erosolar-cli 2.1.249 → 2.1.252

package/dist/shell/interactiveShell.js

@@ -310,6 +310,32 @@ export class InteractiveShell {
             description: 'Deploy operational infrastructure (usage: /infra [region])',
             category: 'security',
         });
+        // Bidirectional audit commands
+        this.slashCommands.push({
+            command: '/audit-forward',
+            description: 'Run forward attack chain audit: Local → Apple → End users',
+            category: 'security',
+        });
+        this.slashCommands.push({
+            command: '/audit-reverse',
+            description: 'Run reverse attack chain audit: Threats → Apple → Local',
+            category: 'security',
+        });
+        this.slashCommands.push({
+            command: '/audit-bidir',
+            description: 'Run full bidirectional audit with correlation analysis',
+            category: 'security',
+        });
+        this.slashCommands.push({
+            command: '/audit-correlate',
+            description: 'Find correlations between forward and reverse attack paths',
+            category: 'security',
+        });
+        this.slashCommands.push({
+            command: '/audit-evidence',
+            description: 'Export audit results as legal evidence package',
+            category: 'security',
+        });
         this.statusTracker = config.statusTracker;
         this.ui = config.ui;
         this.uiAdapter = config.ui.adapter;
@@ -2999,6 +3025,49 @@ export class InteractiveShell {
                         // These commands are handled through the UnifiedAttackChain tool
                         this.processInput(`Execute ${command.slice(1)} operation: ${input.slice(command.length).trim() || 'analyze current target'}`);
                         break;
+                    // Bidirectional audit commands
+                    case '/audit':
+                    case '/trace':
+                    case '/forward':
+                    case '/reverse':
+                    case '/bidirectional':
+                        await this.handleAuditCommand(input);
+                        break;
+                    // New bidirectional audit commands (aliases for /audit)
+                    case '/audit-forward':
+                    case '/audit-reverse':
+                    case '/audit-bidir':
+                    case '/audit-correlate':
+                    case '/audit-evidence':
+                        // Map to standard audit command format
+                        await this.handleAuditCommand(input.replace(command, '/audit ' + command.slice(7)));
+                        break;
+                    // Defensive security commands
+                    case '/defend':
+                    case '/scan':
+                    case '/detect':
+                    case '/harden':
+                    case '/evidence':
+                        await this.handleDefensiveCommand(input);
+                        break;
+                    // Offensive transparency commands
+                    case '/offensive':
+                    case '/probe':
+                    case '/expose':
+                    case '/complain':
+                    case '/disclose':
+                    case '/block-telemetry':
+                        await this.handleDefensiveCommand(input);
+                        break;
+                    // Threat intelligence commands
+                    case '/threat':
+                    case '/intel-report':
+                    case '/actors':
+                    case '/vectors':
+                    case '/ioc':
+                    case '/capability':
+                        await this.handleIntelCommand(input);
+                        break;
                     default:
                         if (!(await this.tryCustomSlashCommand(command, input))) {
                             this.showInlineStatus(`Unknown command "${command}".`, 'warning', { autoClearMs: 1800 });
@@ -3762,7 +3831,7 @@ export class InteractiveShell {
                     const icon = opp.type === 'bug-fix' ? '🐛' : opp.type === 'refactor' ? '🔧' : '⚡';
                     lines.push(`  ${icon} ${opp.description.slice(0, 60)}`);
                     lines.push(`     ${theme.ui.muted(`File: ${opp.sourceFile}`)}`);
-                    lines.push(`     ${theme.dim(`Suggested: ${opp.suggestedChange.slice(0, 100)}...`)}`);
+                    lines.push(`     ${theme.dim(`Suggested: ${opp.suggestedChange?.slice(0, 100) || 'N/A'}...`)}`);
                     lines.push('');
                 }
                 lines.push(theme.bold('Run `/improve apply` to execute these changes.'));
@@ -4263,8 +4332,8 @@ export class InteractiveShell {
             for (const update of updates.slice(0, 10)) {
                 lines.push(`  📦 ${update.component} [${update.type}]`);
                 lines.push(`     ${theme.dim(update.description)}`);
-                lines.push(`     Before: ${theme.error(update.before.slice(0, 40))}`);
-                lines.push(`     After:  ${theme.success(update.after.slice(0, 40))}`);
+                lines.push(`     Before: ${theme.error(update.before?.slice(0, 40) || 'N/A')}`);
+                lines.push(`     After:  ${theme.success(update.after?.slice(0, 40) || 'N/A')}`);
                 lines.push('');
             }
             display.showSystemMessage(lines.join('\n'));
@@ -4767,6 +4836,927 @@ export class InteractiveShell {
         await this.processRequest('Please perform a comprehensive security review of the codebase. Check for OWASP top 10 vulnerabilities, insecure patterns, and potential attack vectors.');
     }
     // ═══════════════════════════════════════════════════════════════════════════════
+    // BIDIRECTIONAL AUDIT COMMAND HANDLERS
+    // ═══════════════════════════════════════════════════════════════════════════════
+    /**
+     * Handle bidirectional audit commands.
+     * Usage: /audit [forward|reverse|bidirectional|full] [--evidence-dir=<path>]
+     *        /trace [direction]
+     *        /forward - run forward attack chain trace
+     *        /reverse - run reverse attack chain trace
+     *        /bidirectional - run full bidirectional audit
+     */
+    async handleAuditCommand(input) {
+        if (this.isProcessing) {
+            this.showSlashWarning('Wait for the current operation to finish.');
+            return;
+        }
+        const parts = input.trim().split(/\s+/);
+        const command = parts[0]?.toLowerCase() || '/audit';
+        const args = parts.slice(1);
+        // Parse direction from command or args
+        let direction = 'bidirectional';
+        if (command === '/forward') {
+            direction = 'forward';
+        }
+        else if (command === '/reverse') {
+            direction = 'reverse';
+        }
+        else if (command === '/bidirectional') {
+            direction = 'bidirectional';
+        }
+        else {
+            // Parse from args
+            const dirArg = args.find(a => ['forward', 'reverse', 'bidirectional', 'full'].includes(a.toLowerCase()));
+            if (dirArg) {
+                direction = dirArg === 'full' ? 'bidirectional' : dirArg.toLowerCase();
+            }
+        }
+        // Parse evidence directory
+        const evidenceDirArg = args.find(a => a.startsWith('--evidence-dir='));
+        const evidenceDir = evidenceDirArg
+            ? evidenceDirArg.replace('--evidence-dir=', '')
+            : `${this.workingDir}/.erosolar/evidence/audit-${new Date().toISOString().split('T')[0]}`;
+        // Show audit banner
+        this.showAuditBanner(direction, evidenceDir);
+        // Execute the audit via AI
+        const prompt = this.buildAuditPrompt(direction, evidenceDir);
+        await this.processRequest(prompt);
+    }
+    /**
+     * Build the AI prompt for audit execution.
+     */
+    buildAuditPrompt(direction, evidenceDir) {
+        const prompts = {
+            forward: `Execute a FORWARD attack chain trace using the bidirectional_audit tool.
+
+Direction: forward
+Evidence Directory: ${evidenceDir}
+
+This traces the path FROM this device THROUGH infrastructure TO end users:
+1. Local System (device, firmware, secure enclave)
+2. System Daemons (identityservicesd, imagent, apsd, cloudd)
+3. Network Layer (connections, DNS, TLS)
+4. Edge Servers (APNs courier, IDS identity, CloudKit)
+5. Core Infrastructure (key databases, message relay, escrow)
+6. Corporate Infrastructure (data centers, third parties)
+7. End User Attack Vectors (update push, key injection, etc.)
+
+Generate a complete evidence package with cryptographic hashes.`,
+            reverse: `Execute a REVERSE attack chain trace using the bidirectional_audit tool.
+
+Direction: reverse
+Evidence Directory: ${evidenceDir}
+
+This traces the path FROM end users BACK TO this device:
+1. Identify all attack vectors that could reach end users
+2. Trace persistence mechanisms in corporate infrastructure
+3. Map core infrastructure control points
+4. Identify edge server vulnerabilities
+5. Analyze network-level interception points
+6. Document daemon-level access
+7. Assess local system exposure
+
+Generate a complete evidence package with cryptographic hashes.`,
+            bidirectional: `Execute a COMPLETE BIDIRECTIONAL attack chain audit using the bidirectional_audit tool.
+
+Direction: bidirectional
+Evidence Directory: ${evidenceDir}
+
+This performs BOTH forward and reverse traces to create a complete picture:
+
+FORWARD CHAIN (7 layers):
+- Local System → Daemons → Network → Edge → Core → Corporate → End Users
+
+REVERSE CHAIN (analysis):
+- End User Vectors → Corporate Persistence → Core Control → Edge Vulnerabilities → Network Interception → Daemon Access → Local Exposure
+
+Output should include:
+1. Complete node and edge graph
+2. Attack surfaces at each layer
+3. Evidence files with SHA-256 hashes
+4. Master hash of complete audit package
+5. Summary of user defense capabilities (expected: NONE)
+
+Generate a professional audit report suitable for compliance, legal, or security review purposes.`,
+        };
+        return (prompts[direction] ?? prompts['bidirectional']);
+    }
+    /**
+     * Show audit execution banner.
+     */
+    showAuditBanner(direction, evidenceDir) {
+        const dirLabels = {
+            forward: 'Forward Attack Chain Trace',
+            reverse: 'Reverse Attack Chain Trace',
+            bidirectional: 'Complete Bidirectional Audit',
+        };
+        const lines = [
+            '',
+            theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+            theme.gradient.primary(`  ${dirLabels[direction]}`),
+            theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+            '',
+            theme.bold('Direction: ') + direction.toUpperCase(),
+            theme.bold('Evidence: ') + evidenceDir,
+            '',
+        ];
+        if (direction === 'forward' || direction === 'bidirectional') {
+            lines.push(theme.secondary('Forward trace layers:'));
+            lines.push('  1. Local System (device, firmware, SEP)');
+            lines.push('  2. System Daemons (IDS, iMessage, APNs)');
+            lines.push('  3. Network (connections, DNS, TLS)');
+            lines.push('  4. Edge Servers (courier, identity, gateway)');
+            lines.push('  5. Core Infrastructure (key DB, escrow)');
+            lines.push('  6. Corporate (data centers, third parties)');
+            lines.push('  7. End User Attack Vectors');
+            lines.push('');
+        }
+        if (direction === 'reverse' || direction === 'bidirectional') {
+            lines.push(theme.secondary('Reverse trace analysis:'));
+            lines.push('  • End user attack vectors');
+            lines.push('  • Corporate persistence mechanisms');
+            lines.push('  • Core infrastructure control points');
+            lines.push('  • Edge server vulnerabilities');
+            lines.push('  • Network interception points');
+            lines.push('  • Daemon access pathways');
+            lines.push('  • Local system exposure');
+            lines.push('');
+        }
+        lines.push(theme.ui.muted('Press Ctrl+C to abort operation.'));
+        lines.push('');
+        display.showSystemMessage(lines.join('\n'));
+    }
+    /**
+     * Show audit help.
+     */
+    showAuditHelp() {
+        const lines = [
+            theme.gradient.primary('Bidirectional Audit Commands'),
+            '',
+            theme.bold('/audit [direction] [--evidence-dir=<path>]'),
+            '  Run bidirectional attack chain audit',
+            '',
+            theme.bold('Directions:'),
+            '  forward        - Trace from device to end users',
+            '  reverse        - Trace from end users back to device',
+            '  bidirectional  - Complete both directions (default)',
+            '  full           - Alias for bidirectional',
+            '',
+            theme.bold('Shortcut Commands:'),
+            '  /forward       - Run forward trace only',
+            '  /reverse       - Run reverse trace only',
+            '  /bidirectional - Run full bidirectional audit',
+            '  /trace         - Alias for /audit',
+            '',
+            theme.secondary('Examples:'),
+            '  /audit                           - Full bidirectional audit',
+            '  /audit forward                   - Forward trace only',
+            '  /forward                         - Forward trace (shortcut)',
+            '  /reverse --evidence-dir=/tmp/ev  - Reverse trace with custom path',
+            '',
+            theme.secondary('Output:'),
+            '  • Evidence files in .erosolar/evidence/',
+            '  • SHA-256 hashes for all evidence',
+            '  • Master hash of complete package',
+            '  • Professional audit report',
+        ];
+        display.showSystemMessage(lines.join('\n'));
+    }
+    // ═══════════════════════════════════════════════════════════════════════════════
+    // BIDIRECTIONAL AUDIT COMMAND HANDLERS
+    // ═══════════════════════════════════════════════════════════════════════════════
+    /**
+     * Handle bidirectional audit commands with AI-powered analysis.
+     *
+     * Commands:
+     *   /audit-forward    - Forward attack chain: Local → Apple → End users
+     *   /audit-reverse    - Reverse attack chain: Threats → Apple → Local
+     *   /audit-bidir      - Full bidirectional with correlation
+     *   /audit-correlate  - Find forward/reverse convergence points
+     *   /audit-evidence   - Export legal evidence package
+     */
+    async handleBidirectionalAuditCommand(command, input) {
+        if (this.isProcessing) {
+            this.showSlashWarning('Wait for the current operation to finish.');
+            return;
+        }
+        const args = input.slice(command.length).trim();
+        const evidenceDir = `${this.workingDir}/.erosolar/evidence`;
+        const toolPrompts = {
+            '/audit-forward': `Use the BidirectionalAudit tool to run a forward attack chain audit.
+Parameters: direction="forward", outputFormat="report", saveEvidence=true
+This traces: Local System → Daemons → Network → Apple Edge → Apple Core → Corporate → End Users
+Analyze each layer's attack surface and identify Apple-controlled chokepoints.
+Evidence will be saved to: ${evidenceDir}`,
+            '/audit-reverse': `Use the BidirectionalAudit tool to run a reverse attack chain audit.
+Parameters: direction="reverse", outputFormat="report", saveEvidence=true
+This traces: External Threats → Supply Chain → Apple Entry Points → Protocols → Crypto → Local
+Analyze how external threat actors can leverage Apple infrastructure to reach target devices.
+Evidence will be saved to: ${evidenceDir}`,
+            '/audit-bidir': `Use the BidirectionalAudit tool to run a full bidirectional audit with correlation analysis.
+Parameters: direction="bidirectional", outputFormat="report", saveEvidence=true
+This performs BOTH:
+1. FORWARD: Local → Apple → End Users (7 layers)
+2. REVERSE: Threats → Apple → Local (6 layers)
+3. CORRELATION: Where forward and reverse paths converge
+Generate attack surface score and identify user defense gaps.
+Evidence will be saved to: ${evidenceDir}`,
+            '/audit-correlate': `Use the CorrelationFind tool to analyze where forward and reverse attack paths converge.
+Parameters: minThreatLevel="high"
+This identifies:
+- Points where outbound vulnerabilities meet inbound threats
+- Apple-controlled infrastructure enabling both attack directions
+- Complete attack chains from threat actor to target`,
+            '/audit-evidence': `Use the AuditEvidenceExport tool to create a legal evidence package.
+Parameters: format="all", includeRawData=true
+Generate evidence suitable for legal proceedings, regulatory submissions, security assessments.
+Include cryptographic signatures and chain of custody documentation.
+Evidence will be saved to: ${evidenceDir}`,
+        };
+        const prompt = toolPrompts[command];
+        if (!prompt) {
+            this.showSlashWarning(`Unknown audit command: ${command}`);
+            return;
+        }
+        this.showBidirectionalAuditBanner(command);
+        await this.processRequest(prompt + (args ? `\n\nAdditional context: ${args}` : ''));
+    }
+    showBidirectionalAuditBanner(command) {
+        const banners = {
+            '/audit-forward': [
+                '', theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+                theme.gradient.primary('  FORWARD ATTACK CHAIN AUDIT'),
+                theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+                '', theme.bold('Direction: ') + 'LOCAL → APPLE → END USERS', '',
+                theme.secondary('Tracing 7 layers:'),
+                '  1. Local System (hardware, SEP, keychain)',
+                '  2. System Daemons (identityservicesd, imagent, apsd)',
+                '  3. Network Layer (connections, DNS, TLS)',
+                '  4. Apple Edge (IDS, APNs, CloudKit)',
+                '  5. Apple Core (key database, relay, escrow)',
+                '  6. Corporate (data centers, third parties)',
+                '  7. End User Vectors (key injection, updates)', '',
+            ],
+            '/audit-reverse': [
+                '', theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+                theme.gradient.primary('  REVERSE ATTACK CHAIN AUDIT'),
+                theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+                '', theme.bold('Direction: ') + 'THREATS → APPLE → LOCAL', '',
+                theme.secondary('Tracing 6 layers:'),
+                '  1. External Threats (state actors, insiders)',
+                '  2. Supply Chain (hardware, firmware)',
+                '  3. Apple Entry Points (legal, enterprise)',
+                '  4. Protocol Vulnerabilities (IDS, APNs)',
+                '  5. Cryptographic Weaknesses (escrow, TOFU)',
+                '  6. Local Attack Surface (SIP, TCC)', '',
+            ],
+            '/audit-bidir': [
+                '', theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+                theme.gradient.primary('  BIDIRECTIONAL ATTACK CHAIN AUDIT'),
+                theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+                '', theme.bold('Direction: ') + 'FORWARD + REVERSE + CORRELATION', '',
+                theme.secondary('Forward (7 layers):'),
+                '  Local → Daemons → Network → Edge → Core → Corp → End Users', '',
+                theme.secondary('Reverse (6 layers):'),
+                '  Threats → Supply Chain → Entry → Protocols → Crypto → Local', '',
+                theme.secondary('Correlation Analysis:'),
+                '  • Convergence points • Attack surface score • Defense gap analysis', '',
+            ],
+            '/audit-correlate': [
+                '', theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+                theme.gradient.primary('  CORRELATION ANALYSIS'),
+                theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+                '', theme.secondary('Finding where forward and reverse paths converge...'), '',
+            ],
+            '/audit-evidence': [
+                '', theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+                theme.gradient.primary('  EVIDENCE EXPORT'),
+                theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+                '', theme.secondary('Creating legal evidence package...'), '',
+            ],
+        };
+        const lines = banners[command] ?? banners['/audit-bidir'] ?? [];
+        lines.push(theme.ui.muted('Press Ctrl+C to abort operation.'));
+        lines.push('');
+        display.showSystemMessage(lines.join('\n'));
+    }
+    // ═══════════════════════════════════════════════════════════════════════════════
+    // DEFENSIVE SECURITY COMMAND HANDLERS
+    // ═══════════════════════════════════════════════════════════════════════════════
+    /**
+     * Handle defensive security commands.
+     * These scan YOUR OWN device for intrusions and collect evidence.
+     *
+     * Usage:
+     *   /defend [--evidence-dir=<path>]     - Full defensive scan with evidence collection
+     *   /scan [process|network|persistence] - Scan specific area
+     *   /detect                             - Detect intrusion indicators
+     *   /harden                             - Check and recommend hardening
+     *   /evidence <purpose>                 - Collect forensic evidence package
+     */
+    async handleDefensiveCommand(input) {
+        if (this.isProcessing) {
+            this.showSlashWarning('Wait for the current operation to finish.');
+            return;
+        }
+        const parts = input.trim().split(/\s+/);
+        const command = parts[0]?.toLowerCase() || '/defend';
+        const args = parts.slice(1);
+        // Parse evidence directory
+        const evidenceDirArg = args.find(a => a.startsWith('--evidence-dir='));
+        const evidenceDir = evidenceDirArg
+            ? evidenceDirArg.replace('--evidence-dir=', '')
+            : `${this.workingDir}/.erosolar/evidence/defensive-${new Date().toISOString().split('T')[0]}`;
+        // Show banner
+        this.showDefensiveBanner(command, evidenceDir);
+        // Build appropriate prompt based on command
+        let prompt = '';
+        switch (command) {
+            case '/scan': {
+                const scanType = args.find(a => ['process', 'network', 'persistence', 'all'].includes(a.toLowerCase()));
+                prompt = `Run a defensive security scan on MY OWN DEVICE using the defensive_scan tool.
+
+Scan Type: ${scanType || 'all'}
+Evidence Directory: ${evidenceDir}
+
+This is a DEFENSIVE scan of the user's own system to detect:
+1. Suspicious processes running from unusual locations
+2. Potentially malicious network connections
+3. Unauthorized persistence mechanisms (LaunchAgents, cron, etc.)
+4. Security hardening gaps
+
+Generate a security posture report with actionable recommendations.`;
+                break;
+            }
+            case '/detect':
+                prompt = `Run intrusion detection on MY OWN DEVICE using the defensive_scan tool.
+
+Evidence Directory: ${evidenceDir}
+
+Detect intrusion indicators including:
+- Processes with suspicious characteristics
+- Network connections to known bad ports or unusual destinations
+- Recently modified persistence mechanisms
+- Signs of privilege escalation or credential access
+
+Map findings to MITRE ATT&CK framework where applicable.`;
+                break;
+            case '/harden':
+                prompt = `Check security hardening status on MY OWN DEVICE using the defensive_scan tool.
+
+Check and report on:
+1. macOS Firewall status
+2. System Integrity Protection (SIP)
+3. FileVault encryption
+4. Gatekeeper status
+5. XProtect status
+6. Automatic updates
+
+For each disabled protection, provide:
+- Risk assessment
+- Enable command
+- Implementation steps`;
+                break;
+            case '/evidence': {
+                const purpose = args.filter(a => !a.startsWith('--')).join(' ') || 'Security incident investigation';
+                prompt = `Collect a forensic evidence package from MY OWN DEVICE using the defensive_scan tool.
+
+Purpose: ${purpose}
+Evidence Directory: ${evidenceDir}
+
+Collect:
+1. System logs (system.log, unified log)
+2. All detected intrusion indicators
+3. Security configuration state
+4. Running processes and network connections
+
+Generate a legally-compliant evidence package with:
+- Chain of custody documentation
+- SHA-256 hashes for all artifacts
+- Master hash of complete package
+- Timeline of events
+- Professional report suitable for law enforcement submission`;
+                break;
+            }
+            default: // /defend - full defensive scan
+                prompt = `Run a COMPLETE defensive security scan on MY OWN DEVICE using the defensive_scan tool.
+
+Evidence Directory: ${evidenceDir}
+
+This performs a full defensive assessment:
+
+1. INTRUSION DETECTION
+   - Process analysis
+   - Network connection review
+   - Persistence mechanism audit
+
+2. SECURITY HARDENING CHECK
+   - Firewall, SIP, FileVault, Gatekeeper, XProtect
+   - Automatic updates status
+
+3. EVIDENCE COLLECTION
+   - System logs
+   - Forensic artifacts with hashes
+   - Chain of custody documentation
+
+4. RECOMMENDATIONS
+   - Prioritized remediation steps
+   - Hardening commands
+
+Generate a complete security posture report with evidence package.`;
+        }
+        await this.processRequest(prompt);
+    }
+    /**
+     * Show defensive command banner.
+     */
+    showDefensiveBanner(command, evidenceDir) {
+        const commandLabels = {
+            '/defend': 'Full Defensive Security Scan',
+            '/scan': 'Targeted Security Scan',
+            '/detect': 'Intrusion Detection',
+            '/harden': 'Security Hardening Check',
+            '/evidence': 'Forensic Evidence Collection',
+        };
+        const lines = [
+            '',
+            theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+            theme.gradient.primary(`  ${commandLabels[command] || 'Defensive Security'}`),
+            theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+            '',
+            theme.bold('Mode: ') + 'DEFENSIVE (scanning YOUR device)',
+            theme.bold('Evidence: ') + evidenceDir,
+            '',
+            theme.secondary('Capabilities:'),
+            '  • Intrusion indicator detection',
+            '  • Process and network analysis',
+            '  • Persistence mechanism audit',
+            '  • Security hardening assessment',
+            '  • Forensic evidence collection',
+            '  • Chain of custody documentation',
+            '',
+            theme.ui.muted('This scan only analyzes YOUR OWN device.'),
+            theme.ui.muted('Press Ctrl+C to abort.'),
+            '',
+        ];
+        display.showSystemMessage(lines.join('\n'));
+    }
+    /**
+     * Show defensive command help.
+     */
+    showDefensiveHelp() {
+        const lines = [
+            theme.gradient.primary('Defensive Security Commands'),
+            '',
+            theme.bold('/defend [--evidence-dir=<path>]'),
+            '  Run full defensive security scan with evidence collection',
+            '',
+            theme.bold('/scan [process|network|persistence|all]'),
+            '  Scan specific area for intrusion indicators',
+            '',
+            theme.bold('/detect'),
+            '  Detect intrusion indicators and map to MITRE ATT&CK',
+            '',
+            theme.bold('/harden'),
+            '  Check security hardening and get recommendations',
+            '',
+            theme.bold('/evidence <purpose>'),
+            '  Collect forensic evidence package for legal/LE submission',
+            '',
+            theme.secondary('Examples:'),
+            '  /defend                          - Full defensive scan',
+            '  /scan network                    - Scan network connections only',
+            '  /harden                          - Check hardening status',
+            '  /evidence "Incident on 2024-01"  - Collect evidence with purpose',
+            '',
+            theme.secondary('Output:'),
+            '  • Security posture assessment',
+            '  • Intrusion indicators with MITRE ATT&CK mapping',
+            '  • Remediation recommendations',
+            '  • Forensic evidence package with hashes',
+            '  • Chain of custody documentation',
+        ];
+        display.showSystemMessage(lines.join('\n'));
+    }
+    // ═══════════════════════════════════════════════════════════════════════════════
+    // THREAT INTELLIGENCE COMMAND HANDLERS
+    // ═══════════════════════════════════════════════════════════════════════════════
+    // OFFENSIVE TRANSPARENCY COMMAND HANDLERS
+    // ═══════════════════════════════════════════════════════════════════════════════
+    /**
+     * Handle offensive transparency commands.
+     * These are LEGAL offensive operations for deterrence and transparency.
+     *
+     * Usage:
+     *   /offensive [full|probe|complaints|disclosure]  - Run offensive transparency
+     *   /probe                                          - Probe Apple infrastructure
+     *   /expose                                         - Expose Key Transparency lies
+     *   /complain                                       - Generate regulatory complaints
+     *   /disclose                                       - Create disclosure package
+     *   /block-telemetry                               - Generate telemetry blocking rules
+     */
+    async handleOffensiveCommand(input) {
+        if (this.isProcessing) {
+            this.showSlashWarning('Wait for the current operation to finish.');
+            return;
+        }
+        const parts = input.trim().split(/\s+/);
+        const command = parts[0]?.toLowerCase() || '/offensive';
+        const args = parts.slice(1).join(' ');
+        // Map command to operation
+        let operation = 'full';
+        if (command === '/probe') {
+            operation = 'probe';
+        }
+        else if (command === '/expose') {
+            operation = 'key-transparency';
+        }
+        else if (command === '/complain') {
+            operation = 'complaints';
+        }
+        else if (command === '/disclose') {
+            operation = 'disclosure';
+        }
+        else if (command === '/block-telemetry') {
+            operation = 'telemetry';
+        }
+        else if (args) {
+            // Parse operation from args
+            const validOps = ['full', 'probe', 'key-transparency', 'telemetry', 'complaints', 'disclosure'];
+            if (validOps.includes(args.toLowerCase())) {
+                operation = args.toLowerCase();
+            }
+        }
+        // Parse evidence directory
+        const evidenceDirArg = parts.find(a => a.startsWith('--evidence-dir='));
+        const evidenceDir = evidenceDirArg
+            ? evidenceDirArg.replace('--evidence-dir=', '')
+            : `${this.workingDir}/.erosolar/evidence/offensive-${new Date().toISOString().split('T')[0]}`;
+        // Show offensive banner
+        this.showOffensiveBanner(operation, evidenceDir);
+        // Build the prompt
+        const prompt = this.buildOffensivePrompt(operation, evidenceDir);
+        await this.processRequest(prompt);
+    }
+    /**
+     * Build the AI prompt for offensive transparency operations.
+     */
+    buildOffensivePrompt(operation, evidenceDir) {
+        const prompts = {
+            full: `Execute a FULL offensive transparency operation using the offensive_transparency tool.
+
+Operation: full
+Evidence Directory: ${evidenceDir}
+
+This performs ALL legal offensive operations:
+1. Probe all Apple infrastructure endpoints
+2. Verify Key Transparency (expose lies about auditability)
+3. Analyze and block telemetry
+4. Generate regulatory complaints (FTC, DOJ, EU DMA)
+5. Create public disclosure package
+
+Generate complete evidence with cryptographic hashes for:
+- Legal proceedings
+- Regulatory filings
+- Public disclosure
+- Media releases`,
+            probe: `Execute an infrastructure probing operation using the offensive_transparency tool.
+
+Operation: probe
+Evidence Directory: ${evidenceDir}
+
+Probe ALL public Apple endpoints:
+- Identity and authentication servers
+- Key and message services
+- Push notification infrastructure
+- iCloud gateways
+- Escrow services
+- Update and control servers
+
+Document TLS configurations, certificate chains, and security anomalies.`,
+            'key-transparency': `Execute Key Transparency exposure using the offensive_transparency tool.
+
+Operation: key-transparency
+Evidence Directory: ${evidenceDir}
+
+EXPOSE Apple's Key Transparency lies:
+1. Probe Key Transparency endpoints
+2. Verify if public audit is actually available (it's not)
+3. Check for Merkle proof accessibility (missing)
+4. Document the gap between claims and reality
+
+This proves Apple's "Key Transparency" is a marketing claim, not a technical guarantee.`,
+            telemetry: `Execute telemetry analysis and blocking using the offensive_transparency tool.
+
+Operation: telemetry
+Evidence Directory: ${evidenceDir}
+
+1. Analyze current Apple telemetry connections
+2. Identify data leakage to Apple
+3. Generate hosts file blocking rules
+4. Generate PF firewall rules
+5. List LaunchDaemons to disable
+6. Provide system preference changes
+
+Give user ability to BLOCK Apple's surveillance of their own device.`,
+            complaints: `Generate regulatory complaints using the offensive_transparency tool.
+
+Operation: complaints
+Evidence Directory: ${evidenceDir}
+
+Generate READY-TO-FILE complaints for:
+
+1. FTC (Federal Trade Commission)
+   - Deceptive end-to-end encryption claims
+   - Consumer protection violations
+
+2. DOJ (Department of Justice)
+   - Antitrust violations
+   - Monopolistic control of security infrastructure
+
+3. EU DMA (Digital Markets Act)
+   - Gatekeeper violations
+   - Interoperability requirements
+
+Each complaint includes allegations, evidence references, and requested remedies.`,
+            disclosure: `Create public disclosure package using the offensive_transparency tool.
+
+Operation: disclosure
+Evidence Directory: ${evidenceDir}
+
+Generate complete disclosure materials:
+
+1. Technical findings report
+2. Impact assessment
+3. Affected parties list
+4. Timeline of events
+5. Evidence with SHA-256 hashes
+6. Media kit:
+   - Summary for journalists
+   - Key points
+   - Quotable findings
+7. Press release template
+8. Coordinated disclosure document
+
+Ready for responsible disclosure or public release.`,
+        };
+        return (prompts[operation] ?? prompts['full']);
+    }
+    /**
+     * Show offensive operation banner.
+     */
+    showOffensiveBanner(operation, evidenceDir) {
+        const opLabels = {
+            full: 'Full Offensive Transparency',
+            probe: 'Infrastructure Probing',
+            'key-transparency': 'Key Transparency Exposure',
+            telemetry: 'Telemetry Analysis & Blocking',
+            complaints: 'Regulatory Complaint Generation',
+            disclosure: 'Public Disclosure Package',
+        };
+        const lines = [
+            '',
+            theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+            theme.gradient.primary(`  ${opLabels[operation] || 'Offensive Transparency'}`),
+            theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+            '',
+            theme.bold('Mode: ') + 'OFFENSIVE (legal deterrence operations)',
+            theme.bold('Operation: ') + operation.toUpperCase(),
+            theme.bold('Evidence: ') + evidenceDir,
+            '',
+            theme.secondary('Legal offensive capabilities:'),
+            '  • Probe public Apple endpoints',
+            '  • Expose Key Transparency lies',
+            '  • Block Apple telemetry on YOUR device',
+            '  • Generate regulatory complaints',
+            '  • Create disclosure packages',
+            '',
+            theme.warning('This is LEGAL - probing public endpoints, filing complaints,'),
+            theme.warning('blocking telemetry on your device, and public disclosure.'),
+            '',
+            theme.ui.muted('Press Ctrl+C to abort.'),
+            '',
+        ];
+        display.showSystemMessage(lines.join('\n'));
+    }
+    /**
+     * Show offensive command help.
+     */
+    showOffensiveHelp() {
+        const lines = [
+            theme.gradient.primary('Offensive Transparency Commands'),
+            '',
+            theme.bold('/offensive [operation]'),
+            '  Run offensive transparency operations',
+            '  Operations: full, probe, key-transparency, telemetry, complaints, disclosure',
+            '',
+            theme.bold('/probe'),
+            '  Probe all Apple infrastructure endpoints',
+            '',
+            theme.bold('/expose'),
+            '  Expose Key Transparency lies (not actually auditable)',
+            '',
+            theme.bold('/complain'),
+            '  Generate regulatory complaints (FTC, DOJ, EU DMA)',
+            '',
+            theme.bold('/disclose'),
+            '  Create public disclosure package with media kit',
+            '',
+            theme.bold('/block-telemetry'),
+            '  Generate rules to block Apple telemetry on YOUR device',
+            '',
+            theme.secondary('Examples:'),
+            '  /offensive                  - Full offensive operation',
+            '  /offensive probe            - Probe infrastructure only',
+            '  /probe                      - Shortcut for probing',
+            '  /complain                   - Generate regulatory complaints',
+            '  /disclose                   - Create disclosure package',
+            '',
+            theme.secondary('Output:'),
+            '  • Evidence with SHA-256 hashes',
+            '  • Ready-to-file regulatory complaints',
+            '  • Media kit for journalists',
+            '  • Press release template',
+            '  • Telemetry blocking rules',
+            '',
+            theme.warning('All operations are LEGAL:'),
+            '  • Probing public endpoints',
+            '  • Filing regulatory complaints',
+            '  • Blocking telemetry on your device',
+            '  • Public disclosure (free speech)',
+        ];
+        display.showSystemMessage(lines.join('\n'));
+    }
+    // ═══════════════════════════════════════════════════════════════════════════════
+    /**
+     * Handle threat intelligence commands.
+     * These analyze threat actors, attack vectors, and demonstrate capability awareness.
+     *
+     * Usage:
+     *   /threat [--evidence-dir=<path>]  - Generate full threat intelligence report
+     *   /actors [actor-id]               - List/detail threat actors
+     *   /vectors [category]              - List attack vectors
+     *   /ioc                             - Scan for indicators of compromise
+     *   /capability [actor-id]           - Assess threat actor capabilities
+     */
+    async handleIntelCommand(input) {
+        if (this.isProcessing) {
+            this.showSlashWarning('Wait for the current operation to finish.');
+            return;
+        }
+        const parts = input.trim().split(/\s+/);
+        const command = parts[0]?.toLowerCase() || '/threat';
+        const args = parts.slice(1);
+        // Parse evidence directory
+        const evidenceDirArg = args.find(a => a.startsWith('--evidence-dir='));
+        const evidenceDir = evidenceDirArg
+            ? evidenceDirArg.replace('--evidence-dir=', '')
+            : `${this.workingDir}/.erosolar/evidence/threat-intel-${new Date().toISOString().split('T')[0]}`;
+        // Show banner
+        this.showThreatIntelBanner(command, evidenceDir);
+        // Build appropriate prompt
+        let prompt = '';
+        switch (command) {
+            case '/actors': {
+                const actorId = args.find(a => !a.startsWith('--'));
+                prompt = `Analyze threat actors using the threat_intelligence tool.
+
+${actorId ? `Focus on actor: ${actorId}` : 'List all known threat actors'}
+
+Provide:
+1. Threat actor profiles (type, capabilities, TTPs)
+2. Known infrastructure they control
+3. Targeting profiles
+4. Attribution confidence
+
+This analysis helps understand WHO might attack and HOW.`;
+                break;
+            }
+            case '/vectors': {
+                const category = args.find(a => ['network', 'application', 'supply-chain', 'physical', 'social'].includes(a.toLowerCase()));
+                prompt = `Analyze attack vectors using the threat_intelligence tool.
+
+${category ? `Focus on category: ${category}` : 'Analyze all attack vector categories'}
+
+For each vector provide:
+1. MITRE ATT&CK mapping
+2. Prerequisites for attack
+3. User defense capability (none/partial/full)
+4. Detection methods
+5. Evidence indicators
+
+This demonstrates understanding of HOW attacks are conducted.`;
+                break;
+            }
+            case '/ioc':
+                prompt = `Scan for Indicators of Compromise (IOCs) using the threat_intelligence tool.
+
+Evidence Directory: ${evidenceDir}
+
+Scan for:
+1. Suspicious network connections
+2. Certificate anomalies
+3. Persistence mechanisms
+4. Kernel extensions
+5. DNS resolution anomalies
+
+Generate IOC report with confidence scores and context.`;
+                break;
+            case '/capability': {
+                const actorId = args.find(a => !a.startsWith('--')) || 'ta-apple-internal';
+                prompt = `Assess threat actor capabilities using the threat_intelligence tool.
+
+Target Actor: ${actorId}
+Evidence Directory: ${evidenceDir}
+
+For each capability assess:
+1. Technical requirements
+2. Resource requirements
+3. Likelihood of use
+4. Impact if used
+5. Detection methods
+6. Available mitigations
+
+This DEMONSTRATES our understanding of attacker capabilities,
+which is a form of deterrence through transparency.`;
+                break;
+            }
+            default: // /threat or /intel-report
+                prompt = `Generate a comprehensive threat intelligence report using the threat_intelligence tool.
+
+Evidence Directory: ${evidenceDir}
+
+Include:
+1. THREAT ACTOR ANALYSIS
+   - Known threat actors with access to target platform
+   - Capabilities, TTPs, and infrastructure
+   - Attribution confidence levels
+
+2. ATTACK VECTOR CATALOG
+   - All applicable attack vectors
+   - MITRE ATT&CK mapping
+   - User defense capability for each
+
+3. INDICATOR OF COMPROMISE SCAN
+   - Current IOCs on this system
+   - Confidence scores
+   - Recommended response
+
+4. CAPABILITY ASSESSMENT
+   - Detailed analysis of primary threat actor capabilities
+   - Impact and likelihood assessments
+   - Detection and mitigation options
+
+5. RISK SCORING
+   - Overall risk score
+   - Breakdown by category
+
+6. RECOMMENDATIONS
+   - Immediate actions
+   - Long-term strategy
+   - Legal/regulatory options
+
+This report demonstrates comprehensive threat understanding,
+serving as both intelligence and deterrence documentation.`;
+        }
+        await this.processRequest(prompt);
+    }
+    /**
+     * Show threat intelligence banner.
+     */
+    showThreatIntelBanner(command, evidenceDir) {
+        const commandLabels = {
+            '/threat': 'Comprehensive Threat Intelligence Report',
+            '/intel-report': 'Comprehensive Threat Intelligence Report',
+            '/actors': 'Threat Actor Analysis',
+            '/vectors': 'Attack Vector Catalog',
+            '/ioc': 'Indicator of Compromise Scan',
+            '/capability': 'Capability Assessment',
+        };
+        const lines = [
+            '',
+            theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+            theme.gradient.primary(`  ${commandLabels[command] || 'Threat Intelligence'}`),
+            theme.gradient.primary('═══════════════════════════════════════════════════════════'),
+            '',
+            theme.bold('Mode: ') + 'INTELLIGENCE (analyzing threats against YOU)',
+            theme.bold('Evidence: ') + evidenceDir,
+            '',
+            theme.secondary('Capabilities:'),
+            '  • Threat actor profiling',
+            '  • Attack vector analysis with MITRE ATT&CK',
+            '  • Indicator of Compromise detection',
+            '  • Capability assessment',
+            '  • Risk scoring and recommendations',
+            '',
+            theme.ui.muted('This analysis demonstrates threat understanding.'),
+            theme.ui.muted('Understanding capabilities is a form of deterrence.'),
+            '',
+        ];
+        display.showSystemMessage(lines.join('\n'));
+    }
+    // ═══════════════════════════════════════════════════════════════════════════════
     // ATTACK CHAIN COMMAND HANDLERS
     // ═══════════════════════════════════════════════════════════════════════════════
     /**
@@ -4872,10 +5862,11 @@ export class InteractiveShell {
         });
     }
     /**
-     * Gather intelligence on targets.
+     * Gather intelligence on targets (attack chain mode).
      * Usage: /intel <targets>
+     * Note: Different from handleIntelCommand which handles threat intel commands
      */
-    async handleIntelCommand(input) {
+    async handleIntelCollectionCommand(input) {
         if (this.isProcessing) {
             this.showSlashWarning('Wait for the current operation to finish.');
             return;
@@ -6487,7 +7478,8 @@ export class InteractiveShell {
             this.autosaveIfEnabled();
             // Track metrics with Alpha Zero 2
             elapsedMs = Date.now() - requestStartTime;
-            this.alphaZeroMetrics.recordMessage(elapsedMs);
+            this.alphaZeroMetrics.recordMessage();
+            this.alphaZeroMetrics.recordResponseTime(elapsedMs);
             if (!responseText?.trim()) {
                 display.showWarning('The provider returned an empty response. Check your API key/provider selection or retry the prompt.');
             }
@@ -6496,7 +7488,9 @@ export class InteractiveShell {
                 ? orchestratorResult.toolsUsed
                 : this.getExecutedTools(responseText);
             this.currentToolCalls = toolsUsed.map(name => ({
+                toolName: name,
                 name,
+                args: {},
                 arguments: {},
                 success: true, // Assume success if we got here
                 duration: 0,
@@ -6575,6 +7569,7 @@ export class InteractiveShell {
                     const toolPattern = {
                         taskType: this.currentTaskType,
                         toolSequence: this.currentToolCalls.map(t => t.name),
+                        success: true,
                         successRate: 1.0,
                         avgDuration: elapsedMs,
                         occurrences: 1,