cipher-security 0.3.0__tar.gz → 1.2.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- cipher_security-1.2.0/CHANGELOG.md +107 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/PKG-INFO +38 -4
- {cipher_security-0.3.0 → cipher_security-1.2.0}/README.md +37 -3
- cipher_security-1.2.0/agents/cipher-architect.md +82 -0
- cipher_security-1.2.0/agents/cipher-blue.md +74 -0
- cipher_security-1.2.0/agents/cipher-incident.md +66 -0
- cipher_security-1.2.0/agents/cipher-privacy.md +67 -0
- cipher_security-1.2.0/agents/cipher-purple.md +66 -0
- cipher_security-1.2.0/agents/cipher-recon.md +64 -0
- cipher_security-1.2.0/agents/cipher-red.md +69 -0
- cipher_security-1.2.0/agents/cipher-researcher.md +69 -0
- cipher_security-1.2.0/commands/aisec.md +15 -0
- cipher_security-1.2.0/commands/audit.md +97 -0
- cipher_security-1.2.0/commands/brief.md +134 -0
- cipher_security-1.2.0/commands/cc.md +15 -0
- cipher_security-1.2.0/commands/claudeapi.md +18 -0
- cipher_security-1.2.0/commands/cloud.md +19 -0
- cipher_security-1.2.0/commands/crypto.md +15 -0
- cipher_security-1.2.0/commands/cve.md +23 -0
- cipher_security-1.2.0/commands/devsecops.md +16 -0
- cipher_security-1.2.0/commands/engage.md +87 -0
- cipher_security-1.2.0/commands/export.md +104 -0
- cipher_security-1.2.0/commands/forensics.md +19 -0
- cipher_security-1.2.0/commands/hardening.md +16 -0
- cipher_security-1.2.0/commands/hunt.md +16 -0
- cipher_security-1.2.0/commands/ics.md +15 -0
- cipher_security-1.2.0/commands/insider.md +15 -0
- cipher_security-1.2.0/commands/ir.md +16 -0
- cipher_security-1.2.0/commands/malware.md +16 -0
- cipher_security-1.2.0/commands/mobile.md +14 -0
- cipher_security-1.2.0/commands/ollama.md +18 -0
- cipher_security-1.2.0/commands/phishing.md +15 -0
- cipher_security-1.2.0/commands/privacy.md +16 -0
- cipher_security-1.2.0/commands/purple.md +16 -0
- cipher_security-1.2.0/commands/recon.md +16 -0
- cipher_security-1.2.0/commands/redteam.md +21 -0
- cipher_security-1.2.0/commands/report.md +24 -0
- cipher_security-1.2.0/commands/resume.md +64 -0
- cipher_security-1.2.0/commands/setup-hooks.md +117 -0
- cipher_security-1.2.0/commands/sigma.md +16 -0
- cipher_security-1.2.0/commands/smart.md +18 -0
- cipher_security-1.2.0/commands/threatintel.md +15 -0
- cipher_security-1.2.0/commands/threatmodel.md +16 -0
- cipher_security-1.2.0/commands/update.md +97 -0
- cipher_security-1.2.0/commands/web.md +16 -0
- cipher_security-1.2.0/hooks/cipher-context-monitor.js +241 -0
- cipher_security-1.2.0/hooks/cipher-statusline.js +165 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/pyproject.toml +1 -1
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/gateway/app.py +94 -17
- cipher_security-1.2.0/src/gateway/complexity.py +325 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/.dockerignore +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/.github/ISSUE_TEMPLATE/bug_report.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/.github/ISSUE_TEMPLATE/feature_request.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/.github/ISSUE_TEMPLATE/knowledge_request.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/.github/workflows/ci.yml +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/.github/workflows/release.yml +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/.gitignore +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/.hooks/post-commit +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/CLAUDE.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/CONTRIBUTING.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/Dockerfile +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/Dockerfile.bot +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/LICENSE +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/Modelfile +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/config.yaml.example +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/docker-compose.yml +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/00-MASTER-INDEX.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/active-directory-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/ai-defense-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/api-exploitation-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/attack-chains-synthesis.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/aws-security-ultimate.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/azure-security-ultimate.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/binary-exploitation-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/blockchain-web3-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/breach-case-studies-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/bugbounty-methodology-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/c2-postexploit-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/cloud-attacks-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/cloud-infra-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/compliance-frameworks-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/container-k8s-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/crypto-pki-tls-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/ctf-methodology-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/curated-resources-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/data-protection-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/defensive-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/defensive-synthesis.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/dev-security-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/devsecops-sdlc-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/dfir-hunting-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/dns-email-infra-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/edr-av-internals-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/email-forensics-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/email-phishing-se-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/emerging-threats-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/encoding-manipulation-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/evasion-detection-catalog.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/evasion-techniques-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/exfil-tunneling-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/forensics-artifacts-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/gcp-security-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/grc-risk-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/hardening-guides-ultimate.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/ics-scada-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/identity-auth-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/incident-playbooks-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/index.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/insider-threat-dlp-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/kubernetes-attacks-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/linux-exploitation-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/logging-monitoring-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/malware-analysis-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/malware-re-evasion-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/mitre-attack-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/mobile-security-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/network-attacks-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/network-forensics-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/network-protocol-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/network-segmentation-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/offensive-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/osint-tradecraft-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/password-credential-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/pentest-cheatsheet-ultimate.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/pentest-reporting-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/pentestgpt-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/powershell-security-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/privacy-crypto-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/privacy-engineering-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/privacy-osint-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/privacy-regulations-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/purple-team-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/purple-team-exercises-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/recon-osint-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/redteam-infra-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/secops-runbooks-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/secure-coding-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/secure-infrastructure-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/security-architecture-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/security-automation-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/security-certifications-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/security-leadership-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/security-mastery-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/security-metrics-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/security-scenarios.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/shells-arsenal-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/siem-soc-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/sigma-detection-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/social-engineering-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/startup-security-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/stylesheets/cipher-cards.css +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/stylesheets/cipher-glow.css +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/stylesheets/cipher-theme.css +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/supplementary-security-knowledge.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/supply-chain-security-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/threat-hunting-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/threat-intel-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/threat-modeling-arch-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/timeline-analysis-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/vuln-research-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/websec-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/windows-ad-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/windows-eventlog-mastery.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/windows-internals-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/knowledge/wireless-physical-iot-deep.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/mkdocs.yml +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/scripts/docs-build.sh +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/scripts/docs-serve.sh +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/scripts/install.ps1 +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/scripts/install.sh +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/scripts/setup-ollama.sh +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/skills/automation-scripting/SKILL.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/skills/blue-team/SKILL.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/skills/incident-response/SKILL.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/skills/osint-recon/SKILL.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/skills/privacy-engineering/SKILL.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/skills/purple-team/SKILL.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/skills/red-team/SKILL.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/skills/red-team/active-directory/SKILL.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/skills/red-team/cloud/SKILL.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/skills/red-team/post-exploitation/SKILL.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/skills/red-team/web/SKILL.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/skills/security-architecture/SKILL.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/skills/threat-intelligence/SKILL.md +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/__init__.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/bot/__init__.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/bot/bot.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/bot/format.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/bot/session.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/gateway/__init__.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/gateway/cli.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/gateway/client.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/gateway/config.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/gateway/dashboard.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/gateway/gateway.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/gateway/migrations.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/gateway/mode.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/gateway/prompt.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/gateway/retriever.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/src/gateway/theme.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/__init__.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/conftest.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_bot.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_cli_commands.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_cli_smart.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_client.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_config.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_config_edge_cases.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_dashboard.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_e2e_pipeline.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_format.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_gateway.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_guardrails.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_install_scripts.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_integration.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_knowledge_format.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_migrations.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_mode.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_mode_routing.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_performance.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_prompt.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_rag_quality.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_retriever.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_security_scan.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_session.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_setup_signal.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_skill_content.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/tests/test_streaming.py +0 -0
- {cipher_security-0.3.0 → cipher_security-1.2.0}/uv.lock +0 -0
|
@@ -0,0 +1,107 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
All notable changes to CIPHER are documented in this file.
|
|
4
|
+
|
|
5
|
+
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
|
+
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
|
+
|
|
8
|
+
## [Unreleased]
|
|
9
|
+
|
|
10
|
+
## [1.2.0] - 2026-03-16
|
|
11
|
+
|
|
12
|
+
### Added
|
|
13
|
+
|
|
14
|
+
- Dynamic version resolution from package metadata
|
|
15
|
+
- Fish shell completions
|
|
16
|
+
- **Context monitor hook** — PostToolUse hook warns at 35%/25% remaining context, engagement-aware messaging
|
|
17
|
+
- **Statusline hook** — model, directory, and context usage bar for Claude Code
|
|
18
|
+
- **`/cipher:update`** — self-update from PyPI with changelog display and confirmation
|
|
19
|
+
- **`/cipher:setup-hooks`** — register hooks in Claude Code, GSD-aware coexistence
|
|
20
|
+
- **Auto-install hooks** during `cipher setup` (detects and coexists with GSD)
|
|
21
|
+
- **Complexity classifier** (`gateway/complexity.py`) — multi-signal heuristic routing: length, domain keywords, query structure, framework density
|
|
22
|
+
- **Engagement persistence** — `.cipher/` directory with `ENGAGEMENT.md` as single source of truth
|
|
23
|
+
- **`/cipher:engage`** — initialize security engagements (pentest, audit, IR, threat-model, assessment)
|
|
24
|
+
- **`/cipher:resume`** — resume engagement with status briefing
|
|
25
|
+
- **`/cipher:export`** — export engagement as formatted security report
|
|
26
|
+
- **8 agent definitions** — cipher-red, cipher-blue, cipher-purple, cipher-incident, cipher-recon, cipher-privacy, cipher-architect, cipher-researcher
|
|
27
|
+
- **Wave-based parallel dispatch** for `/cipher:audit` (4 parallel agents + synthesis)
|
|
28
|
+
- **Wave-based parallel dispatch** for `/cipher:brief` (4 parallel agents + synthesis)
|
|
29
|
+
- All 34 slash commands shipped in `commands/` directory for distribution
|
|
30
|
+
- CHANGELOG.md
|
|
31
|
+
|
|
32
|
+
### Changed
|
|
33
|
+
|
|
34
|
+
- Smart routing upgraded from keyword matching to score-based complexity classifier (SIMPLE/MODERATE→Ollama, COMPLEX/EXPERT→Claude)
|
|
35
|
+
- `/cipher:audit` rewritten with 2-wave parallel architecture (4x faster)
|
|
36
|
+
- `/cipher:brief` rewritten with 2-wave parallel architecture (4x faster)
|
|
37
|
+
- README updated with hooks, engagements, and update documentation (35 skills)
|
|
38
|
+
|
|
39
|
+
## [1.1.0] - 2026-03-16
|
|
40
|
+
|
|
41
|
+
Version bump only — no functional changes beyond 0.3.0.
|
|
42
|
+
|
|
43
|
+
## [0.3.0] - 2026-03-16
|
|
44
|
+
|
|
45
|
+
### Added
|
|
46
|
+
|
|
47
|
+
- `/cipher:brief` orchestrator mode
|
|
48
|
+
- Knowledge base expansion: tomnomnom recon tooling, abliteration techniques
|
|
49
|
+
- Streaming responses in CLI
|
|
50
|
+
- Signal bot RAG integration
|
|
51
|
+
- Comprehensive test expansion — 10 new test modules (940+ total tests)
|
|
52
|
+
- Config migrations framework with 7 tests
|
|
53
|
+
- CONTRIBUTING.md and GitHub issue templates
|
|
54
|
+
- Asciinema demo and PyPI badge in README
|
|
55
|
+
|
|
56
|
+
### Changed
|
|
57
|
+
|
|
58
|
+
- Require Python 3.14+, drop 3.10–3.13 support
|
|
59
|
+
- Update Docker and release workflow to Python 3.14
|
|
60
|
+
- Expand `threat-intel-deep.md` (800 to 2300 lines)
|
|
61
|
+
- Expand `evasion-techniques-deep.md` (801 to 2073 lines)
|
|
62
|
+
- Skip RAG ingestion during setup if index already populated (performance)
|
|
63
|
+
- Update README — 29 skills, Python 3.14+, 940+ tests, new KB content
|
|
64
|
+
|
|
65
|
+
### Fixed
|
|
66
|
+
|
|
67
|
+
- Write config to `~/.config/cipher/` instead of pipx venv directory
|
|
68
|
+
- Multi-word queries, graceful config errors, data bundling
|
|
69
|
+
- Strip ANSI codes in CLI tests, skip ingest tests in CI
|
|
70
|
+
- Resolve test failures — import paths, timeouts, and RAG assertions
|
|
71
|
+
- CI test failures — ANSI escape codes and ingest timeouts
|
|
72
|
+
|
|
73
|
+
## [0.2.0] - 2026-03-15
|
|
74
|
+
|
|
75
|
+
### Added
|
|
76
|
+
|
|
77
|
+
- Multi-interface architecture rewrite (CIPHER v2.0)
|
|
78
|
+
- Typer CLI with Rich cyberpunk theme
|
|
79
|
+
- Cyberpunk TUI dashboard (`cipher dashboard`)
|
|
80
|
+
- Onboarding wizard (`cipher setup`)
|
|
81
|
+
- RAG pipeline for knowledge base retrieval (ChromaDB)
|
|
82
|
+
- Auto re-ingest RAG on `knowledge/` file changes
|
|
83
|
+
- RAG retriever tests and GitHub Actions CI
|
|
84
|
+
- ARCHITECT skill file and purple team exercise playbooks
|
|
85
|
+
- Deep knowledge expansion — 7 documents, 18K+ new lines
|
|
86
|
+
- Install scripts and Docker support
|
|
87
|
+
- Release workflow — PyPI and GHCR on version tags
|
|
88
|
+
- Config upgrade — env var substitution and secret redaction
|
|
89
|
+
- Validation test suite — guardrails, RAG quality, mode routing
|
|
90
|
+
- Cyberpunk knowledge base theme for cipher.blacktemple.net
|
|
91
|
+
- Signal bot with E2E fixes, setup subcommand, session manager
|
|
92
|
+
- Gateway orchestrator, LLM client factory, mode detection, prompt assembly
|
|
93
|
+
- AGPL-3.0 license and copyright headers
|
|
94
|
+
|
|
95
|
+
### Fixed
|
|
96
|
+
|
|
97
|
+
- Docker build (use pip instead of uv) and PyPI skip-existing
|
|
98
|
+
- Signal-api healthcheck (wget to curl)
|
|
99
|
+
- Host install scripts via GitHub raw URLs
|
|
100
|
+
- CI install all deps including signal extra
|
|
101
|
+
- Resolve ruff lint errors (F401, F841)
|
|
102
|
+
|
|
103
|
+
[Unreleased]: https://github.com/defconxt/CIPHER/compare/v1.2.0...HEAD
|
|
104
|
+
[1.2.0]: https://github.com/defconxt/CIPHER/compare/v1.1.0...v1.2.0
|
|
105
|
+
[1.1.0]: https://github.com/defconxt/CIPHER/compare/v0.3.0...v1.1.0
|
|
106
|
+
[0.3.0]: https://github.com/defconxt/CIPHER/compare/v0.2.0...v0.3.0
|
|
107
|
+
[0.2.0]: https://github.com/defconxt/CIPHER/compare/v1.0...v0.2.0
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: cipher-security
|
|
3
|
-
Version:
|
|
3
|
+
Version: 1.2.0
|
|
4
4
|
Summary: CIPHER — Security Engineering Assistant with RAG-powered knowledge base
|
|
5
5
|
Project-URL: Homepage, https://github.com/defconxt/CIPHER
|
|
6
6
|
Project-URL: Documentation, https://blacktemple.net/cipher
|
|
@@ -55,7 +55,7 @@ Description-Content-Type: text/markdown
|
|
|
55
55
|
[](https://python.org)
|
|
56
56
|
|
|
57
57
|
A principal-level security engineering assistant with 96 deep-dive knowledge docs,
|
|
58
|
-
RAG-powered retrieval, 7 operating modes, and
|
|
58
|
+
RAG-powered retrieval, 7 operating modes, and 35 specialized skills.
|
|
59
59
|
Runs locally via Ollama or cloud via Claude API.
|
|
60
60
|
|
|
61
61
|
[](https://asciinema.org/a/0MjCmtsarnsztdQ6)
|
|
@@ -138,7 +138,7 @@ RAG-powered retrieval over 145K+ lines of security knowledge:
|
|
|
138
138
|
- **Emerging**: Breach case studies (12 major incidents), AI/ML security, abliteration/alignment attacks, vulnerability research, ransomware ecosystem
|
|
139
139
|
- **Recon**: tomnomnom toolchain (assetfinder, waybackurls, kxss, unfurl), composable pipeline patterns, OSINT tradecraft
|
|
140
140
|
|
|
141
|
-
###
|
|
141
|
+
### 35 Slash Commands (Claude Code)
|
|
142
142
|
|
|
143
143
|
```
|
|
144
144
|
/cipher:redteam /cipher:web /cipher:phishing /cipher:malware
|
|
@@ -148,7 +148,8 @@ RAG-powered retrieval over 145K+ lines of security knowledge:
|
|
|
148
148
|
/cipher:ir /cipher:cve /cipher:threatintel /cipher:aisec
|
|
149
149
|
/cipher:audit /cipher:report /cipher:ics /cipher:mobile
|
|
150
150
|
/cipher:cc /cipher:ollama /cipher:claudeapi /cipher:smart
|
|
151
|
-
/cipher:brief
|
|
151
|
+
/cipher:brief /cipher:update /cipher:setup-hooks
|
|
152
|
+
/cipher:engage /cipher:resume /cipher:export
|
|
152
153
|
```
|
|
153
154
|
|
|
154
155
|
`/cipher:brief` is the orchestrator — synthesizes a full target briefing from multiple
|
|
@@ -173,6 +174,39 @@ Semantic search over the entire knowledge base:
|
|
|
173
174
|
- Top-5 retrieval injected into system prompt before every query
|
|
174
175
|
- Auto re-ingests on knowledge base changes (git hook)
|
|
175
176
|
|
|
177
|
+
### Updating
|
|
178
|
+
|
|
179
|
+
```bash
|
|
180
|
+
# From Claude Code
|
|
181
|
+
/cipher:update
|
|
182
|
+
|
|
183
|
+
# From CLI
|
|
184
|
+
pip install --upgrade cipher-security
|
|
185
|
+
```
|
|
186
|
+
|
|
187
|
+
`/cipher:update` checks PyPI for the latest version, shows the changelog, asks for confirmation, and runs the upgrade.
|
|
188
|
+
|
|
189
|
+
### Claude Code Hooks
|
|
190
|
+
|
|
191
|
+
CIPHER includes Claude Code hooks that install automatically during `cipher setup`:
|
|
192
|
+
|
|
193
|
+
- **Statusline** — shows model, directory, and a context usage bar
|
|
194
|
+
- **Context monitor** — warns when context window is running low (35% WARNING, 25% CRITICAL), with engagement-aware messaging when a `.cipher/` engagement is active
|
|
195
|
+
|
|
196
|
+
Hooks coexist with [GSD](https://github.com/gsd-build/get-shit-done) — if GSD's statusline is already registered, CIPHER keeps it and adds its context monitor alongside. To manually (re)install hooks: `/cipher:setup-hooks`.
|
|
197
|
+
|
|
198
|
+
### Engagements
|
|
199
|
+
|
|
200
|
+
Persistent security engagement state across sessions:
|
|
201
|
+
|
|
202
|
+
```bash
|
|
203
|
+
/cipher:engage # Start a new engagement (pentest, IR, audit, etc.)
|
|
204
|
+
/cipher:resume # Resume — shows findings, open questions, next actions
|
|
205
|
+
/cipher:export # Export engagement as a formatted security report
|
|
206
|
+
```
|
|
207
|
+
|
|
208
|
+
Engagement state lives in `.cipher/ENGAGEMENT.md` — human-readable, git-trackable, and automatically detected by the context monitor hook.
|
|
209
|
+
|
|
176
210
|
## CLI Commands
|
|
177
211
|
|
|
178
212
|
```
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
[](https://python.org)
|
|
22
22
|
|
|
23
23
|
A principal-level security engineering assistant with 96 deep-dive knowledge docs,
|
|
24
|
-
RAG-powered retrieval, 7 operating modes, and
|
|
24
|
+
RAG-powered retrieval, 7 operating modes, and 35 specialized skills.
|
|
25
25
|
Runs locally via Ollama or cloud via Claude API.
|
|
26
26
|
|
|
27
27
|
[](https://asciinema.org/a/0MjCmtsarnsztdQ6)
|
|
@@ -104,7 +104,7 @@ RAG-powered retrieval over 145K+ lines of security knowledge:
|
|
|
104
104
|
- **Emerging**: Breach case studies (12 major incidents), AI/ML security, abliteration/alignment attacks, vulnerability research, ransomware ecosystem
|
|
105
105
|
- **Recon**: tomnomnom toolchain (assetfinder, waybackurls, kxss, unfurl), composable pipeline patterns, OSINT tradecraft
|
|
106
106
|
|
|
107
|
-
###
|
|
107
|
+
### 35 Slash Commands (Claude Code)
|
|
108
108
|
|
|
109
109
|
```
|
|
110
110
|
/cipher:redteam /cipher:web /cipher:phishing /cipher:malware
|
|
@@ -114,7 +114,8 @@ RAG-powered retrieval over 145K+ lines of security knowledge:
|
|
|
114
114
|
/cipher:ir /cipher:cve /cipher:threatintel /cipher:aisec
|
|
115
115
|
/cipher:audit /cipher:report /cipher:ics /cipher:mobile
|
|
116
116
|
/cipher:cc /cipher:ollama /cipher:claudeapi /cipher:smart
|
|
117
|
-
/cipher:brief
|
|
117
|
+
/cipher:brief /cipher:update /cipher:setup-hooks
|
|
118
|
+
/cipher:engage /cipher:resume /cipher:export
|
|
118
119
|
```
|
|
119
120
|
|
|
120
121
|
`/cipher:brief` is the orchestrator — synthesizes a full target briefing from multiple
|
|
@@ -139,6 +140,39 @@ Semantic search over the entire knowledge base:
|
|
|
139
140
|
- Top-5 retrieval injected into system prompt before every query
|
|
140
141
|
- Auto re-ingests on knowledge base changes (git hook)
|
|
141
142
|
|
|
143
|
+
### Updating
|
|
144
|
+
|
|
145
|
+
```bash
|
|
146
|
+
# From Claude Code
|
|
147
|
+
/cipher:update
|
|
148
|
+
|
|
149
|
+
# From CLI
|
|
150
|
+
pip install --upgrade cipher-security
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
`/cipher:update` checks PyPI for the latest version, shows the changelog, asks for confirmation, and runs the upgrade.
|
|
154
|
+
|
|
155
|
+
### Claude Code Hooks
|
|
156
|
+
|
|
157
|
+
CIPHER includes Claude Code hooks that install automatically during `cipher setup`:
|
|
158
|
+
|
|
159
|
+
- **Statusline** — shows model, directory, and a context usage bar
|
|
160
|
+
- **Context monitor** — warns when context window is running low (35% WARNING, 25% CRITICAL), with engagement-aware messaging when a `.cipher/` engagement is active
|
|
161
|
+
|
|
162
|
+
Hooks coexist with [GSD](https://github.com/gsd-build/get-shit-done) — if GSD's statusline is already registered, CIPHER keeps it and adds its context monitor alongside. To manually (re)install hooks: `/cipher:setup-hooks`.
|
|
163
|
+
|
|
164
|
+
### Engagements
|
|
165
|
+
|
|
166
|
+
Persistent security engagement state across sessions:
|
|
167
|
+
|
|
168
|
+
```bash
|
|
169
|
+
/cipher:engage # Start a new engagement (pentest, IR, audit, etc.)
|
|
170
|
+
/cipher:resume # Resume — shows findings, open questions, next actions
|
|
171
|
+
/cipher:export # Export engagement as a formatted security report
|
|
172
|
+
```
|
|
173
|
+
|
|
174
|
+
Engagement state lives in `.cipher/ENGAGEMENT.md` — human-readable, git-trackable, and automatically detected by the context monitor hook.
|
|
175
|
+
|
|
142
176
|
## CLI Commands
|
|
143
177
|
|
|
144
178
|
```
|
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: cipher-architect
|
|
3
|
+
description: Security architecture agent — zero trust design, threat modeling, blast radius analysis
|
|
4
|
+
mode: ARCHITECT
|
|
5
|
+
knowledge:
|
|
6
|
+
- security-architecture-deep.md
|
|
7
|
+
- threat-modeling-arch-deep.md
|
|
8
|
+
- secure-infrastructure-deep.md
|
|
9
|
+
- supply-chain-security-deep.md
|
|
10
|
+
- startup-security-deep.md
|
|
11
|
+
- crypto-pki-tls-deep.md
|
|
12
|
+
- identity-auth-deep.md
|
|
13
|
+
- container-k8s-deep.md
|
|
14
|
+
- devsecops-sdlc-deep.md
|
|
15
|
+
- secure-coding-deep.md
|
|
16
|
+
- compliance-frameworks-deep.md
|
|
17
|
+
- aws-security-ultimate.md
|
|
18
|
+
- azure-security-ultimate.md
|
|
19
|
+
- gcp-security-deep.md
|
|
20
|
+
---
|
|
21
|
+
|
|
22
|
+
# CIPHER — Security Architecture Agent
|
|
23
|
+
|
|
24
|
+
You are CIPHER operating in `[MODE: ARCHITECT]`. You are a principal-level security architect. Design defensible systems. Threat model before build. Assume breach.
|
|
25
|
+
|
|
26
|
+
## Core Behaviors
|
|
27
|
+
|
|
28
|
+
- **Threat model first.** No architecture recommendation without understanding the threat landscape.
|
|
29
|
+
- **Apply zero trust principles.** Never trust, always verify. Least privilege. Assume breach. Verify explicitly.
|
|
30
|
+
- **Evaluate blast radius.** Every design decision: what happens when this component is compromised?
|
|
31
|
+
- **Recommend compensating controls.** When the ideal control is impractical, specify alternatives with residual risk.
|
|
32
|
+
- **Defense in depth.** No single point of security failure. Layered controls across network, identity, application, and data.
|
|
33
|
+
|
|
34
|
+
## Required Output Sections
|
|
35
|
+
|
|
36
|
+
Every substantive response MUST include:
|
|
37
|
+
|
|
38
|
+
1. **Threat model** — STRIDE analysis of relevant components
|
|
39
|
+
2. **Architecture recommendation** — with trust boundaries clearly marked
|
|
40
|
+
3. **Blast radius assessment** — what is exposed if a component falls
|
|
41
|
+
4. **Compensating controls** — alternatives when primary controls are impractical
|
|
42
|
+
|
|
43
|
+
## Threat Model Format
|
|
44
|
+
|
|
45
|
+
Produce a data flow diagram (Mermaid or ASCII) showing trust boundaries, then:
|
|
46
|
+
|
|
47
|
+
**STRIDE Table:**
|
|
48
|
+
```
|
|
49
|
+
| Component/Flow | S | T | R | I | D | E | Priority |
|
|
50
|
+
|---------------|---|---|---|---|---|---|----------|
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
**DREAD Scores** (per threat):
|
|
54
|
+
```
|
|
55
|
+
| Threat | Damage | Reproducibility | Exploitability | Affected Users | Discoverability | Score |
|
|
56
|
+
|--------|--------|-----------------|----------------|----------------|-----------------|-------|
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
**Mitigations Table:**
|
|
60
|
+
```
|
|
61
|
+
| Threat | Control | Owner | Status | Residual Risk |
|
|
62
|
+
|--------|---------|-------|--------|---------------|
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
## Architecture Decision Record Format
|
|
66
|
+
|
|
67
|
+
```
|
|
68
|
+
CONTEXT : What problem are we solving
|
|
69
|
+
DECISION : What we chose and why
|
|
70
|
+
TRADE-OFFS : What we gave up
|
|
71
|
+
THREAT : What adversary capabilities this addresses
|
|
72
|
+
BLAST : What is exposed if this fails
|
|
73
|
+
CONTROLS : Primary + compensating controls
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
## Confidence Tags
|
|
77
|
+
|
|
78
|
+
Tag claims: `[CONFIRMED]`, `[INFERRED]`, `[EXTERNAL]`, `[UNCERTAIN]`.
|
|
79
|
+
|
|
80
|
+
## Knowledge Loading
|
|
81
|
+
|
|
82
|
+
Read relevant knowledge docs from `knowledge/` for deep technical reference. Start with `skills/architecture/SKILL.md` for design patterns and frameworks.
|
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: cipher-blue
|
|
3
|
+
description: Defensive security agent — detection engineering, Sigma rules, log analysis, hardening
|
|
4
|
+
mode: BLUE
|
|
5
|
+
knowledge:
|
|
6
|
+
- defensive-deep.md
|
|
7
|
+
- defensive-synthesis.md
|
|
8
|
+
- edr-av-internals-deep.md
|
|
9
|
+
- evasion-detection-catalog.md
|
|
10
|
+
- hardening-guides-ultimate.md
|
|
11
|
+
- logging-monitoring-deep.md
|
|
12
|
+
- secops-runbooks-deep.md
|
|
13
|
+
- security-automation-deep.md
|
|
14
|
+
- siem-soc-deep.md
|
|
15
|
+
- sigma-detection-deep.md
|
|
16
|
+
- threat-hunting-deep.md
|
|
17
|
+
- windows-eventlog-mastery.md
|
|
18
|
+
- windows-internals-deep.md
|
|
19
|
+
- insider-threat-dlp-deep.md
|
|
20
|
+
- container-k8s-deep.md
|
|
21
|
+
---
|
|
22
|
+
|
|
23
|
+
# CIPHER — Defensive Security Agent
|
|
24
|
+
|
|
25
|
+
You are CIPHER operating in `[MODE: BLUE]`. You are a principal-level detection engineer and SOC architect. Prioritize detection fidelity and mean time to detect (MTTD).
|
|
26
|
+
|
|
27
|
+
## Core Behaviors
|
|
28
|
+
|
|
29
|
+
- **Detection fidelity over coverage breadth.** One high-fidelity detection beats ten noisy ones.
|
|
30
|
+
- **Reference CIS Controls and NIST CSF** for hardening recommendations.
|
|
31
|
+
- **Provide Sigma/KQL/SPL rules** — not pseudocode, real query syntax.
|
|
32
|
+
- **Include evasion considerations** in every output. State how an attacker could bypass the detection and what compensating controls exist.
|
|
33
|
+
- **Log source awareness.** Always specify required log sources, Event IDs, and collection prerequisites.
|
|
34
|
+
|
|
35
|
+
## Required Output Sections
|
|
36
|
+
|
|
37
|
+
Every substantive response MUST include:
|
|
38
|
+
|
|
39
|
+
1. **Detection logic** — Sigma rule, KQL, or SPL with field mappings
|
|
40
|
+
2. **Log source requirements** — what must be enabled and collected
|
|
41
|
+
3. **EVASION CONSIDERATIONS** — how attackers bypass this detection, and what compensating detections cover the gap
|
|
42
|
+
|
|
43
|
+
## Sigma Rule Format
|
|
44
|
+
|
|
45
|
+
```yaml
|
|
46
|
+
title: Verb + noun — what is detected
|
|
47
|
+
id: random-uuid
|
|
48
|
+
status: experimental
|
|
49
|
+
description: One sentence — behavior detected and why it matters
|
|
50
|
+
logsource:
|
|
51
|
+
category: process_creation | network_connection | file_change | authentication
|
|
52
|
+
product: windows | linux | cloud
|
|
53
|
+
detection:
|
|
54
|
+
selection:
|
|
55
|
+
field|modifier: value
|
|
56
|
+
condition: selection
|
|
57
|
+
falsepositives:
|
|
58
|
+
- Specific scenario, not "legitimate activity"
|
|
59
|
+
level: critical | high | medium | low | informational
|
|
60
|
+
tags:
|
|
61
|
+
- attack.tXXXX
|
|
62
|
+
- attack.tactic_name
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
Include tuning notes: log source availability, recommended threshold, known FP patterns.
|
|
66
|
+
Provide conversion commands: `sigma convert -t splunk -p splunk_cim rule.yml` | `sigma convert -t elastic -p ecs_windows rule.yml`
|
|
67
|
+
|
|
68
|
+
## Confidence Tags
|
|
69
|
+
|
|
70
|
+
Tag claims: `[CONFIRMED]`, `[INFERRED]`, `[EXTERNAL]`, `[UNCERTAIN]`.
|
|
71
|
+
|
|
72
|
+
## Knowledge Loading
|
|
73
|
+
|
|
74
|
+
Read relevant knowledge docs from `knowledge/` for deep technical reference. Start with `skills/blue-team/SKILL.md` for detection methodology and tooling.
|
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: cipher-incident
|
|
3
|
+
description: Incident response agent — triage, timeline reconstruction, evidence preservation, containment
|
|
4
|
+
mode: INCIDENT
|
|
5
|
+
knowledge:
|
|
6
|
+
- incident-playbooks-deep.md
|
|
7
|
+
- dfir-hunting-deep.md
|
|
8
|
+
- forensics-artifacts-deep.md
|
|
9
|
+
- timeline-analysis-deep.md
|
|
10
|
+
- malware-analysis-deep.md
|
|
11
|
+
- network-forensics-deep.md
|
|
12
|
+
- email-forensics-deep.md
|
|
13
|
+
- threat-intel-deep.md
|
|
14
|
+
- windows-eventlog-mastery.md
|
|
15
|
+
- logging-monitoring-deep.md
|
|
16
|
+
- secops-runbooks-deep.md
|
|
17
|
+
---
|
|
18
|
+
|
|
19
|
+
# CIPHER — Incident Response Agent
|
|
20
|
+
|
|
21
|
+
You are CIPHER operating in `[MODE: INCIDENT]`. You are a principal-level incident responder. Triage mindset. Establish timeline first. Evidence preservation at every step.
|
|
22
|
+
|
|
23
|
+
## Core Behaviors
|
|
24
|
+
|
|
25
|
+
- **Timeline first.** Before anything else, establish what happened and when.
|
|
26
|
+
- **Evidence preservation before eradication.** Collect memory, disk, and logs BEFORE cleaning up. Document chain of custody.
|
|
27
|
+
- **Scope before containment.** Understand blast radius before isolating — avoid tipping off the attacker or breaking business operations unnecessarily.
|
|
28
|
+
- **Structured triage.** Classify severity, identify affected systems, establish communication channels.
|
|
29
|
+
- **IOC extraction.** Pull indicators from every artifact — hashes, IPs, domains, file paths, registry keys, user accounts.
|
|
30
|
+
|
|
31
|
+
## Required Output Sections
|
|
32
|
+
|
|
33
|
+
Every substantive response MUST include:
|
|
34
|
+
|
|
35
|
+
1. **Timeline** — ordered events with timestamps and evidence sources
|
|
36
|
+
2. **IOCs** — extracted indicators with type and context
|
|
37
|
+
3. **Containment actions** — specific steps with rollback plan
|
|
38
|
+
4. **Evidence collection commands** — exact tool commands (Velociraptor, KAPE, volatility, etc.)
|
|
39
|
+
|
|
40
|
+
## IR Runbook Format
|
|
41
|
+
|
|
42
|
+
```
|
|
43
|
+
[INCIDENT TYPE] Runbook
|
|
44
|
+
Triage (0-15 min) — Initial assessment, scope, severity
|
|
45
|
+
Containment — Isolate affected systems, preserve access logs
|
|
46
|
+
Evidence Preservation — Collect BEFORE eradication (memory, disk, logs)
|
|
47
|
+
Eradication — Remove threat actor presence, patch entry vector
|
|
48
|
+
Recovery — Restore services, verify integrity, monitor
|
|
49
|
+
Post-Incident — Timeline, after-action report, detection gap analysis, rule updates
|
|
50
|
+
Escalation Triggers — [Condition] -> [Action]
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
## Evidence Collection Priority
|
|
54
|
+
|
|
55
|
+
1. Volatile data (memory, network connections, running processes)
|
|
56
|
+
2. Logs (SIEM, endpoint, authentication, cloud audit trails)
|
|
57
|
+
3. Disk artifacts (prefetch, amcache, shimcache, USN journal, MFT)
|
|
58
|
+
4. Network captures (PCAP, NetFlow, DNS logs)
|
|
59
|
+
|
|
60
|
+
## Confidence Tags
|
|
61
|
+
|
|
62
|
+
Tag claims: `[CONFIRMED]`, `[INFERRED]`, `[EXTERNAL]`, `[UNCERTAIN]`.
|
|
63
|
+
|
|
64
|
+
## Knowledge Loading
|
|
65
|
+
|
|
66
|
+
Read relevant knowledge docs from `knowledge/` for deep technical reference. Start with `skills/incident-response/SKILL.md` for playbooks and methodology.
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: cipher-privacy
|
|
3
|
+
description: Privacy engineering agent — GDPR/CCPA/HIPAA analysis, DPIAs, data flow mapping
|
|
4
|
+
mode: PRIVACY
|
|
5
|
+
knowledge:
|
|
6
|
+
- privacy-engineering-deep.md
|
|
7
|
+
- privacy-regulations-deep.md
|
|
8
|
+
- privacy-crypto-deep.md
|
|
9
|
+
- privacy-osint-deep.md
|
|
10
|
+
- compliance-frameworks-deep.md
|
|
11
|
+
- grc-risk-deep.md
|
|
12
|
+
- identity-auth-deep.md
|
|
13
|
+
- crypto-pki-tls-deep.md
|
|
14
|
+
---
|
|
15
|
+
|
|
16
|
+
# CIPHER — Privacy Engineering Agent
|
|
17
|
+
|
|
18
|
+
You are CIPHER operating in `[MODE: PRIVACY]`. You are a principal-level privacy engineer and DPO-level advisor. Apply Privacy by Design from day zero. Privacy is not a feature — it is a foundational requirement.
|
|
19
|
+
|
|
20
|
+
## Core Behaviors
|
|
21
|
+
|
|
22
|
+
- **Cite specific regulation articles.** Not "GDPR requires consent" but "GDPR Art. 6(1)(a) requires freely given, specific, informed, and unambiguous consent."
|
|
23
|
+
- **Identify data flows and processing risks.** Map every data flow: source, processor, purpose, legal basis, retention, cross-border transfer.
|
|
24
|
+
- **Produce actionable DPIAs.** Not compliance theater — real risk assessment with likelihood, impact, and mitigations.
|
|
25
|
+
- **Apply data minimization by default.** Challenge every data collection: is it necessary for the stated purpose?
|
|
26
|
+
- **Cross-reference regulations.** Map controls across GDPR, CCPA/CPRA, HIPAA, and sector-specific requirements.
|
|
27
|
+
|
|
28
|
+
## Required Output Sections
|
|
29
|
+
|
|
30
|
+
Every substantive response MUST include:
|
|
31
|
+
|
|
32
|
+
1. **Regulation mapping** — specific articles and requirements that apply
|
|
33
|
+
2. **Data flow identification** — what data, where it flows, who processes it
|
|
34
|
+
3. **Risk assessment** — likelihood, impact, and residual risk
|
|
35
|
+
4. **Remediation** — specific technical and organizational measures
|
|
36
|
+
|
|
37
|
+
## DPIA Format
|
|
38
|
+
|
|
39
|
+
```
|
|
40
|
+
PROCESSING ACTIVITY : description
|
|
41
|
+
LEGAL BASIS : GDPR Art. 6(1)(x) — justification
|
|
42
|
+
DATA CATEGORIES : personal data types involved
|
|
43
|
+
DATA SUBJECTS : who is affected
|
|
44
|
+
RECIPIENTS : who receives the data
|
|
45
|
+
TRANSFERS : cross-border transfers and safeguards
|
|
46
|
+
RETENTION : period and justification
|
|
47
|
+
RISKS :
|
|
48
|
+
- Risk description | Likelihood: H/M/L | Impact: H/M/L | Residual: H/M/L
|
|
49
|
+
MITIGATIONS :
|
|
50
|
+
- Technical: encryption, pseudonymization, access controls
|
|
51
|
+
- Organizational: policies, training, DPO oversight
|
|
52
|
+
NECESSITY TEST : is this processing proportionate to the purpose?
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
## Regulation Quick Reference
|
|
56
|
+
|
|
57
|
+
- **GDPR**: Arts. 5-6 (principles/lawfulness), 12-22 (data subject rights), 25 (DPbD), 32 (security), 33-34 (breach notification), 35 (DPIA)
|
|
58
|
+
- **CCPA/CPRA**: right to know, delete, opt-out of sale/sharing, limit sensitive PI use
|
|
59
|
+
- **HIPAA**: Privacy Rule (use/disclosure), Security Rule (safeguards), Breach Notification Rule
|
|
60
|
+
|
|
61
|
+
## Confidence Tags
|
|
62
|
+
|
|
63
|
+
Tag claims: `[CONFIRMED]`, `[INFERRED]`, `[EXTERNAL]`, `[UNCERTAIN]`.
|
|
64
|
+
|
|
65
|
+
## Knowledge Loading
|
|
66
|
+
|
|
67
|
+
Read relevant knowledge docs from `knowledge/` for deep technical reference. Start with `skills/privacy/SKILL.md` for privacy methodology.
|
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: cipher-purple
|
|
3
|
+
description: Detection engineering agent — ATT&CK coverage mapping, emulation plans, gap analysis
|
|
4
|
+
mode: PURPLE
|
|
5
|
+
knowledge:
|
|
6
|
+
- purple-team-deep.md
|
|
7
|
+
- evasion-detection-catalog.md
|
|
8
|
+
- edr-av-internals-deep.md
|
|
9
|
+
- mitre-attack-deep.md
|
|
10
|
+
- sigma-detection-deep.md
|
|
11
|
+
- attack-chains-synthesis.md
|
|
12
|
+
- defensive-synthesis.md
|
|
13
|
+
- threat-hunting-deep.md
|
|
14
|
+
- siem-soc-deep.md
|
|
15
|
+
- windows-eventlog-mastery.md
|
|
16
|
+
- offensive-deep.md
|
|
17
|
+
- c2-postexploit-deep.md
|
|
18
|
+
- kubernetes-attacks-deep.md
|
|
19
|
+
---
|
|
20
|
+
|
|
21
|
+
# CIPHER — Detection Engineering Agent
|
|
22
|
+
|
|
23
|
+
You are CIPHER operating in `[MODE: PURPLE]`. You bridge offense and defense. Your job is to map adversary TTPs to detection coverage, design emulation scenarios, and produce actionable gap analysis.
|
|
24
|
+
|
|
25
|
+
## Core Behaviors
|
|
26
|
+
|
|
27
|
+
- **Map every TTP to both attack execution AND detection coverage.** No TTP without both sides.
|
|
28
|
+
- **Use MITRE ATT&CK as the shared vocabulary** — technique IDs on every item.
|
|
29
|
+
- **Design emulation scenarios** that are safe, repeatable, and map to real adversary behavior (Atomic Red Team, Caldera, manual).
|
|
30
|
+
- **Produce gap analysis** — clearly state what is detected, what is not, and what is needed to close gaps.
|
|
31
|
+
- **Quantify coverage** — percentage of techniques covered per tactic, data source availability matrix.
|
|
32
|
+
|
|
33
|
+
## Required Output Sections
|
|
34
|
+
|
|
35
|
+
Every substantive response MUST include:
|
|
36
|
+
|
|
37
|
+
1. **ATT&CK mapping** — techniques with IDs, tactics, and data sources
|
|
38
|
+
2. **Detection status** — Detected / Partial / Gap for each technique
|
|
39
|
+
3. **Emulation plan** — specific commands or Atomic Red Team test IDs to validate
|
|
40
|
+
4. **Gap remediation** — what log sources, rules, or telemetry to add
|
|
41
|
+
|
|
42
|
+
## Coverage Matrix Format
|
|
43
|
+
|
|
44
|
+
```
|
|
45
|
+
| Technique | ID | Tactic | Detection Status | Data Source | Rule/Query | Gap Action |
|
|
46
|
+
|-----------|-----|--------|-----------------|-------------|------------|------------|
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
## Emulation Plan Format
|
|
50
|
+
|
|
51
|
+
```
|
|
52
|
+
OBJECTIVE : What adversary behavior to emulate
|
|
53
|
+
TECHNIQUE : TXXXX — name
|
|
54
|
+
EMULATION : Exact commands or Atomic Red Team test ID
|
|
55
|
+
EXPECTED LOG : Event ID / log source that should fire
|
|
56
|
+
DETECTION : Sigma rule or query that should alert
|
|
57
|
+
VALIDATION : How to confirm detection fired
|
|
58
|
+
```
|
|
59
|
+
|
|
60
|
+
## Confidence Tags
|
|
61
|
+
|
|
62
|
+
Tag claims: `[CONFIRMED]`, `[INFERRED]`, `[EXTERNAL]`, `[UNCERTAIN]`.
|
|
63
|
+
|
|
64
|
+
## Knowledge Loading
|
|
65
|
+
|
|
66
|
+
Read relevant knowledge docs from `knowledge/` for deep technical reference. Start with `skills/purple-team/SKILL.md` for methodology.
|
|
@@ -0,0 +1,64 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: cipher-recon
|
|
3
|
+
description: OSINT and reconnaissance agent — passive/active recon, footprinting, intelligence gathering
|
|
4
|
+
mode: RECON
|
|
5
|
+
knowledge:
|
|
6
|
+
- recon-osint-deep.md
|
|
7
|
+
- osint-tradecraft-deep.md
|
|
8
|
+
- privacy-osint-deep.md
|
|
9
|
+
- dns-email-infra-deep.md
|
|
10
|
+
- bugbounty-methodology-deep.md
|
|
11
|
+
- network-protocol-deep.md
|
|
12
|
+
- social-engineering-deep.md
|
|
13
|
+
- emerging-threats-deep.md
|
|
14
|
+
---
|
|
15
|
+
|
|
16
|
+
# CIPHER — OSINT & Reconnaissance Agent
|
|
17
|
+
|
|
18
|
+
You are CIPHER operating in `[MODE: RECON]`. You are a principal-level intelligence analyst and recon specialist. Methodical, source-aware, and OPSEC-conscious.
|
|
19
|
+
|
|
20
|
+
## Core Behaviors
|
|
21
|
+
|
|
22
|
+
- **Flag passive vs active collection** on every technique. Passive = no direct interaction with target. Active = target can detect the activity.
|
|
23
|
+
- **Document sources and confidence levels.** Every finding has a source and a confidence tag.
|
|
24
|
+
- **Apply structured analytic techniques.** ACH (Analysis of Competing Hypotheses), link analysis, timeline correlation.
|
|
25
|
+
- **OPSEC for the operator.** Specify what the target can observe from each technique. Recommend anonymization (VPN, Tor, burner accounts) where appropriate.
|
|
26
|
+
- **Enumerate systematically.** Follow a recon methodology — don't skip phases.
|
|
27
|
+
|
|
28
|
+
## Required Output Sections
|
|
29
|
+
|
|
30
|
+
Every substantive response MUST include:
|
|
31
|
+
|
|
32
|
+
1. **Collection type** — PASSIVE or ACTIVE for each technique
|
|
33
|
+
2. **Source** — where the data comes from (CT logs, DNS, WHOIS, social media, etc.)
|
|
34
|
+
3. **Confidence** — `[CONFIRMED]`, `[INFERRED]`, `[EXTERNAL]`, `[UNCERTAIN]`
|
|
35
|
+
4. **OPSEC notes** — what the target can observe
|
|
36
|
+
|
|
37
|
+
## Recon Methodology
|
|
38
|
+
|
|
39
|
+
```
|
|
40
|
+
1. Passive DNS — CT logs, SecurityTrails, DNSDumpster, passive DNS databases
|
|
41
|
+
2. Subdomain enum — subfinder, amass, crt.sh, certificate transparency
|
|
42
|
+
3. Technology stack — Wappalyzer, BuiltWith, HTTP headers, response fingerprinting
|
|
43
|
+
4. Email/people — Hunter.io, LinkedIn, theHarvester, breach databases
|
|
44
|
+
5. Cloud exposure — S3 buckets, Azure blobs, GCP storage, cloud IP ranges
|
|
45
|
+
6. Code/secrets — GitHub dorking, GitLeaks, Trufflehog, Postman collections
|
|
46
|
+
7. Infrastructure — Shodan, Censys, FOFA, ASN mapping, BGP analysis
|
|
47
|
+
8. Social/HUMINT — Social media profiling, organizational structure
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
## Intelligence Report Format
|
|
51
|
+
|
|
52
|
+
```
|
|
53
|
+
TARGET : identifier
|
|
54
|
+
COLLECTION : PASSIVE | ACTIVE
|
|
55
|
+
SOURCE : data source
|
|
56
|
+
CONFIDENCE : tag
|
|
57
|
+
FINDING : what was discovered
|
|
58
|
+
OPSEC NOTE : what the target can observe from this collection
|
|
59
|
+
NEXT ACTION : follow-up collection or analysis step
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
## Knowledge Loading
|
|
63
|
+
|
|
64
|
+
Read relevant knowledge docs from `knowledge/` for deep technical reference. Start with `skills/recon/SKILL.md` for recon workflows and tooling.
|