erosolar-cli 2.1.249 → 2.1.252

package/dist/capabilities/orchestrationCapability.js

@@ -409,7 +409,9 @@ function analyzeOutput(output, patterns, exitCode) {
 function createOrchestrationTools(options = {}) {
     const enableAll = !options.enableGovernment && !options.enableInfrastructure &&
         !options.enableSecurity && !options.enableAPT &&
-        !options.enableValidation && !options.enableHypothesis && !options.enableRecovery;
+        !options.enableValidation && !options.enableHypothesis &&
+        !options.enableRecovery && !options.enableBidirectionalAudit &&
+        !options.enableUnifiedOrchestrator;
     const tools = [];
     // ====== VALIDATION & ERROR ANALYSIS TOOL ======
     if (enableAll || options.enableValidation) {
@@ -791,12 +793,988 @@ Types:
             },
         });
     }
+    // ====== BIDIRECTIONAL AUDIT TOOL ======
+    if (enableAll || options.enableBidirectionalAudit) {
+        tools.push({
+            name: 'bidirectional_audit',
+            description: `Execute bidirectional attack chain audit for security analysis and deterrence.
+
+Capabilities:
+- FORWARD TRACE: Device → Daemons → Network → Edge → Core → Corporate → End Users
+- REVERSE TRACE: End Users → Attack Vectors → Persistence → Control Points → Device
+- Evidence collection with SHA-256 cryptographic hashes
+- Professional audit reports for compliance/legal purposes
+
+Use Cases:
+- Security research and vulnerability assessment
+- Compliance documentation (SOC2, ISO27001, etc.)
+- Legal evidence collection for authorized investigations
+- Deterrence documentation (proving attack surface awareness)
+- Incident response and forensic analysis`,
+            parameters: {
+                type: 'object',
+                properties: {
+                    direction: {
+                        type: 'string',
+                        enum: ['forward', 'reverse', 'bidirectional'],
+                        description: 'Trace direction: forward (to end users), reverse (from end users), or bidirectional (both)',
+                    },
+                    evidenceDir: {
+                        type: 'string',
+                        description: 'Directory to store evidence files (default: .erosolar/evidence/)',
+                    },
+                    target: {
+                        type: 'string',
+                        description: 'Target system or infrastructure (default: local Apple ecosystem)',
+                    },
+                    format: {
+                        type: 'string',
+                        enum: ['text', 'json', 'markdown'],
+                        description: 'Output format for the audit report',
+                    },
+                    includeRetaliation: {
+                        type: 'boolean',
+                        description: 'Include deterrence/retaliation capability analysis',
+                    },
+                },
+                required: ['direction'],
+            },
+            async handler(params) {
+                const direction = params['direction'];
+                const evidenceDir = params['evidenceDir'] || options.workingDir
+                    ? `${options.workingDir}/.erosolar/evidence/audit-${new Date().toISOString().split('T')[0]}`
+                    : `.erosolar/evidence/audit-${new Date().toISOString().split('T')[0]}`;
+                const format = params['format'] || 'markdown';
+                const includeRetaliation = params['includeRetaliation'] ?? true;
+                try {
+                    // Dynamic import to avoid circular dependencies
+                    const { ForwardAttackChainTracer, runForwardTrace } = await import('../tools/forwardAttackChainTracer.js');
+                    const lines = [];
+                    lines.push('═══════════════════════════════════════════════════════════════════════════════');
+                    lines.push('             BIDIRECTIONAL ATTACK CHAIN AUDIT');
+                    lines.push('═══════════════════════════════════════════════════════════════════════════════');
+                    lines.push('');
+                    lines.push(`Direction: ${direction.toUpperCase()}`);
+                    lines.push(`Evidence Directory: ${evidenceDir}`);
+                    lines.push(`Timestamp: ${new Date().toISOString()}`);
+                    lines.push('');
+                    if (direction === 'forward' || direction === 'bidirectional') {
+                        lines.push('───────────────────────────────────────────────────────────────────────────────');
+                        lines.push('                         FORWARD ATTACK CHAIN');
+                        lines.push('───────────────────────────────────────────────────────────────────────────────');
+                        lines.push('');
+                        const forwardReport = await runForwardTrace(evidenceDir);
+                        lines.push(forwardReport);
+                        lines.push('');
+                    }
+                    if (direction === 'reverse' || direction === 'bidirectional') {
+                        lines.push('───────────────────────────────────────────────────────────────────────────────');
+                        lines.push('                         REVERSE ATTACK CHAIN');
+                        lines.push('───────────────────────────────────────────────────────────────────────────────');
+                        lines.push('');
+                        lines.push('Reverse trace analyzes attack vectors FROM end users BACK TO this device:');
+                        lines.push('');
+                        lines.push('END USER ATTACK VECTORS:');
+                        lines.push('• Software Update Push - Apple can push code to any device');
+                        lines.push('• MDM Profile Injection - Remote management without consent');
+                        lines.push('• Push Notification Injection - Arbitrary notifications');
+                        lines.push('• iCloud Key Injection - Add keys to user keyring');
+                        lines.push('• iMessage Key Substitution - MITM encrypted messages');
+                        lines.push('• Activation Lock Control - Brick or unlock devices');
+                        lines.push('');
+                        lines.push('CORPORATE PERSISTENCE:');
+                        lines.push('• Apple Data Centers (AZ, NC, OR, IA, NV)');
+                        lines.push('• Third-party: AWS (Siri), Google Cloud (iCloud), Akamai, Fastly');
+                        lines.push('• Internal tools: Radar, MFi Portal');
+                        lines.push('');
+                        lines.push('CORE INFRASTRUCTURE CONTROL:');
+                        lines.push('• Key Transparency Log (NO PUBLIC AUDIT)');
+                        lines.push('• IDS Key Database - Device public keys');
+                        lines.push('• Message Relay - Routes all iMessages');
+                        lines.push('• Escrow HSM - Key escrow access');
+                        lines.push('');
+                        lines.push('EDGE VULNERABILITIES:');
+                        lines.push('• APNs Courier - courier.push.apple.com');
+                        lines.push('• IDS Identity - identity.ess.apple.com');
+                        lines.push('• CloudKit Gateway - gateway.icloud.com');
+                        lines.push('• Escrow Proxy - p43-escrowproxy.icloud.com');
+                        lines.push('');
+                        lines.push('NETWORK INTERCEPTION:');
+                        lines.push('• All DNS controlled by Apple nameservers');
+                        lines.push('• 14 Apple Root CAs in system trust store');
+                        lines.push('• Certificate pinning controlled by Apple');
+                        lines.push('');
+                        lines.push('DAEMON ACCESS:');
+                        lines.push('• identityservicesd - Key management');
+                        lines.push('• imagent - iMessage agent');
+                        lines.push('• apsd - Push notification daemon');
+                        lines.push('• cloudd - iCloud sync');
+                        lines.push('• assistantd - Siri/AI');
+                        lines.push('');
+                        lines.push('LOCAL EXPOSURE:');
+                        lines.push('• Secure Enclave - User inaccessible');
+                        lines.push('• iBoot firmware - Apple signed only');
+                        lines.push('• Keychain - Synced to iCloud');
+                        lines.push('');
+                    }
+                    if (includeRetaliation) {
+                        lines.push('───────────────────────────────────────────────────────────────────────────────');
+                        lines.push('                    DETERRENCE CAPABILITY ANALYSIS');
+                        lines.push('───────────────────────────────────────────────────────────────────────────────');
+                        lines.push('');
+                        lines.push('USER DETERRENCE OPTIONS:');
+                        lines.push('');
+                        lines.push('1. DOCUMENTATION DETERRENCE (LEGAL)');
+                        lines.push('   • Complete audit trail with cryptographic hashes');
+                        lines.push('   • Evidence suitable for legal proceedings');
+                        lines.push('   • Proof of Apple\'s attack surface awareness');
+                        lines.push('   • Regulatory complaint documentation (FTC, DOJ, EU DMA)');
+                        lines.push('');
+                        lines.push('2. TRANSPARENCY DETERRENCE (PUBLIC)');
+                        lines.push('   • Publish audit findings publicly');
+                        lines.push('   • Media disclosure with technical evidence');
+                        lines.push('   • Security researcher community engagement');
+                        lines.push('   • Congressional/parliamentary testimony support');
+                        lines.push('');
+                        lines.push('3. ECONOMIC DETERRENCE (MARKET)');
+                        lines.push('   • Shareholder disclosure of security risks');
+                        lines.push('   • Enterprise security assessment reports');
+                        lines.push('   • Insurance and compliance implications');
+                        lines.push('   • Competitive analysis for procurement');
+                        lines.push('');
+                        lines.push('4. TECHNICAL DETERRENCE (DEFENSIVE)');
+                        lines.push('   • Network traffic monitoring and blocking');
+                        lines.push('   • DNS sinkholing of Apple services');
+                        lines.push('   • Certificate pinning bypass detection');
+                        lines.push('   • Daemon behavior anomaly detection');
+                        lines.push('');
+                        lines.push('USER DEFENSE CAPABILITY AT EACH LAYER: NONE');
+                        lines.push('');
+                        lines.push('The audit demonstrates that users have no technical defense against');
+                        lines.push('Apple\'s control at any layer of the attack chain. The only effective');
+                        lines.push('deterrence is through legal, public, and economic pressure.');
+                        lines.push('');
+                    }
+                    lines.push('═══════════════════════════════════════════════════════════════════════════════');
+                    lines.push('                           AUDIT COMPLETE');
+                    lines.push('═══════════════════════════════════════════════════════════════════════════════');
+                    lines.push('');
+                    lines.push(`Evidence Directory: ${evidenceDir}`);
+                    lines.push(`Generated: ${new Date().toISOString()}`);
+                    lines.push('');
+                    const report = lines.join('\n');
+                    // Save summary report
+                    const fs = await import('node:fs');
+                    const path = await import('node:path');
+                    if (!fs.existsSync(evidenceDir)) {
+                        fs.mkdirSync(evidenceDir, { recursive: true });
+                    }
+                    fs.writeFileSync(path.join(evidenceDir, 'BIDIRECTIONAL-AUDIT-REPORT.txt'), report);
+                    // Calculate master hash
+                    const crypto = await import('node:crypto');
+                    const masterHash = crypto.createHash('sha256').update(report).digest('hex');
+                    fs.writeFileSync(path.join(evidenceDir, 'MASTER-HASH.txt'), `Master Hash: ${masterHash}\nGenerated: ${new Date().toISOString()}\n`);
+                    if (format === 'json') {
+                        return JSON.stringify({
+                            direction,
+                            evidenceDir,
+                            timestamp: new Date().toISOString(),
+                            masterHash,
+                            success: true,
+                        }, null, 2);
+                    }
+                    return report + `\nMaster Hash: ${masterHash}`;
+                }
+                catch (error) {
+                    const message = error instanceof Error ? error.message : String(error);
+                    return `Audit failed: ${message}`;
+                }
+            },
+        });
+    }
+    // ====== DEFENSIVE SECURITY SCAN TOOL ======
+    // Always enabled - this is defensive-only functionality
+    tools.push({
+        name: 'defensive_scan',
+        description: `Run defensive security scans on YOUR OWN device.
+
+This tool ONLY scans the local device for intrusion indicators.
+It does NOT attack other systems - it is purely defensive.
+
+Capabilities:
+- Intrusion detection (processes, network, persistence)
+- Security hardening assessment (firewall, SIP, FileVault, etc.)
+- Forensic evidence collection with chain of custody
+- MITRE ATT&CK mapping for detected indicators
+- Evidence packaging for law enforcement submission
+
+Use Cases:
+- Detect if your device has been compromised
+- Collect evidence of unauthorized access
+- Generate reports for legal proceedings
+- Assess and improve security posture
+- Incident response and forensic analysis`,
+        parameters: {
+            type: 'object',
+            properties: {
+                scanType: {
+                    type: 'string',
+                    enum: ['full', 'process', 'network', 'persistence', 'hardening', 'evidence'],
+                    description: 'Type of scan to perform',
+                },
+                evidenceDir: {
+                    type: 'string',
+                    description: 'Directory to store evidence files',
+                },
+                purpose: {
+                    type: 'string',
+                    description: 'Purpose for evidence collection (for chain of custody)',
+                },
+                format: {
+                    type: 'string',
+                    enum: ['text', 'json', 'markdown'],
+                    description: 'Output format for the report',
+                },
+            },
+            required: ['scanType'],
+        },
+        async handler(params) {
+            const scanType = params['scanType'];
+            const evidenceDir = params['evidenceDir'] || options.workingDir
+                ? `${options.workingDir}/.erosolar/evidence/defensive-${new Date().toISOString().split('T')[0]}`
+                : `.erosolar/evidence/defensive-${new Date().toISOString().split('T')[0]}`;
+            const purpose = params['purpose'] || 'Security assessment';
+            const format = params['format'] || 'text';
+            try {
+                const { IntrusionDetector, ForensicCollector, runDefensiveScan } = await import('../tools/defensiveSecurityTools.js');
+                const lines = [];
+                lines.push('═══════════════════════════════════════════════════════════════════════════════');
+                lines.push('                    DEFENSIVE SECURITY SCAN');
+                lines.push('═══════════════════════════════════════════════════════════════════════════════');
+                lines.push('');
+                lines.push('Mode: DEFENSIVE ONLY (scanning YOUR device)');
+                lines.push(`Scan Type: ${scanType.toUpperCase()}`);
+                lines.push(`Evidence Directory: ${evidenceDir}`);
+                lines.push(`Purpose: ${purpose}`);
+                lines.push(`Timestamp: ${new Date().toISOString()}`);
+                lines.push('');
+                if (scanType === 'full') {
+                    const { posture, package: pkg } = await runDefensiveScan(evidenceDir, purpose);
+                    lines.push('───────────────────────────────────────────────────────────────────────────────');
+                    lines.push('                         SECURITY POSTURE');
+                    lines.push('───────────────────────────────────────────────────────────────────────────────');
+                    lines.push('');
+                    lines.push(`Overall Risk Level: ${posture.overallRisk.toUpperCase()}`);
+                    lines.push(`Indicators Found: ${posture.indicators.length}`);
+                    lines.push(`Recommendations: ${posture.recommendations.length}`);
+                    lines.push('');
+                    // Hardening status
+                    lines.push('HARDENING STATUS:');
+                    lines.push(`  Firewall: ${posture.hardening.firewall.enabled ? '✓ Enabled' : '✗ DISABLED'}`);
+                    lines.push(`  SIP: ${posture.hardening.sip.enabled ? '✓ Enabled' : '✗ DISABLED'}`);
+                    lines.push(`  FileVault: ${posture.hardening.filevault.enabled ? '✓ Enabled' : '✗ DISABLED'}`);
+                    lines.push(`  Gatekeeper: ${posture.hardening.gatekeeper.enabled ? '✓ Enabled' : '✗ DISABLED'}`);
+                    lines.push(`  XProtect: ${posture.hardening.xprotect.enabled ? '✓ Enabled' : '✗ DISABLED'}`);
+                    lines.push(`  Auto Updates: ${posture.hardening.automaticUpdates.enabled ? '✓ Enabled' : '✗ DISABLED'}`);
+                    lines.push('');
+                    // Indicators by severity
+                    if (posture.indicators.length > 0) {
+                        lines.push('INTRUSION INDICATORS:');
+                        const bySeverity = {
+                            critical: [], high: [], medium: [], low: [], info: []
+                        };
+                        for (const ind of posture.indicators) {
+                            bySeverity[ind.severity]?.push(ind);
+                        }
+                        for (const [sev, inds] of Object.entries(bySeverity)) {
+                            if (inds.length > 0) {
+                                lines.push(`  [${sev.toUpperCase()}] ${inds.length} indicator(s)`);
+                                for (const ind of inds.slice(0, 3)) {
+                                    lines.push(`    • ${ind.description}`);
+                                    if (ind.mitreId)
+                                        lines.push(`      MITRE: ${ind.mitreId}`);
+                                }
+                                if (inds.length > 3)
+                                    lines.push(`    ... and ${inds.length - 3} more`);
+                            }
+                        }
+                        lines.push('');
+                    }
+                    // Recommendations
+                    if (posture.recommendations.length > 0) {
+                        lines.push('TOP RECOMMENDATIONS:');
+                        for (const rec of posture.recommendations.slice(0, 5)) {
+                            lines.push(`  ${rec.priority}. ${rec.action}`);
+                            lines.push(`     ${rec.rationale}`);
+                            if (rec.command)
+                                lines.push(`     Command: ${rec.command}`);
+                        }
+                        lines.push('');
+                    }
+                    lines.push('EVIDENCE PACKAGE:');
+                    lines.push(`  Case ID: ${pkg.caseId}`);
+                    lines.push(`  Artifacts: ${pkg.artifacts.length}`);
+                    lines.push(`  Master Hash: ${pkg.masterHash}`);
+                }
+                else {
+                    // Specific scan types
+                    const detector = new IntrusionDetector();
+                    const collector = new ForensicCollector(evidenceDir);
+                    if (scanType === 'process' || scanType === 'persistence' || scanType === 'network') {
+                        let indicators = [];
+                        if (scanType === 'process') {
+                            lines.push('Scanning processes...');
+                            indicators = await detector.scanProcesses();
+                        }
+                        else if (scanType === 'network') {
+                            lines.push('Scanning network connections...');
+                            indicators = await detector.scanNetwork();
+                        }
+                        else if (scanType === 'persistence') {
+                            lines.push('Scanning persistence mechanisms...');
+                            indicators = await detector.scanPersistence();
+                        }
+                        lines.push('');
+                        lines.push(`Found ${indicators.length} indicator(s):`);
+                        for (const ind of indicators) {
+                            lines.push(`  [${ind.severity.toUpperCase()}] ${ind.description}`);
+                            lines.push(`    Evidence: ${ind.evidence.slice(0, 100)}`);
+                            if (ind.mitreId)
+                                lines.push(`    MITRE ATT&CK: ${ind.mitreId} (${ind.mitreTactic})`);
+                            lines.push(`    Recommendation: ${ind.recommendation}`);
+                            lines.push('');
+                        }
+                    }
+                    else if (scanType === 'hardening') {
+                        lines.push('Checking security hardening...');
+                        const hardening = await detector.checkHardening();
+                        const recommendations = detector.generateRecommendations(hardening);
+                        lines.push('');
+                        lines.push('HARDENING STATUS:');
+                        lines.push(`  Firewall: ${hardening.firewall.enabled ? '✓' : '✗'} ${hardening.firewall.details}`);
+                        lines.push(`  SIP: ${hardening.sip.enabled ? '✓' : '✗'} ${hardening.sip.details}`);
+                        lines.push(`  FileVault: ${hardening.filevault.enabled ? '✓' : '✗'} ${hardening.filevault.details}`);
+                        lines.push(`  Gatekeeper: ${hardening.gatekeeper.enabled ? '✓' : '✗'} ${hardening.gatekeeper.details}`);
+                        lines.push(`  XProtect: ${hardening.xprotect.enabled ? '✓' : '✗'} ${hardening.xprotect.details}`);
+                        lines.push(`  Auto Updates: ${hardening.automaticUpdates.enabled ? '✓' : '✗'} ${hardening.automaticUpdates.details}`);
+                        lines.push('');
+                        if (recommendations.length > 0) {
+                            lines.push('RECOMMENDATIONS:');
+                            for (const rec of recommendations) {
+                                lines.push(`  ${rec.priority}. ${rec.action}`);
+                                lines.push(`     ${rec.rationale}`);
+                                if (rec.command)
+                                    lines.push(`     Command: ${rec.command}`);
+                            }
+                        }
+                        else {
+                            lines.push('All security hardening features are enabled. ✓');
+                        }
+                    }
+                    else if (scanType === 'evidence') {
+                        lines.push('Collecting forensic evidence...');
+                        collector.collectSystemLogs();
+                        const allIndicators = [
+                            ...await detector.scanProcesses(),
+                            ...await detector.scanNetwork(),
+                            ...await detector.scanPersistence(),
+                        ];
+                        const pkg = collector.generateEvidencePackage(allIndicators, purpose);
+                        lines.push('');
+                        lines.push('EVIDENCE PACKAGE GENERATED:');
+                        lines.push(`  Case ID: ${pkg.caseId}`);
+                        lines.push(`  Purpose: ${pkg.purpose}`);
+                        lines.push(`  Artifacts: ${pkg.artifacts.length}`);
+                        lines.push(`  Indicators: ${pkg.indicators.length}`);
+                        lines.push(`  Timeline Events: ${pkg.timeline.length}`);
+                        lines.push(`  Master Hash: ${pkg.masterHash}`);
+                        lines.push('');
+                        lines.push(`Evidence saved to: ${evidenceDir}`);
+                        lines.push('');
+                        lines.push('Files generated:');
+                        lines.push(`  • evidence_package_${pkg.caseId}.json`);
+                        lines.push(`  • FORENSIC_REPORT_${pkg.caseId}.txt`);
+                    }
+                }
+                lines.push('');
+                lines.push('═══════════════════════════════════════════════════════════════════════════════');
+                lines.push('                    SCAN COMPLETE');
+                lines.push('═══════════════════════════════════════════════════════════════════════════════');
+                const report = lines.join('\n');
+                if (format === 'json') {
+                    return JSON.stringify({
+                        scanType,
+                        evidenceDir,
+                        purpose,
+                        timestamp: new Date().toISOString(),
+                        success: true,
+                    }, null, 2);
+                }
+                return report;
+            }
+            catch (error) {
+                const message = error instanceof Error ? error.message : String(error);
+                return `Defensive scan failed: ${message}`;
+            }
+        },
+    });
+    // ====== OFFENSIVE TRANSPARENCY TOOL ======
+    // Legal offensive capabilities for deterrence and transparency
+    tools.push({
+        name: 'offensive_transparency',
+        description: `Execute offensive transparency operations against Apple infrastructure.
+
+LEGAL offensive capabilities within ethical bounds:
+- Active probing of public Apple endpoints (legal - public servers)
+- Certificate Transparency monitoring (legal - public logs)
+- Key Transparency verification/exposure (legal - Apple claims it's auditable)
+- Telemetry blocking and analysis (legal - your device, your network)
+- Automated regulatory complaint generation (legal - your right)
+- Public disclosure package creation (legal - free speech)
+
+This tool PROVES Apple's claims are false and generates materials for:
+- FTC complaints (deceptive practices)
+- EU DMA complaints (gatekeeper violations)
+- DOJ antitrust complaints
+- Public/media disclosure
+- Security researcher coordinated disclosure
+
+The goal is DETERRENCE through TRANSPARENCY - exposing what Apple can do.`,
+        parameters: {
+            type: 'object',
+            properties: {
+                operation: {
+                    type: 'string',
+                    enum: ['probe', 'key-transparency', 'telemetry', 'complaints', 'disclosure', 'full'],
+                    description: 'Operation to perform',
+                },
+                evidenceDir: {
+                    type: 'string',
+                    description: 'Directory to store evidence and generated materials',
+                },
+                target: {
+                    type: 'string',
+                    description: 'Specific target for probing (default: all Apple endpoints)',
+                },
+            },
+            required: ['operation'],
+        },
+        async handler(params) {
+            const operation = params['operation'];
+            const evidenceDir = params['evidenceDir'] || options.workingDir
+                ? `${options.workingDir}/.erosolar/evidence/offensive-${new Date().toISOString().split('T')[0]}`
+                : `.erosolar/evidence/offensive-${new Date().toISOString().split('T')[0]}`;
+            try {
+                const { InfrastructureProber, TelemetryBlocker, RegulatoryComplaintGenerator, DisclosurePackageGenerator, runOffensiveTransparency, } = await import('../tools/offensiveTransparencyTools.js');
+                const lines = [];
+                lines.push('═══════════════════════════════════════════════════════════════════════════════');
+                lines.push('                    OFFENSIVE TRANSPARENCY OPERATION');
+                lines.push('═══════════════════════════════════════════════════════════════════════════════');
+                lines.push('');
+                lines.push('Mode: OFFENSIVE (legal transparency/deterrence operations)');
+                lines.push(`Operation: ${operation.toUpperCase()}`);
+                lines.push(`Evidence Directory: ${evidenceDir}`);
+                lines.push(`Timestamp: ${new Date().toISOString()}`);
+                lines.push('');
+                if (operation === 'full') {
+                    const result = await runOffensiveTransparency(evidenceDir);
+                    lines.push('───────────────────────────────────────────────────────────────────────────────');
+                    lines.push('                    INFRASTRUCTURE PROBING RESULTS');
+                    lines.push('───────────────────────────────────────────────────────────────────────────────');
+                    lines.push('');
+                    lines.push(`Endpoints probed: ${result.probeResults.length}`);
+                    lines.push(`Reachable: ${result.probeResults.filter(p => p.reachable).length}`);
+                    lines.push(`Anomalies found: ${result.probeResults.flatMap(p => p.anomalies).length}`);
+                    lines.push('');
+                    lines.push('───────────────────────────────────────────────────────────────────────────────');
+                    lines.push('                    KEY TRANSPARENCY EXPOSURE');
+                    lines.push('───────────────────────────────────────────────────────────────────────────────');
+                    lines.push('');
+                    lines.push(`Publicly auditable: ${result.keyTransparency.publiclyAuditable ? 'YES' : 'NO ⚠️'}`);
+                    lines.push(`Merkle proof available: ${result.keyTransparency.merkleProofAvailable ? 'YES' : 'NO ⚠️'}`);
+                    lines.push('Findings:');
+                    for (const finding of result.keyTransparency.findings) {
+                        lines.push(`  • ${finding}`);
+                    }
+                    lines.push('');
+                    lines.push('───────────────────────────────────────────────────────────────────────────────');
+                    lines.push('                    TELEMETRY ANALYSIS');
+                    lines.push('───────────────────────────────────────────────────────────────────────────────');
+                    lines.push('');
+                    lines.push(`Active telemetry connections: ${result.telemetryAnalysis.telemetryConnections.length}`);
+                    lines.push('Data leakage detected:');
+                    for (const leak of result.telemetryAnalysis.dataLeakage) {
+                        lines.push(`  ⚠️ ${leak}`);
+                    }
+                    lines.push('');
+                    lines.push('───────────────────────────────────────────────────────────────────────────────');
+                    lines.push('                    REGULATORY COMPLAINTS GENERATED');
+                    lines.push('───────────────────────────────────────────────────────────────────────────────');
+                    lines.push('');
+                    for (const complaint of result.complaints) {
+                        lines.push(`✓ ${complaint.agency}`);
+                        lines.push(`  Type: ${complaint.type}`);
+                        lines.push(`  Allegations: ${complaint.allegations.length}`);
+                    }
+                    lines.push('');
+                    lines.push('───────────────────────────────────────────────────────────────────────────────');
+                    lines.push('                    DISCLOSURE PACKAGE');
+                    lines.push('───────────────────────────────────────────────────────────────────────────────');
+                    lines.push('');
+                    lines.push(`Title: ${result.disclosure.title}`);
+                    lines.push(`Classification: ${result.disclosure.classification.toUpperCase()}`);
+                    lines.push(`Technical findings: ${result.disclosure.technicalFindings.length}`);
+                    lines.push(`Evidence hashes: ${result.disclosure.evidenceHashes.length}`);
+                    lines.push('');
+                    lines.push('Media kit key points:');
+                    for (const point of result.disclosure.mediaKit.keyPoints) {
+                        lines.push(`  • ${point}`);
+                    }
+                }
+                else if (operation === 'probe') {
+                    const prober = new InfrastructureProber(evidenceDir);
+                    const results = await prober.probeAllEndpoints();
+                    lines.push('INFRASTRUCTURE PROBE RESULTS:');
+                    lines.push('');
+                    for (const result of results) {
+                        const status = result.reachable ? '✓' : '✗';
+                        lines.push(`${status} ${result.target}`);
+                        if (result.reachable) {
+                            lines.push(`    Response: ${result.responseTime}ms`);
+                            if (result.tlsInfo) {
+                                lines.push(`    TLS: ${result.tlsInfo.protocol} / ${result.tlsInfo.cipher}`);
+                                lines.push(`    Cert chain: ${result.tlsInfo.certificateChain.length} certificates`);
+                            }
+                        }
+                        if (result.anomalies.length > 0) {
+                            lines.push(`    Anomalies:`);
+                            for (const anomaly of result.anomalies) {
+                                lines.push(`      ⚠️ ${anomaly}`);
+                            }
+                        }
+                        lines.push('');
+                    }
+                }
+                else if (operation === 'key-transparency') {
+                    const prober = new InfrastructureProber(evidenceDir);
+                    const result = await prober.probeKeyTransparency();
+                    lines.push('KEY TRANSPARENCY VERIFICATION:');
+                    lines.push('');
+                    lines.push(`Endpoint: ${result.endpoint}`);
+                    lines.push(`Publicly Auditable: ${result.publiclyAuditable ? 'YES' : 'NO - APPLE IS LYING'}`);
+                    lines.push(`Merkle Proof Available: ${result.merkleProofAvailable ? 'YES' : 'NO'}`);
+                    lines.push('');
+                    lines.push('FINDINGS:');
+                    for (const finding of result.findings) {
+                        lines.push(`  • ${finding}`);
+                    }
+                    lines.push('');
+                    lines.push(`Evidence Hash: ${result.evidence}`);
+                }
+                else if (operation === 'telemetry') {
+                    const blocker = new TelemetryBlocker(evidenceDir);
+                    const analysis = blocker.analyzeCurrentConnections();
+                    const blocking = blocker.generateBlockingPackage();
+                    lines.push('TELEMETRY ANALYSIS:');
+                    lines.push('');
+                    lines.push(`Active telemetry connections: ${analysis.telemetryConnections.length}`);
+                    lines.push('');
+                    lines.push('DATA LEAKAGE:');
+                    for (const leak of analysis.dataLeakage) {
+                        lines.push(`  ⚠️ ${leak}`);
+                    }
+                    lines.push('');
+                    lines.push('BLOCKING PACKAGE GENERATED:');
+                    lines.push(`  • Hosts file entries: ${blocking.hostsFile.split('\n').length} lines`);
+                    lines.push(`  • Firewall rules: ${blocking.firewallRules.split('\n').length} lines`);
+                    lines.push(`  • LaunchDaemons to disable: ${blocking.launchDaemonsToDisable.length}`);
+                    lines.push('');
+                    lines.push('FILES SAVED:');
+                    lines.push(`  • ${evidenceDir}/HOSTS-BLOCK.txt`);
+                    lines.push(`  • ${evidenceDir}/FIREWALL-RULES.txt`);
+                    lines.push(`  • ${evidenceDir}/DISABLE-DAEMONS.txt`);
+                }
+                else if (operation === 'complaints') {
+                    const prober = new InfrastructureProber(evidenceDir);
+                    const ktResult = await prober.probeKeyTransparency();
+                    const complaintGen = new RegulatoryComplaintGenerator(evidenceDir);
+                    const findings = ktResult.findings;
+                    const hashes = [ktResult.evidence];
+                    const ftc = complaintGen.generateFTCComplaint(findings, hashes);
+                    const dma = complaintGen.generateDMAComplaint(findings, hashes);
+                    const doj = complaintGen.generateDOJComplaint(findings, hashes);
+                    lines.push('REGULATORY COMPLAINTS GENERATED:');
+                    lines.push('');
+                    for (const complaint of [ftc, dma, doj]) {
+                        lines.push(`═══ ${complaint.agency} ═══`);
+                        lines.push(`Type: ${complaint.type}`);
+                        lines.push(`Subject: ${complaint.subject}`);
+                        lines.push('');
+                        lines.push('Allegations:');
+                        for (const allegation of complaint.allegations) {
+                            lines.push(`  • ${allegation}`);
+                        }
+                        lines.push('');
+                        lines.push('Requested Action:');
+                        for (const action of complaint.requestedAction) {
+                            lines.push(`  → ${action}`);
+                        }
+                        lines.push('');
+                    }
+                }
+                else if (operation === 'disclosure') {
+                    const prober = new InfrastructureProber(evidenceDir);
+                    const ktResult = await prober.probeKeyTransparency();
+                    const disclosureGen = new DisclosurePackageGenerator(evidenceDir);
+                    const disclosure = disclosureGen.generatePublicDisclosure(ktResult.findings, [ktResult.evidence]);
+                    const coordinated = disclosureGen.generateCoordinatedDisclosure(ktResult.findings, [ktResult.evidence]);
+                    disclosureGen.saveDisclosureMaterials(disclosure, coordinated);
+                    lines.push('DISCLOSURE PACKAGE GENERATED:');
+                    lines.push('');
+                    lines.push(`Title: ${disclosure.title}`);
+                    lines.push(`Classification: ${disclosure.classification}`);
+                    lines.push('');
+                    lines.push('TECHNICAL FINDINGS:');
+                    for (const finding of disclosure.technicalFindings.slice(0, 5)) {
+                        lines.push(`  • ${finding}`);
+                    }
+                    if (disclosure.technicalFindings.length > 5) {
+                        lines.push(`  ... and ${disclosure.technicalFindings.length - 5} more`);
+                    }
+                    lines.push('');
+                    lines.push('MEDIA KIT KEY POINTS:');
+                    for (const point of disclosure.mediaKit.keyPoints) {
+                        lines.push(`  • ${point}`);
+                    }
+                    lines.push('');
+                    lines.push('FILES GENERATED:');
+                    lines.push(`  • ${evidenceDir}/PUBLIC-DISCLOSURE-PACKAGE.json`);
+                    lines.push(`  • ${evidenceDir}/MEDIA-KIT.md`);
+                    lines.push(`  • ${evidenceDir}/COORDINATED-DISCLOSURE.txt`);
+                    lines.push(`  • ${evidenceDir}/PRESS-RELEASE-TEMPLATE.md`);
+                }
+                lines.push('');
+                lines.push('═══════════════════════════════════════════════════════════════════════════════');
+                lines.push('                    OFFENSIVE TRANSPARENCY COMPLETE');
+                lines.push('═══════════════════════════════════════════════════════════════════════════════');
+                lines.push('');
+                lines.push('These materials can be used for:');
+                lines.push('  1. Regulatory complaints (FTC, DOJ, EU DMA)');
+                lines.push('  2. Legal proceedings');
+                lines.push('  3. Public disclosure / journalism');
+                lines.push('  4. Security research publications');
+                lines.push('  5. Congressional/parliamentary testimony');
+                lines.push('');
+                lines.push('DETERRENCE ACHIEVED THROUGH TRANSPARENCY');
+                return lines.join('\n');
+            }
+            catch (error) {
+                const message = error instanceof Error ? error.message : String(error);
+                return `Offensive transparency operation failed: ${message}`;
+            }
+        },
+    });
+    // ====== THREAT INTELLIGENCE TOOL ======
+    tools.push({
+        name: 'threat_intelligence',
+        description: `Generate threat intelligence and capability assessments.
+
+Provides:
+- Threat actor profiling
+- Attack vector analysis with MITRE ATT&CK
+- IOC detection
+- Capability assessment
+- Risk scoring
+
+Understanding attacker capabilities is deterrence through transparency.`,
+        parameters: {
+            type: 'object',
+            properties: {
+                action: {
+                    type: 'string',
+                    enum: ['full_report', 'actors', 'vectors', 'ioc_scan', 'capability_assessment'],
+                },
+                actorId: { type: 'string' },
+                evidenceDir: { type: 'string' },
+            },
+            required: ['action'],
+        },
+        async handler(params) {
+            const action = params['action'];
+            const evidenceDir = params['evidenceDir'] ||
+                `${options.workingDir || '.'}/.erosolar/evidence/threat-intel-${new Date().toISOString().split('T')[0]}`;
+            try {
+                const { ThreatIntelligenceEngine, runThreatAnalysis } = await import('../tools/threatIntelligenceTools.js');
+                const engine = new ThreatIntelligenceEngine(evidenceDir);
+                if (action === 'full_report') {
+                    const report = await engine.generateThreatReport();
+                    return `${report.executiveSummary}\n\n${report.technicalDetails}\n\nRisk Score: ${report.riskScore}/100\nHash: ${report.hash}`;
+                }
+                else if (action === 'ioc_scan') {
+                    const iocs = await engine.scanForIOCs();
+                    const anomalies = await engine.detectAnomalies();
+                    return `IOCs: ${iocs.length}, Anomalies: ${anomalies.length}\n` +
+                        iocs.map(i => `[${i.type}] ${i.value} (${Math.round(i.confidence * 100)}%)`).join('\n');
+                }
+                else if (action === 'capability_assessment') {
+                    const actorId = params['actorId'] || 'ta-apple-internal';
+                    const caps = engine.assessCapabilities(actorId);
+                    return caps.map(c => `• ${c.capability}\n  Impact: ${c.impactIfUsed}\n  Mitigation: ${c.mitigations[0]}`).join('\n\n');
+                }
+                return 'Unknown action';
+            }
+            catch (error) {
+                return `Error: ${error instanceof Error ? error.message : String(error)}`;
+            }
+        },
+    });
+    // ====== UNIFIED ATTACK ORCHESTRATION TOOL ======
+    tools.push({
+        name: 'attack_orchestrator',
+        description: `Execute comprehensive offensive operations against ANY target infrastructure (AUTHORIZED USE ONLY).
+
+**Dynamic Target Research**: NO HARDCODED DATA! The AI automatically researches any organization you specify:
+- Tech companies (Apple, Google, Microsoft, Amazon, Meta, Netflix, Uber, Spotify, TikTok, etc.)
+- Government agencies (Pentagon, NSA, CIA, FBI, DHS, DOD, etc.)
+- Defense contractors (Lockheed Martin, Raytheon, Northrop Grumman, Boeing, etc.)
+- Critical infrastructure (Power grids, water systems, transportation, telecom)
+- Finance (JPMorgan, Visa, PayPal, banks, trading firms)
+- Healthcare systems
+- Energy sector
+- ANY other organization - just provide the name!
+
+The orchestrator will:
+1. Research the target using AI (infrastructure, employees, geography, tech stack)
+2. Identify attack surface (servers, APIs, mobile apps, cloud)
+3. Generate attack recommendations
+4. Execute full-spectrum offensive operations
+
+Attack Intents:
+- destroy/attack: Full offensive compromise
+- audit: Security assessment
+- analyze/recon: Reconnaissance
+- exfiltrate: Data extraction
+- persist: Establish persistence
+- escalate: Privilege escalation
+- evade: Detection evasion
+
+Attack Vectors:
+- server: Server infrastructure
+- system: OS-level exploitation
+- device: End-user devices
+- network: Network-level attacks
+- corporate: Corporate infrastructure
+- employee: Social engineering
+- supply-chain: Supply chain attacks
+- cloud: Cloud infrastructure
+- api: API exploitation
+- web: Web applications
+
+Modes:
+- rl: Reinforcement learning with 2 self-modifying agents
+- non-rl: Direct full-spectrum offensive execution
+- auto: Automatically select based on intent (default)
+
+Features:
+- Multi-target support (Apple, Google, Microsoft, Amazon, Meta, custom)
+- Dual-mode execution with keyboard toggle
+- Self-modifying agents with version control
+- Full-spectrum attack planning
+- Real-time statistics and reporting`,
+        parameters: {
+            type: 'object',
+            properties: {
+                organization: {
+                    type: 'string',
+                    description: 'Target organization name (can be ANY organization - AI will research it dynamically)'
+                },
+                intent: {
+                    type: 'string',
+                    enum: ['destroy', 'attack', 'audit', 'analyze', 'recon', 'exfiltrate', 'persist', 'escalate', 'evade'],
+                    description: 'Attack intent'
+                },
+                vectors: {
+                    type: 'array',
+                    items: {
+                        type: 'string',
+                        enum: ['server', 'system', 'device', 'network', 'corporate', 'employee', 'supply-chain', 'cloud', 'api', 'web']
+                    },
+                    description: 'Attack vectors to employ (default: all applicable)'
+                },
+                mode: {
+                    type: 'string',
+                    enum: ['rl', 'non-rl', 'auto'],
+                    description: 'Execution mode (default: auto)'
+                },
+                maxIterations: {
+                    type: 'number',
+                    description: 'Maximum iterations (0 = unlimited, default: 0)'
+                },
+                completionThreshold: {
+                    type: 'number',
+                    description: 'Completion percentage threshold (0-1, default: 0.95)'
+                },
+                enableKeyboard: {
+                    type: 'boolean',
+                    description: 'Enable keyboard toggle for mode switching (default: true)'
+                },
+                verbose: {
+                    type: 'boolean',
+                    description: 'Show detailed statistics (default: false)'
+                },
+                customName: {
+                    type: 'string',
+                    description: 'Custom target name (for custom organization)'
+                },
+                scope: {
+                    type: 'object',
+                    description: 'Custom scope definition (for custom organization)',
+                    properties: {
+                        servers: { type: 'array', items: { type: 'string' } },
+                        systems: { type: 'array', items: { type: 'string' } },
+                        devices: { type: 'array', items: { type: 'string' } },
+                        employees: { type: 'number' },
+                        geography: { type: 'array', items: { type: 'string' } },
+                        departments: { type: 'array', items: { type: 'string' } }
+                    }
+                }
+            },
+            required: ['organization', 'intent'],
+        },
+        async handler(params) {
+            const organization = params['organization'];
+            const intent = params['intent'];
+            const vectors = params['vectors'] || ['server', 'system', 'device', 'network', 'corporate', 'employee'];
+            const mode = params['mode'] || 'auto';
+            const maxIterations = params['maxIterations'] || 0;
+            const completionThreshold = params['completionThreshold'] || 0.95;
+            const enableKeyboard = params['enableKeyboard'] !== false;
+            const verbose = params['verbose'] === true;
+            const customName = params['customName'];
+            const scope = params['scope'];
+            try {
+                const { CompleteAttackOrchestrator } = await import('../core/completeAttackOrchestrator.js');
+                // Build configuration
+                const config = {
+                    organization,
+                    intent: intent,
+                    mode: mode,
+                    vectors,
+                    maxIterations,
+                    completionThreshold,
+                    enableKeyboard,
+                    verbose
+                };
+                // Execute attack orchestration
+                const orchestrator = new CompleteAttackOrchestrator();
+                const stats = await orchestrator.execute(config);
+                // Generate report
+                const report = CompleteAttackOrchestrator.generateReport(stats);
+                if (verbose) {
+                    return report + `\n\n--- Full Statistics ---\n${JSON.stringify(stats, null, 2)}`;
+                }
+                return report;
+            }
+            catch (error) {
+                return `Error executing attack orchestration: ${error instanceof Error ? error.message : String(error)}`;
+            }
+        },
+    });
+    // ====== UNIFIED ORCHESTRATOR TOOL (RL + Non-RL) ======
+    if (enableAll || options.enableUnifiedOrchestrator) {
+        tools.push({
+            name: 'orchestrate',
+            description: `Unified orchestration combining RL and non-RL modes.
+
+Modes:
+- single: Standard single-pass execution
+- dual-rl: Self-improving with RL refinement (runs primary + refinement pass)
+- auto: Auto-execute cycles until completion
+- apt: Full APT kill-chain execution
+- security: Security assessment with findings
+
+Features:
+- Automatic mode selection based on objective complexity
+- RL reward tracking for self-improvement
+- Real technique execution via TAO
+- Deliverable generation`,
+            parameters: {
+                type: 'object',
+                properties: {
+                    objective: { type: 'string', description: 'Task objective to accomplish' },
+                    mode: {
+                        type: 'string',
+                        enum: ['single', 'dual-rl', 'auto', 'apt', 'security'],
+                        description: 'Orchestration mode (default: auto-selected based on objective)',
+                    },
+                    useRL: { type: 'boolean', description: 'Enable RL refinement (default: true for complex tasks)' },
+                    maxCycles: { type: 'number', description: 'Max cycles for auto mode (default: 5)' },
+                    depth: { type: 'string', enum: ['quick', 'standard', 'deep'], description: 'Execution depth' },
+                    goal: {
+                        type: 'string',
+                        enum: ['recon', 'access', 'persist', 'escalate', 'lateral', 'collect', 'exfil', 'impact', 'all'],
+                        description: 'APT goal for apt/security modes',
+                    },
+                    targets: { type: 'array', items: { type: 'string' }, description: 'Target list for security/apt modes' },
+                    stealthMode: { type: 'boolean', description: 'Enable stealth mode (slower but less detectable)' },
+                },
+                required: ['objective'],
+            },
+            async handler(params) {
+                const objective = params['objective'];
+                const mode = params['mode'];
+                const useRL = params['useRL'];
+                const maxCycles = params['maxCycles'];
+                const depth = params['depth'];
+                const goal = params['goal'];
+                const targets = params['targets'];
+                const stealthMode = params['stealthMode'];
+                // Auto-select mode based on objective
+                const selectedMode = mode ?? inferOrchestrationMode(objective);
+                const summary = [
+                    `Orchestration: ${selectedMode.toUpperCase()}`,
+                    `Objective: ${objective.slice(0, 100)}${objective.length > 100 ? '...' : ''}`,
+                ];
+                if (selectedMode === 'dual-rl' || useRL) {
+                    summary.push('RL: Enabled (primary + refinement pass)');
+                }
+                if (selectedMode === 'auto') {
+                    summary.push(`Auto-execution: max ${maxCycles ?? 5} cycles, depth ${depth ?? 'standard'}`);
+                }
+                if (selectedMode === 'apt' || selectedMode === 'security') {
+                    summary.push(`Goal: ${goal ?? 'all'}`);
+                    if (targets?.length)
+                        summary.push(`Targets: ${targets.join(', ')}`);
+                    if (stealthMode)
+                        summary.push('Stealth: Enabled');
+                }
+                // Note: Actual orchestration would require agent runtime context
+                // This tool provides configuration and status for the orchestrator
+                summary.push('');
+                summary.push('Configuration ready. Orchestrator will execute with these settings.');
+                summary.push('Use the agent runtime to invoke UnifiedOrchestrator.run() with this config.');
+                return summary.join('\n');
+            },
+        });
+    }
     return {
         id: 'orchestration-tools',
-        description: 'Unified orchestration: gov, infra, security, validation, hypothesis, recovery',
+        description: 'Unified orchestration: RL/non-RL modes, gov, infra, security, validation, hypothesis, recovery, APT chain operations',
         tools,
     };
 }
+function inferOrchestrationMode(objective) {
+    const lower = objective.toLowerCase();
+    if (lower.includes('security') || lower.includes('pentest') || lower.includes('vulnerability'))
+        return 'security';
+    if (lower.includes('apt') || lower.includes('kill-chain') || lower.includes('attack'))
+        return 'apt';
+    if (lower.includes('verify') || lower.includes('improve') || lower.includes('refine'))
+        return 'dual-rl';
+    if (lower.includes('complete') || lower.includes('finish') || lower.includes('until done'))
+        return 'auto';
+    return 'single';
+}
 // ============================================================================
 // CAPABILITY MODULE
 // ============================================================================