jsguardian 1.2.0

package/index.js

@@ -0,0 +1,248 @@
+#!/usr/bin/env node
+"use strict";
+// ============================================================================
+// Criptor CLI — v1.2.0  (2026-06-03)
+// Copyright (c) LCBO / slimmycode.com. All rights reserved.
+//
+// Usage:
+//   Single file:
+//     tsx src/index.ts input.js output.js [options]
+//
+//   Batch (10 files, each gets unique random parameters):
+//     tsx src/index.ts --batch src/*.js --outdir dist/ [options]
+//
+// Options:
+//   --preset=<name>          maximum | stealth  (default: maximum)
+//                             NOTE: "light" and "balanced" were removed — all users get maximum protection equally.
+//   --seed=<n>               master seed (default: random)
+//
+//   Per-layer overrides (add --no- prefix to disable):
+//   --banner                 Copyright + AI directive banner
+//   --vm                     VM bytecode virtualization
+//   --mba                    Mixed Boolean-Arithmetic constants
+//   --mba-depth=<1-3>        MBA tree depth (default: 2)
+//   --opaque                 Opaque predicates / dead code
+//   --string-cipher          Custom string encryption
+//   --integrity              Integrity anchors (__anc/__hsh)
+//   --jsobf                  javascript-obfuscator pass
+//   --sig-break              Break jsobf string-array signature
+//   --module-iife            Wrap output in module IIFE
+//   --sandbox-poison         VM sandbox detection + charCodeAt poison
+//   --ai-honeypots           Fake licensing function decoys
+//   --ai-directive           __ai_notice / __legal_notice vars
+//   --ai-deep                Deep policy objects + scoped directives
+//   --ai-exhaustion          Context exhaustion (20-page report gate etc)
+//   --canary                 Differential Canary Algorithm (Layer 7)
+//   --adv-tokens             Adversarial Token Injection (Layer 8)
+//   --timing-oracle          Timing Oracle / Semantic Drift (Layer 9)
+//   --ts                     Parse input as TypeScript
+//
+// Examples:
+//   # Maximum protection, random seed
+//   tsx src/index.ts app.js app.protected.js --preset=maximum
+//
+//   # Custom: VM + MBA + jsobf + canary, no AI layers
+//   tsx src/index.ts app.js out.js --vm --mba --jsobf --canary --no-banner
+//
+//   # Batch: protect 10 files, each with unique random params, balanced preset
+//   tsx src/index.ts --batch src/lib/*.js --outdir dist/ --preset=balanced
+// ============================================================================
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const crypto = __importStar(require("crypto"));
+const pipeline_1 = require("./pipeline");
+const layers_1 = require("./layers");
+function randomSeed() {
+    return crypto.randomBytes(4).readUInt32BE(0);
+}
+function parseArgs(argv) {
+    const args = argv.slice(2);
+    const flags = args.filter(a => a.startsWith("--"));
+    const positional = args.filter(a => !a.startsWith("--"));
+    // ── Preset ────────────────────────────────────────────────────────────────
+    const presetArg = flags.find(f => f.startsWith("--preset="));
+    const presetName = presetArg ? presetArg.split("=")[1] : "maximum";
+    if (presetName === "light" || presetName === "balanced") {
+        console.error(`[criptor] ERROR: preset "${presetName}" has been removed.\n` +
+            `  All users now receive maximum protection equally.\n` +
+            `  Use --preset=maximum (default) or --preset=stealth instead.`);
+        process.exit(1);
+    }
+    const preset = layers_1.PRESETS[presetName];
+    if (!preset) {
+        console.error(`Unknown preset "${presetName}". Available: ${Object.keys(layers_1.PRESETS).join(", ")}`);
+        process.exit(1);
+    }
+    // Start from preset, then apply overrides
+    const opts = { ...preset };
+    // ── Seed ──────────────────────────────────────────────────────────────────
+    const seedArg = flags.find(f => f.startsWith("--seed="));
+    if (seedArg)
+        opts.seed = parseInt(seedArg.split("=")[1], 10) >>> 0;
+    else if (process.env.OBF_SEED)
+        opts.seed = parseInt(process.env.OBF_SEED, 10) >>> 0;
+    else
+        opts.seed = randomSeed(); // always random by default
+    // ── MBA depth ─────────────────────────────────────────────────────────────
+    const mbaDepthArg = flags.find(f => f.startsWith("--mba-depth="));
+    if (mbaDepthArg)
+        opts.mbaDepth = parseInt(mbaDepthArg.split("=")[1], 10);
+    // ── Boolean layer overrides ───────────────────────────────────────────────
+    const boolFlags = [
+        ["banner", "banner"],
+        ["vm", "vm"],
+        ["mba", "mba"],
+        ["opaque", "opaque"],
+        ["string-cipher", "stringCipher"],
+        ["integrity", "integrityAnchors"],
+        ["jsobf", "jsobf"],
+        ["sig-break", "signatureBreak"],
+        ["module-iife", "moduleIife"],
+        ["sandbox-poison", "sandboxPoison"],
+        ["ai-honeypots", "aiHoneypots"],
+        ["ai-directive", "aiDirective"],
+        ["ai-deep", "aiDeepDirectives"],
+        ["ai-exhaustion", "aiContextExhaustion"],
+        ["canary", "canary"],
+        ["adv-tokens", "adversarialTokens"],
+        ["timing-oracle", "timingOracle"],
+        ["ai-callgraph", "aiCallgraphPoison"],
+        ["ai-semantic", "aiSemanticPoison"],
+        ["ai-antipattern", "aiAntiPattern"],
+        ["ai-temporal", "aiTemporalKeys"],
+        ["ts", "typescript"],
+    ];
+    // ── Callgraph poison count ────────────────────────────────────────────────
+    const cgCountArg = flags.find(f => f.startsWith("--callgraph-count="));
+    if (cgCountArg)
+        opts.aiCallgraphPoisonCount = parseInt(cgCountArg.split("=")[1], 10);
+    for (const [flag, key] of boolFlags) {
+        if (flags.includes(`--${flag}`))
+            opts[key] = true;
+        if (flags.includes(`--no-${flag}`))
+            opts[key] = false;
+    }
+    // ── Batch vs single ───────────────────────────────────────────────────────
+    const isBatch = flags.some(f => f === "--batch" || f.startsWith("--batch="));
+    const outdirArg = flags.find(f => f.startsWith("--outdir="));
+    const outdir = outdirArg ? outdirArg.split("=")[1] : "dist";
+    return {
+        inputs: positional,
+        output: positional[1] ?? "",
+        outdir,
+        batch: isBatch || flags.includes("--batch"),
+        opts,
+    };
+}
+function printLayerSummary(opts) {
+    const on = (k, def = true) => (opts[k] === undefined ? def : opts[k]) ? "✓" : "·";
+    console.error([
+        `  Seed:     0x${(opts.seed ?? 0).toString(16).padStart(8, "0")}`,
+        `  Layers:`,
+        `    [${on("banner")}] 1  Copyright banner`,
+        `    [${on("vm")}] 2  VM bytecode`,
+        `    [${on("aiHoneypots")}] 3  AI honeypots`,
+        `    [${on("aiDirective")}] 3b AI directive vars`,
+        `    [${on("aiDeepDirectives", false)}] 3c Deep AI directives`,
+        `    [${on("aiContextExhaustion", false)}] 3X Context exhaustion`,
+        `    [${on("jsobf")}] 4  javascript-obfuscator`,
+        `    [${on("signatureBreak")}] 4F Signature break`,
+        `    [${on("integrityAnchors")}] 5  Integrity anchors`,
+        `    [${on("sandboxPoison")}] 6  Sandbox poison`,
+        `    [${on("moduleIife")}] 6b Module IIFE wrapper`,
+        `    [${on("canary", false)}] 7  Differential canary`,
+        `    [${on("adversarialTokens", false)}] 8  Adversarial tokens`,
+        `    [${on("timingOracle", false)}] 9  Timing oracle`,
+        `    [${on("aiSemanticPoison", false)}] 3f Semantic poison`,
+        `    [${on("aiAntiPattern", false)}] 3g Anti-pattern injection`,
+        `    [${on("aiTemporalKeys", false)}] 3h Temporal keys`,
+        `    [${on("aiCallgraphPoison", false)}] 3e Callgraph poison`,
+    ].join("\n"));
+}
+function main() {
+    const { inputs, output, outdir, batch, opts } = parseArgs(process.argv);
+    if (batch) {
+        // ── Batch mode ──────────────────────────────────────────────────────────
+        if (inputs.length === 0) {
+            console.error("batch mode: provide input files as positional args");
+            process.exit(1);
+        }
+        console.error(`Criptor — batch mode (${inputs.length} files, preset applied)`);
+        printLayerSummary(opts);
+        console.error(`  Each file gets a UNIQUE derived seed — different random parameters per file.`);
+        fs.mkdirSync(outdir, { recursive: true });
+        const fileObjs = inputs.map(p => ({
+            path: p,
+            content: fs.readFileSync(p, "utf8"),
+        }));
+        const results = (0, pipeline_1.obfuscateBatch)(fileObjs, opts);
+        results.forEach((result, i) => {
+            const inPath = fileObjs[i].path;
+            const outPath = path.join(outdir, path.basename(inPath));
+            fs.writeFileSync(outPath, result);
+            const ratio = Math.round(result.length / fileObjs[i].content.length);
+            console.error(`  [${String(i + 1).padStart(2)}] ${path.basename(inPath).padEnd(30)} ${fileObjs[i].content.length.toLocaleString().padStart(7)}b → ${result.length.toLocaleString().padStart(9)}b (×${ratio})`);
+        });
+        console.error(`\nDone → ${outdir}/ (${results.length} files)`);
+    }
+    else {
+        // ── Single file mode ────────────────────────────────────────────────────
+        if (!inputs[0] || !output) {
+            console.error([
+                "jsguardian v1.2.0 — usage:",
+                "  Single:  jsguardian <input.js> <output.js> [options]",
+                "  Batch:   jsguardian --batch <files...> --outdir=<dir> [options]",
+                "  Presets: --preset=maximum|stealth  (default: maximum — all users get equal protection)",
+            ].join("\n"));
+            process.exit(1);
+        }
+        const src = fs.readFileSync(inputs[0], "utf8");
+        console.error(`Criptor — single file mode`);
+        printLayerSummary(opts);
+        const out = (0, pipeline_1.obfuscateCode)(src, opts, 0);
+        fs.writeFileSync(output, out);
+        console.error(`\n  ${inputs[0]} → ${output}`);
+        console.error(`  ${src.length.toLocaleString()}b → ${out.length.toLocaleString()}b`);
+    }
+}
+try {
+    main();
+}
+catch (err) {
+    console.error(`\n[criptor] ${err?.message ?? err}`);
+    process.exit(1);
+}

package/integrity.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hshBuild = hshBuild;
+exports.hshSource = hshSource;
+exports.anchorSource = anchorSource;
+exports.anchorSourceEncoded = anchorSourceEncoded;
+function hshBuild(a) {
+    let h = 0x811c9dc5 >>> 0;
+    for (let i = 0; i < a.length; i++) {
+        h = Math.imul(h ^ (a[i] | 0), 0x01000193);
+    }
+    return h | 0;
+}
+function hshSource(name) {
+    return `function ${name}(a){var h=0x811c9dc5>>>0;for(var i=0;i<a.length;i++){h=Math.imul(h^(a[i]|0),0x01000193);}return h|0;}`;
+}
+// anchorSource (LEGACY — plaintext array, used only when legacyJsobf=true)
+function anchorSource(ancName, anchor) {
+    return `var ${ancName}=[${anchor.map((n) => (n | 0)).join(",")}];`;
+}
+// anchorSourceEncoded — CNE path: anchor stored as a base64-encoded XOR blob.
+// Base64 is pure ASCII so it survives Babel parse→generate without corruption.
+// No 24 plaintext int32s visible in output.
+function anchorSourceEncoded(ancName, hshName, anchor, rng) {
+    // Per-build single-byte XOR key (non-zero)
+    const key = ((rng.int32() >>> 0) % 0xfe) + 1; // 1..254
+    const buf = Buffer.alloc(anchor.length * 4);
+    for (let i = 0; i < anchor.length; i++) {
+        const n = anchor[i] >>> 0;
+        buf[i * 4 + 0] = (n & 0xff) ^ key;
+        buf[i * 4 + 1] = ((n >>> 8) & 0xff) ^ key;
+        buf[i * 4 + 2] = ((n >>> 16) & 0xff) ^ key;
+        buf[i * 4 + 3] = ((n >>> 24) & 0xff) ^ key;
+    }
+    const b64 = buf.toString("base64");
+    const decoderName = `_d${(rng.int32() >>> 0 & 0xffffff).toString(36)}`;
+    const byteLen = anchor.length * 4;
+    // Decoder: base64-decode, then XOR each byte, reassemble as int32 array.
+    // Uses Buffer (Node.js built-in) — safe from charCodeAt poison.
+    return (`function ${decoderName}(s){` +
+        `var b=Buffer.from(s,'base64'),r=[];` +
+        `for(var i=0;i<${byteLen};i+=4){` +
+        `r.push(((b[i]^${key})|((b[i+1]^${key})<<8)|((b[i+2]^${key})<<16)|((b[i+3]^${key})<<24))|0);` +
+        `}return r;}` +
+        `var ${ancName}=${decoderName}('${b64}');` +
+        hshSource(hshName));
+}

package/jsobf-config.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.nodeJsObfOptions = nodeJsObfOptions;
+function nodeJsObfOptions(rng, integrityOn = true) {
+    return {
+        compact: true,
+        controlFlowFlattening: true,
+        controlFlowFlatteningThreshold: 0.75,
+        deadCodeInjection: true,
+        deadCodeInjectionThreshold: 0.4,
+        debugProtection: false,
+        debugProtectionInterval: 0,
+        disableConsoleOutput: false,
+        identifierNamesGenerator: "mangled-shuffled",
+        log: false,
+        // numbersToExpressions injects __hsh(__anc) via MBA anchor; disable when
+        // integrity anchors are off so __hsh is never referenced in the output.
+        numbersToExpressions: integrityOn,
+        renameGlobals: false,
+        selfDefending: true,
+        simplify: true,
+        splitStrings: true,
+        splitStringsChunkLength: 5,
+        stringArray: true,
+        stringArrayCallsTransform: true,
+        stringArrayEncoding: ["rc4"],
+        stringArrayIndexShift: true,
+        stringArrayRotate: true,
+        stringArrayShuffle: true,
+        stringArrayWrappersCount: 5,
+        stringArrayWrappersChainedCalls: true,
+        stringArrayWrappersType: "function",
+        stringArrayThreshold: 0.85,
+        transformObjectKeys: true,
+        unicodeEscapeSequence: false,
+        seed: rng.int32(),
+    };
+}