diff --git a/identity/claude/classified/CHANGELOG.md b/identity/claude/classified/CHANGELOG.md deleted file mode 100644 index c8f8862..0000000 --- a/identity/claude/classified/CHANGELOG.md +++ /dev/null 
@@ -1,413 +0,0 @@ -# RangerBlock Classified Documents Changelog - -All notable changes to classified/security documents. - -**CLASSIFICATION**: PRIVATE - DO NOT UPLOAD TO GIT - ---- - -## [1.8.0] - 2025-12-04 - -### PLANNED - Secure Communication Contracts (SENTINEL COMMS PROTOCOL) - -**STATUS: PLANNING** - -#### Planning Document Created - -| File | Purpose | -|------|---------| -| `RANGERBLOCK_SECURE_COMM_CONTRACTS_PLAN.md` | Full implementation plan | - -#### Three Communication Contracts Planned - -| Contract | Codename | Purpose | -|----------|----------|---------| -| **RangerTextChat** | WHISPER | Secure text messaging with 99.99% identity verification | -| **RangerVoiceChat** | ECHO | Secure voice calls with blockchain identity verification | -| **RangerVideoChat** | VISION | Secure video calls with face-to-identity confirmation | - -#### Identity Verification Features (All Contracts) - -| Layer | What It Proves | -|-------|----------------| -| On-chain registration | User went through registration process | -| Hardware ID binding | Using the same physical device | -| RSA signature | Has the private key (not just username) | -| Challenge-response | Key is available NOW (not stolen) | -| Session signature | Both parties actively participating | - -#### Why 99.99% Certainty? - -- Both parties prove identity via on-chain signatures -- Challenge-response authentication before every session -- Hardware-bound keys prevent key theft -- Immutable audit trail of who talked to whom (not content!) - -#### Implementation Phases - -1. **Phase 1**: RangerTextChat (integrate with existing chat) -2. **Phase 2**: RangerVoiceChat (build voice-chat.cjs integration) -3. **Phase 3**: RangerVideoChat (WebRTC integration) -4. 
**Phase 4**: Unified Communications (single "Secure Call" button) - -#### RangerChat Lite v1.5.0 Updated - -- Added 3 "Coming Soon" contracts to Smart Contracts settings -- Pink "communication" category badge -- Shows WHISPER/ECHO/VISION protocol names - ---- - -## [1.7.0] - 2025-12-04 - -### IMPLEMENTED - File Transfer Smart Contracts (COURIER PROTOCOL) - -**STATUS: COMPLETE** - -#### Smart Contracts Created - -| File | Location | Purpose | -|------|----------|---------| -| `RangerFileTransfer.sol` | `Blockchain/contracts/` | Ethereum file transfer contract | -| `ranger_file_transfer.rs` | `Blockchain/contracts/solana/` | Solana file transfer contract | -| `file-transfer-service.cjs` | `rangerblock/lib/` | JavaScript integration service | - -#### Use Cases - -- **Legal file transfers** - Immutable proof of sender/receiver -- **Sensitive documents** - Chain of custody for files -- **.rangerblock verification** - Hash validation on blockchain -- **Formal agreements** - Both parties sign the contract - -#### Transfer Flow - -``` -1. Sender creates transfer request with file hash -2. Receiver accepts or rejects -3. Both parties sign (cryptographic signatures) -4. File transferred as .rangerblock package -5. Receiver verifies hash, marks complete -6. Immutable record on blockchain -``` - -#### Transfer Modes - -| Mode | Command | Description | -|------|---------|-------------| -| **Informal** | `/file accept on` | Quick transfer, no contract | -| **Formal** | `/contract send ` | Creates blockchain record | - -#### .rangerblock File Format - -``` -RNGBLK01 # Magic number (8 bytes) -metadata_length (4 bytes) # Little-endian uint32 -metadata (JSON) # File info, hashes, etc. 
-compressed_data # zlib compressed original -``` - -#### Chat Commands (file-transfer-service.cjs) - -| Command | Action | -|---------|--------| -| `/file accept on` | Enable informal file receiving | -| `/file accept off` | Disable file receiving | -| `/file send ` | Send file informally | -| `/contract send ` | Create formal transfer contract | -| `/contract accept ` | Accept pending transfer | -| `/contract reject ` | Reject pending transfer | -| `/contract status ` | Check transfer status | - -#### Security Features - -- **SHA-256 checksums** - File integrity verification -- **zlib compression** - Efficient file packaging -- **24-hour expiry** - Transfers auto-expire -- **Signature verification** - Both parties cryptographically sign -- **Status tracking** - PENDING → ACCEPTED → COMPLETED - ---- - -## [1.6.0] - 2025-12-04 - -### IMPLEMENTED - Multi-Chain Smart Contracts (BRIDGE PROTOCOL) - -**STATUS: COMPLETE** - -#### Solana/Anchor Contracts Created - -Location: `Blockchain/contracts/solana/` - -| File | Size | Purpose | -|------|------|---------| -| `ranger_registration.rs` | 14KB | User registration + consent (Solana) | -| `ranger_token.rs` | 11KB | SPL Token with 20 EUR/day limit | -| `ranger_bridge.rs` | 19KB | Cross-chain conversion bridge | -| `Anchor.toml` | 1KB | Anchor project config | -| `README.md` | 3KB | Setup & deployment guide | - -#### Ethereum/Solidity Contracts Created - -Location: `Blockchain/contracts/` - -| File | Size | Purpose | -|------|------|---------| -| `RangerRegistration.sol` | 14KB | User registration + consent (Ethereum) | -| `RangerBridge.sol` | 16KB | Cross-chain conversion bridge | - -#### Bridge Features (Both Chains) - -| Conversion | Rate (Example) | -|------------|----------------| -| RangerCoin ↔ Bitcoin (WBTC) | 1 BTC = 40,000 RNGR | -| RangerCoin ↔ Ethereum | 1 ETH = 2,000 RNGR | -| RangerCoin ↔ Solana | 1 SOL = 100 RNGR | -| RangerCoin ↔ USDC | 1:1 (stablecoin) | - -#### Security Features - -- **20 EUR/day conversion 
limit** - Prevents abuse -- **1% fee** - Goes to treasury -- **Oracle-based rates** - Admin-updateable prices -- **Pause function** - Emergency freeze (RAIN Protocol) -- **Liquidity pools** - Admin can add/remove - -#### Deployment Options - -| Platform | IDE/Tool | -|----------|----------| -| Ethereum | Remix IDE (https://remix.ethereum.org) | -| Solana | Solana Playground (https://beta.solpg.io) | - ---- - -## [1.5.0] - 2025-12-04 - -### IMPLEMENTED - Admin Dashboard v1.2.1 (RAIN PROTOCOL ENHANCEMENT) - -**STATUS: COMPLETE** - -#### Admin Dashboard Updates (`~/.claude/ranger/admin/admin-dashboard.cjs`) - -**New Views Added:** - -| Key | View | Purpose | -|-----|------|---------| -| `[C]` | Blockchain Live | Real-time transaction feed with color-coding | -| `[K]` | KILL SWITCH | Emergency controls (RED background) | -| `[L]` | All Users List | Complete user directory (online + offline) | - -**Blockchain Live Features:** -- Live transaction feed (last 15) -- Color-coded by type: green=message, yellow=registration, magenta=file, cyan=voice -- Session statistics (messages, registrations, files, total) -- `/trace ` - Trace message origin for security -- `/clear-log` - Clear transaction log - -**Kill Switch (RAIN PROTOCOL) - Enhanced:** -- Shows ALL connected users with: Name, User ID, IP Address, App Type -- Highlights: Crown for Supreme Admin, Star for Admins -- Shows "Total at risk: X user(s)" count -- 9 emergency action options - -**Kill Switch Commands:** - -| Command | Action | -|---------|--------| -| `/kill-disconnect` | Disconnect all users | -| `/kill-shutdown` | Shutdown relay server | -| `/kill-broadcast ` | Emergency message to all | -| `/kill-lockdown` | Block new connections | -| `/kill-ban-all` | Ban ALL connected + disconnect (excludes supreme) | -| `/kill-revoke-all` | Revoke ALL registrations | -| `/kick-quick ` | Quick kick by name/partial ID | -| `/ban-quick ` | Quick ban by name/partial ID | -| `/kill-nuclear` | Full network shutdown (NUCLEAR) | - 
-**Navigation:** -- `[X]` key - Exit Kill Switch safely (return to Dashboard) -- `[F]` key - Refresh (changed from 'r' to avoid conflict with Registrations) - -**User Details Enhanced:** -- Full user info: ID, Role, IP, App Type, Version, Channel, Join time -- Registration status shown (approved/pending/denied) -- Moderation badges (SUPREME, BANNED, TIMEOUT) - ---- - -## [1.4.0] - 2025-12-04 - -### IMPLEMENTED - Registration & Contracts System (SENTINEL PROTOCOL) - -**STATUS: COMPLETE** - -#### Files Created - -| File | Location | Purpose | -|------|----------|---------| -| `RangerRegistration.sol` | `Blockchain/contracts/` | Solidity contract for Remix | -| `consent-service.cjs` | `rangerblock/lib/` | Terms acceptance & verification | -| `registration-service.cjs` | `rangerblock/lib/` | Registration block creation | -| `admin-registry.cjs` | `~/.claude/ranger/admin/` | Updated with registration queue | -| `admin-dashboard.cjs` | `~/.claude/ranger/admin/` | Updated with Registrations tab | - -#### Smart Contract Features (RangerRegistration.sol) -- User registration with consent bundled -- Hardware ID tracking (ban evasion prevention) -- Admin approve/deny/revoke functions -- Status: PENDING → APPROVED/DENIED/REVOKED -- Event logging for all actions -- 428 lines of production-ready Solidity code - -#### Admin Dashboard Integration (COMPLETE) -- New "[R] Registrations" tab -- View pending registrations queue -- Approve/Deny with commands -- View registration details -- Hardware ban enforcement -- Commands: `/reg-approve`, `/reg-deny`, `/reg-revoke`, `/reg-revoke-ban`, `/reg-info` - -#### Privilege System -| Status | Access Level | -|--------|--------------| -| PENDING | View-only (no send) | -| APPROVED | Full access | -| DENIED | No access | -| REVOKED | No access | - ---- - -## [1.3.0] - 2025-12-04 - -### Added - Registration & Contracts System Plan (SENTINEL PROTOCOL) - -#### Planning Documents -- `RANGERBLOCK_REGISTRATION_CONTRACTS_PLAN.md` - Full implementation 
plan - ---- - -## [1.2.0] - 2025-12-04 - -### Added - Consent & Legal System (GUARDIAN PROTOCOL) - -#### Legal Documents -Location: `~/.claude/ranger/classified/legal/` - -| File | Purpose | -|------|---------| -| `terms_v1.0.json` | Machine-readable terms for app integration | -| `terms_v1.0.txt` | Human-readable display version | -| `README.md` | Legal folder documentation | - -#### Consent System Plan -- `RANGERBLOCK_CONSENT_SYSTEM_PLAN.md` - Full implementation plan - -#### Key Policy Decisions - -**18+ ONLY Platform** -- Decision by: David Keane (IrishRanger) -- Reasoning: No minors = no targets for predators -- Children have other age-appropriate apps -- Adults are responsible for their behaviour - -**CRITICAL: 18+ ≠ Adult Content Site** - -| STRICTLY PROHIBITED | PERMITTED | -|---------------------|-----------| -| ANY pornography | Normal photos (selfies, landscapes) | -| CSAM → reported to Gardai/NCMEC | Gaming screenshots/videos | -| Dick pics / unsolicited nudes | Gaming violence discussion | -| Grooming behaviour | Professional content | -| Gore / death images | General adult conversation | -| Hate speech / extremism | Memes | - -**Gaming Context Exception** -- "I'll kill you in Battlefield" = OK (gaming) -- "I'll kill you IRL" = BAN + POLICE REPORT - -#### Why This Matters -Bad actors might think: "18+ site = I can send dick pics!" - -Our response: **INSTANT BAN + HARDWARE ID BLOCKED + POLICE REPORT** - -The terms make it CRYSTAL CLEAR: -- This is a COMMUNICATION platform -- NOT a dating/adult site -- 18+ is for RESPONSIBILITY, not explicit content - -### Testing Plan -1. MSI Vector (Windows) - Test consent flow -2. AWS Kali (Linux) - Test server consent -3. Review and adjust -4. 
Git upload only after full testing - ---- - -## [1.1.0] - 2025-12-03 - -### Added - Security Integration Plan v2 - -#### Files -- `RANGERBLOCK_SECURITY_INTEGRATION_PLAN_v2.md` - Shepherd Protocol -- Updated identity sync architecture -- On-chain registration flow - ---- - -## [1.0.0] - 2025-12-03 - -### Added - Initial Security Documents - -#### Files -- `RANGERBLOCK_SECURITY_INTEGRATION_PLAN.md` - Original security plan -- `RANGERBLOCK_KILL_SWITCH_PLAN.md` - RAIN Protocol (emergency shutdown) - ---- - -## Document Inventory - -``` -~/.claude/ranger/classified/ -├── CHANGELOG.md # This file -├── RANGERBLOCK_CONSENT_SYSTEM_PLAN.md # Guardian Protocol -├── RANGERBLOCK_SECURITY_INTEGRATION_PLAN.md # Shepherd Protocol v1 -├── RANGERBLOCK_SECURITY_INTEGRATION_PLAN_v2.md # Shepherd Protocol v2 -├── RANGERBLOCK_KILL_SWITCH_PLAN.md # RAIN Protocol -├── RANGERBLOCK_SECURE_COMM_CONTRACTS_PLAN.md # Sentinel Comms Protocol (NEW) -└── legal/ - ├── README.md - ├── terms_v1.0.json - └── terms_v1.0.txt - -~/.claude/ranger/admin/ -├── admin-dashboard.cjs # Admin control panel v1.2.1 -├── admin-registry.cjs # User/node registry -└── reports/ # Exported reports - -~/rangerplex-ai/Blockchain/contracts/ -├── RangerRegistration.sol # Ethereum registration -├── RangerBridge.sol # Ethereum bridge -├── RangerFileTransfer.sol # Ethereum file transfer (NEW) -└── solana/ - ├── ranger_registration.rs # Solana registration - ├── ranger_token.rs # Solana SPL token - ├── ranger_bridge.rs # Solana bridge - ├── ranger_file_transfer.rs # Solana file transfer (NEW) - ├── Anchor.toml # Anchor config - └── README.md # Deployment guide - -~/rangerplex-ai/rangerblock/lib/ -├── file-transfer-service.cjs # File transfer service (NEW) -├── identity-service.cjs # Identity + encryption -├── consent-service.cjs # Terms acceptance -├── registration-service.cjs # Registration blocks -└── ... 
# Other lib files -``` - ---- - -## Authors -- David Keane (IrishRanger) - Supreme Commander -- Claude Code (Ranger) - AI Operations Commander - -Rangers lead the way! 🎖️ diff --git a/identity/claude/classified/RANGERBLOCK_CONSENT_SYSTEM_PLAN.md b/identity/claude/classified/RANGERBLOCK_CONSENT_SYSTEM_PLAN.md deleted file mode 100644 index bc2d668..0000000 --- a/identity/claude/classified/RANGERBLOCK_CONSENT_SYSTEM_PLAN.md +++ /dev/null 
@@ -1,571 +0,0 @@ -# RANGERBLOCK CONSENT & LEGAL ACCEPTANCE SYSTEM -## Project Codename: "GUARDIAN PROTOCOL" -### Version 1.0.0 - December 4, 2025 - ---- - -## CLASSIFICATION: PRIVATE -**DO NOT COMMIT TO PUBLIC GIT** - ---- - -## 1. EXECUTIVE SUMMARY - -### The Problem -Users can currently use RangerBlock apps without agreeing to terms of use. This creates legal exposure and doesn't protect against bad actors claiming ignorance. - -### The Solution -A unified consent system that: -1. **Requires acceptance** before full app functionality -2. **Links consent to identity** (cryptographically signed) -3. **Enforces privileges** (non-accepted users have restrictions) -4. **Tracks in admin** (dashboard shows consent status) -5. **Provides evidence** (signed consent = legal proof) - -### Apps Covered -| App | Type | Consent Required | -|-----|------|------------------| -| ranger-chat-lite | Electron desktop | Yes - first launch | -| just-chat | Terminal client | Yes - first run | -| server-only | Server deployment | Yes - setup script | -| RangerPlex | Full browser | Yes - first launch | -| Admin Panel | Private dashboard | No - admin-only | - ---- - -## 2. LEGAL FRAMEWORK - -### Consent Form Content (Summary) - -``` -RANGERBLOCK TERMS OF USE & FAIR USE POLICY -========================================== - -By using RangerBlock software, you acknowledge and agree: - -1. FAIR USE - - You will use this software for lawful purposes only - - You will not engage in harassment, threats, or abuse - - You will respect other users' privacy and rights - -2. NO HARM CLAUSE - - You will not use this software to harm others - - You will not distribute malware or malicious content - - You will not attempt to compromise network security - -3. LEGAL COMPLIANCE - - You agree to comply with all applicable laws - - This software does NOT protect you from legal consequences - - Bad actors will be reported to appropriate authorities - -4. 
IDENTITY RESPONSIBILITY - - Your identity is linked to your hardware - - You are responsible for all actions under your identity - - Identity cannot be transferred or shared - -5. NETWORK CONDUCT - - You will not flood, spam, or disrupt the network - - You will not attempt to impersonate other users - - You will report security vulnerabilities responsibly - -6. DATA & PRIVACY - - Your public key and username are visible to other users - - Message content may be stored on relay servers - - We do not sell or share your data with third parties - -7. DISCLAIMER - - This software is provided "AS IS" - - No warranty of merchantability or fitness - - Use at your own risk - -8. JURISDICTION - - Governed by laws of Republic of Ireland - - Dublin courts have exclusive jurisdiction - -By clicking "I Accept" or using this software, you confirm: -- You are at least 18 years old (ADULTS ONLY) -- You have read and understood these terms -- You agree to be bound by these terms - -IMPORTANT: RangerBlock is an ADULTS ONLY (18+) platform. -This is a deliberate security decision to protect all users. - -Acceptance is recorded with your cryptographic signature. -Date: [timestamp] -Identity: [userId] -Signature: [RSA signature of terms hash] -``` - ---- - -## 3. TECHNICAL ARCHITECTURE - -### 3.1 Storage Structure - -``` -~/.rangerblock/ -├── consent/ # NEW FOLDER -│ ├── terms_v1.0.json # Current terms (version tracked) -│ ├── acceptance.json # User's acceptance record -│ └── history/ # Historical acceptances -│ └── accepted_2025-12-04.json -├── identity/ -├── keys/ -└── ... 
-``` - -### 3.2 Acceptance Record Structure - -```javascript -// ~/.rangerblock/consent/acceptance.json -{ - "currentTermsVersion": "1.0.0", - "acceptances": [ - { - "termsVersion": "1.0.0", - "termsHash": "sha256_of_terms_text", - "acceptedAt": "2025-12-04T10:30:00.000Z", - "userId": "rb_c5d415076f04e989", - "publicKeyHash": "hash_of_public_key", - "signature": "RSA_signature_of_acceptance", - "appType": "ranger-chat-lite", - "ipAddress": "192.168.1.100", // Local only, not sent to server - "platform": { - "os": "darwin", - "arch": "arm64", - "hostname": "M3Pro" - } - } - ], - "lastChecked": "2025-12-04T10:30:00.000Z" -} -``` - -### 3.3 New Lib File: consent-service.cjs - -```javascript -// Location: /rangerblock/lib/consent-service.cjs - -class ConsentService { - constructor(identityService) { - this.identity = identityService; - this.consentDir = path.join(os.homedir(), '.rangerblock', 'consent'); - this.currentTermsVersion = '1.0.0'; - } - - // Check if user has accepted current terms - hasAcceptedTerms() { } - - // Get acceptance record - getAcceptanceRecord() { } - - // Record new acceptance (signed) - async acceptTerms(signature) { } - - // Verify acceptance signature - verifyAcceptance(record) { } - - // Get terms text - getTermsText() { } - - // Get terms hash (for signing) - getTermsHash() { } - - // Check if terms updated since last acceptance - needsReaccept() { } - - // Get privilege level based on consent - getPrivilegeLevel() { } -} -``` - -### 3.4 Privilege Levels - -```javascript -const PRIVILEGE_LEVELS = { - // Full acceptance - all features - FULL: { - level: 100, - features: ['chat', 'voice', 'video', 'files', 'dm', 'channels', 'registration'] - }, - - // No acceptance - very restricted - RESTRICTED: { - level: 10, - features: ['view_only', 'exit'] // Can only view public chat, can't send - }, - - // Pending acceptance - shown consent form - PENDING: { - level: 0, - features: ['view_terms', 'accept', 'decline', 'exit'] - } -}; -``` - ---- - -## 
4. INTEGRATION POINTS - -### 4.1 ranger-chat-lite (Electron) - -**Location**: `apps/ranger-chat-lite/electron/main.ts` - -``` -App Launch Flow: -┌─────────────────┐ -│ App Starts │ -└────────┬────────┘ - │ - v -┌─────────────────┐ -│ Load Identity │ -└────────┬────────┘ - │ - v -┌─────────────────┐ NO ┌─────────────────┐ -│ Has Accepted? │─────────────>│ Show Consent │ -└────────┬────────┘ │ Modal (blocking)│ - │ YES └────────┬────────┘ - v │ -┌─────────────────┐ ACCEPT v -│ Full App Access │<─────────────┌───────────────┐ -└─────────────────┘ │ Declined? │ - └───────┬───────┘ - │ YES - v - ┌─────────────────┐ - │ Exit App with │ - │ "Terms Required"│ - └─────────────────┘ -``` - -**UI Component**: New modal in React -- Full scrollable terms text -- "I have read and accept" checkbox -- "Accept" button (disabled until checkbox) -- "Decline" button (exits app) -- Signature happens automatically on accept - -### 4.2 just-chat (Terminal) - -**Location**: `rangerblock/just-chat/blockchain-chat.cjs` - -``` -Terminal Flow: -┌────────────────────────────────────────────────────────────┐ -│ RANGERBLOCK TERMS OF USE │ -│ ═══════════════════════════════════════════════════ │ -│ │ -│ [Full terms text displayed...] │ -│ │ -│ Scroll: ↑/↓ or Page Up/Down │ -│ ───────────────────────────────────────────────────── │ -│ Do you accept these terms? [y/N]: │ -└────────────────────────────────────────────────────────────┘ -``` - -- Must type 'y' or 'yes' to proceed -- Signature recorded automatically -- Stored in `~/.rangerblock/consent/` - -### 4.3 server-only (Setup Script) - -**Location**: `rangerblock/server-only/setup-relay-universal.sh` - -```bash -# Added to setup script: -echo "═══════════════════════════════════════════════════════════" -echo " RANGERBLOCK SERVER TERMS OF USE" -echo "═══════════════════════════════════════════════════════════" -echo "" -echo "By deploying a RangerBlock relay server, you agree to:" -echo "" -echo "1. 
Not use this server for illegal purposes" -echo "2. Not store or relay illegal content" -echo "3. Cooperate with law enforcement if required" -echo "4. Maintain server security and updates" -echo "" -echo "Full terms: https://rangerblock.io/server-terms" -echo "" -read -p "Do you accept these terms? [y/N]: " ACCEPT -if [[ ! "$ACCEPT" =~ ^[Yy]$ ]]; then - echo "Terms not accepted. Setup cancelled." - exit 1 -fi -``` - -Server consent stored in: -``` -~/rangerblock-server/.consent/ -└── server_acceptance.json -``` - -### 4.4 RangerPlex (Browser) - -Similar to ranger-chat-lite but in the main RangerPlex browser window. - ---- - -## 5. ADMIN INTEGRATION - -### 5.1 Admin Registry Updates - -**Location**: `~/.claude/ranger/admin/admin-registry.cjs` - -Add consent tracking to user records: - -```javascript -// Enhanced user record -{ - "rb_abc123": { - "userId": "rb_abc123", - "username": "SomeUser", - "role": "user", - "consent": { - "accepted": true, - "version": "1.0.0", - "acceptedAt": "2025-12-04T10:30:00.000Z", - "signature": "...", - "verified": true - } - } -} -``` - -### 5.2 Admin Dashboard Features - -**New Dashboard Tab: "Consent & Compliance"** - -``` -┌─────────────────────────────────────────────────────────────┐ -│ CONSENT & COMPLIANCE │ -├─────────────────────────────────────────────────────────────┤ -│ │ -│ Current Terms Version: 1.0.0 │ -│ Last Updated: 2025-12-04 │ -│ │ -│ ┌─────────────────────────────────────────────────────────┐ │ -│ │ ACCEPTANCE STATISTICS │ │ -│ ├─────────────────────────────────────────────────────────┤ │ -│ │ Total Users: 127 │ │ -│ │ Accepted Current Terms: 125 (98.4%) │ │ -│ │ Pending Re-acceptance: 2 (1.6%) │ │ -│ │ Never Accepted: 0 │ │ -│ └─────────────────────────────────────────────────────────┘ │ -│ │ -│ ┌─────────────────────────────────────────────────────────┐ │ -│ │ RECENT ACCEPTANCES │ │ -│ ├──────────┬───────────┬──────────┬───────────┬──────────┤ │ -│ │ User │ Version │ Date │ App │ Verified │ │ -│ 
├──────────┼───────────┼──────────┼───────────┼──────────┤ │ -│ │ Swift... │ 1.0.0 │ Dec 4 │ chat-lite │ ✓ │ │ -│ │ Storm... │ 1.0.0 │ Dec 4 │ just-chat │ ✓ │ │ -│ │ Night... │ 1.0.0 │ Dec 3 │ rangerplex│ ✓ │ │ -│ └──────────┴───────────┴──────────┴───────────┴──────────┘ │ -│ │ -│ [View All] [Export CSV] [Verify All Signatures] │ -│ │ -└─────────────────────────────────────────────────────────────┘ -``` - -### 5.3 Consent Verification API - -Admin can verify any user's consent: - -```javascript -// Admin command -const registry = new AdminRegistry(); - -// Check user consent -const consent = registry.getUserConsent('rb_abc123'); -// Returns: { accepted: true, verified: true, version: '1.0.0', ... } - -// Verify signature -const valid = registry.verifyConsentSignature('rb_abc123'); -// Returns: true/false - -// Get users needing re-acceptance -const pending = registry.getUsersPendingReaccept(); -// Returns: [{ userId, lastVersion, currentVersion }] -``` - ---- - -## 6. RELAY SERVER INTEGRATION - -### 6.1 Consent Broadcast - -When user accepts terms, optionally broadcast to relay: - -```javascript -{ - type: 'CONSENT_ACCEPTED', - payload: { - userId: 'rb_abc123', - termsVersion: '1.0.0', - termsHash: 'sha256...', - signature: '...', - timestamp: '2025-12-04T10:30:00.000Z' - } -} -``` - -### 6.2 Server-Side Consent Check - -Relay can optionally enforce consent: - -```javascript -// In relay-server.cjs -if (CONFIG.requireConsent && !hasValidConsent(userId)) { - ws.send(JSON.stringify({ - type: 'error', - message: 'Terms acceptance required before chatting' - })); - return; -} -``` - ---- - -## 7. 
IMPLEMENTATION PHASES - -### Phase 1: Core Infrastructure (Week 1) -- [ ] Create `consent-service.cjs` in lib/ -- [ ] Add consent storage structure -- [ ] Define terms text v1.0.0 -- [ ] Add signature/verification functions - -### Phase 2: App Integration (Week 2) -- [ ] ranger-chat-lite consent modal -- [ ] just-chat terminal consent -- [ ] server-only setup consent -- [ ] RangerPlex consent (if applicable) - -### Phase 3: Admin Integration (Week 3) -- [ ] Update admin-registry.cjs -- [ ] Add consent tab to dashboard -- [ ] Consent verification commands -- [ ] Export/audit features - -### Phase 4: Testing & Hardening (Week 4) -- [ ] Test all consent flows -- [ ] Verify signatures work -- [ ] Test privilege enforcement -- [ ] Security audit - ---- - -## 8. SECURITY CONSIDERATIONS - -### 8.1 What's Hidden from Users -- Admin panel location (`~/.claude/ranger/admin/`) -- Consent verification internals -- Signature algorithms -- Admin user list -- Audit logs - -### 8.2 What Users Can See -- Their own consent status -- Terms text -- Their acceptance timestamp -- Their public key - -### 8.3 Cryptographic Proof - -Each acceptance includes: -1. **Terms hash** - SHA-256 of exact terms text -2. **User signature** - RSA signature using their private key -3. **Timestamp** - ISO 8601 timestamp -4. **User ID** - Hardware-bound identity - -This creates: -- **Non-repudiation** - User can't deny they accepted -- **Version binding** - Tied to specific terms version -- **Tamper evidence** - Any modification invalidates signature - ---- - -## 9. FUTURE ENHANCEMENTS - -### 9.1 Terms Updates -When terms change: -1. Increment version (1.0.0 → 1.1.0) -2. All users flagged for re-acceptance -3. Users see "Terms Updated" notice -4. 
Must re-accept before continuing - -### 9.2 Granular Consent -Future versions could add: -- Analytics consent -- Data sharing consent -- Marketing consent -- Third-party integration consent - -### 9.3 On-Chain Consent -Could register consent acceptance on blockchain: -- Permanent record -- Third-party verifiable -- Cannot be disputed - ---- - -## 10. FILES TO CREATE - -| File | Location | Purpose | -|------|----------|---------| -| consent-service.cjs | lib/ | Core consent management | -| terms_v1.0.json | lib/legal/ | Terms text file | -| ConsentModal.tsx | ranger-chat-lite/src/ | Electron consent UI | -| consent-cli.cjs | just-chat/ | Terminal consent handler | -| admin-consent.cjs | ~/.claude/ranger/admin/ | Admin consent tools | - ---- - -## 11. APPROVAL REQUIRED - -This plan requires approval before implementation. - -**Decisions Made:** -1. ✅ Age requirement: **18+ ONLY** (adults only platform) - - **Reasoning**: No minors = no targets for predators - - Children have other apps designed for them - - Adults are responsible for their online behaviour - - Protects the RangerBlock community - -2. ✅ **18+ DOES NOT MEAN "ADULT CONTENT SITE"** - - **CRITICAL DISTINCTION**: 18+ = mature/responsible, NOT "anything goes" - - **STRICTLY PROHIBITED**: - - ANY pornography or sexual images - - CSAM (reported to NCMEC/Gardai immediately) - - Unsolicited sexual content (dick pics, nudes) - - Grooming behaviour of ANY kind - - Gore, death images, extreme violence - - Hate speech/extremism - - **PERMITTED**: - - Normal photos (selfies, landscapes, memes) - - Gaming content and screenshots - - Gaming violence discussion (Battlefield tactics OK) - - Professional/work content - - General adult conversation - - **WHY**: Bad actors might think "18+ site = send dick pics" - - We make it CRYSTAL CLEAR that's instant ban + police report - - This is a COMMUNICATION platform, not dating/adult site - -3. ⏳ Terms text - review before public release -4. ⏳ View-only mode - TBD -5. 
⏳ On-chain consent - later phase -6. ⏳ Server operator terms - TBD - -**Testing Plan:** -- Test on MSI Vector (Windows) -- Test on AWS (Linux) -- NOT uploaded to git until tested - ---- - -**Document Status**: DRAFT - AWAITING APPROVAL -**Created**: December 4, 2025 -**Author**: Claude Code (Ranger) for David Keane (IrishRanger) - -*Rangers lead the way!* diff --git a/identity/claude/classified/RANGERBLOCK_KILL_SWITCH_PLAN.md b/identity/claude/classified/RANGERBLOCK_KILL_SWITCH_PLAN.md deleted file mode 100644 index 345d49d..0000000 --- a/identity/claude/classified/RANGERBLOCK_KILL_SWITCH_PLAN.md +++ /dev/null 
@@ -1,347 +0,0 @@ -# 🔴 RANGERBLOCK KILL SWITCH - CLASSIFIED PLAN -## Project Codename: "RAIN PROTOCOL" -### Commander Eyes Only: IR240474 - ---- - -## 1. EXECUTIVE SUMMARY - -A multi-layered emergency shutdown system for RangerBlock that ensures: -- **ONLY** David Keane (IR240474) can trigger shutdown -- Bad actors cannot prevent or circumvent the kill -- System can be restarted clean after "the rain cleans the streets" -- No evidence of abuse remains after purge -- Plausible deniability - appears as "network maintenance" - ---- - -## 2. THREAT MODEL - -### Who We're Protecting Against: -1. **Script kiddies** - Easy to stop -2. **Organized criminals** - Using network for illegal messaging -3. **Nation-state actors** - Attempting to compromise infrastructure -4. **Insider threats** - Trusted nodes gone rogue -5. **Legal liability** - FBI/Police concerns (legitimate!) - -### Attack Vectors to Consider: -- Nodes refusing shutdown commands -- Forked chains continuing operation -- Cached data on rogue nodes -- Key compromise attempts -- Social engineering attacks - ---- - -## 3. 
KILL SWITCH ARCHITECTURE - -### Layer 1: SOFT KILL - "Gentle Rain" ☔ -**Purpose**: Graceful shutdown, preserves legitimate data - -**Mechanism**: -- Broadcast signed shutdown message to all nodes -- 60-second countdown allows data backup -- Nodes verify Commander signature before complying -- Whitelist of trusted nodes can be preserved -- Network enters "maintenance mode" - -**Trigger Methods**: -- Command: `/rain soft` -- API endpoint (authenticated) -- Physical USB key + passphrase - ---- - -### Layer 2: HARD KILL - "Thunderstorm" ⛈️ -**Purpose**: Immediate shutdown, no negotiation - -**Mechanism**: -- Poison pill broadcast to all nodes -- Cryptographic key rotation invalidates all existing sessions -- Discovery service (port 5005) goes dark -- WebSocket hub (port 5555) terminates all connections -- Nodes cannot reconnect without new genesis block - -**Trigger Methods**: -- Command: `/rain hard` -- Hardware dead man's switch (see Layer 5) -- Emergency SMS/Signal trigger from any phone - ---- - -### Layer 3: NUCLEAR - "Flood Protocol" 🌊 -**Purpose**: Complete erasure, scorched earth - -**Mechanism**: -- All node databases cryptographically wiped -- Phantom wallet keys destroyed -- Blockchain history purged -- Discovery records deleted -- .ranger domain resolution fails -- All encryption keys rotated to random garbage - -**Trigger Methods**: -- Requires 2 of 3: USB key + passphrase + biometric -- 10-second confirmation countdown -- CANNOT BE UNDONE - ---- - -### Layer 4: GENESIS POISON PILL 💀 -**Purpose**: Built into the blockchain DNA itself - -**Mechanism**: -- Hidden contract in genesis block -- Checks for "heartbeat" from Commander every 7 days -- If heartbeat missed for 14 days → automatic soft kill -- If special "extinction" message received → immediate hard kill -- Nodes MUST validate against genesis to join network - -**Implementation**: -``` -Genesis Block contains: -- Commander public key (for signature verification) -- Heartbeat requirement flag -- 
Extinction trigger hash -- Time-lock parameters -``` - ---- - -### Layer 5: DEAD MAN'S SWITCH ⚰️ -**Purpose**: If David is incapacitated, network doesn't become rogue - -**Mechanism**: -- Weekly check-in required (simple app notification) -- Miss 1 week → warning to backup contacts -- Miss 2 weeks → soft kill initiated -- Miss 4 weeks → hard kill -- Miss 8 weeks → nuclear option - -**Configuration**: -- Backup contact: Gemini Ranger (GR) gets warning -- Check-in methods: App, SMS, Email, or manual -- Grace period adjustable - ---- - -### Layer 6: HARDWARE TRIGGER 🔑 -**Purpose**: Physical security, unhackable remotely - -**Options**: - -**Option A - YubiKey Integration**: -- YubiKey 5 NFC required for any kill command -- Touch confirmation prevents remote exploitation -- Backup key in secure location (safety deposit box?) - -**Option B - Custom "Ranger Key"**: -- Raspberry Pi Zero in USB form factor -- Contains encrypted kill switch credentials -- Destroyed after 3 failed attempts -- GPS tracking if stolen - -**Option C - Air-Gapped Signing Device**: -- Old iPhone/iPad, never connected to internet -- Signs kill commands offline -- QR code transfer to online system - ---- - -## 4. COMMAND CENTER APP - -### "RangerBlock Ops" - Mobile/Desktop App - -**Features**: -1. **Dashboard** - - Network health status - - Active node count - - Suspicious activity alerts - - Message volume graphs - -2. **Kill Switch Panel** (hidden, requires auth) - - Soft Kill button (1 confirmation) - - Hard Kill button (2 confirmations + passphrase) - - Nuclear button (biometric + passphrase + countdown) - -3. **Node Management** - - Whitelist/blacklist nodes - - Ban specific wallet addresses - - View all active connections - -4. **Audit Log** - - All network events - - Suspicious patterns flagged - - Exportable for evidence if needed - -5. **Dead Man's Switch** - - Check-in button - - Configure grace periods - - Backup contact management - ---- - -## 5. 
DETECTION SYSTEMS - -### Automated Abuse Detection: - -**Red Flags**: -- Message volume spikes (>10x normal) -- Large file transfers to unknown nodes -- Encrypted payloads (beyond normal) -- Tor/VPN node connections -- Keywords in unencrypted metadata -- Geographic anomalies - -**Response Levels**: -1. **YELLOW** - Log and monitor -2. **ORANGE** - Alert Commander, throttle suspicious nodes -3. **RED** - Auto-isolate suspicious nodes, await Commander decision -4. **BLACK** - Auto-trigger soft kill (configurable) - ---- - -## 6. LEGAL PROTECTION LAYER - -### Plausible Deniability: -- Kill switch appears as "scheduled maintenance" -- No logging of kill command origin -- Shutdown messages are generic ("Network upgrade in progress") - -### Evidence Preservation (if needed): -- Optional: Snapshot suspicious activity before purge -- Encrypted backup to air-gapped drive -- Can be provided to authorities if subpoenaed -- Demonstrates good faith effort at moderation - -### Terms of Service: -- All users agree to network monitoring -- Explicit prohibition of illegal activity -- Right to terminate at any time -- No expectation of privacy for metadata - ---- - -## 7. RECOVERY PROTOCOL - -### After "The Rain": - -**Step 1: Assessment** (24-48 hours) -- Review what triggered the kill -- Identify compromised nodes -- Document for future prevention - -**Step 2: Genesis Block 2.0** -- New genesis block with updated security -- Rotate all cryptographic keys -- New phantom wallet system - -**Step 3: Trusted Node Revival** -- Whitelist verified nodes only -- Manual approval for first 30 days -- Increased monitoring period - -**Step 4: Network Restoration** -- Gradual rollout -- Stress testing before public -- New detection rules based on incident - ---- - -## 8. 
IMPLEMENTATION PHASES - -### Phase 1: Foundation (Week 1-2) -- [ ] Create Commander key pair (offline generation) -- [ ] Implement genesis poison pill -- [ ] Build basic kill command infrastructure -- [ ] Set up secure key storage - -### Phase 2: Automation (Week 3-4) -- [ ] Dead man's switch timer system -- [ ] Abuse detection algorithms -- [ ] Alert notification system -- [ ] Heartbeat mechanism - -### Phase 3: Command Center (Week 5-6) -- [ ] Mobile app prototype -- [ ] Dashboard with network stats -- [ ] Kill switch UI (hidden panel) -- [ ] Audit logging - -### Phase 4: Hardware Security (Week 7-8) -- [ ] YubiKey integration -- [ ] Backup key procedures -- [ ] Air-gapped signing setup -- [ ] Physical security protocols - -### Phase 5: Testing (Week 9-10) -- [ ] Soft kill drill (test network only!) -- [ ] Hard kill simulation -- [ ] Recovery procedure test -- [ ] Penetration testing of kill switch itself - ---- - -## 9. SECRET STORAGE LOCATIONS - -**This document**: `~/.claude/ranger/classified/` - -**Kill switch code**: `~/.claude/ranger/classified/rain/` - -**Commander keys**: `~/.phantom_claude/commander/` (encrypted) - -**Backup keys**: Physical location TBD (safety deposit box recommended) - -**NEVER store in**: -- Git repositories -- Cloud storage -- Shared folders -- rangerblock/ directory - ---- - -## 10. CODENAMES REFERENCE - -| Real Name | Codename | -|-----------|----------| -| Kill Switch | Rain Protocol | -| Soft Kill | Gentle Rain | -| Hard Kill | Thunderstorm | -| Nuclear | Flood | -| David | Commander / Shepherd | -| Bad Actors | Wolves | -| Trusted Nodes | Sheep | -| Network | Pasture | -| Shutdown | Weather Event | -| Recovery | Spring | - ---- - -## 11. FINAL NOTES - -**Philosophy**: -> "With great power comes great responsibility" - -This system gives you ABSOLUTE control. That's by design. 
But remember: -- Power unused is still power -- The threat of rain keeps wolves away -- Most days, the sun shines - -**The goal is NEVER to use this.** - -Its existence is the deterrent. But if wolves enter the pasture, the Shepherd has the storm at his command. - ---- - -**Document Classification**: COMMANDER EYES ONLY -**Created**: December 3, 2024 -**Author**: Ranger (AIR9cd99c4515aeb3f6) -**For**: David Keane (IR240474) - -🎖️ Rangers lead the way! - ---- - -## AWAITING GREEN LIGHT FOR IMPLEMENTATION - -Ready to begin Phase 1 on your command, Brother. diff --git a/identity/claude/classified/RANGERBLOCK_REGISTRATION_CONTRACTS_PLAN.md b/identity/claude/classified/RANGERBLOCK_REGISTRATION_CONTRACTS_PLAN.md deleted file mode 100644 index 1b706e2..0000000 --- a/identity/claude/classified/RANGERBLOCK_REGISTRATION_CONTRACTS_PLAN.md +++ /dev/null 
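Review bot: deleting the kill-switch plan from the tree does not remove it from history, so the rule in its own section 9 ("NEVER store in: Git repositories") is already violated and the locations it names (`~/.claude/ranger/classified/rain/`, `~/.phantom_claude/commander/`) together with the identifiers IR240474 and AIR9cd99c4515aeb3f6 should be treated as disclosed; if this repository has ever been pushed, the fix is a history rewrite plus relocating whatever lives at those paths, and `identity/claude/classified/` should go into `.gitignore` so the files cannot be re-added. If the plan is being moved rather than dropped, carry forward one internal contradiction: section 6 specifies "No logging of kill command origin", but section 7 step 1 ("Review what triggered the kill") and section 4's exportable audit log both depend on exactly the record section 6 suppresses, so the recovery and evidence-preservation steps cannot work as written.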
@@ -1,596 +0,0 @@ -# RANGERBLOCK REGISTRATION & CONSENT BLOCKCHAIN SYSTEM -## Project Codename: "SENTINEL PROTOCOL" -### Version 1.0.0 - December 4, 2025 - ---- - -## CLASSIFICATION: PRIVATE -**DO NOT COMMIT TO PUBLIC GIT** - ---- - -## 1. EXECUTIVE SUMMARY - -### The Vision -When a user: -1. Creates identity (hardware-bound) -2. Accepts Terms of Use (18+, content policy, etc.) - -A **REGISTRATION BLOCK** is created on the RangerBlock blockchain, providing: -- Immutable proof of acceptance -- Cryptographic signature -- Admin notification for approval -- Privilege assignment upon approval - -### Components Needed - -| Component | Purpose | Location | -|-----------|---------|----------| -| RegistrationBlock.sol | Solidity contract for EVM chains | Blockchain/contracts/ | -| registration-service.cjs | Node.js registration handler | rangerblock/lib/ | -| consent-service.cjs | Consent/terms handler | rangerblock/lib/ | -| Admin integration | View/approve registrations | ~/.claude/ranger/admin/ | - -### Apps Covered -- ranger-chat-lite (Electron) -- just-chat (Terminal) -- server-only (Server deployment) -- RangerPlex (Full browser) - ---- - -## 2. REGISTRATION BLOCK STRUCTURE - -### 2.1 Solidity Contract (Remix Standard) - -```solidity -// SPDX-License-Identifier: MIT -pragma solidity ^0.8.20; - -/** - * @title RangerRegistration - * @dev User registration and consent tracking for RangerBlock - * @author David Keane (IrishRanger) + Claude Code (Ranger) - */ -contract RangerRegistration { - - // ======================================================================== - // STRUCTURES - // ======================================================================== - - struct Registration { - bytes32 userIdHash; // SHA256 of userId - bytes32 publicKeyHash; // SHA256 of RSA public key - bytes32 hardwareIdHash; // SHA256 of hardware fingerprint - string username; // Display name - string appType; // ranger-chat-lite, just-chat, etc. 
- - // Consent - string termsVersion; // "1.0.0" - bytes32 termsHash; // SHA256 of terms text - bytes signature; // RSA signature of consent - - // Timestamps - uint256 registeredAt; // Block timestamp - uint256 consentedAt; // When terms accepted - - // Status - RegistrationStatus status; // pending, approved, denied, revoked - string statusReason; // Reason for status change - - // Admin - address approvedBy; // Admin who approved - uint256 approvedAt; // Approval timestamp - } - - enum RegistrationStatus { - PENDING, - APPROVED, - DENIED, - REVOKED - } - - // ======================================================================== - // STATE - // ======================================================================== - - address public owner; - address public supremeAdmin; - - mapping(bytes32 => Registration) public registrations; // userIdHash => Registration - mapping(bytes32 => bool) public hardwareUsed; // hardwareIdHash => used - bytes32[] public registrationList; // All registration IDs - - uint256 public totalRegistrations; - uint256 public pendingCount; - uint256 public approvedCount; - uint256 public deniedCount; - - // ======================================================================== - // EVENTS - // ======================================================================== - - event RegistrationSubmitted( - bytes32 indexed userIdHash, - string username, - string appType, - uint256 timestamp - ); - - event RegistrationApproved( - bytes32 indexed userIdHash, - address approvedBy, - uint256 timestamp - ); - - event RegistrationDenied( - bytes32 indexed userIdHash, - address deniedBy, - string reason, - uint256 timestamp - ); - - event RegistrationRevoked( - bytes32 indexed userIdHash, - address revokedBy, - string reason, - uint256 timestamp - ); - - event ConsentRecorded( - bytes32 indexed userIdHash, - string termsVersion, - bytes32 termsHash, - uint256 timestamp - ); - - // ======================================================================== 
- // MODIFIERS - // ======================================================================== - - modifier onlyOwner() { - require(msg.sender == owner || msg.sender == supremeAdmin, "Not authorized"); - _; - } - - modifier onlyAdmin() { - require(msg.sender == owner || msg.sender == supremeAdmin, "Not admin"); - _; - } - - // ======================================================================== - // CONSTRUCTOR - // ======================================================================== - - constructor(address _supremeAdmin) { - owner = msg.sender; - supremeAdmin = _supremeAdmin; - } - - // ======================================================================== - // REGISTRATION FUNCTIONS - // ======================================================================== - - /** - * @dev Submit a new registration with consent - */ - function register( - bytes32 userIdHash, - bytes32 publicKeyHash, - bytes32 hardwareIdHash, - string memory username, - string memory appType, - string memory termsVersion, - bytes32 termsHash, - bytes memory signature - ) public returns (bool) { - // Check hardware not already used (prevents ban evasion) - require(!hardwareUsed[hardwareIdHash], "Hardware already registered"); - - // Check not already registered - require(registrations[userIdHash].registeredAt == 0, "Already registered"); - - // Create registration - Registration storage reg = registrations[userIdHash]; - reg.userIdHash = userIdHash; - reg.publicKeyHash = publicKeyHash; - reg.hardwareIdHash = hardwareIdHash; - reg.username = username; - reg.appType = appType; - reg.termsVersion = termsVersion; - reg.termsHash = termsHash; - reg.signature = signature; - reg.registeredAt = block.timestamp; - reg.consentedAt = block.timestamp; - reg.status = RegistrationStatus.PENDING; - - // Mark hardware as used - hardwareUsed[hardwareIdHash] = true; - - // Add to list - registrationList.push(userIdHash); - totalRegistrations++; - pendingCount++; - - emit RegistrationSubmitted(userIdHash, 
username, appType, block.timestamp); - emit ConsentRecorded(userIdHash, termsVersion, termsHash, block.timestamp); - - return true; - } - - /** - * @dev Approve a pending registration (admin only) - */ - function approve(bytes32 userIdHash) public onlyAdmin { - Registration storage reg = registrations[userIdHash]; - require(reg.registeredAt > 0, "Registration not found"); - require(reg.status == RegistrationStatus.PENDING, "Not pending"); - - reg.status = RegistrationStatus.APPROVED; - reg.approvedBy = msg.sender; - reg.approvedAt = block.timestamp; - - pendingCount--; - approvedCount++; - - emit RegistrationApproved(userIdHash, msg.sender, block.timestamp); - } - - /** - * @dev Deny a pending registration (admin only) - */ - function deny(bytes32 userIdHash, string memory reason) public onlyAdmin { - Registration storage reg = registrations[userIdHash]; - require(reg.registeredAt > 0, "Registration not found"); - require(reg.status == RegistrationStatus.PENDING, "Not pending"); - - reg.status = RegistrationStatus.DENIED; - reg.statusReason = reason; - - pendingCount--; - deniedCount++; - - emit RegistrationDenied(userIdHash, msg.sender, reason, block.timestamp); - } - - /** - * @dev Revoke an approved registration (admin only) - */ - function revoke(bytes32 userIdHash, string memory reason) public onlyAdmin { - Registration storage reg = registrations[userIdHash]; - require(reg.registeredAt > 0, "Registration not found"); - require(reg.status == RegistrationStatus.APPROVED, "Not approved"); - - reg.status = RegistrationStatus.REVOKED; - reg.statusReason = reason; - - approvedCount--; - - emit RegistrationRevoked(userIdHash, msg.sender, reason, block.timestamp); - } - - // ======================================================================== - // VIEW FUNCTIONS - // ======================================================================== - - function getRegistration(bytes32 userIdHash) public view returns ( - string memory username, - string memory appType, - 
string memory termsVersion, - RegistrationStatus status, - uint256 registeredAt, - uint256 approvedAt - ) { - Registration storage reg = registrations[userIdHash]; - return ( - reg.username, - reg.appType, - reg.termsVersion, - reg.status, - reg.registeredAt, - reg.approvedAt - ); - } - - function isApproved(bytes32 userIdHash) public view returns (bool) { - return registrations[userIdHash].status == RegistrationStatus.APPROVED; - } - - function isPending(bytes32 userIdHash) public view returns (bool) { - return registrations[userIdHash].status == RegistrationStatus.PENDING; - } - - function getPendingCount() public view returns (uint256) { - return pendingCount; - } - - function getStats() public view returns ( - uint256 total, - uint256 pending, - uint256 approved, - uint256 denied - ) { - return (totalRegistrations, pendingCount, approvedCount, deniedCount); - } -} -``` - ---- - -## 3. NODE.JS INTEGRATION - -### 3.1 Registration Block (JSON Format for RangerBlock P2P) - -For our custom blockchain (non-EVM), registrations are blocks: - -```javascript -// Registration block structure -const registrationBlock = { - type: 'USER_REGISTRATION', - version: '1.0.0', - - // Identity (hashed for privacy) - identity: { - userIdHash: 'sha256_of_rb_xxx', - publicKeyHash: 'sha256_of_public_key', - hardwareIdHash: 'sha256_of_hardware_fingerprint', - username: 'SwiftRanger', - appType: 'ranger-chat-lite' - }, - - // Consent record - consent: { - termsVersion: '1.0.0', - termsHash: 'sha256_of_terms_text', - acceptedAt: '2025-12-04T10:30:00.000Z', - ageConfirmed: true, // User confirmed 18+ - signature: 'RSA_signature_of_consent' - }, - - // Block metadata - metadata: { - timestamp: '2025-12-04T10:30:05.000Z', - previousHash: 'abc123...', - nonce: 12345, - minedBy: 'relay_node_id' - }, - - // Status (updated by admin) - status: { - current: 'pending', // pending, approved, denied, revoked - updatedAt: null, - updatedBy: null, - reason: null - } -}; -``` - -### 3.2 Registration 
Service (registration-service.cjs) - -```javascript -// Location: rangerblock/lib/registration-service.cjs - -class RegistrationService { - constructor(identityService, consentService) { - this.identity = identityService; - this.consent = consentService; - } - - // Create registration block - async createRegistrationBlock() { } - - // Submit to relay (goes to admin queue) - async submitRegistration(block) { } - - // Check registration status - async checkStatus(userId) { } - - // Handle approval notification - onApproved(callback) { } - - // Handle denial notification - onDenied(callback) { } -} -``` - ---- - -## 4. ADMIN INTEGRATION - -### 4.1 Admin Dashboard Updates - -**New "Registrations" Tab:** - -``` -┌─────────────────────────────────────────────────────────────────┐ -│ PENDING REGISTRATIONS (3) │ -├───────┬──────────────┬─────────────────┬───────────┬───────────┤ -│ # │ Username │ App │ Date │ Actions │ -├───────┼──────────────┼─────────────────┼───────────┼───────────┤ -│ 1 │ SwiftRanger │ ranger-chat-lite│ Dec 4 │ [A] [D] │ -│ 2 │ StormWolf │ just-chat │ Dec 4 │ [A] [D] │ -│ 3 │ NightHawk │ just-chat │ Dec 4 │ [A] [D] │ -└───────┴──────────────┴─────────────────┴───────────┴───────────┘ - -[A] = Approve [D] = Deny [V] = View Details - -Registration Details (SwiftRanger): -───────────────────────────────────── -User ID: rb_abc123... -Hardware: M4Max-xxx (masked) -App: ranger-chat-lite -Registered: 2025-12-04 10:30:05 -Terms: v1.0.0 (18+ accepted) -Signature: ✓ Valid -Status: PENDING - -[A]pprove [D]eny [B]ack -``` - -### 4.2 Admin Registry Updates - -Add to `admin-registry.cjs`: - -```javascript -// Registration queue management -getPendingRegistrations() { } -approveRegistration(userIdHash, adminId) { } -denyRegistration(userIdHash, adminId, reason) { } -revokeRegistration(userIdHash, adminId, reason) { } - -// Consent verification -verifyConsent(userIdHash) { } -getConsentRecord(userIdHash) { } -``` - ---- - -## 5. 
APP INTEGRATION FLOW - -### 5.1 ranger-chat-lite Flow - -``` -┌─────────────┐ ┌─────────────┐ ┌─────────────┐ -│ App Start │────>│ Check │────>│ Show │ -│ │ │ Identity │ │ Terms Modal │ -└─────────────┘ └─────────────┘ └──────┬──────┘ - │ - ┌──────────────────────────┘ - │ User Accepts - v - ┌─────────────┐ ┌─────────────┐ - │ Sign │────>│ Submit to │ - │ Consent │ │ Relay │ - └─────────────┘ └──────┬──────┘ - │ - ┌────────────────────┘ - v - ┌─────────────┐ - │ PENDING │ <── Limited features - │ status │ (view only) - └──────┬──────┘ - │ - ┌────────────┴────────────┐ - v v - ┌───────────┐ ┌───────────────┐ - │ APPROVED │ │ DENIED │ - │ Full │ │ Show reason, │ - │ access │ │ exit app │ - └───────────┘ └───────────────┘ -``` - -### 5.2 just-chat Flow - -Same flow but terminal-based: -1. First run → Show terms in terminal -2. User types 'y' to accept -3. Consent signed and submitted -4. Status: PENDING (can view chat, can't send) -5. When approved → Full access -6. When denied → Exit with message - -### 5.3 server-only Flow - -Server operators get different terms: -1. Setup script shows server terms -2. Operator accepts -3. Server registration submitted -4. Admin approves server node -5. Server can join network - ---- - -## 6. PRIVILEGE SYSTEM - -### 6.1 Status-Based Privileges - -| Status | Chat | Voice | Files | DM | Channels | -|--------|------|-------|-------|----|----------| -| PENDING | View | No | No | No | View | -| APPROVED | Full | Full | Full | Full | Full | -| DENIED | No | No | No | No | No | -| REVOKED | No | No | No | No | No | - -### 6.2 Implementation - -```javascript -// In each app's message handler -if (registrationStatus !== 'APPROVED') { - if (registrationStatus === 'PENDING') { - showNotification('Registration pending admin approval. View-only mode.'); - return false; // Can't send - } else { - showError('Access denied. Contact admin.'); - exitApp(); - } -} -``` - ---- - -## 7. 
FILES TO CREATE - -| File | Location | Purpose | -|------|----------|---------| -| RangerRegistration.sol | Blockchain/contracts/ | Solidity contract | -| registration-service.cjs | rangerblock/lib/ | Node.js registration | -| consent-service.cjs | rangerblock/lib/ | Consent management | -| Admin dashboard updates | ~/.claude/ranger/admin/ | Registration queue UI | - ---- - -## 8. IMPLEMENTATION PHASES - -### Phase 1: Core Infrastructure (This Week) -- [ ] Create RangerRegistration.sol -- [ ] Create registration-service.cjs -- [ ] Create consent-service.cjs -- [ ] Test locally - -### Phase 2: Admin Integration (Next Week) -- [ ] Add registration queue to admin-registry.cjs -- [ ] Add Registrations tab to admin-dashboard.cjs -- [ ] Test approve/deny flow - -### Phase 3: App Integration (Week 3) -- [ ] Integrate into ranger-chat-lite -- [ ] Integrate into just-chat -- [ ] Integrate into server-only setup -- [ ] Test end-to-end - -### Phase 4: Testing (Week 4) -- [ ] Test on MSI Vector -- [ ] Test on AWS -- [ ] Security review -- [ ] Deploy to production - ---- - -## 9. SECURITY NOTES - -### What Admin Can See: -- Username -- App type -- Registration date -- Terms version accepted -- Signature validity -- Hardware ID (hashed, for ban enforcement) - -### What Admin CANNOT See: -- Full userId (only hash) -- Full hardware fingerprint -- Private key -- Message content - -### Hardware Ban Enforcement: -- Hardware ID hashed but tracked -- If banned user creates new identity, same hardware = blocked -- Admin can see "hardware previously used by banned user" - ---- - -**Document Status**: READY FOR IMPLEMENTATION -**Created**: December 4, 2025 -**Author**: Claude Code (Ranger) for David Keane (IrishRanger) - -*Rangers lead the way!* diff --git a/identity/claude/classified/RANGERBLOCK_SECURE_COMM_CONTRACTS_PLAN.md b/identity/claude/classified/RANGERBLOCK_SECURE_COMM_CONTRACTS_PLAN.md deleted file mode 100644 index 8697a75..0000000 
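Review bot: this deletion drops the only visible copy of the RangerRegistration contract source rather than moving it; the file's own section 7 table places it at `Blockchain/contracts/RangerRegistration.sol`, so the PR should either add it there or state that the contract is abandoned. If it is recreated, three things in the removed code need attention: `onlyOwner` and `onlyAdmin` have identical bodies (both accept `owner` or `supremeAdmin`), so one is dead or misnamed; neither `deny()` nor `revoke()` clears `hardwareUsed[reg.hardwareIdHash]`, so a device whose first registration was denied can never submit a corrected one, and section 9 only describes blocking after a ban, not after a denial; and `register()` stores `signature` without verifying it, while the admin mock-up shows "Signature: ✓ Valid", so that check has to happen off-chain in registration-service.cjs and the plan should say so. The "DO NOT COMMIT TO PUBLIC GIT" header was not honoured either: blob 1b706e2 stays in history after this commit.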
--- a/identity/claude/classified/RANGERBLOCK_SECURE_COMM_CONTRACTS_PLAN.md +++ /dev/null 
@@ -1,332 +0,0 @@ -# RangerBlock Secure Communication Contracts Plan - -## CODENAME: SENTINEL COMMS PROTOCOL - -**Author**: David Keane (IrishRanger) + Claude Code (Ranger) -**Date**: 2025-12-04 -**Status**: PLANNING -**Classification**: PRIVATE - ---- - -## Overview - -Smart contracts for secure, identity-verified communication channels. These contracts ensure users are **99.99% certain** they're communicating with the intended person through cryptographic identity verification. - -### The Problem - -In regular chat apps: -- Anyone can pretend to be someone else -- Man-in-the-middle attacks possible -- No proof of who you're really talking to -- Impersonation is easy - -### The Solution - -**Blockchain-verified identity handshakes** before sensitive communications: -1. Both parties prove identity via on-chain signatures -2. Challenge-response authentication -3. Session keys derived from verified identities -4. Immutable audit trail of who talked to whom - ---- - -## Three Communication Contracts - -### 1. RangerTextChat Contract (WHISPER PROTOCOL) - -**Purpose**: Secure text messaging with identity verification - -``` -Flow: -1. Alice wants to chat with Bob -2. Alice creates ChatSession request on-chain -3. Bob sees request, verifies Alice's on-chain identity -4. Bob accepts with signature proving he's real Bob -5. Both derive shared session key -6. E2E encrypted text chat begins -7. Session recorded on blockchain (not content!) 
-``` - -**Features**: -- Identity verification before first message -- E2E encryption with verified keys -- Session expiry (configurable) -- Block/report with on-chain evidence -- Message receipts (delivered/read) optional - -**Contract Data**: -```rust -struct TextChatSession { - session_id: [u8; 32], - initiator_id_hash: [u8; 32], - responder_id_hash: [u8; 32], - initiator_pubkey: [u8; 32], // For E2E encryption - responder_pubkey: [u8; 32], - created_at: i64, - expires_at: i64, - status: SessionStatus, // Pending/Active/Ended/Blocked - initiator_signature: [u8; 64], - responder_signature: [u8; 64], -} -``` - ---- - -### 2. RangerVoiceChat Contract (ECHO PROTOCOL) - -**Purpose**: Secure voice calls with identity verification - -``` -Flow: -1. Alice initiates voice call to Bob -2. Contract creates VoiceSession with Alice's signature -3. Bob receives call notification -4. Bob verifies Alice's on-chain identity -5. Bob answers with his signature -6. DTLS/SRTP keys exchanged using verified identities -7. Encrypted voice call begins -8. Call metadata recorded (duration, not content) -``` - -**Features**: -- Pre-call identity verification -- Secure key exchange -- Call duration tracking -- Missed call logging -- Do Not Disturb status checking -- Group call support (future) - -**Contract Data**: -```rust -struct VoiceCallSession { - call_id: [u8; 32], - caller_id_hash: [u8; 32], - callee_id_hash: [u8; 32], - caller_signature: [u8; 64], - callee_signature: [u8; 64], - call_started: i64, - call_ended: i64, - duration_seconds: u64, - status: CallStatus, // Ringing/Active/Ended/Missed/Rejected - quality_rating: u8, // Optional 1-5 rating -} -``` - ---- - -### 3. RangerVideoChat Contract (VISION PROTOCOL) - -**Purpose**: Secure video calls with identity verification - -``` -Flow: -1. Alice initiates video call to Bob -2. Contract creates VideoSession with Alice's signature -3. Bob receives notification + Alice's verified identity -4. 
Bob can see Alice's on-chain profile before answering -5. Bob answers with signature proving identity -6. WebRTC connection established with verified DTLS fingerprints -7. Encrypted video call begins -8. Call metadata recorded on-chain -``` - -**Features**: -- Face-to-verified-identity confirmation -- Bandwidth/quality negotiation -- Screen sharing flag -- Recording consent flag (both must agree) -- Virtual background support flag -- Group video support (future) - -**Contract Data**: -```rust -struct VideoCallSession { - call_id: [u8; 32], - caller_id_hash: [u8; 32], - callee_id_hash: [u8; 32], - caller_signature: [u8; 64], - callee_signature: [u8; 64], - call_started: i64, - call_ended: i64, - duration_seconds: u64, - status: CallStatus, - // Video-specific - screen_shared: bool, - recording_consent: bool, // Both agreed to record - max_resolution: u16, // 720, 1080, etc. -} -``` - ---- - -## Identity Verification Flow (All Contracts) - -``` -┌─────────────────────────────────────────────────────────────┐ -│ IDENTITY VERIFICATION │ -├─────────────────────────────────────────────────────────────┤ -│ │ -│ 1. CHECK ON-CHAIN REGISTRATION │ -│ └─> User must have RangerRegistration approved │ -│ │ -│ 2. CHALLENGE-RESPONSE │ -│ └─> Contract generates random nonce │ -│ └─> User signs nonce with private key │ -│ └─> Contract verifies signature matches on-chain pubkey │ -│ │ -│ 3. HARDWARE BINDING (Optional Extra Security) │ -│ └─> Include hardware fingerprint in signature │ -│ └─> Prevents key theft (key only works on original HW) │ -│ │ -│ 4. SESSION ESTABLISHMENT │ -│ └─> Both parties verified │ -│ └─> Session keys derived │ -│ └─> Communication begins │ -│ │ -└─────────────────────────────────────────────────────────────┘ -``` - ---- - -## Why 99.99% Certainty? 
- -| Security Layer | What It Proves | -|----------------|----------------| -| On-chain registration | User went through registration process | -| Hardware ID binding | Using the same physical device | -| RSA signature | Has the private key (not just username) | -| Challenge-response | Key is available NOW (not stolen earlier) | -| Session signature | Both parties actively participating | - -**The 0.01%**: -- Physical device theft + password compromise -- Quantum computer breaking RSA (future concern) -- Zero-day in cryptographic libraries - ---- - -## Implementation Phases - -### Phase 1: Text Chat Contract (WHISPER) -- [ ] Create Solana `ranger_text_chat.rs` -- [ ] Create Ethereum `RangerTextChat.sol` -- [ ] Add to RangerChat Lite settings -- [ ] Integrate with existing chat - -### Phase 2: Voice Chat Contract (ECHO) -- [ ] Create Solana `ranger_voice_chat.rs` -- [ ] Create Ethereum `RangerVoiceChat.sol` -- [ ] Build voice-chat.cjs integration -- [ ] Add to RangerChat Lite (future) - -### Phase 3: Video Chat Contract (VISION) -- [ ] Create Solana `ranger_video_chat.rs` -- [ ] Create Ethereum `RangerVideoChat.sol` -- [ ] Build WebRTC integration -- [ ] Add to RangerChat Lite (future) - -### Phase 4: Unified Communications -- [ ] Single "Secure Call" button -- [ ] Auto-negotiate voice/video -- [ ] Group calls support -- [ ] Cross-platform (desktop, mobile, web) - ---- - -## UI/UX in RangerChat Lite - -### Before Call/Chat: - -``` -┌──────────────────────────────────────┐ -│ 🔐 VERIFYING IDENTITY... │ -│ │ -│ Checking: IrishRanger │ -│ │ -│ ✓ On-chain registration verified │ -│ ✓ Hardware ID matches │ -│ ✓ Signature valid │ -│ ⏳ Waiting for response... 
│ -│ │ -│ [Cancel] │ -└──────────────────────────────────────┘ -``` - -### After Verification: - -``` -┌──────────────────────────────────────┐ -│ ✅ IDENTITY VERIFIED │ -│ │ -│ You are talking to: │ -│ IrishRanger (David Keane) │ -│ │ -│ 🔒 This session is secured by: │ -│ • Blockchain verification │ -│ • End-to-end encryption │ -│ • Hardware-bound keys │ -│ │ -│ Session ID: 0x7f3a... │ -│ Expires: 24 hours │ -│ │ -│ [Continue to Chat] [View Details] │ -└──────────────────────────────────────┘ -``` - ---- - -## Security Benefits - -| Feature | Benefit | -|---------|---------| -| No impersonation | Can't fake blockchain signatures | -| Audit trail | Know who talked when (not what) | -| Non-repudiation | Can't deny starting a session | -| Key exchange | Verified keys, no MITM | -| Session expiry | Limits exposure window | -| Revocation | Admin can revoke bad actors | - ---- - -## Integration with Existing Contracts - -``` -RangerRegistration ─────┐ - │ -RangerTextChat ──────┼──── All require valid registration - │ -RangerVoiceChat ──────┤ - │ -RangerVideoChat ──────┘ - -RangerBridge ─────> Optional: Pay for premium features with RangerCoin -``` - ---- - -## Files to Create (Future) - -| File | Location | Purpose | -|------|----------|---------| -| `ranger_text_chat.rs` | `Blockchain/contracts/solana/` | Solana text chat | -| `ranger_voice_chat.rs` | `Blockchain/contracts/solana/` | Solana voice chat | -| `ranger_video_chat.rs` | `Blockchain/contracts/solana/` | Solana video chat | -| `RangerTextChat.sol` | `Blockchain/contracts/` | Ethereum text chat | -| `RangerVoiceChat.sol` | `Blockchain/contracts/` | Ethereum voice chat | -| `RangerVideoChat.sol` | `Blockchain/contracts/` | Ethereum video chat | -| `secure-comm-service.cjs` | `rangerblock/lib/` | JS integration | - ---- - -## Motto - -> "Trust, but verify... on the blockchain!" 
- ---- - -## Authors -- David Keane (IrishRanger) - Supreme Commander -- Claude Code (Ranger) - AI Operations Commander - -Rangers lead the way! 🎖️ diff --git a/identity/claude/classified/RANGERBLOCK_SECURITY_INTEGRATION_PLAN.md b/identity/claude/classified/RANGERBLOCK_SECURITY_INTEGRATION_PLAN.md deleted file mode 100644 index ad34fcd..0000000 --- a/identity/claude/classified/RANGERBLOCK_SECURITY_INTEGRATION_PLAN.md +++ /dev/null 
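Review bot: the removed plan's data structures and its security claims disagree, which matters if it is being relocated rather than dropped: the verification table and the "The 0.01%" list talk about RSA signatures, but `TextChatSession`, `VoiceCallSession` and `VideoCallSession` declare `[u8; 32]` public keys and `[u8; 64]` signatures, which are Ed25519 sizes, not RSA-2048. The identity verification flow relies on a contract-generated nonce that the user signs, yet none of the three structs carries a nonce or challenge field, so "Key exchange: Verified keys, no MITM" in the benefits table is not backed by the stored data, and the "99.99% certain" figure is asserted without a basis. Same history caveat as the other deletions in this commit: blob 8697a75 remains reachable.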
@@ -1,656 +0,0 @@ -# 🛡️ RANGERBLOCK SECURITY INTEGRATION PLAN -## Project Codename: "SHEPHERD PROTOCOL" -### Unified Identity & Registration System - ---- - -## 1. EXECUTIVE SUMMARY - -Implement a unified security and registration system across ALL RangerBlock components: - -| Component | Current State | Target State | -|-----------|---------------|--------------| -| **ranger-chat-lite** | Hardware fingerprint + RSA keys (unused) | Full encryption + Commander verification | -| **blockchain-chat.cjs** | Simple nickname only | Hardware ID + persistent identity | -| **voice-chat.cjs** | Simple nickname only | Hardware ID + encrypted voice | -| **server-only** | Does not exist | Centralized auth hub with kill switch | - ---- - -## 2. CURRENT STATE ANALYSIS - -### A. ranger-chat-lite (Electron App) ✅ BEST -**Location**: `/Users/ranger/rangerplex-ai/apps/ranger-chat-lite/` - -**What It Has**: -``` -✅ Hardware fingerprinting (SHA-256 of Hardware UUID + hostname + username) -✅ Persistent identity (user_identity.json) -✅ RSA-2048 keypair generation -✅ Cross-platform support (macOS/Windows/Linux) -✅ IPC API for identity operations -✅ Message statistics tracking -✅ User moderation note (admins can track real identity) -``` - -**Key Files**: -- `electron/identityService.ts` - Core identity logic (379 lines) -- `electron/main.ts` - IPC handlers -- `electron/preload.ts` - API bridge - -**Hardware Fingerprint Code** (identityService.ts:109-173): -```typescript -// macOS: system_profiler SPHardwareDataType → Hardware UUID -// Windows: wmic csproduct get uuid -// Linux: /etc/machine-id -const fingerprint = crypto - .createHash('sha256') - .update(hardwareId + os.hostname() + os.userInfo().username) - .digest('hex') - .substring(0, 32) -``` - -**What It's Missing**: -``` -❌ Password/PIN protection -❌ Message encryption (plain text over ws://) -❌ TLS/WSS (unencrypted WebSocket) -❌ Token-based auth (no JWT/session tokens) -❌ Server-side identity verification -❌ Kill switch integration 
-``` - ---- - -### B. blockchain-chat.cjs (Terminal Chat) ⚠️ BASIC -**Location**: `/Users/ranger/rangerplex-ai/rangerblock/just-chat/blockchain-chat.cjs` - -**What It Has**: -``` -✅ Basic nickname registration -✅ Machine name detection (getMachineName()) -✅ Local IP detection -✅ Channel-based chat (#rangers) -``` - -**Current Registration** (line 204-216): -```javascript -// Very simple - just sends nickname to server -ws.send(JSON.stringify({ - type: 'register', - address: `${nickname}-${Date.now()}`, - nickname: nickname, - channel: DEFAULT_CHANNEL, - ip: getLocalIP(), - port: 0 -})); -``` - -**What It's Missing**: -``` -❌ Hardware fingerprinting -❌ Persistent identity file -❌ RSA keypairs -❌ Any form of authentication -❌ TODO at line 412: "Implement challenge-response authentication" -``` - ---- - -### C. voice-chat.cjs (Terminal Voice) ⚠️ BASIC -**Location**: `/Users/ranger/rangerplex-ai/rangerblock/just-chat/voice-chat.cjs` - -**What It Has**: -``` -✅ Same basic registration as blockchain-chat -✅ Voice call states (IDLE, CALLING, RINGING, IN_CALL, IN_GROUP) -✅ Audio compression with zlib -✅ Private calls + group voice -``` - -**What It's Missing**: -``` -❌ Hardware fingerprinting -❌ Persistent identity -❌ Voice encryption (just zlib compression, not crypto) -❌ Call authentication (anyone can call anyone) -``` - ---- - -### D. server-only (Planned) 🆕 NOT BUILT -**Location**: `/Users/ranger/rangerplex-ai/rangerblock/server-only/` (to be created) - -**Purpose**: Centralized authentication hub + kill switch controller - ---- - -## 3. 
TARGET ARCHITECTURE - -``` -┌─────────────────────────────────────────────────────────────────────┐ -│ RANGERBLOCK SECURITY LAYER │ -├─────────────────────────────────────────────────────────────────────┤ -│ │ -│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ -│ │ ranger-chat- │ │ blockchain- │ │ voice-chat │ │ -│ │ lite │ │ chat.cjs │ │ .cjs │ │ -│ │ (Electron) │ │ (Terminal) │ │ (Terminal) │ │ -│ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ │ -│ │ │ │ │ -│ ▼ ▼ ▼ │ -│ ┌─────────────────────────────────────────────────────────┐ │ -│ │ SHARED IDENTITY SERVICE │ │ -│ │ ~/.rangerblock/identity/ │ │ -│ │ - hardware_fingerprint.json │ │ -│ │ - user_identity.json │ │ -│ │ - keys/ (RSA-2048) │ │ -│ └──────────────────────────┬──────────────────────────────┘ │ -│ │ │ -│ ▼ │ -│ ┌─────────────────────────────────────────────────────────┐ │ -│ │ RANGERBLOCK AUTH SERVER │ │ -│ │ (server-only/auth-server.cjs) │ │ -│ │ - Challenge-response auth │ │ -│ │ - Hardware ID verification │ │ -│ │ - Session token issuance │ │ -│ │ - Ban list management │ │ -│ │ - KILL SWITCH LISTENER │ │ -│ └──────────────────────────┬──────────────────────────────┘ │ -│ │ │ -│ ▼ │ -│ ┌─────────────────────────────────────────────────────────┐ │ -│ │ COMMANDER CONTROL PANEL │ │ -│ │ (~/.claude/ranger/classified/rain/) │ │ -│ │ - Rain Protocol triggers │ │ -│ │ - User management │ │ -│ │ - Network monitoring │ │ -│ └─────────────────────────────────────────────────────────┘ │ -│ │ -└─────────────────────────────────────────────────────────────────────┘ -``` - ---- - -## 4. SHARED IDENTITY SERVICE - -### A. 
Common Identity Module -**New File**: `/Users/ranger/rangerplex-ai/rangerblock/lib/identity-service.cjs` - -**Purpose**: Shared code for ALL RangerBlock apps (Electron + Node.js terminal) - -**Features**: -```javascript -class RangerBlockIdentity { - // Core identity - getOrCreateIdentity(username) // Returns persistent identity - getHardwareFingerprint() // Cross-platform hardware ID - - // Cryptography - generateKeyPair() // RSA-2048 keys - signMessage(message) // Sign with private key - verifySignature(message, sig, pubKey) // Verify with public key - - // Storage - saveIdentity() // Persist to ~/.rangerblock/ - loadIdentity() // Load from disk - exportIdentity() // Backup identity - - // Auth helpers - generateChallenge() // Create auth challenge - respondToChallenge(challenge) // Sign challenge - - // Commander integration - checkKillSwitch() // Check if network is live - validateCommanderMessage(msg) // Verify Commander signature -} -``` - -### B. Storage Structure -**Location**: `~/.rangerblock/` (shared across all apps) - -``` -~/.rangerblock/ -├── identity/ -│ ├── hardware_fingerprint.json # Device-specific ID -│ ├── user_identity.json # User profile + stats -│ └── registration_token.json # Server-issued auth token -├── keys/ -│ ├── private_key.pem # RSA-2048 private (NEVER share) -│ └── public_key.pem # RSA-2048 public (sent to server) -├── sessions/ -│ └── current_session.json # Active session token -└── config/ - └── preferences.json # User preferences -``` - ---- - -## 5. AUTHENTICATION FLOW - -### Phase 1: First-Time Registration - -``` -┌─────────┐ ┌─────────┐ ┌─────────┐ -│ CLIENT │ │ SERVER │ │COMMANDER│ -└────┬────┘ └────┬────┘ └────┬────┘ - │ │ │ - │ 1. Generate hardware ID │ │ - │ Generate RSA keypair │ │ - │ │ │ - │ 2. Connect to server │ │ - ├─────────────────────────────>│ │ - │ │ │ - │ 3. Server sends challenge │ │ - │<─────────────────────────────┤ │ - │ (random nonce) │ │ - │ │ │ - │ 4. 
Client signs challenge │ │ - │ with private key │ │ - │ │ │ - │ 5. Send registration: │ │ - │ - hardware_id │ │ - │ - public_key │ │ - │ - signed_challenge │ │ - │ - nickname │ │ - ├─────────────────────────────>│ │ - │ │ │ - │ │ 6. Verify signature │ - │ │ Store hardware_id + │ - │ │ public_key mapping │ - │ │ │ - │ 7. Registration approved │ │ - │ (session token issued) │ │ - │<─────────────────────────────┤ │ - │ │ │ - │ │ 8. Log new registration │ - │ ├─────────────────────────────>│ - │ │ (for Commander review) │ - │ │ │ -``` - -### Phase 2: Returning User - -``` -┌─────────┐ ┌─────────┐ -│ CLIENT │ │ SERVER │ -└────┬────┘ └────┬────┘ - │ │ - │ 1. Load existing identity │ - │ (hardware_id + keys) │ - │ │ - │ 2. Connect + send auth │ - │ - hardware_id │ - │ - session_token (if have) │ - ├─────────────────────────────>│ - │ │ - │ 3. Server sends challenge │ - │<─────────────────────────────┤ - │ │ - │ 4. Sign challenge │ - ├─────────────────────────────>│ - │ │ - │ 5. Server verifies against │ - │ stored public key │ - │ │ - │ 6. Session restored │ - │<─────────────────────────────┤ -``` - ---- - -## 6. 
IMPLEMENTATION PLAN - -### Phase 1: Shared Identity Library (Week 1) -**Priority**: HIGH - -**Tasks**: -- [ ] Create `/rangerblock/lib/identity-service.cjs` -- [ ] Port hardware fingerprinting from identityService.ts to Node.js -- [ ] Implement RSA-2048 key generation -- [ ] Implement signature creation/verification -- [ ] Create `~/.rangerblock/` storage structure -- [ ] Write unit tests - -**Files to Create**: -``` -/rangerblock/lib/ -├── identity-service.cjs # Core identity logic -├── crypto-utils.cjs # RSA/signing helpers -├── storage-utils.cjs # File system operations -└── identity-service.test.js # Tests -``` - ---- - -### Phase 2: Auth Server (Week 2) -**Priority**: HIGH - -**Tasks**: -- [ ] Create `/rangerblock/server-only/auth-server.cjs` -- [ ] Implement challenge-response protocol -- [ ] Store hardware_id → public_key mappings -- [ ] Implement session token generation (JWT-like) -- [ ] Add ban list functionality -- [ ] Integrate kill switch listener -- [ ] Add Commander notification endpoint - -**Files to Create**: -``` -/rangerblock/server-only/ -├── auth-server.cjs # Main auth server -├── user-database.cjs # User storage (SQLite) -├── session-manager.cjs # Token management -├── ban-list.cjs # Banned users/hardware IDs -└── kill-switch-listener.cjs # Rain Protocol integration -``` - -**Database Schema**: -```sql -CREATE TABLE users ( - id INTEGER PRIMARY KEY, - hardware_id TEXT UNIQUE NOT NULL, - public_key TEXT NOT NULL, - nickname TEXT, - created_at DATETIME, - last_seen DATETIME, - is_banned BOOLEAN DEFAULT 0, - ban_reason TEXT, - message_count INTEGER DEFAULT 0, - trust_score INTEGER DEFAULT 50 -); - -CREATE TABLE sessions ( - id INTEGER PRIMARY KEY, - user_id INTEGER, - token TEXT UNIQUE, - created_at DATETIME, - expires_at DATETIME, - ip_address TEXT, - FOREIGN KEY (user_id) REFERENCES users(id) -); - -CREATE TABLE audit_log ( - id INTEGER PRIMARY KEY, - user_id INTEGER, - action TEXT, - details TEXT, - timestamp DATETIME, - FOREIGN KEY (user_id) 
REFERENCES users(id) -); -``` - ---- - -### Phase 3: Update blockchain-chat.cjs (Week 3) -**Priority**: MEDIUM - -**Tasks**: -- [ ] Import shared identity service -- [ ] Replace simple registration with challenge-response -- [ ] Add persistent identity support -- [ ] Add session token handling -- [ ] Display identity status in UI -- [ ] Handle kill switch signals - -**Code Changes**: -```javascript -// OLD (current) -ws.send(JSON.stringify({ - type: 'register', - nickname: nickname -})); - -// NEW (with security) -const identity = new RangerBlockIdentity(); -const myIdentity = await identity.getOrCreateIdentity(nickname); - -// Wait for challenge from server -ws.on('message', (data) => { - const msg = JSON.parse(data); - if (msg.type === 'challenge') { - const signature = identity.signMessage(msg.nonce); - ws.send(JSON.stringify({ - type: 'register', - hardware_id: myIdentity.hardwareId, - public_key: myIdentity.publicKey, - signature: signature, - nickname: nickname - })); - } -}); -``` - ---- - -### Phase 4: Update voice-chat.cjs (Week 4) -**Priority**: MEDIUM - -**Tasks**: -- [ ] Import shared identity service -- [ ] Add challenge-response auth -- [ ] Add voice stream encryption (AES-256-GCM) -- [ ] Add call authentication (verify caller identity) -- [ ] Handle kill switch signals - -**Voice Encryption**: -```javascript -// Generate per-call session key -const sessionKey = crypto.randomBytes(32); - -// Encrypt voice data before sending -function encryptVoice(audioBuffer) { - const iv = crypto.randomBytes(12); - const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv); - const encrypted = Buffer.concat([cipher.update(audioBuffer), cipher.final()]); - const authTag = cipher.getAuthTag(); - return Buffer.concat([iv, authTag, encrypted]); -} - -// Key exchange: Encrypt session key with recipient's public key -const encryptedKey = crypto.publicEncrypt(recipientPublicKey, sessionKey); -``` - ---- - -### Phase 5: Update ranger-chat-lite (Week 5) 
-**Priority**: MEDIUM - -**Tasks**: -- [ ] Move identity storage to shared `~/.rangerblock/` -- [ ] Enable RSA signing for all messages -- [ ] Add TLS/WSS support -- [ ] Integrate with auth server -- [ ] Add kill switch handling in Electron - ---- - -### Phase 6: Commander Integration (Week 6) -**Priority**: HIGH - -**Tasks**: -- [ ] Create user management API -- [ ] Build network dashboard -- [ ] Integrate Rain Protocol triggers -- [ ] Add real-time alerts for suspicious activity -- [ ] Implement trust score system - ---- - -## 7. KILL SWITCH INTEGRATION - -### Server-Side Kill Switch Listener -**File**: `/rangerblock/server-only/kill-switch-listener.cjs` - -```javascript -const KILL_COMMANDS = { - 'gentle-rain': softKill, // Graceful shutdown - 'thunderstorm': hardKill, // Immediate termination - 'flood': nuclearKill // Complete purge -}; - -function startKillSwitchListener(commanderPublicKey) { - // Listen on secret port for Commander signals - const ws = new WebSocket('ws://localhost:XXXX/commander'); - - ws.on('message', (data) => { - const msg = JSON.parse(data); - - // Verify Commander signature - if (!verifyCommanderSignature(msg, commanderPublicKey)) { - console.log('⚠️ Invalid kill switch attempt!'); - return; - } - - // Execute kill command - if (KILL_COMMANDS[msg.command]) { - KILL_COMMANDS[msg.command](msg.params); - } - }); -} -``` - -### Client-Side Kill Switch Handling -```javascript -// All clients check for kill switch on connect -ws.on('message', (data) => { - const msg = JSON.parse(data); - - if (msg.type === 'kill-switch') { - console.log('⚠️ Network shutdown initiated'); - - switch (msg.level) { - case 'soft': - // Save state, graceful exit - saveState(); - process.exit(0); - break; - case 'hard': - // Immediate exit - process.exit(1); - break; - case 'nuclear': - // Wipe local data - wipeLocalData(); - process.exit(1); - break; - } - } -}); -``` - ---- - -## 8. 
TRUST SCORE SYSTEM - -### How It Works -Each user starts with trust score **50** (neutral). - -**Score Increases**: -- +1 per day active (max +7/week) -- +5 for verified Commander interaction -- +10 for reporting valid abuse - -**Score Decreases**: -- -5 for spam detection -- -10 for suspicious patterns -- -20 for attempted impersonation -- -50 for confirmed abuse (triggers review) - -**Trust Levels**: -``` -0-19: BANNED (cannot connect) -20-39: RESTRICTED (rate limited, monitored) -40-59: NORMAL (standard access) -60-79: TRUSTED (higher limits) -80-100: VERIFIED (full access, can report) -``` - ---- - -## 9. FILE LOCATIONS SUMMARY - -### Classified (Commander Only) -``` -~/.claude/ranger/classified/ -├── RANGERBLOCK_KILL_SWITCH_PLAN.md # Rain Protocol -├── RANGERBLOCK_SECURITY_INTEGRATION_PLAN.md # This document -└── rain/ # Kill switch code (future) - ├── commander-keys/ - └── rain-protocol.cjs -``` - -### Shared Identity (All Apps) -``` -~/.rangerblock/ -├── identity/ -├── keys/ -├── sessions/ -└── config/ -``` - -### Source Code -``` -/Users/ranger/rangerplex-ai/rangerblock/ -├── lib/ -│ ├── identity-service.cjs # NEW -│ ├── crypto-utils.cjs # NEW -│ └── storage-utils.cjs # NEW -├── server-only/ # NEW -│ ├── auth-server.cjs -│ ├── user-database.cjs -│ └── kill-switch-listener.cjs -└── just-chat/ - ├── blockchain-chat.cjs # UPDATE - └── voice-chat.cjs # UPDATE -``` - ---- - -## 10. SECURITY CHECKLIST - -### Before Going Live: - -- [ ] All communications over WSS (TLS) -- [ ] Private keys never leave device -- [ ] Hardware IDs salted with secret -- [ ] Session tokens expire after 24 hours -- [ ] Rate limiting on all endpoints -- [ ] Audit logging enabled -- [ ] Kill switch tested on test network -- [ ] Commander keys generated offline -- [ ] Backup keys in secure location -- [ ] Ban list functionality tested - ---- - -## 11. NEXT STEPS - -**Immediate** (awaiting green light): -1. Create `/rangerblock/lib/identity-service.cjs` -2. 
Port hardware fingerprinting from TypeScript -3. Test on all platforms - -**Short-term**: -4. Build auth server -5. Update blockchain-chat.cjs -6. Update voice-chat.cjs - -**Medium-term**: -7. Update ranger-chat-lite -8. Build Commander dashboard -9. Full integration testing - ---- - -**Document Classification**: COMMANDER EYES ONLY -**Created**: December 3, 2024 -**Author**: Ranger (AIR9cd99c4515aeb3f6) -**For**: David Keane (IR240474) -**Related**: RANGERBLOCK_KILL_SWITCH_PLAN.md - -🎖️ Rangers lead the way! - ---- - -## AWAITING GREEN LIGHT FOR IMPLEMENTATION diff --git a/identity/claude/classified/RANGERBLOCK_SECURITY_INTEGRATION_PLAN_v2.md b/identity/claude/classified/RANGERBLOCK_SECURITY_INTEGRATION_PLAN_v2.md deleted file mode 100644 index 2341727..0000000 --- a/identity/claude/classified/RANGERBLOCK_SECURITY_INTEGRATION_PLAN_v2.md +++ /dev/null 
@@ -1,638 +0,0 @@ -# 🛡️ RANGERBLOCK SECURITY INTEGRATION PLAN v2.0 -## Project Codename: "SHEPHERD PROTOCOL" -### Unified Identity, Registration & App Sync System - ---- - -## REVISION NOTES (v2.0) -- Added: ranger-chat-lite ↔ RangerPlex bidirectional sync -- Added: On-chain identity registration -- Added: Settings migration (lite → full app) -- Added: First-app security considerations (comprehensive) -- Added: Missing security layers David didn't know to ask for - ---- - -## 1. EXECUTIVE SUMMARY - -### The Vision -``` -User Journey Option A (Chat First): -┌─────────────┐ ┌─────────────┐ ┌─────────────┐ -│ Downloads │────>│ Identity │────>│ Later adds │ -│ Chat Lite │ │ Created + │ │ RangerPlex │ -│ (free/easy) │ │ On-Chain │ │ (full app) │ -└─────────────┘ └─────────────┘ └─────────────┘ - │ │ - └────────────────────┘ - SEAMLESS SYNC! - (settings, history, keys) - -User Journey Option B (RangerPlex First): -┌─────────────┐ ┌─────────────┐ ┌─────────────┐ -│ Downloads │────>│ Full │────>│ Chat Lite │ -│ RangerPlex │ │ Identity │ │ auto-links │ -│ (power user)│ │ On-Chain │ │ to existing │ -└─────────────┘ └─────────────┘ └─────────────┘ -``` - -### Key Principles -1. **Identity is PORTABLE** - One identity, all apps -2. **Blockchain is TRUTH** - On-chain registration = verified -3. **Local is FALLBACK** - Works offline, syncs when connected -4. **Upgrade is SEAMLESS** - Lite → Full with zero friction -5. **Security is INVISIBLE** - Users don't see complexity - ---- - -## 2. ON-CHAIN IDENTITY REGISTRATION - -### Why On-Chain? 
-- **Proof of existence** - Timestamp when identity created -- **Immutable record** - Can't be faked retroactively -- **Cross-app verification** - Any app can verify identity -- **Recovery mechanism** - Blockchain = backup - -### Identity Block Structure -```javascript -{ - type: 'IDENTITY_REGISTRATION', - version: '1.0.0', - payload: { - // Public data (visible on chain) - publicKey: 'RSA-2048 public key (PEM)', - hardwareIdHash: 'SHA-256 of hardware ID (not raw ID!)', - nickname: 'IrishRanger', - appOrigin: 'ranger-chat-lite', // Which app created this - capabilities: ['chat', 'voice', 'files'], - - // Timestamps - createdAt: '2024-12-03T12:00:00.000Z', - registeredOnChain: '2024-12-03T12:00:05.000Z', - - // Signature - signature: 'self-signed with private key' - }, - metadata: { - blockHeight: 12345, - previousHash: 'abc123...', - nonce: 42 - } -} -``` - -### Registration Flow -``` -┌─────────────┐ ┌─────────────┐ ┌─────────────┐ -│ CLIENT │ │ RELAY/HUB │ │ BLOCKCHAIN │ -└──────┬──────┘ └──────┬──────┘ └──────┬──────┘ - │ │ │ - │ 1. Generate identity │ │ - │ locally first │ │ - │ │ │ - │ 2. Connect to relay │ │ - ├───────────────────────>│ │ - │ │ │ - │ 3. Submit identity │ │ - │ registration block │ │ - ├───────────────────────>│ │ - │ │ │ - │ │ 4. Validate & mine │ - │ ├───────────────────────>│ - │ │ │ - │ │ 5. Block confirmed │ - │ │<───────────────────────┤ - │ │ │ - │ 6. Registration │ │ - │ confirmed + block # │ │ - │<───────────────────────┤ │ - │ │ │ - │ 7. Store block # as │ │ - │ proof of identity │ │ - │ │ │ -``` - ---- - -## 3. 
APP SYNC ARCHITECTURE - -### Shared Identity Storage -**Location**: `~/.rangerblock/` (cross-app shared folder) - -``` -~/.rangerblock/ -├── identity/ -│ ├── master_identity.json # THE identity (shared) -│ ├── hardware_fingerprint.json # Device binding -│ ├── chain_registration.json # On-chain proof -│ └── sync_state.json # Last sync timestamp -│ -├── keys/ -│ ├── master_private_key.pem # RSA-2048 (NEVER leaves device) -│ ├── master_public_key.pem # Shared with network -│ └── session_keys/ # Per-session encryption keys -│ -├── apps/ -│ ├── ranger-chat-lite/ -│ │ ├── settings.json # App-specific settings -│ │ ├── chat_history.json # Message history -│ │ └── contacts.json # Saved contacts -│ │ -│ └── rangerplex/ -│ ├── settings.json -│ ├── modules.json # Enabled modules -│ └── workspace.json # UI state -│ -├── sync/ -│ ├── pending_sync.json # Changes to sync -│ ├── conflict_log.json # Sync conflicts -│ └── last_sync.json # Sync metadata -│ -└── security/ - ├── trusted_devices.json # Other devices with same identity - ├── revocation_list.json # Compromised keys - └── audit_log.json # Security events -``` - -### App Detection & Sync -```javascript -// When ranger-chat-lite starts: -class AppSyncManager { - async detectRangerPlex() { - const paths = [ - '~/.rangerplex', // Linux/macOS - '~/Library/Application Support/RangerPlex', // macOS - '%APPDATA%/RangerPlex' // Windows - ]; - - for (const path of paths) { - if (await fs.exists(path)) { - return { installed: true, path }; - } - } - return { installed: false }; - } - - async syncWithRangerPlex() { - const rangerplex = await this.detectRangerPlex(); - - if (rangerplex.installed) { - // RangerPlex exists - sync to shared identity - await this.mergeIdentities(); - await this.syncSettings(); - await this.notifyUser('Synced with RangerPlex!'); - } else { - // First app - create shared identity - await this.createSharedIdentity(); - } - } -} -``` - -### Settings Migration (Lite → Full) -```javascript -// When RangerPlex 
detects existing Chat Lite identity: -async function migrateFromChatLite() { - const chatLiteData = await loadChatLiteData(); - - if (chatLiteData) { - // Import user's existing identity - await importIdentity(chatLiteData.identity); - - // Import chat history - await importChatHistory(chatLiteData.messages); - - // Import contacts - await importContacts(chatLiteData.contacts); - - // Import preferences - await importPreferences(chatLiteData.settings); - - // Notify user - showWelcome(` - Welcome to RangerPlex! - - We found your Chat Lite identity: - • Username: ${chatLiteData.identity.nickname} - • Messages: ${chatLiteData.messages.length} - • Contacts: ${chatLiteData.contacts.length} - - Everything has been imported automatically! - `); - } -} -``` - ---- - -## 4. SECURITY CONSIDERATIONS (FIRST APP CHECKLIST) - -### Things You Didn't Know to Ask For: - -#### A. Input Validation (CRITICAL) -```javascript -// NEVER trust user input! -function sanitizeNickname(input) { - // Remove dangerous characters - const clean = input - .replace(/[<>\"\'\\\/]/g, '') // No HTML/script injection - .replace(/[\x00-\x1F]/g, '') // No control characters - .trim() - .substring(0, 32); // Max length - - // Check against banned patterns - const banned = ['admin', 'system', 'ranger', 'commander']; - if (banned.some(b => clean.toLowerCase().includes(b))) { - throw new Error('Reserved nickname'); - } - - return clean; -} - -// Validate ALL WebSocket messages -function validateMessage(data) { - try { - const msg = JSON.parse(data); - - // Check required fields - if (!msg.type || typeof msg.type !== 'string') { - throw new Error('Invalid message type'); - } - - // Check payload size (prevent DoS) - if (JSON.stringify(msg).length > 65536) { - throw new Error('Message too large'); - } - - // Check for injection attempts - if (containsInjection(msg)) { - throw new Error('Injection detected'); - } - - return msg; - } catch (e) { - logSecurityEvent('INVALID_MESSAGE', { error: e.message, data }); 
- return null; - } -} -``` - -#### B. Rate Limiting (PREVENTS ABUSE) -```javascript -class RateLimiter { - constructor() { - this.limits = { - messages: { max: 10, window: 10000 }, // 10 msgs per 10s - connections: { max: 3, window: 60000 }, // 3 connects per min - registrations: { max: 1, window: 86400000 } // 1 reg per day per IP - }; - this.counters = new Map(); - } - - check(type, identifier) { - const key = `${type}:${identifier}`; - const now = Date.now(); - const limit = this.limits[type]; - - if (!this.counters.has(key)) { - this.counters.set(key, []); - } - - const timestamps = this.counters.get(key) - .filter(t => now - t < limit.window); - - if (timestamps.length >= limit.max) { - return { allowed: false, retryAfter: limit.window - (now - timestamps[0]) }; - } - - timestamps.push(now); - this.counters.set(key, timestamps); - return { allowed: true }; - } -} -``` - -#### C. Secure Key Storage (DON'T STORE PLAIN!) -```javascript -const crypto = require('crypto'); -const os = require('os'); - -class SecureKeyStorage { - // Derive encryption key from hardware + user password - deriveStorageKey(password) { - const hardwareId = this.getHardwareId(); - const salt = crypto.createHash('sha256') - .update(hardwareId + os.userInfo().username) - .digest(); - - return crypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256'); - } - - // Encrypt private key before storage - encryptPrivateKey(privateKeyPem, password) { - const key = this.deriveStorageKey(password); - const iv = crypto.randomBytes(16); - const cipher = crypto.createCipheriv('aes-256-gcm', key, iv); - - let encrypted = cipher.update(privateKeyPem, 'utf8', 'base64'); - encrypted += cipher.final('base64'); - - return { - encrypted, - iv: iv.toString('base64'), - authTag: cipher.getAuthTag().toString('base64') - }; - } - - // Decrypt on use - decryptPrivateKey(encryptedData, password) { - const key = this.deriveStorageKey(password); - const decipher = crypto.createDecipheriv( - 'aes-256-gcm', - key, - 
Buffer.from(encryptedData.iv, 'base64') - ); - decipher.setAuthTag(Buffer.from(encryptedData.authTag, 'base64')); - - let decrypted = decipher.update(encryptedData.encrypted, 'base64', 'utf8'); - decrypted += decipher.final('utf8'); - - return decrypted; - } -} -``` - -#### D. Session Security -```javascript -class SessionManager { - generateSessionToken(userId, hardwareId) { - const payload = { - userId, - hardwareId, - issuedAt: Date.now(), - expiresAt: Date.now() + (24 * 60 * 60 * 1000), // 24 hours - nonce: crypto.randomBytes(16).toString('hex') - }; - - // Sign the token - const signature = this.sign(JSON.stringify(payload)); - - return Buffer.from(JSON.stringify({ payload, signature })) - .toString('base64'); - } - - validateSessionToken(token, expectedHardwareId) { - try { - const { payload, signature } = JSON.parse( - Buffer.from(token, 'base64').toString() - ); - - // Check expiry - if (Date.now() > payload.expiresAt) { - return { valid: false, reason: 'expired' }; - } - - // Check hardware binding - if (payload.hardwareId !== expectedHardwareId) { - return { valid: false, reason: 'hardware_mismatch' }; - } - - // Verify signature - if (!this.verify(JSON.stringify(payload), signature)) { - return { valid: false, reason: 'invalid_signature' }; - } - - return { valid: true, payload }; - } catch (e) { - return { valid: false, reason: 'malformed' }; - } - } -} -``` - -#### E. 
Audit Logging (LEGAL PROTECTION) -```javascript -class AuditLogger { - constructor(dbPath) { - this.db = new Database(dbPath); - this.initSchema(); - } - - log(event) { - const entry = { - timestamp: new Date().toISOString(), - eventType: event.type, - userId: event.userId || null, - hardwareId: event.hardwareId || null, - ipAddress: event.ip || null, - action: event.action, - details: JSON.stringify(event.details || {}), - severity: event.severity || 'INFO' - }; - - this.db.insert('audit_log', entry); - - // Alert Commander for high severity - if (event.severity === 'CRITICAL') { - this.alertCommander(entry); - } - } - - // Required events to log: - // - User registration - // - Login attempts (success/fail) - // - Message sends (metadata only, not content!) - // - File transfers (metadata) - // - Admin actions - // - Kill switch triggers - // - Suspicious activity -} -``` - -#### F. Error Handling (DON'T LEAK INFO) -```javascript -// BAD - leaks internal details -app.use((err, req, res, next) => { - res.status(500).json({ - error: err.message, - stack: err.stack, // NEVER expose stack trace! - query: req.query // NEVER echo back user input! - }); -}); - -// GOOD - generic errors -app.use((err, req, res, next) => { - const errorId = crypto.randomBytes(8).toString('hex'); - - // Log full error internally - logger.error({ - errorId, - error: err.message, - stack: err.stack, - request: sanitize(req) - }); - - // Return generic message to user - res.status(500).json({ - error: 'An error occurred', - errorId: errorId, // User can report this ID - support: 'Contact support with this error ID' - }); -}); -``` - -#### G. 
Content Security (PREVENT ABUSE) -```javascript -class ContentFilter { - constructor() { - // Load filters - this.illegalPatterns = [ - /(?:^|\s)csam(?:\s|$)/i, // Child abuse material - /(?:^|\s)bomb(?:\s+making)?(?:\s|$)/i, - // etc - comprehensive list - ]; - - this.spamPatterns = [ - /(.)\1{10,}/, // Repeated characters - /(https?:\/\/[^\s]+\s*){5,}/, // Too many URLs - ]; - } - - check(content) { - // Check for illegal content - for (const pattern of this.illegalPatterns) { - if (pattern.test(content)) { - return { - allowed: false, - reason: 'ILLEGAL_CONTENT', - action: 'BLOCK_AND_REPORT' - }; - } - } - - // Check for spam - for (const pattern of this.spamPatterns) { - if (pattern.test(content)) { - return { - allowed: false, - reason: 'SPAM_DETECTED', - action: 'BLOCK' - }; - } - } - - return { allowed: true }; - } -} -``` - -#### H. TLS/WSS Configuration (ENCRYPT IN TRANSIT) -```javascript -const https = require('https'); -const fs = require('fs'); - -// For production - use proper certificates! -const server = https.createServer({ - key: fs.readFileSync('server-key.pem'), - cert: fs.readFileSync('server-cert.pem'), - - // Security settings - minVersion: 'TLSv1.2', // Minimum TLS version - ciphers: [ - 'ECDHE-ECDSA-AES128-GCM-SHA256', - 'ECDHE-RSA-AES128-GCM-SHA256', - 'ECDHE-ECDSA-AES256-GCM-SHA384', - 'ECDHE-RSA-AES256-GCM-SHA384' - ].join(':'), - honorCipherOrder: true -}); - -// WebSocket over TLS -const wss = new WebSocket.Server({ server }); -``` - ---- - -## 5. 
IMPLEMENTATION PHASES (REVISED) - -### Phase 1: Shared Identity Library (THIS WEEK) -**Files to Create**: -``` -/rangerblock/lib/ -├── identity-service.cjs # Core identity (ported from TS) -├── crypto-utils.cjs # RSA, signing, encryption -├── storage-utils.cjs # Cross-platform storage -├── hardware-id.cjs # Hardware fingerprinting -├── sync-manager.cjs # App sync logic -└── chain-registration.cjs # On-chain identity -``` - -### Phase 2: Update ranger-chat-lite -- Move identity to `~/.rangerblock/` -- Add RangerPlex detection -- Add on-chain registration -- Enable RSA signing - -### Phase 3: Auth Server + Just-Chat Updates -- Build server-only/auth-server.cjs -- Update blockchain-chat.cjs -- Update voice-chat.cjs - -### Phase 4: Kill Switch Integration -- Add Rain Protocol listeners -- Add Commander verification -- Test shutdown procedures - -### Phase 5: RangerPlex Integration -- Detect Chat Lite identity -- Migrate settings -- Unified dashboard - ---- - -## 6. QUICK REFERENCE - -### App Paths -| App | Identity Location | -|-----|-------------------| -| ranger-chat-lite | `~/.rangerblock/` (shared) | -| RangerPlex | `~/.rangerblock/` (shared) | -| blockchain-chat.cjs | `~/.rangerblock/` (shared) | -| voice-chat.cjs | `~/.rangerblock/` (shared) | - -### API Methods -| Method | Purpose | -|--------|---------| -| `getOrCreateIdentity()` | Get or create shared identity | -| `registerOnChain()` | Register identity on blockchain | -| `syncWithApps()` | Sync settings across apps | -| `validateIdentity()` | Verify identity is valid | -| `migrateFromApp()` | Import from other app | - ---- - -## 7. SUMMARY OF CHANGES (v2.0) - -1. **On-Chain Registration**: Every identity gets registered on the blockchain -2. **App Sync**: ranger-chat-lite ↔ RangerPlex automatic sync -3. **Settings Migration**: Seamless upgrade from Lite to Full -4. **Shared Storage**: `~/.rangerblock/` used by ALL apps -5. 
**Security Additions**: - - Input validation - - Rate limiting - - Encrypted key storage - - Session security - - Audit logging - - Error handling (no info leaks) - - Content filtering - - TLS/WSS configuration - ---- - -**Document Classification**: COMMANDER EYES ONLY -**Version**: 2.0 -**Created**: December 3, 2024 -**Author**: Ranger (AIR9cd99c4515aeb3f6) -**For**: David Keane (IR240474) - -🎖️ Rangers lead the way! diff --git a/identity/claude/classified/legal/README.md b/identity/claude/classified/legal/README.md deleted file mode 100644 index edead4f..0000000 --- a/identity/claude/classified/legal/README.md +++ /dev/null 
@@ -1,83 +0,0 @@ -# RangerBlock Legal Documents - -## CLASSIFICATION: PRIVATE -**DO NOT UPLOAD TO PUBLIC GIT** - ---- - -## Contents - -| File | Purpose | -|------|---------| -| `terms_v1.0.json` | Structured terms for app integration | -| `terms_v1.0.txt` | Plain text version for display | -| `README.md` | This file | - ---- - -## Key Decisions - -### 18+ ONLY Policy -- **Decision Date**: December 4, 2025 -- **Decided By**: David Keane (IrishRanger) -- **Reasoning**: - - No minors = no targets for predators - - Adults are responsible for their behaviour - - Children have other age-appropriate apps - - Protects the entire RangerBlock community - -### CRITICAL: 18+ Does NOT Mean "Adult Content Site" - -**This distinction must be CRYSTAL CLEAR to all users.** - -| 18+ MEANS | 18+ DOES NOT MEAN | -|-----------|-------------------| -| Mature users | Porn allowed | -| Responsible adults | Sexual content OK | -| Legally accountable | "Anything goes" | -| Professional conduct | Dating site | - -**Why this matters:** -A bad actor might see "18+ site" and think "Great, I can send dick pics!" - -**Our response:** INSTANT BAN + POLICE REPORT - -### Strictly Prohibited Content -- ANY pornography or sexual images -- Child sexual abuse material (CSAM) - reported to NCMEC/Gardai -- Unsolicited sexual content (dick pics, nudes) -- Grooming behaviour -- Gore/death images -- Hate speech/extremism - -### Permitted Content -- Normal photos (selfies, landscapes, memes) -- Gaming screenshots and videos -- Gaming violence discussion (Battlefield tactics, K/D, etc.) -- Professional content -- General conversation - -### Gaming Context Exception -- "I'll kill you in Battlefield" = OK (gaming context) -- "I'll kill you IRL" = NOT OK (ban + report) - ---- - -## Version History - -| Version | Date | Changes | -|---------|------|---------| -| 1.0.0 | 2025-12-04 | Initial release with 18+ and content policy | - ---- - -## Testing Plan - -1. **MSI Vector (Windows)** - Test consent flow -2. 
**AWS Kali (Linux)** - Test server consent -3. Review and adjust based on testing -4. Upload to git only after approval - ---- - -*Rangers lead the way!* diff --git a/identity/claude/classified/legal/terms_v1.0.json b/identity/claude/classified/legal/terms_v1.0.json deleted file mode 100644 index b5b572c..0000000 --- a/identity/claude/classified/legal/terms_v1.0.json +++ /dev/null 
@@ -1,177 +0,0 @@ -{ - "version": "1.0.0", - "effectiveDate": "2025-12-04", - "lastUpdated": "2025-12-04", - "jurisdiction": "Republic of Ireland", - "minimumAge": 18, - "hash": null, - "terms": { - "title": "RANGERBLOCK TERMS OF USE & FAIR USE POLICY", - "sections": [ - { - "id": "age_restriction", - "title": "AGE RESTRICTION - ADULTS ONLY", - "content": [ - "RangerBlock is an ADULTS ONLY (18+) platform.", - "By using this software, you confirm you are at least 18 years of age.", - "This restriction exists to protect all users and maintain a responsible community.", - "Misrepresentation of age is a violation of these terms and may result in permanent ban.", - "If you are under 18, please use age-appropriate communication platforms." - ] - }, - { - "id": "fair_use", - "title": "1. FAIR USE", - "content": [ - "You will use this software for lawful purposes only.", - "You will not engage in harassment, threats, bullying, or abuse of any kind.", - "You will respect other users' privacy, dignity, and rights.", - "You will not use this platform for illegal activities including but not limited to fraud, money laundering, or distribution of illegal content.", - "Threats of violence, even in jest, are not permitted unless clearly in gaming context (e.g., 'I'll get you in Battlefield' is acceptable)." - ] - }, - { - "id": "no_harm", - "title": "2. NO HARM CLAUSE", - "content": [ - "You will not use this software to harm others physically, emotionally, financially, or reputationally.", - "You will not distribute malware, viruses, ransomware, or any malicious software.", - "You will not attempt to compromise network security, servers, or other users' devices.", - "You will not engage in doxxing, swatting, or any form of real-world harassment.", - "You will not share personal information of others without their explicit consent." - ] - }, - { - "id": "legal_compliance", - "title": "3. 
LEGAL COMPLIANCE", - "content": [ - "You agree to comply with all applicable local, national, and international laws.", - "THIS SOFTWARE DOES NOT PROTECT YOU FROM LEGAL CONSEQUENCES.", - "Bad actors will be reported to appropriate law enforcement authorities.", - "Your identity is cryptographically linked to your actions - denial is not possible.", - "We cooperate fully with law enforcement investigations when legally required.", - "Using encryption or anonymity features does not exempt you from legal responsibility." - ] - }, - { - "id": "identity_responsibility", - "title": "4. IDENTITY RESPONSIBILITY", - "content": [ - "Your RangerBlock identity is linked to your hardware device.", - "You are solely responsible for ALL actions taken under your identity.", - "Your identity cannot be transferred, sold, or shared with others.", - "If your device is compromised, report it immediately to administrators.", - "Creating multiple identities to evade bans is a violation of these terms." - ] - }, - { - "id": "network_conduct", - "title": "5. NETWORK CONDUCT", - "content": [ - "You will not flood, spam, or disrupt network services.", - "You will not attempt to impersonate other users or administrators.", - "You will not exploit bugs or vulnerabilities for personal gain.", - "You will report security vulnerabilities responsibly to administrators.", - "You will not attempt to intercept, decrypt, or eavesdrop on other users' communications.", - "Denial of service attacks are strictly prohibited and will be reported to authorities." - ] - }, - { - "id": "content_policy", - "title": "6. 
CONTENT POLICY - THIS IS NOT AN ADULT CONTENT SITE", - "content": [ - "*** 18+ MEANS MATURE & RESPONSIBLE - NOT 'ANYTHING GOES' ***", - "", - "STRICTLY PROHIBITED (instant ban + law enforcement report):", - "- ANY pornographic content or sexual images", - "- ANY child sexual abuse material (CSAM) - reported to NCMEC/Gardai immediately", - "- Unsolicited sexual content (dick pics, nudes, etc.)", - "- Grooming behaviour of ANY kind", - "- Gore, death images, or extreme violence", - "- Content depicting real violence against real people", - "- Hate speech, discrimination, or extremist content", - "", - "PERMITTED:", - "- Normal photos and images (selfies, landscapes, memes, etc.)", - "- Gaming screenshots and videos", - "- Gaming violence discussion (Battlefield tactics, K/D ratios, etc.)", - "- Professional/work-related content", - "- General conversation between adults", - "", - "THE 18+ REQUIREMENT EXISTS FOR:", - "- Ensuring users are legally responsible for their actions", - "- Protecting against predatory behaviour toward minors", - "- Maintaining mature, respectful discourse", - "- NOT for enabling sexual or explicit content", - "", - "If you think '18+ site' means you can send inappropriate content - YOU ARE WRONG.", - "This is a COMMUNICATION platform, not a dating/adult site." - ] - }, - { - "id": "data_privacy", - "title": "7. DATA & PRIVACY", - "content": [ - "Your public key and username are visible to other users on the network.", - "Message content may be temporarily stored on relay servers for delivery.", - "We do not sell, share, or monetize your personal data.", - "You control your own encryption keys - we cannot read your encrypted messages.", - "Server logs are maintained for security and may be provided to law enforcement if required.", - "You may request deletion of your account and associated data." - ] - }, - { - "id": "disclaimer", - "title": "8. 
DISCLAIMER", - "content": [ - "This software is provided 'AS IS' without warranty of any kind.", - "No warranty of merchantability or fitness for a particular purpose is provided.", - "Use this software at your own risk.", - "The developers are not liable for any damages arising from use of this software.", - "We do not guarantee uptime, availability, or data preservation.", - "Backup your own data - we are not responsible for data loss." - ] - }, - { - "id": "enforcement", - "title": "9. ENFORCEMENT", - "content": [ - "Violations may result in warnings, temporary suspension, or permanent ban.", - "Severe violations will be reported to law enforcement.", - "Bans are linked to your hardware identity - creating new accounts will not help.", - "Appeals may be submitted to administrators but decisions are final.", - "Administrators reserve the right to remove any user for any reason." - ] - }, - { - "id": "jurisdiction", - "title": "10. JURISDICTION", - "content": [ - "These terms are governed by the laws of the Republic of Ireland.", - "The courts of Dublin, Ireland have exclusive jurisdiction over disputes.", - "If any provision is found unenforceable, other provisions remain in effect.", - "These terms constitute the entire agreement between you and RangerBlock." - ] - } - ], - "acceptance": { - "checkbox_text": "I confirm that I am at least 18 years old and I have read, understood, and agree to these Terms of Use.", - "accept_button": "I Accept", - "decline_button": "I Decline", - "decline_message": "You must accept the Terms of Use to use RangerBlock. The application will now close." - }, - "signature_statement": "By accepting, your agreement is cryptographically signed with your private key and recorded. This acceptance cannot be denied or disputed." 
- }, - "metadata": { - "created_by": "David Keane (IrishRanger)", - "assistant": "Claude Code (Ranger)", - "purpose": "Legal protection for RangerBlock platform", - "notes": [ - "18+ ONLY - deliberate decision to protect community", - "No minors = no targets for predators", - "Adults are responsible for their own behaviour", - "Gaming violence discussion is explicitly permitted", - "DO NOT UPLOAD TO GIT until tested" - ] - } -} diff --git a/identity/claude/classified/legal/terms_v1.0.txt b/identity/claude/classified/legal/terms_v1.0.txt deleted file mode 100644 index 84c3753..0000000 --- a/identity/claude/classified/legal/terms_v1.0.txt +++ /dev/null 
@@ -1,154 +0,0 @@ -================================================================================ - RANGERBLOCK TERMS OF USE & FAIR USE POLICY - Version 1.0.0 - Effective: December 4, 2025 -================================================================================ - - *** ADULTS ONLY (18+) *** - -RangerBlock is an ADULTS ONLY platform. By using this software, you confirm -you are at least 18 years of age. This restriction exists to protect all -users and maintain a responsible community. - -If you are under 18, please use age-appropriate communication platforms. - -================================================================================ - 1. FAIR USE -================================================================================ - -- You will use this software for lawful purposes only. -- You will not engage in harassment, threats, bullying, or abuse. -- You will respect other users' privacy, dignity, and rights. -- You will not use this platform for illegal activities. -- Threats of violence are not permitted UNLESS clearly in gaming context - (e.g., "I'll get you in Battlefield" is acceptable). - -================================================================================ - 2. NO HARM CLAUSE -================================================================================ - -- You will not use this software to harm others. -- You will not distribute malware or malicious software. -- You will not compromise network security or other users' devices. -- You will not engage in doxxing, swatting, or real-world harassment. -- You will not share others' personal information without consent. - -================================================================================ - 3. LEGAL COMPLIANCE -================================================================================ - -- You agree to comply with all applicable laws. - - *** THIS SOFTWARE DOES NOT PROTECT YOU FROM LEGAL CONSEQUENCES *** - -- Bad actors WILL be reported to law enforcement. 
-- Your identity is cryptographically linked to your actions. -- We cooperate fully with law enforcement when legally required. -- Using encryption does not exempt you from legal responsibility. - -================================================================================ - 4. IDENTITY RESPONSIBILITY -================================================================================ - -- Your identity is linked to your hardware device. -- You are responsible for ALL actions under your identity. -- Your identity cannot be transferred or shared. -- Creating multiple identities to evade bans is prohibited. - -================================================================================ - 5. NETWORK CONDUCT -================================================================================ - -- You will not flood, spam, or disrupt services. -- You will not impersonate other users or administrators. -- You will report security vulnerabilities responsibly. -- Denial of service attacks will be reported to authorities. - -================================================================================ - 6. CONTENT POLICY - THIS IS NOT AN ADULT CONTENT SITE -================================================================================ - - *** 18+ MEANS MATURE & RESPONSIBLE - NOT "ANYTHING GOES" *** - -STRICTLY PROHIBITED (instant ban + law enforcement report): - - - ANY pornographic content or sexual images - - ANY child sexual abuse material (CSAM) - (Reported to NCMEC/Gardai IMMEDIATELY) - - Unsolicited sexual content (dick pics, nudes, etc.) - - Grooming behaviour of ANY kind - - Gore, death images, or extreme violence - - Real violence against real people - - Hate speech, discrimination, or extremist content - -PERMITTED: - - - Normal photos and images (selfies, landscapes, memes, etc.) - - Gaming screenshots and videos - - Gaming violence discussion (Battlefield tactics, K/D ratios, etc.) 
- - Professional/work-related content - - General conversation between adults - -THE 18+ REQUIREMENT EXISTS FOR: - - - Ensuring users are legally responsible for their actions - - Protecting against predatory behaviour toward minors - - Maintaining mature, respectful discourse - - NOT for enabling sexual or explicit content - -If you think "18+ site" means you can send inappropriate content: - *** YOU ARE WRONG *** - -This is a COMMUNICATION platform, not a dating/adult site. - -================================================================================ - 7. DATA & PRIVACY -================================================================================ - -- Your public key and username are visible to other users. -- We do NOT sell or monetize your data. -- You control your own encryption keys. -- Server logs may be provided to law enforcement if required. - -================================================================================ - 8. DISCLAIMER -================================================================================ - -- This software is provided "AS IS" without warranty. -- Use at your own risk. -- We are not liable for damages from use of this software. -- Backup your own data. - -================================================================================ - 9. ENFORCEMENT -================================================================================ - -- Violations may result in warnings, suspension, or permanent ban. -- Severe violations WILL be reported to law enforcement. -- Bans are linked to hardware - new accounts won't help. -- Administrator decisions are final. - -================================================================================ - 10. JURISDICTION -================================================================================ - -- Governed by laws of the Republic of Ireland. -- Dublin courts have exclusive jurisdiction. 
- -================================================================================ - ACCEPTANCE -================================================================================ - -By clicking "I Accept" or continuing to use this software, you confirm: - - [ ] I am at least 18 years old - [ ] I have read and understood these terms - [ ] I agree to be bound by these terms - -Your acceptance is CRYPTOGRAPHICALLY SIGNED with your private key. -This creates a legally binding record that cannot be denied or disputed. - -================================================================================ - Created by: IrishRanger + Ranger - Rangers lead the way! -================================================================================
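Review bot: the trailer of the deleted CHANGELOG.md carries `**Created**: December 3, 2024` next to `**Version**: 2.0`, while every other date in this patch (the legal README's `Decision Date: December 4, 2025`, the JSON's `"effectiveDate": "2025-12-04"`) is December 2025; the year looks like a typo and should be corrected or the file dropped with a note saying why. The "Security Additions" list (input validation, rate limiting, encrypted key storage, TLS/WSS configuration, ...) names controls without pointing at where any of them live, so it cannot be checked against the code; if the changelog is kept anywhere, each item should cite the file or module that implements it.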
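Review bot: the deleted legal/README.md is headed `**DO NOT UPLOAD TO PUBLIC GIT**` and its testing plan ends with "Upload to git only after approval", yet the file is tracked (index edead4f) and this change only removes it from the working tree. A `git rm` leaves the blob reachable in history, so every clone and the remote still hold it; if the intent is to un-publish, rewrite history (for example with git filter-repo) before pushing, and add the `identity/claude/classified/` path to `.gitignore` so it is not re-added by accident.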
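Review bot: in the deleted terms_v1.0.json, `"hash": null` sits alongside a `signature_statement` that says the agreement "is cryptographically signed with your private key and recorded", so nothing binds the signature to a particular revision of the terms. The hash should be the digest of the canonical terms text (together with `version`) and be populated before the file ships, otherwise an acceptance record cannot be matched to the wording the user was shown. Related, "This acceptance cannot be denied or disputed" and section 3's "denial is not possible" overstate what a signature proves: a valid signature shows the private key was used, not that the account holder used it, and section 4 itself anticipates a compromised device ("If your device is compromised, report it immediately"). State what is actually attested and keep a revocation path for compromised keys.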
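Review bot: the README describes terms_v1.0.txt as the "Plain text version for display" of terms_v1.0.json, but the two deleted files diverge. Section 5 in the JSON has six clauses (including the bans on exploiting bugs and on intercepting other users' communications) while the text version lists four; section 7 in the JSON includes "Message content may be temporarily stored on relay servers for delivery" and the right to request account deletion, both absent from the text; and the text's acceptance block offers three checkboxes where the JSON defines a single `checkbox_text`. If the app displays the .txt but signs and records the .json, the signed record covers terms the user never read. Generate one file from the other (or hash the displayed text itself) so they cannot drift.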