [];
   for (let i = 0; i < args.length; i++) {
     if (args[i].startsWith('--')) {
-      // Skip the flag; if it takes a value, skip the next arg too
-      if (optionsWithValues.includes(args[i])) i++;
+      if (OPTIONS_WITH_VALUES.has(args[i])) i++;
       continue;
     }
     result.push(args[i]);
@@ -55,6 +66,16 @@ function getPositional(args, optionsWithValues = ['--password', '--algorithm', '
   return result;
 }
 
+function warnUnknownFlags(args) {
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg.startsWith('--') && !OPTIONS_WITH_VALUES.has(arg) && !KNOWN_FLAGS.has(arg)) {
+      console.error(`Warning: unknown flag "${arg}"`);
+    }
+    if (OPTIONS_WITH_VALUES.has(arg)) i++; // skip value
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Commands
 // ---------------------------------------------------------------------------
@@ -67,6 +88,8 @@ async function cmdHelp() {
   console.log(`  ${bold('Scanning & Analysis')}`);
   console.log(`    ${info('pqc [--profile P] [--format json]')}     Post-quantum readiness analysis`);
   console.log(`    ${info('scan [path] [--format json]')}           Scan project for crypto & secrets`);
+  console.log(`    ${info('cbom [path] [--format F] [--output O]')} Generate Crypto Bill of Materials`);
+  console.log(`    ${info('gate [path] [--max-risk R]')}            CI/CD gate (exit 0=pass, 1=fail)`);
   console.log();
   console.log(`  ${bold('Encryption')}`);
   console.log(`    ${info('encrypt "text" [--context C]')}          Encrypt with context-aware algorithm selection`);
@@ -167,13 +190,19 @@ async function cmdPqc(args) {
 
   // Use scanner results if available, otherwise use example libraries
   let libraries = [];
+  let scanMeta = {};
   try {
     const { scanProject, toLibraryInventory } = await import('../lib/scanner.mjs');
     const scanResults = scanProject(process.cwd());
     libraries = toLibraryInventory(scanResults);
+    scanMeta = {
+      filesScanned: scanResults.filesScanned,
+      languagesDetected: scanResults.languagesDetected,
+      manifestsFound: scanResults.manifestsFound,
+    };
   } catch { /* scanner not available, empty libraries */ }
 
-  const result = analyzeOffline(libraries, profile);
+  const result = analyzeOffline(libraries, profile, scanMeta);
 
   if (format === 'json') {
     console.log(JSON.stringify(result, null, 2));
@@ -188,9 +217,28 @@ async function cmdPqc(args) {
   console.log(labelValue('Protection needed', `${result.dataProfile.lifespanYears} years`));
   console.log(labelValue('Urgency', result.dataProfile.urgency.toUpperCase()));
 
-  // Quantum readiness score
+  // Quantum readiness score with confidence
   console.log(section('Quantum Readiness'));
-  console.log(`  ${progressBar(result.quantumReadinessScore, 100)} ${bold(`${result.quantumReadinessScore}/100`)}`);
+  const conf = result.confidence;
+  console.log(`  ${progressBar(result.quantumReadinessScore, 100)} ${bold(`${result.quantumReadinessScore}/100`)} ${dim(`(${conf.level} confidence — ${conf.reason})`)}`);
+  console.log(labelValue('Migration urgency', result.migrationUrgency.toUpperCase()));
+
+  // Risk breakdown
+  if (result.riskBreakdown) {
+    const rb = result.riskBreakdown;
+    const parts = [];
+    if (rb.critical > 0) parts.push(error(`${rb.critical} critical`));
+    if (rb.high > 0) parts.push(warning(`${rb.high} high`));
+    if (rb.medium > 0) parts.push(`${rb.medium} medium`);
+    if (rb.low > 0) parts.push(`${rb.low} low`);
+    if (rb.none > 0) parts.push(success(`${rb.none} safe`));
+    if (parts.length > 0) console.log(labelValue('Risk breakdown', parts.join(' / ')));
+  }
+
+  // Languages detected
+  if (scanMeta.languagesDetected?.length > 0) {
+    console.log(labelValue('Languages', scanMeta.languagesDetected.join(', ')));
+  }
 
   // SNDL assessment
   const sndl = result.sndlAssessment;
@@ -278,9 +326,16 @@ async function cmdScan(args) {
   const positional = getPositional(args);
   const scanDir = positional.length > 0 ? resolve(positional[0]) : process.cwd();
   const format = getOption(args, '--format', 'text');
+  const binaryFlag = getFlag(args, '--binary');
 
   const results = scanProject(scanDir);
 
+  // Binary scanning — lazy-loaded only when requested
+  if (binaryFlag) {
+    const { scanBinaries } = await import('../lib/scanner-binary.mjs');
+    results.binaryFindings = scanBinaries(scanDir);
+  }
+
   if (format === 'json') {
     console.log(JSON.stringify(results, null, 2));
     return;
@@ -327,6 +382,40 @@ async function cmdScan(args) {
     }
   }
 
+  // Multi-language source algorithms
+  if (results.sourceAlgorithms && results.sourceAlgorithms.length > 0) {
+    console.log(section('Source Code Crypto (Multi-Language)'));
+    console.log(tableHeader(['Algorithm', 'Category', 'Language', 'Risk'], [20, 14, 12, 10]));
+    for (const algo of results.sourceAlgorithms) {
+      console.log(tableRow(
+        [algo.algorithm, algo.category, algo.language, algo.quantumRisk],
+        [20, 14, 12, 10]
+      ));
+    }
+  }
+
+  // TLS findings
+  if (results.tlsFindings && results.tlsFindings.length > 0) {
+    console.log(section('TLS/SSL Issues'));
+    for (const tls of results.tlsFindings) {
+      const icon = tls.risk === 'critical' ? error(`[CRIT] ${tls.protocol}`) : warning(`[${tls.risk.toUpperCase()}] ${tls.protocol}`);
+      console.log(`  ${icon} ${dim(tls.file + ':' + tls.line)}`);
+      console.log(`    ${dim(tls.recommendation)}`);
+    }
+  }
+
+  // Binary findings
+  if (results.binaryFindings && results.binaryFindings.length > 0) {
+    console.log(section('Binary Crypto Signatures'));
+    console.log(tableHeader(['Signature', 'Algorithm', 'Severity', 'File'], [24, 12, 10, 30]));
+    for (const bf of results.binaryFindings) {
+      console.log(tableRow(
+        [bf.name, bf.algorithm, bf.severity, bf.file],
+        [24, 12, 10, 30]
+      ));
+    }
+  }
+
   // Cert files
   if (results.certFiles.length > 0) {
     console.log(section('Certificate/Key Files'));
@@ -338,8 +427,20 @@ async function cmdScan(args) {
   // Summary
   console.log(section('Summary'));
   console.log(labelValue('Libraries', String(results.libraries.length)));
+  if (results.sourceAlgorithms?.length > 0) {
+    console.log(labelValue('Source algorithms', String(results.sourceAlgorithms.length)));
+  }
+  if (results.languagesDetected?.length > 0) {
+    console.log(labelValue('Languages', results.languagesDetected.join(', ')));
+  }
+  if (results.manifestsFound?.length > 0) {
+    console.log(labelValue('Manifests', results.manifestsFound.join(', ')));
+  }
   console.log(labelValue('Secrets found', results.secrets.length > 0 ? error(String(results.secrets.length)) : success('0')));
   console.log(labelValue('Weak patterns', results.weakPatterns.length > 0 ? warning(String(results.weakPatterns.length)) : success('0')));
+  if (results.tlsFindings?.length > 0) {
+    console.log(labelValue('TLS issues', warning(String(results.tlsFindings.length))));
+  }
   console.log(labelValue('Cert/key files', String(results.certFiles.length)));
   console.log();
 }
@@ -674,6 +775,146 @@ async function cmdContext(args) {
   process.exit(1);
 }
 
+async function cmdCbom(args) {
+  const { compactHeader, section, labelValue, success, dim, bold, info } = await import('../lib/cli-style.mjs');
+  const { scanProject, toLibraryInventory } = await import('../lib/scanner.mjs');
+  const { analyzeOffline } = await import('../lib/pqc-engine.mjs');
+  const { generateCbom, toCycloneDx, toSpdx, toNativeJson } = await import('../lib/cbom.mjs');
+
+  const positional = getPositional(args);
+  const scanDir = positional.length > 0 ? resolve(positional[0]) : process.cwd();
+  const format = getOption(args, '--format', 'json');
+  const output = getOption(args, '--output');
+
+  const scanResults = scanProject(scanDir);
+  const libraries = toLibraryInventory(scanResults);
+  const pqcResult = analyzeOffline(libraries);
+  const projectName = basename(scanDir);
+
+  const cbom = generateCbom(scanResults, pqcResult, projectName, scanDir);
+
+  let formatted;
+  switch (format) {
+    case 'cyclonedx': formatted = JSON.stringify(toCycloneDx(cbom), null, 2); break;
+    case 'spdx':      formatted = JSON.stringify(toSpdx(cbom), null, 2); break;
+    default:          formatted = JSON.stringify(toNativeJson(cbom), null, 2); break;
+  }
+
+  if (output) {
+    writeFileSync(output, formatted + '\n');
+    console.log(success(`CBOM written to ${output}`));
+    console.log(labelValue('Format', format));
+    console.log(labelValue('Components', String(cbom.components.length)));
+    console.log(labelValue('Quantum readiness', `${cbom.quantumReadiness.score}/100`));
+    console.log(labelValue('Risk level', cbom.quantumReadiness.riskLevel));
+  } else {
+    console.log(formatted);
+  }
+}
+
+async function cmdGate(args) {
+  const { scanProject, toLibraryInventory } = await import('../lib/scanner.mjs');
+  const { analyzeOffline } = await import('../lib/pqc-engine.mjs');
+  const { lookupAlgorithm } = await import('../lib/algorithm-db.mjs');
+
+  const positional = getPositional(args);
+  const scanDir = positional.length > 0 ? resolve(positional[0]) : process.cwd();
+  const maxRisk = getOption(args, '--max-risk', 'high');
+  const minScore = parseInt(getOption(args, '--min-score', '50'), 10);
+  const failOnWeak = getFlag(args, '--fail-on-weak');
+  const format = getOption(args, '--format', 'text');
+
+  const riskOrder = ['none', 'low', 'medium', 'high', 'critical'];
+
+  try {
+    const scanResults = scanProject(scanDir);
+    const libraries = toLibraryInventory(scanResults);
+    const pqcResult = analyzeOffline(libraries);
+    const score = pqcResult.quantumReadinessScore;
+
+    // Collect violations
+    const violations = [];
+    const maxRiskIdx = riskOrder.indexOf(maxRisk);
+
+    for (const lib of libraries) {
+      for (const algoName of lib.algorithms) {
+        const entry = lookupAlgorithm(algoName);
+        if (!entry) continue;
+
+        const algoRiskIdx = riskOrder.indexOf(entry.quantumRisk);
+        if (algoRiskIdx > maxRiskIdx) {
+          violations.push({
+            algorithm: algoName,
+            risk: entry.quantumRisk,
+            source: lib.name + (lib.version !== 'source-code' ? `@${lib.version}` : ` (${lib.version})`),
+          });
+        }
+
+        if (failOnWeak && entry.isWeak) {
+          violations.push({
+            algorithm: algoName,
+            risk: entry.quantumRisk,
+            source: lib.name,
+            weak: true,
+            reason: entry.weaknessReason,
+          });
+        }
+      }
+    }
+
+    const scoreFail = score < minScore;
+    const pass = violations.length === 0 && !scoreFail;
+
+    const summary = {
+      total: libraries.reduce((sum, l) => sum + l.algorithms.length, 0),
+      safe: libraries.reduce((sum, l) => sum + l.algorithms.filter(a => {
+        const e = lookupAlgorithm(a);
+        return e && (e.quantumRisk === 'none' || e.quantumRisk === 'low');
+      }).length, 0),
+      vulnerable: violations.filter(v => !v.weak).length,
+      weak: violations.filter(v => v.weak).length,
+    };
+
+    if (format === 'json') {
+      console.log(JSON.stringify({
+        status: pass ? 'pass' : 'fail',
+        score,
+        violations,
+        summary,
+      }, null, 2));
+    } else {
+      const { compactHeader, success, error, warning, dim, bold, labelValue } = await import('../lib/cli-style.mjs');
+      console.log(compactHeader('gate'));
+      console.log(labelValue('Status', pass ? success('PASS') : error('FAIL')));
+      console.log(labelValue('Score', `${score}/100 (min: ${minScore})`));
+      console.log(labelValue('Max risk', maxRisk));
+
+      if (violations.length > 0) {
+        console.log(`\n  ${bold('Violations:')}`);
+        for (const v of violations) {
+          const label = v.weak ? warning(`[WEAK] ${v.algorithm}`) : error(`[${v.risk.toUpperCase()}] ${v.algorithm}`);
+          console.log(`  ${label} — ${dim(v.source)}${v.reason ? ` (${v.reason})` : ''}`);
+        }
+      }
+
+      if (scoreFail) {
+        console.log(`\n  ${error(`Score ${score} is below minimum ${minScore}`)}`);
+      }
+
+      console.log();
+    }
+
+    process.exit(pass ? 0 : 1);
+  } catch (e) {
+    if (format === 'json') {
+      console.log(JSON.stringify({ status: 'error', error: e.message }, null, 2));
+    } else {
+      console.error(`Error: ${e.message}`);
+    }
+    process.exit(2);
+  }
+}
+
 async function cmdLogin(args) {
   const { login } = await import('../lib/client.mjs');
   const server = getOption(args, '--server', 'https://localhost:8003');
@@ -755,9 +996,10 @@ const args = process.argv.slice(2);
 const command = args[0];
 const commandArgs = args.slice(1);
 
-// Filter out the command from args for sub-parsers
-// Strip flags that belong to the command router
-const filteredArgs = commandArgs.filter(a => a !== command);
+// Warn about unknown flags (skip for vault/context which have subcommands)
+if (command && !['vault', 'context', 'help', '--help', '-h', 'version', '--version', '-v'].includes(command)) {
+  warnUnknownFlags(commandArgs);
+}
 
 try {
   switch (command) {
@@ -793,6 +1035,12 @@ try {
     case 'context':
       await cmdContext(commandArgs);
       break;
+    case 'cbom':
+      await cmdCbom(commandArgs);
+      break;
+    case 'gate':
+      await cmdGate(commandArgs);
+      break;
     case 'vault':
       await cmdVault(commandArgs);
       break;