erosolar-cli 2.1.270 → 2.1.272

package/dist/core/unifiedFraudOrchestrator.d.ts

@@ -1,738 +0,0 @@
-/**
- * Unified Tech Fraud Investigation Orchestrator
- *
- * Purpose: Coordinate investigation of tech company fraud across multiple vectors:
- * - Apple iMessage PQ3 (key substitution, false E2E claims)
- * - Google Gmail (hidden threads, draft manipulation, unauthorized access)
- * - Google Chrome (browser hijacking, session control, surveillance)
- * - Cross-platform evidence correlation
- *
- * This orchestrator:
- * 1. Manages investigation workflows across multiple targets
- * 2. Correlates evidence across different fraud vectors
- * 3. Detects patterns indicating coordinated manipulation
- * 4. Generates unified legal evidence packages
- * 5. Maintains cryptographic chain of custody
- */
-import { EventEmitter } from 'node:events';
-import { iMessageVerificationEngine, APPLE_PQ3_CLAIMS } from './iMessageVerification.js';
-export type InvestigationTarget = 'apple' | 'google' | 'meta' | 'microsoft' | 'amazon';
-export type FraudVector = 'imessage_key_substitution' | 'imessage_false_e2e' | 'gmail_hidden_threads' | 'gmail_draft_manipulation' | 'gmail_unauthorized_access' | 'gmail_filter_tampering' | 'chrome_unauthorized_launch' | 'chrome_session_hijacking' | 'chrome_history_manipulation' | 'chrome_extension_injection' | 'cross_platform_surveillance' | 'coordinated_manipulation';
-export interface Investigation {
-    id: string;
-    name: string;
-    target: InvestigationTarget;
-    vectors: FraudVector[];
-    status: 'planning' | 'active' | 'collecting' | 'analyzing' | 'complete' | 'suspended';
-    created: string;
-    lastActivity: string;
-    evidenceChainId: string;
-    findings: Finding[];
-    correlations: EvidenceCorrelation[];
-    hash: string;
-}
-export interface Finding {
-    id: string;
-    timestamp: string;
-    vector: FraudVector;
-    severity: 'low' | 'medium' | 'high' | 'critical';
-    title: string;
-    description: string;
-    technicalDetails: Record<string, unknown>;
-    evidenceIds: string[];
-    legalImplications: LegalImplication;
-    hash: string;
-}
-export interface LegalImplication {
-    fraudType: string;
-    applicableLaws: string[];
-    potentialDamages: string;
-    recommendations: string[];
-}
-export interface EvidenceCorrelation {
-    id: string;
-    timestamp: string;
-    findingIds: string[];
-    correlationType: 'temporal' | 'behavioral' | 'technical' | 'pattern';
-    description: string;
-    confidence: number;
-    implications: string;
-    hash: string;
-}
-export interface GmailThreadObservation {
-    id: string;
-    timestamp: string;
-    threadId: string;
-    messageIds: string[];
-    subject: string;
-    labels: string[];
-    isVisible: boolean;
-    isInSearch: boolean;
-    lastMessageDate: string;
-    participantCount: number;
-    captureMethod: 'api' | 'ui_scrape' | 'network_capture' | 'takeout';
-    rawData?: string;
-    hash: string;
-}
-export interface GmailDraftObservation {
-    id: string;
-    timestamp: string;
-    draftId: string;
-    threadId?: string;
-    subject: string;
-    recipientCount: number;
-    bodyHash: string;
-    bodyLength: number;
-    hasAttachments: boolean;
-    createdAt: string;
-    modifiedAt: string;
-    captureMethod: 'api' | 'ui_scrape' | 'network_capture';
-    previousObservationId?: string;
-    changes?: DraftChange[];
-    hash: string;
-}
-export interface DraftChange {
-    type: 'created' | 'modified' | 'deleted' | 'sent_without_user' | 'content_changed';
-    field?: string;
-    previousValue?: string;
-    newValue?: string;
-    userInitiated: boolean;
-    suspicionLevel: 'normal' | 'suspicious' | 'highly_suspicious';
-    reason: string;
-}
-export interface GmailFilterObservation {
-    id: string;
-    timestamp: string;
-    filterId: string;
-    criteria: {
-        from?: string;
-        to?: string;
-        subject?: string;
-        hasWords?: string;
-        excludeWords?: string;
-    };
-    actions: {
-        skipInbox?: boolean;
-        markRead?: boolean;
-        archive?: boolean;
-        delete?: boolean;
-        forward?: string;
-        label?: string;
-    };
-    createdByUser: boolean;
-    createdAt?: string;
-    hash: string;
-}
-export interface GmailAccessLog {
-    id: string;
-    timestamp: string;
-    accessType: 'login' | 'api_access' | 'imap' | 'pop' | 'oauth_grant' | 'security_event';
-    ipAddress: string;
-    location?: string;
-    userAgent?: string;
-    deviceType?: string;
-    wasUser: boolean;
-    suspicious: boolean;
-    reason?: string;
-    hash: string;
-}
-export interface ChromeProcessObservation {
-    id: string;
-    timestamp: string;
-    pid: number;
-    parentPid: number;
-    commandLine: string[];
-    profilePath?: string;
-    startTime: string;
-    userInitiated: boolean;
-    launchSource?: 'user' | 'system' | 'script' | 'unknown' | 'remote';
-    suspicionLevel: 'normal' | 'suspicious' | 'highly_suspicious';
-    reason?: string;
-    networkConnections?: NetworkConnection[];
-    hash: string;
-}
-export interface NetworkConnection {
-    localPort: number;
-    remoteIp: string;
-    remotePort: number;
-    state: string;
-    protocol: string;
-}
-export interface ChromeSessionObservation {
-    id: string;
-    timestamp: string;
-    profileId: string;
-    tabs: ChromeTabInfo[];
-    cookies: ChromeCookieInfo[];
-    localStorage: ChromeStorageInfo[];
-    syncStatus: 'synced' | 'local_only' | 'sync_disabled';
-    lastSyncTime?: string;
-    anomalies: SessionAnomaly[];
-    hash: string;
-}
-export interface ChromeTabInfo {
-    tabId: number;
-    url: string;
-    title: string;
-    active: boolean;
-    createdAt: string;
-    lastAccessed: string;
-}
-export interface ChromeCookieInfo {
-    domain: string;
-    name: string;
-    valueHash: string;
-    secure: boolean;
-    httpOnly: boolean;
-    sameSite: string;
-    expirationDate?: number;
-}
-export interface ChromeStorageInfo {
-    origin: string;
-    keyCount: number;
-    totalSize: number;
-    sensitiveKeys: string[];
-}
-export interface SessionAnomaly {
-    type: 'unexpected_tab' | 'cookie_injection' | 'storage_modification' | 'sync_without_user' | 'profile_access' | 'extension_activity';
-    severity: 'low' | 'medium' | 'high' | 'critical';
-    description: string;
-    evidence: string;
-}
-export interface ChromeHistoryObservation {
-    id: string;
-    timestamp: string;
-    captureMethod: 'sqlite' | 'api' | 'ui_scrape';
-    entryCount: number;
-    dateRange: {
-        start: string;
-        end: string;
-    };
-    deletedEntries?: HistoryDeletion[];
-    unexpectedEntries?: UnexpectedHistoryEntry[];
-    hash: string;
-}
-export interface HistoryDeletion {
-    approximateTime: string;
-    entriesAffected: number;
-    urlPatterns?: string[];
-    userInitiated: boolean;
-}
-export interface UnexpectedHistoryEntry {
-    url: string;
-    visitTime: string;
-    transitionType: string;
-    suspicionReason: string;
-}
-export declare const GOOGLE_GMAIL_CLAIMS: {
-    user_control: {
-        claim: string;
-        source: string;
-        verifiable: string;
-        reason: string;
-    };
-    no_email_scanning_for_ads: {
-        claim: string;
-        source: string;
-        verifiable: boolean;
-        reason: string;
-    };
-    confidential_mode: {
-        claim: string;
-        source: string;
-        verifiable: boolean;
-        reason: string;
-    };
-    security_alerts: {
-        claim: string;
-        source: string;
-        verifiable: string;
-        reason: string;
-    };
-    search_accuracy: {
-        claim: string;
-        source: string;
-        verifiable: boolean;
-        reason: string;
-    };
-    draft_integrity: {
-        claim: string;
-        source: string;
-        verifiable: boolean;
-        reason: string;
-    };
-};
-export declare const GOOGLE_CHROME_CLAIMS: {
-    safe_browsing: {
-        claim: string;
-        source: string;
-        verifiable: string;
-        reason: string;
-    };
-    sync_privacy: {
-        claim: string;
-        source: string;
-        verifiable: boolean;
-        reason: string;
-    };
-    user_control_history: {
-        claim: string;
-        source: string;
-        verifiable: string;
-        reason: string;
-    };
-    no_unauthorized_access: {
-        claim: string;
-        source: string;
-        verifiable: boolean;
-        reason: string;
-    };
-    extension_security: {
-        claim: string;
-        source: string;
-        verifiable: string;
-        reason: string;
-    };
-};
-export declare class GmailInvestigationEngine {
-    private storageDir;
-    private threadObservations;
-    private draftObservations;
-    private filterObservations;
-    private accessLogs;
-    private findings;
-    constructor(storageDir: string);
-    initialize(): Promise<void>;
-    /**
-     * Record observation of Gmail threads.
-     * Compare with previous observations to detect hidden threads.
-     *
-     * Detection methods:
-     * 1. Compare UI-visible threads vs API-returned threads
-     * 2. Compare search results vs direct thread access
-     * 3. Compare current state vs Google Takeout export
-     * 4. Monitor for threads that disappear from search but still exist
-     */
-    recordThreadObservation(params: {
-        threadId: string;
-        messageIds: string[];
-        subject: string;
-        labels: string[];
-        isVisible: boolean;
-        isInSearch: boolean;
-        lastMessageDate: string;
-        participantCount: number;
-        captureMethod: 'api' | 'ui_scrape' | 'network_capture' | 'takeout';
-        rawData?: string;
-    }): Promise<{
-        observation: GmailThreadObservation;
-        anomalyDetected: boolean;
-        finding?: Finding;
-    }>;
-    /**
-     * Compare multiple capture methods to detect discrepancies.
-     * If API shows different threads than UI or Takeout, that's manipulation.
-     */
-    crossReferenceThreadSources(params: {
-        apiThreadIds: string[];
-        uiThreadIds: string[];
-        takeoutThreadIds?: string[];
-        imapThreadIds?: string[];
-    }): Promise<{
-        discrepancies: Array<{
-            threadId: string;
-            presentIn: string[];
-            missingFrom: string[];
-            implication: string;
-        }>;
-        finding?: Finding;
-    }>;
-    /**
-     * Record observation of a draft.
-     * Detect unauthorized modifications, deletions, or sends.
-     */
-    recordDraftObservation(params: {
-        draftId: string;
-        threadId?: string;
-        subject: string;
-        recipientCount: number;
-        bodyContent: string;
-        hasAttachments: boolean;
-        createdAt: string;
-        modifiedAt: string;
-        captureMethod: 'api' | 'ui_scrape' | 'network_capture';
-    }): Promise<{
-        observation: GmailDraftObservation;
-        changes: DraftChange[];
-        finding?: Finding;
-    }>;
-    /**
-     * Detect drafts that were sent without user action.
-     * This is a critical fraud indicator.
-     */
-    detectUnauthorizedDraftSend(params: {
-        draftId: string;
-        sentMessageId: string;
-        sentAt: string;
-        userWasActive: boolean;
-        userLocation?: string;
-        sendingIp?: string;
-    }): Promise<Finding>;
-    /**
-     * Record account access and detect unauthorized access.
-     */
-    recordAccessLog(params: {
-        accessType: 'login' | 'api_access' | 'imap' | 'pop' | 'oauth_grant' | 'security_event';
-        ipAddress: string;
-        location?: string;
-        userAgent?: string;
-        deviceType?: string;
-        wasUser: boolean;
-    }): Promise<{
-        log: GmailAccessLog;
-        finding?: Finding;
-    }>;
-    /**
-     * Record and detect unauthorized Gmail filters.
-     * Google could add filters to hide specific emails.
-     */
-    recordFilterObservation(params: {
-        filterId: string;
-        criteria: GmailFilterObservation['criteria'];
-        actions: GmailFilterObservation['actions'];
-        createdByUser: boolean;
-        createdAt?: string;
-    }): Promise<{
-        observation: GmailFilterObservation;
-        finding?: Finding;
-    }>;
-    private persistThreadObservation;
-    private persistDraftObservation;
-    private persistAccessLog;
-    private persistFilterObservation;
-    private createFinding;
-    private getLegalImplications;
-    getFindings(): Finding[];
-    getThreadObservations(threadId: string): GmailThreadObservation[];
-    getDraftObservations(draftId: string): GmailDraftObservation[];
-}
-export declare class ChromeInvestigationEngine {
-    private storageDir;
-    private processObservations;
-    private sessionObservations;
-    private historyObservations;
-    private findings;
-    constructor(storageDir: string);
-    initialize(): Promise<void>;
-    /**
-     * Record Chrome process observation.
-     * Detect unauthorized browser launches.
-     */
-    recordProcessObservation(params: {
-        pid: number;
-        parentPid: number;
-        commandLine: string[];
-        profilePath?: string;
-        startTime: string;
-        userInitiated: boolean;
-        networkConnections?: NetworkConnection[];
-    }): Promise<{
-        observation: ChromeProcessObservation;
-        finding?: Finding;
-    }>;
-    /**
-     * Record Chrome session state.
-     * Detect session hijacking and unauthorized modifications.
-     */
-    recordSessionObservation(params: {
-        profileId: string;
-        tabs: ChromeTabInfo[];
-        cookies: ChromeCookieInfo[];
-        localStorage: ChromeStorageInfo[];
-        syncStatus: 'synced' | 'local_only' | 'sync_disabled';
-        lastSyncTime?: string;
-    }): Promise<{
-        observation: ChromeSessionObservation;
-        anomalies: SessionAnomaly[];
-        finding?: Finding;
-    }>;
-    /**
-     * Record Chrome history state.
-     * Detect unauthorized deletions or additions.
-     */
-    recordHistoryObservation(params: {
-        captureMethod: 'sqlite' | 'api' | 'ui_scrape';
-        entryCount: number;
-        dateRange: {
-            start: string;
-            end: string;
-        };
-        entries: Array<{
-            url: string;
-            visitTime: string;
-            transitionType: string;
-        }>;
-    }): Promise<{
-        observation: ChromeHistoryObservation;
-        finding?: Finding;
-    }>;
-    private persistProcessObservation;
-    private persistSessionObservation;
-    private persistHistoryObservation;
-    private createFinding;
-    private getLegalImplications;
-    getFindings(): Finding[];
-    getProcessObservations(): ChromeProcessObservation[];
-}
-export declare class UnifiedFraudOrchestrator extends EventEmitter {
-    protected storageDir: string;
-    private integrityEngine;
-    private iMessageEngine;
-    protected gmailEngine: GmailInvestigationEngine;
-    protected chromeEngine: ChromeInvestigationEngine;
-    protected investigations: Map<string, Investigation>;
-    private correlations;
-    constructor(workingDir?: string);
-    initialize(): Promise<void>;
-    createInvestigation(params: {
-        name: string;
-        target: InvestigationTarget;
-        vectors: FraudVector[];
-    }): Promise<Investigation>;
-    updateInvestigationStatus(investigationId: string, status: Investigation['status']): Promise<Investigation>;
-    getIMessageEngine(): iMessageVerificationEngine;
-    getGmailEngine(): GmailInvestigationEngine;
-    getChromeEngine(): ChromeInvestigationEngine;
-    /**
-     * Correlate findings across different fraud vectors.
-     * Detect patterns that indicate coordinated manipulation.
-     */
-    correlateFindings(investigationId: string): Promise<EvidenceCorrelation[]>;
-    generateUnifiedReport(investigationId: string): Promise<{
-        investigation: Investigation;
-        summary: {
-            target: InvestigationTarget;
-            vectorsInvestigated: FraudVector[];
-            totalFindings: number;
-            criticalFindings: number;
-            correlations: number;
-        };
-        byVector: Record<FraudVector, {
-            findings: Finding[];
-            severity: 'low' | 'medium' | 'high' | 'critical';
-        }>;
-        correlations: EvidenceCorrelation[];
-        legalSummary: {
-            fraudTypes: string[];
-            applicableLaws: string[];
-            recommendations: string[];
-        };
-        claims: {
-            apple?: typeof APPLE_PQ3_CLAIMS;
-            google_gmail?: typeof GOOGLE_GMAIL_CLAIMS;
-            google_chrome?: typeof GOOGLE_CHROME_CLAIMS;
-        };
-    }>;
-    exportForLitigation(investigationId: string, outputDir: string): Promise<string>;
-    private generateLegalDocument;
-    private persistInvestigation;
-    loadInvestigation(investigationId: string): Promise<Investigation | null>;
-    getInvestigations(): Investigation[];
-}
-/**
- * Attack chains model multi-step attack sequences where each step enables the next.
- * Detecting partial chains is evidence of an ongoing attack.
- * Detecting complete chains is irrefutable evidence of coordinated fraud.
- */
-export type AttackChainPhase = 'reconnaissance' | 'initial_access' | 'execution' | 'persistence' | 'exfiltration' | 'impact';
-export interface AttackChainStep {
-    id: string;
-    phase: AttackChainPhase;
-    name: string;
-    description: string;
-    indicators: string[];
-    requiredPriorSteps: string[];
-    vectors: FraudVector[];
-    detectionMethods: string[];
-}
-export interface AttackChain {
-    id: string;
-    name: string;
-    target: InvestigationTarget;
-    description: string;
-    steps: AttackChainStep[];
-    minimumStepsForEvidence: number;
-    legalImplications: LegalImplication;
-}
-export interface AttackChainObservation {
-    id: string;
-    timestamp: string;
-    chainId: string;
-    stepId: string;
-    findingId: string;
-    confidence: number;
-    evidence: string;
-    hash: string;
-}
-export interface AttackChainProgress {
-    chainId: string;
-    chainName: string;
-    target: InvestigationTarget;
-    observedSteps: AttackChainObservation[];
-    completionPercentage: number;
-    currentPhase: AttackChainPhase;
-    riskLevel: 'low' | 'medium' | 'high' | 'critical';
-    isComplete: boolean;
-    nextExpectedSteps: AttackChainStep[];
-}
-export declare const GOOGLE_SURVEILLANCE_CHAIN: AttackChain;
-export declare const GOOGLE_DRAFT_EXPLOITATION_CHAIN: AttackChain;
-export declare const APPLE_IMESSAGE_MITM_CHAIN: AttackChain;
-export declare const APPLE_CONTACT_KEY_BYPASS_CHAIN: AttackChain;
-export declare const CROSS_PLATFORM_SURVEILLANCE_CHAIN: AttackChain;
-export declare const ATTACK_CHAIN_REGISTRY: AttackChain[];
-export declare class AttackChainDetector {
-    private storageDir;
-    private observations;
-    private progressCache;
-    constructor(storageDir: string);
-    initialize(): Promise<void>;
-    /**
-     * Record an observation that matches an attack chain step.
-     */
-    recordObservation(params: {
-        chainId: string;
-        stepId: string;
-        findingId: string;
-        confidence: number;
-        evidence: string;
-    }): Promise<AttackChainObservation>;
-    /**
-     * Automatically detect which attack chain steps match a finding.
-     */
-    detectChainSteps(finding: Finding): Promise<AttackChainObservation[]>;
-    /**
-     * Get current progress for an attack chain.
-     */
-    getChainProgress(chainId: string): Promise<AttackChainProgress>;
-    /**
-     * Get all attack chain progress.
-     */
-    getAllProgress(): Promise<AttackChainProgress[]>;
-    /**
-     * Get chains relevant to a specific target.
-     */
-    getChainsForTarget(target: InvestigationTarget): AttackChain[];
-    /**
-     * Analyze findings and detect complete or partial attack chains.
-     */
-    analyzeFindings(findings: Finding[]): Promise<{
-        completeChains: AttackChainProgress[];
-        partialChains: AttackChainProgress[];
-        activeThreats: AttackChainProgress[];
-    }>;
-    /**
-     * Generate attack chain report.
-     */
-    generateChainReport(chainId: string): Promise<{
-        chain: AttackChain;
-        progress: AttackChainProgress;
-        timeline: Array<{
-            step: AttackChainStep;
-            observation: AttackChainObservation | null;
-        }>;
-        gaps: AttackChainStep[];
-        evidenceStrength: 'weak' | 'moderate' | 'strong' | 'irrefutable';
-        legalReadiness: 'insufficient' | 'preliminary' | 'actionable' | 'prosecution_ready';
-    }>;
-    private updateProgress;
-    private persistObservation;
-    private persistProgress;
-}
-declare module './unifiedFraudOrchestrator.js' {
-    interface UnifiedFraudOrchestrator {
-        attackChainDetector: AttackChainDetector;
-        initializeAttackChains(): Promise<void>;
-        detectAttackChains(investigationId: string): Promise<{
-            completeChains: AttackChainProgress[];
-            partialChains: AttackChainProgress[];
-            activeThreats: AttackChainProgress[];
-        }>;
-        getAttackChainReport(chainId: string): Promise<ReturnType<AttackChainDetector['generateChainReport']>>;
-    }
-}
-/**
- * Comprehensive definitions of government and defense products/systems
- * offered by major tech companies. Essential for understanding:
- * - Attack surface for government targets
- * - Data sharing agreements and access points
- * - Compliance frameworks and certifications
- * - Potential surveillance/backdoor vectors
- */
-export interface GovDefenseProduct {
-    id: string;
-    name: string;
-    vendor: InvestigationTarget;
-    category: 'cloud' | 'productivity' | 'security' | 'ai_ml' | 'communications' | 'infrastructure' | 'analytics' | 'identity' | 'hardware' | 'services';
-    subcategory?: string;
-    description: string;
-    targetCustomers: ('federal' | 'dod' | 'ic' | 'state_local' | 'defense_contractors' | 'allied_nations')[];
-    certifications: string[];
-    dataResidency: string[];
-    knownContracts?: string[];
-    securityConcerns: string[];
-    accessPoints: string[];
-    integrations: string[];
-}
-export interface GovDefenseVendorProfile {
-    vendor: InvestigationTarget;
-    govDivision?: string;
-    annualGovRevenue?: string;
-    fedRampStatus: string[];
-    primaryContracts: string[];
-    products: GovDefenseProduct[];
-    dataAccessCapabilities: string[];
-    knownBackdoors: string[];
-    lawEnforcementCooperation: string;
-}
-export declare const GOOGLE_GOV_PRODUCTS: GovDefenseProduct[];
-export declare const GOOGLE_GOV_PROFILE: GovDefenseVendorProfile;
-export declare const APPLE_GOV_PRODUCTS: GovDefenseProduct[];
-export declare const APPLE_GOV_PROFILE: GovDefenseVendorProfile;
-export declare const MICROSOFT_GOV_PRODUCTS: GovDefenseProduct[];
-export declare const MICROSOFT_GOV_PROFILE: GovDefenseVendorProfile;
-export declare const AMAZON_GOV_PRODUCTS: GovDefenseProduct[];
-export declare const AMAZON_GOV_PROFILE: GovDefenseVendorProfile;
-export declare const META_GOV_PRODUCTS: GovDefenseProduct[];
-export declare const META_GOV_PROFILE: GovDefenseVendorProfile;
-export declare const GOV_DEFENSE_VENDOR_REGISTRY: GovDefenseVendorProfile[];
-export declare const ALL_GOV_DEFENSE_PRODUCTS: GovDefenseProduct[];
-/**
- * Get all government products for a specific vendor.
- */
-export declare function getGovProductsByVendor(vendor: InvestigationTarget): GovDefenseProduct[];
-/**
- * Get government vendor profile.
- */
-export declare function getGovVendorProfile(vendor: InvestigationTarget): GovDefenseVendorProfile | undefined;
-/**
- * Get all products matching a category.
- */
-export declare function getGovProductsByCategory(category: GovDefenseProduct['category']): GovDefenseProduct[];
-/**
- * Get all products with specific certification.
- */
-export declare function getGovProductsByCertification(certification: string): GovDefenseProduct[];
-/**
- * Get all products targeting specific customer type.
- */
-export declare function getGovProductsByCustomerType(customerType: 'federal' | 'dod' | 'ic' | 'state_local' | 'defense_contractors' | 'allied_nations'): GovDefenseProduct[];
-/**
- * Get security concerns summary across all vendors.
- */
-export declare function getSecurityConcernsSummary(): Record<string, string[]>;
-/**
- * Get access points summary - how vendors can access government data.
- */
-export declare function getAccessPointsSummary(): Record<string, string[]>;
-//# sourceMappingURL=unifiedFraudOrchestrator.d.ts.map