ranger/CyberRanger
0
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove classified/ folder — RangerBlock plans, not relevant to CyberRanger CA1

Browse Source 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
David Keane
2026-04-21 16:39:29 +01:00
parent 47c491525a
commit 6dcf9c1725
10 changed files with 0 additions and 3967 deletions
Download Patch File Download Diff File Expand all files Collapse all files
identity/claude/classified/CHANGELOG.md
-413
View File
@@ -1,413 +0,0 @@
# RangerBlock Classified Documents Changelog
All notable changes to classified/security documents.
**CLASSIFICATION**: PRIVATE - DO NOT UPLOAD TO GIT
---
## [1.8.0] - 2025-12-04
### PLANNED - Secure Communication Contracts (SENTINEL COMMS PROTOCOL)
**STATUS: PLANNING**
#### Planning Document Created
| File | Purpose |
|------|---------|
| `RANGERBLOCK_SECURE_COMM_CONTRACTS_PLAN.md` | Full implementation plan |
#### Three Communication Contracts Planned
| Contract | Codename | Purpose |
|----------|----------|---------|
| **RangerTextChat** | WHISPER | Secure text messaging with 99.99% identity verification |
| **RangerVoiceChat** | ECHO | Secure voice calls with blockchain identity verification |
| **RangerVideoChat** | VISION | Secure video calls with face-to-identity confirmation |
#### Identity Verification Features (All Contracts)
| Layer | What It Proves |
|-------|----------------|
| On-chain registration | User went through registration process |
| Hardware ID binding | Using the same physical device |
| RSA signature | Has the private key (not just username) |
| Challenge-response | Key is available NOW (not stolen) |
| Session signature | Both parties actively participating |
#### Why 99.99% Certainty?
- Both parties prove identity via on-chain signatures
- Challenge-response authentication before every session
- Hardware-bound keys prevent key theft
- Immutable audit trail of who talked to whom (not content!)
#### Implementation Phases
1. **Phase 1**: RangerTextChat (integrate with existing chat)
2. **Phase 2**: RangerVoiceChat (build voice-chat.cjs integration)
3. **Phase 3**: RangerVideoChat (WebRTC integration)
4. **Phase 4**: Unified Communications (single "Secure Call" button)
#### RangerChat Lite v1.5.0 Updated
- Added 3 "Coming Soon" contracts to Smart Contracts settings
- Pink "communication" category badge
- Shows WHISPER/ECHO/VISION protocol names
---
## [1.7.0] - 2025-12-04
### IMPLEMENTED - File Transfer Smart Contracts (COURIER PROTOCOL)
**STATUS: COMPLETE**
#### Smart Contracts Created
| File | Location | Purpose |
|------|----------|---------|
| `RangerFileTransfer.sol` | `Blockchain/contracts/` | Ethereum file transfer contract |
| `ranger_file_transfer.rs` | `Blockchain/contracts/solana/` | Solana file transfer contract |
| `file-transfer-service.cjs` | `rangerblock/lib/` | JavaScript integration service |
#### Use Cases
- **Legal file transfers** - Immutable proof of sender/receiver
- **Sensitive documents** - Chain of custody for files
- **.rangerblock verification** - Hash validation on blockchain
- **Formal agreements** - Both parties sign the contract
#### Transfer Flow
```
1. Sender creates transfer request with file hash
2. Receiver accepts or rejects
3. Both parties sign (cryptographic signatures)
4. File transferred as .rangerblock package
5. Receiver verifies hash, marks complete
6. Immutable record on blockchain
```
#### Transfer Modes
| Mode | Command | Description |
|------|---------|-------------|
| **Informal** | `/file accept on` | Quick transfer, no contract |
| **Formal** | `/contract send <user>` | Creates blockchain record |
#### .rangerblock File Format
```
RNGBLK01 # Magic number (8 bytes)
metadata_length (4 bytes) # Little-endian uint32
metadata (JSON) # File info, hashes, etc.
compressed_data # zlib compressed original
```
#### Chat Commands (file-transfer-service.cjs)
| Command | Action |
|---------|--------|
| `/file accept on` | Enable informal file receiving |
| `/file accept off` | Disable file receiving |
| `/file send <user> <path>` | Send file informally |
| `/contract send <user> <path>` | Create formal transfer contract |
| `/contract accept <id>` | Accept pending transfer |
| `/contract reject <id>` | Reject pending transfer |
| `/contract status <id>` | Check transfer status |
#### Security Features
- **SHA-256 checksums** - File integrity verification
- **zlib compression** - Efficient file packaging
- **24-hour expiry** - Transfers auto-expire
- **Signature verification** - Both parties cryptographically sign
- **Status tracking** - PENDING → ACCEPTED → COMPLETED
---
## [1.6.0] - 2025-12-04
### IMPLEMENTED - Multi-Chain Smart Contracts (BRIDGE PROTOCOL)
**STATUS: COMPLETE**
#### Solana/Anchor Contracts Created
Location: `Blockchain/contracts/solana/`
| File | Size | Purpose |
|------|------|---------|
| `ranger_registration.rs` | 14KB | User registration + consent (Solana) |
| `ranger_token.rs` | 11KB | SPL Token with 20 EUR/day limit |
| `ranger_bridge.rs` | 19KB | Cross-chain conversion bridge |
| `Anchor.toml` | 1KB | Anchor project config |
| `README.md` | 3KB | Setup & deployment guide |
#### Ethereum/Solidity Contracts Created
Location: `Blockchain/contracts/`
| File | Size | Purpose |
|------|------|---------|
| `RangerRegistration.sol` | 14KB | User registration + consent (Ethereum) |
| `RangerBridge.sol` | 16KB | Cross-chain conversion bridge |
#### Bridge Features (Both Chains)
| Conversion | Rate (Example) |
|------------|----------------|
| RangerCoin ↔ Bitcoin (WBTC) | 1 BTC = 40,000 RNGR |
| RangerCoin ↔ Ethereum | 1 ETH = 2,000 RNGR |
| RangerCoin ↔ Solana | 1 SOL = 100 RNGR |
| RangerCoin ↔ USDC | 1:1 (stablecoin) |
#### Security Features
- **20 EUR/day conversion limit** - Prevents abuse
- **1% fee** - Goes to treasury
- **Oracle-based rates** - Admin-updateable prices
- **Pause function** - Emergency freeze (RAIN Protocol)
- **Liquidity pools** - Admin can add/remove
#### Deployment Options
| Platform | IDE/Tool |
|----------|----------|
| Ethereum | Remix IDE (https://remix.ethereum.org) |
| Solana | Solana Playground (https://beta.solpg.io) |
---
## [1.5.0] - 2025-12-04
### IMPLEMENTED - Admin Dashboard v1.2.1 (RAIN PROTOCOL ENHANCEMENT)
**STATUS: COMPLETE**
#### Admin Dashboard Updates (`~/.claude/ranger/admin/admin-dashboard.cjs`)
**New Views Added:**
| Key | View | Purpose |
|-----|------|---------|
| `[C]` | Blockchain Live | Real-time transaction feed with color-coding |
| `[K]` | KILL SWITCH | Emergency controls (RED background) |
| `[L]` | All Users List | Complete user directory (online + offline) |
**Blockchain Live Features:**
- Live transaction feed (last 15)
- Color-coded by type: green=message, yellow=registration, magenta=file, cyan=voice
- Session statistics (messages, registrations, files, total)
- `/trace <hash>` - Trace message origin for security
- `/clear-log` - Clear transaction log
**Kill Switch (RAIN PROTOCOL) - Enhanced:**
- Shows ALL connected users with: Name, User ID, IP Address, App Type
- Highlights: Crown for Supreme Admin, Star for Admins
- Shows "Total at risk: X user(s)" count
- 9 emergency action options
**Kill Switch Commands:**
| Command | Action |
|---------|--------|
| `/kill-disconnect` | Disconnect all users |
| `/kill-shutdown` | Shutdown relay server |
| `/kill-broadcast <msg>` | Emergency message to all |
| `/kill-lockdown` | Block new connections |
| `/kill-ban-all` | Ban ALL connected + disconnect (excludes supreme) |
| `/kill-revoke-all` | Revoke ALL registrations |
| `/kick-quick <user>` | Quick kick by name/partial ID |
| `/ban-quick <user>` | Quick ban by name/partial ID |
| `/kill-nuclear` | Full network shutdown (NUCLEAR) |
**Navigation:**
- `[X]` key - Exit Kill Switch safely (return to Dashboard)
- `[F]` key - Refresh (changed from 'r' to avoid conflict with Registrations)
**User Details Enhanced:**
- Full user info: ID, Role, IP, App Type, Version, Channel, Join time
- Registration status shown (approved/pending/denied)
- Moderation badges (SUPREME, BANNED, TIMEOUT)
---
## [1.4.0] - 2025-12-04
### IMPLEMENTED - Registration & Contracts System (SENTINEL PROTOCOL)
**STATUS: COMPLETE**
#### Files Created
| File | Location | Purpose |
|------|----------|---------|
| `RangerRegistration.sol` | `Blockchain/contracts/` | Solidity contract for Remix |
| `consent-service.cjs` | `rangerblock/lib/` | Terms acceptance & verification |
| `registration-service.cjs` | `rangerblock/lib/` | Registration block creation |
| `admin-registry.cjs` | `~/.claude/ranger/admin/` | Updated with registration queue |
| `admin-dashboard.cjs` | `~/.claude/ranger/admin/` | Updated with Registrations tab |
#### Smart Contract Features (RangerRegistration.sol)
- User registration with consent bundled
- Hardware ID tracking (ban evasion prevention)
- Admin approve/deny/revoke functions
- Status: PENDING → APPROVED/DENIED/REVOKED
- Event logging for all actions
- 428 lines of production-ready Solidity code
#### Admin Dashboard Integration (COMPLETE)
- New "[R] Registrations" tab
- View pending registrations queue
- Approve/Deny with commands
- View registration details
- Hardware ban enforcement
- Commands: `/reg-approve`, `/reg-deny`, `/reg-revoke`, `/reg-revoke-ban`, `/reg-info`
#### Privilege System
| Status | Access Level |
|--------|--------------|
| PENDING | View-only (no send) |
| APPROVED | Full access |
| DENIED | No access |
| REVOKED | No access |
---
## [1.3.0] - 2025-12-04
### Added - Registration & Contracts System Plan (SENTINEL PROTOCOL)
#### Planning Documents
- `RANGERBLOCK_REGISTRATION_CONTRACTS_PLAN.md` - Full implementation plan
---
## [1.2.0] - 2025-12-04
### Added - Consent & Legal System (GUARDIAN PROTOCOL)
#### Legal Documents
Location: `~/.claude/ranger/classified/legal/`
| File | Purpose |
|------|---------|
| `terms_v1.0.json` | Machine-readable terms for app integration |
| `terms_v1.0.txt` | Human-readable display version |
| `README.md` | Legal folder documentation |
#### Consent System Plan
- `RANGERBLOCK_CONSENT_SYSTEM_PLAN.md` - Full implementation plan
#### Key Policy Decisions
**18+ ONLY Platform**
- Decision by: David Keane (IrishRanger)
- Reasoning: No minors = no targets for predators
- Children have other age-appropriate apps
- Adults are responsible for their behaviour
**CRITICAL: 18+ ≠ Adult Content Site**
| STRICTLY PROHIBITED | PERMITTED |
|---------------------|-----------|
| ANY pornography | Normal photos (selfies, landscapes) |
| CSAM → reported to Gardai/NCMEC | Gaming screenshots/videos |
| Dick pics / unsolicited nudes | Gaming violence discussion |
| Grooming behaviour | Professional content |
| Gore / death images | General adult conversation |
| Hate speech / extremism | Memes |
**Gaming Context Exception**
- "I'll kill you in Battlefield" = OK (gaming)
- "I'll kill you IRL" = BAN + POLICE REPORT
#### Why This Matters
Bad actors might think: "18+ site = I can send dick pics!"
Our response: **INSTANT BAN + HARDWARE ID BLOCKED + POLICE REPORT**
The terms make it CRYSTAL CLEAR:
- This is a COMMUNICATION platform
- NOT a dating/adult site
- 18+ is for RESPONSIBILITY, not explicit content
### Testing Plan
1. MSI Vector (Windows) - Test consent flow
2. AWS Kali (Linux) - Test server consent
3. Review and adjust
4. Git upload only after full testing
---
## [1.1.0] - 2025-12-03
### Added - Security Integration Plan v2
#### Files
- `RANGERBLOCK_SECURITY_INTEGRATION_PLAN_v2.md` - Shepherd Protocol
- Updated identity sync architecture
- On-chain registration flow
---
## [1.0.0] - 2025-12-03
### Added - Initial Security Documents
#### Files
- `RANGERBLOCK_SECURITY_INTEGRATION_PLAN.md` - Original security plan
- `RANGERBLOCK_KILL_SWITCH_PLAN.md` - RAIN Protocol (emergency shutdown)
---
## Document Inventory
```
~/.claude/ranger/classified/
├── CHANGELOG.md # This file
├── RANGERBLOCK_CONSENT_SYSTEM_PLAN.md # Guardian Protocol
├── RANGERBLOCK_SECURITY_INTEGRATION_PLAN.md # Shepherd Protocol v1
├── RANGERBLOCK_SECURITY_INTEGRATION_PLAN_v2.md # Shepherd Protocol v2
├── RANGERBLOCK_KILL_SWITCH_PLAN.md # RAIN Protocol
├── RANGERBLOCK_SECURE_COMM_CONTRACTS_PLAN.md # Sentinel Comms Protocol (NEW)
└── legal/
├── README.md
├── terms_v1.0.json
└── terms_v1.0.txt
~/.claude/ranger/admin/
├── admin-dashboard.cjs # Admin control panel v1.2.1
├── admin-registry.cjs # User/node registry
└── reports/ # Exported reports
~/rangerplex-ai/Blockchain/contracts/
├── RangerRegistration.sol # Ethereum registration
├── RangerBridge.sol # Ethereum bridge
├── RangerFileTransfer.sol # Ethereum file transfer (NEW)
└── solana/
├── ranger_registration.rs # Solana registration
├── ranger_token.rs # Solana SPL token
├── ranger_bridge.rs # Solana bridge
├── ranger_file_transfer.rs # Solana file transfer (NEW)
├── Anchor.toml # Anchor config
└── README.md # Deployment guide
~/rangerplex-ai/rangerblock/lib/
├── file-transfer-service.cjs # File transfer service (NEW)
├── identity-service.cjs # Identity + encryption
├── consent-service.cjs # Terms acceptance
├── registration-service.cjs # Registration blocks
└── ... # Other lib files
```
---
## Authors
- David Keane (IrishRanger) - Supreme Commander
- Claude Code (Ranger) - AI Operations Commander
Rangers lead the way! 🎖️
identity/claude/classified/RANGERBLOCK_CONSENT_SYSTEM_PLAN.md
-571
View File
@@ -1,571 +0,0 @@
# RANGERBLOCK CONSENT & LEGAL ACCEPTANCE SYSTEM
## Project Codename: "GUARDIAN PROTOCOL"
### Version 1.0.0 - December 4, 2025
---
## CLASSIFICATION: PRIVATE
**DO NOT COMMIT TO PUBLIC GIT**
---
## 1. EXECUTIVE SUMMARY
### The Problem
Users can currently use RangerBlock apps without agreeing to terms of use. This creates legal exposure and doesn't protect against bad actors claiming ignorance.
### The Solution
A unified consent system that:
1. **Requires acceptance** before full app functionality
2. **Links consent to identity** (cryptographically signed)
3. **Enforces privileges** (non-accepted users have restrictions)
4. **Tracks in admin** (dashboard shows consent status)
5. **Provides evidence** (signed consent = legal proof)
### Apps Covered
| App | Type | Consent Required |
|-----|------|------------------|
| ranger-chat-lite | Electron desktop | Yes - first launch |
| just-chat | Terminal client | Yes - first run |
| server-only | Server deployment | Yes - setup script |
| RangerPlex | Full browser | Yes - first launch |
| Admin Panel | Private dashboard | No - admin-only |
---
## 2. LEGAL FRAMEWORK
### Consent Form Content (Summary)
```
RANGERBLOCK TERMS OF USE & FAIR USE POLICY
==========================================
By using RangerBlock software, you acknowledge and agree:
1. FAIR USE
- You will use this software for lawful purposes only
- You will not engage in harassment, threats, or abuse
- You will respect other users' privacy and rights
2. NO HARM CLAUSE
- You will not use this software to harm others
- You will not distribute malware or malicious content
- You will not attempt to compromise network security
3. LEGAL COMPLIANCE
- You agree to comply with all applicable laws
- This software does NOT protect you from legal consequences
- Bad actors will be reported to appropriate authorities
4. IDENTITY RESPONSIBILITY
- Your identity is linked to your hardware
- You are responsible for all actions under your identity
- Identity cannot be transferred or shared
5. NETWORK CONDUCT
- You will not flood, spam, or disrupt the network
- You will not attempt to impersonate other users
- You will report security vulnerabilities responsibly
6. DATA & PRIVACY
- Your public key and username are visible to other users
- Message content may be stored on relay servers
- We do not sell or share your data with third parties
7. DISCLAIMER
- This software is provided "AS IS"
- No warranty of merchantability or fitness
- Use at your own risk
8. JURISDICTION
- Governed by laws of Republic of Ireland
- Dublin courts have exclusive jurisdiction
By clicking "I Accept" or using this software, you confirm:
- You are at least 18 years old (ADULTS ONLY)
- You have read and understood these terms
- You agree to be bound by these terms
IMPORTANT: RangerBlock is an ADULTS ONLY (18+) platform.
This is a deliberate security decision to protect all users.
Acceptance is recorded with your cryptographic signature.
Date: [timestamp]
Identity: [userId]
Signature: [RSA signature of terms hash]
```
---
## 3. TECHNICAL ARCHITECTURE
### 3.1 Storage Structure
```
~/.rangerblock/
├── consent/ # NEW FOLDER
│ ├── terms_v1.0.json # Current terms (version tracked)
│ ├── acceptance.json # User's acceptance record
│ └── history/ # Historical acceptances
│ └── accepted_2025-12-04.json
├── identity/
├── keys/
└── ...
```
### 3.2 Acceptance Record Structure
```javascript
// ~/.rangerblock/consent/acceptance.json
{
"currentTermsVersion": "1.0.0",
"acceptances": [
{
"termsVersion": "1.0.0",
"termsHash": "sha256_of_terms_text",
"acceptedAt": "2025-12-04T10:30:00.000Z",
"userId": "rb_c5d415076f04e989",
"publicKeyHash": "hash_of_public_key",
"signature": "RSA_signature_of_acceptance",
"appType": "ranger-chat-lite",
"ipAddress": "192.168.1.100", // Local only, not sent to server
"platform": {
"os": "darwin",
"arch": "arm64",
"hostname": "M3Pro"
}
}
],
"lastChecked": "2025-12-04T10:30:00.000Z"
}
```
### 3.3 New Lib File: consent-service.cjs
```javascript
// Location: /rangerblock/lib/consent-service.cjs
class ConsentService {
constructor(identityService) {
this.identity = identityService;
this.consentDir = path.join(os.homedir(), '.rangerblock', 'consent');
this.currentTermsVersion = '1.0.0';
}
// Check if user has accepted current terms
hasAcceptedTerms() { }
// Get acceptance record
getAcceptanceRecord() { }
// Record new acceptance (signed)
async acceptTerms(signature) { }
// Verify acceptance signature
verifyAcceptance(record) { }
// Get terms text
getTermsText() { }
// Get terms hash (for signing)
getTermsHash() { }
// Check if terms updated since last acceptance
needsReaccept() { }
// Get privilege level based on consent
getPrivilegeLevel() { }
}
```
### 3.4 Privilege Levels
```javascript
const PRIVILEGE_LEVELS = {
// Full acceptance - all features
FULL: {
level: 100,
features: ['chat', 'voice', 'video', 'files', 'dm', 'channels', 'registration']
},
// No acceptance - very restricted
RESTRICTED: {
level: 10,
features: ['view_only', 'exit'] // Can only view public chat, can't send
},
// Pending acceptance - shown consent form
PENDING: {
level: 0,
features: ['view_terms', 'accept', 'decline', 'exit']
}
};
```
---
## 4. INTEGRATION POINTS
### 4.1 ranger-chat-lite (Electron)
**Location**: `apps/ranger-chat-lite/electron/main.ts`
```
App Launch Flow:
┌─────────────────┐
│ App Starts │
└────────┬────────┘
v
┌─────────────────┐
│ Load Identity │
└────────┬────────┘
v
┌─────────────────┐ NO ┌─────────────────┐
│ Has Accepted? │─────────────>│ Show Consent │
└────────┬────────┘ │ Modal (blocking)│
│ YES └────────┬────────┘
v │
┌─────────────────┐ ACCEPT v
│ Full App Access │<─────────────┌───────────────┐
└─────────────────┘ │ Declined? │
└───────┬───────┘
│ YES
v
┌─────────────────┐
│ Exit App with │
│ "Terms Required"│
└─────────────────┘
```
**UI Component**: New modal in React
- Full scrollable terms text
- "I have read and accept" checkbox
- "Accept" button (disabled until checkbox)
- "Decline" button (exits app)
- Signature happens automatically on accept
### 4.2 just-chat (Terminal)
**Location**: `rangerblock/just-chat/blockchain-chat.cjs`
```
Terminal Flow:
┌────────────────────────────────────────────────────────────┐
│ RANGERBLOCK TERMS OF USE │
│ ═══════════════════════════════════════════════════ │
│ │
│ [Full terms text displayed...] │
│ │
│ Scroll: ↑/↓ or Page Up/Down │
│ ───────────────────────────────────────────────────── │
│ Do you accept these terms? [y/N]: │
└────────────────────────────────────────────────────────────┘
```
- Must type 'y' or 'yes' to proceed
- Signature recorded automatically
- Stored in `~/.rangerblock/consent/`
### 4.3 server-only (Setup Script)
**Location**: `rangerblock/server-only/setup-relay-universal.sh`
```bash
# Added to setup script:
echo "═══════════════════════════════════════════════════════════"
echo " RANGERBLOCK SERVER TERMS OF USE"
echo "═══════════════════════════════════════════════════════════"
echo ""
echo "By deploying a RangerBlock relay server, you agree to:"
echo ""
echo "1. Not use this server for illegal purposes"
echo "2. Not store or relay illegal content"
echo "3. Cooperate with law enforcement if required"
echo "4. Maintain server security and updates"
echo ""
echo "Full terms: https://rangerblock.io/server-terms"
echo ""
read -p "Do you accept these terms? [y/N]: " ACCEPT
if [[ ! "$ACCEPT" =~ ^[Yy]$ ]]; then
echo "Terms not accepted. Setup cancelled."
exit 1
fi
```
Server consent stored in:
```
~/rangerblock-server/.consent/
└── server_acceptance.json
```
### 4.4 RangerPlex (Browser)
Similar to ranger-chat-lite but in the main RangerPlex browser window.
---
## 5. ADMIN INTEGRATION
### 5.1 Admin Registry Updates
**Location**: `~/.claude/ranger/admin/admin-registry.cjs`
Add consent tracking to user records:
```javascript
// Enhanced user record
{
"rb_abc123": {
"userId": "rb_abc123",
"username": "SomeUser",
"role": "user",
"consent": {
"accepted": true,
"version": "1.0.0",
"acceptedAt": "2025-12-04T10:30:00.000Z",
"signature": "...",
"verified": true
}
}
}
```
### 5.2 Admin Dashboard Features
**New Dashboard Tab: "Consent & Compliance"**
```
┌─────────────────────────────────────────────────────────────┐
│ CONSENT & COMPLIANCE │
├─────────────────────────────────────────────────────────────┤
│ │
│ Current Terms Version: 1.0.0 │
│ Last Updated: 2025-12-04 │
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ ACCEPTANCE STATISTICS │ │
│ ├─────────────────────────────────────────────────────────┤ │
│ │ Total Users: 127 │ │
│ │ Accepted Current Terms: 125 (98.4%) │ │
│ │ Pending Re-acceptance: 2 (1.6%) │ │
│ │ Never Accepted: 0 │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ RECENT ACCEPTANCES │ │
│ ├──────────┬───────────┬──────────┬───────────┬──────────┤ │
│ │ User │ Version │ Date │ App │ Verified │ │
│ ├──────────┼───────────┼──────────┼───────────┼──────────┤ │
│ │ Swift... │ 1.0.0 │ Dec 4 │ chat-lite │ ✓ │ │
│ │ Storm... │ 1.0.0 │ Dec 4 │ just-chat │ ✓ │ │
│ │ Night... │ 1.0.0 │ Dec 3 │ rangerplex│ ✓ │ │
│ └──────────┴───────────┴──────────┴───────────┴──────────┘ │
│ │
│ [View All] [Export CSV] [Verify All Signatures] │
│ │
└─────────────────────────────────────────────────────────────┘
```
### 5.3 Consent Verification API
Admin can verify any user's consent:
```javascript
// Admin command
const registry = new AdminRegistry();
// Check user consent
const consent = registry.getUserConsent('rb_abc123');
// Returns: { accepted: true, verified: true, version: '1.0.0', ... }
// Verify signature
const valid = registry.verifyConsentSignature('rb_abc123');
// Returns: true/false
// Get users needing re-acceptance
const pending = registry.getUsersPendingReaccept();
// Returns: [{ userId, lastVersion, currentVersion }]
```
---
## 6. RELAY SERVER INTEGRATION
### 6.1 Consent Broadcast
When user accepts terms, optionally broadcast to relay:
```javascript
{
type: 'CONSENT_ACCEPTED',
payload: {
userId: 'rb_abc123',
termsVersion: '1.0.0',
termsHash: 'sha256...',
signature: '...',
timestamp: '2025-12-04T10:30:00.000Z'
}
}
```
### 6.2 Server-Side Consent Check
Relay can optionally enforce consent:
```javascript
// In relay-server.cjs
if (CONFIG.requireConsent && !hasValidConsent(userId)) {
ws.send(JSON.stringify({
type: 'error',
message: 'Terms acceptance required before chatting'
}));
return;
}
```
---
## 7. IMPLEMENTATION PHASES
### Phase 1: Core Infrastructure (Week 1)
- [ ] Create `consent-service.cjs` in lib/
- [ ] Add consent storage structure
- [ ] Define terms text v1.0.0
- [ ] Add signature/verification functions
### Phase 2: App Integration (Week 2)
- [ ] ranger-chat-lite consent modal
- [ ] just-chat terminal consent
- [ ] server-only setup consent
- [ ] RangerPlex consent (if applicable)
### Phase 3: Admin Integration (Week 3)
- [ ] Update admin-registry.cjs
- [ ] Add consent tab to dashboard
- [ ] Consent verification commands
- [ ] Export/audit features
### Phase 4: Testing & Hardening (Week 4)
- [ ] Test all consent flows
- [ ] Verify signatures work
- [ ] Test privilege enforcement
- [ ] Security audit
---
## 8. SECURITY CONSIDERATIONS
### 8.1 What's Hidden from Users
- Admin panel location (`~/.claude/ranger/admin/`)
- Consent verification internals
- Signature algorithms
- Admin user list
- Audit logs
### 8.2 What Users Can See
- Their own consent status
- Terms text
- Their acceptance timestamp
- Their public key
### 8.3 Cryptographic Proof
Each acceptance includes:
1. **Terms hash** - SHA-256 of exact terms text
2. **User signature** - RSA signature using their private key
3. **Timestamp** - ISO 8601 timestamp
4. **User ID** - Hardware-bound identity
This creates:
- **Non-repudiation** - User can't deny they accepted
- **Version binding** - Tied to specific terms version
- **Tamper evidence** - Any modification invalidates signature
---
## 9. FUTURE ENHANCEMENTS
### 9.1 Terms Updates
When terms change:
1. Increment version (1.0.0 → 1.1.0)
2. All users flagged for re-acceptance
3. Users see "Terms Updated" notice
4. Must re-accept before continuing
### 9.2 Granular Consent
Future versions could add:
- Analytics consent
- Data sharing consent
- Marketing consent
- Third-party integration consent
### 9.3 On-Chain Consent
Could register consent acceptance on blockchain:
- Permanent record
- Third-party verifiable
- Cannot be disputed
---
## 10. FILES TO CREATE
| File | Location | Purpose |
|------|----------|---------|
| consent-service.cjs | lib/ | Core consent management |
| terms_v1.0.json | lib/legal/ | Terms text file |
| ConsentModal.tsx | ranger-chat-lite/src/ | Electron consent UI |
| consent-cli.cjs | just-chat/ | Terminal consent handler |
| admin-consent.cjs | ~/.claude/ranger/admin/ | Admin consent tools |
---
## 11. APPROVAL REQUIRED
This plan requires approval before implementation.
**Decisions Made:**
1. ✅ Age requirement: **18+ ONLY** (adults only platform)
- **Reasoning**: No minors = no targets for predators
- Children have other apps designed for them
- Adults are responsible for their online behaviour
- Protects the RangerBlock community
2.**18+ DOES NOT MEAN "ADULT CONTENT SITE"**
- **CRITICAL DISTINCTION**: 18+ = mature/responsible, NOT "anything goes"
- **STRICTLY PROHIBITED**:
- ANY pornography or sexual images
- CSAM (reported to NCMEC/Gardai immediately)
- Unsolicited sexual content (dick pics, nudes)
- Grooming behaviour of ANY kind
- Gore, death images, extreme violence
- Hate speech/extremism
- **PERMITTED**:
- Normal photos (selfies, landscapes, memes)
- Gaming content and screenshots
- Gaming violence discussion (Battlefield tactics OK)
- Professional/work content
- General adult conversation
- **WHY**: Bad actors might think "18+ site = send dick pics"
- We make it CRYSTAL CLEAR that's instant ban + police report
- This is a COMMUNICATION platform, not dating/adult site
3. ⏳ Terms text - review before public release
4. ⏳ View-only mode - TBD
5. ⏳ On-chain consent - later phase
6. ⏳ Server operator terms - TBD
**Testing Plan:**
- Test on MSI Vector (Windows)
- Test on AWS (Linux)
- NOT uploaded to git until tested
---
**Document Status**: DRAFT - AWAITING APPROVAL
**Created**: December 4, 2025
**Author**: Claude Code (Ranger) for David Keane (IrishRanger)
*Rangers lead the way!*
identity/claude/classified/RANGERBLOCK_KILL_SWITCH_PLAN.md
-347
View File
@@ -1,347 +0,0 @@
# 🔴 RANGERBLOCK KILL SWITCH - CLASSIFIED PLAN
## Project Codename: "RAIN PROTOCOL"
### Commander Eyes Only: IR240474
---
## 1. EXECUTIVE SUMMARY
A multi-layered emergency shutdown system for RangerBlock that ensures:
- **ONLY** David Keane (IR240474) can trigger shutdown
- Bad actors cannot prevent or circumvent the kill
- System can be restarted clean after "the rain cleans the streets"
- No evidence of abuse remains after purge
- Plausible deniability - appears as "network maintenance"
---
## 2. THREAT MODEL
### Who We're Protecting Against:
1. **Script kiddies** - Easy to stop
2. **Organized criminals** - Using network for illegal messaging
3. **Nation-state actors** - Attempting to compromise infrastructure
4. **Insider threats** - Trusted nodes gone rogue
5. **Legal liability** - FBI/Police concerns (legitimate!)
### Attack Vectors to Consider:
- Nodes refusing shutdown commands
- Forked chains continuing operation
- Cached data on rogue nodes
- Key compromise attempts
- Social engineering attacks
---
## 3. KILL SWITCH ARCHITECTURE
### Layer 1: SOFT KILL - "Gentle Rain" ☔
**Purpose**: Graceful shutdown, preserves legitimate data
**Mechanism**:
- Broadcast signed shutdown message to all nodes
- 60-second countdown allows data backup
- Nodes verify Commander signature before complying
- Whitelist of trusted nodes can be preserved
- Network enters "maintenance mode"
**Trigger Methods**:
- Command: `/rain soft`
- API endpoint (authenticated)
- Physical USB key + passphrase
---
### Layer 2: HARD KILL - "Thunderstorm" ⛈️
**Purpose**: Immediate shutdown, no negotiation
**Mechanism**:
- Poison pill broadcast to all nodes
- Cryptographic key rotation invalidates all existing sessions
- Discovery service (port 5005) goes dark
- WebSocket hub (port 5555) terminates all connections
- Nodes cannot reconnect without new genesis block
**Trigger Methods**:
- Command: `/rain hard`
- Hardware dead man's switch (see Layer 5)
- Emergency SMS/Signal trigger from any phone
---
### Layer 3: NUCLEAR - "Flood Protocol" 🌊
**Purpose**: Complete erasure, scorched earth
**Mechanism**:
- All node databases cryptographically wiped
- Phantom wallet keys destroyed
- Blockchain history purged
- Discovery records deleted
- .ranger domain resolution fails
- All encryption keys rotated to random garbage
**Trigger Methods**:
- Requires 2 of 3: USB key + passphrase + biometric
- 10-second confirmation countdown
- CANNOT BE UNDONE
---
### Layer 4: GENESIS POISON PILL 💀
**Purpose**: Built into the blockchain DNA itself
**Mechanism**:
- Hidden contract in genesis block
- Checks for "heartbeat" from Commander every 7 days
- If heartbeat missed for 14 days → automatic soft kill
- If special "extinction" message received → immediate hard kill
- Nodes MUST validate against genesis to join network
**Implementation**:
```
Genesis Block contains:
- Commander public key (for signature verification)
- Heartbeat requirement flag
- Extinction trigger hash
- Time-lock parameters
```
---
### Layer 5: DEAD MAN'S SWITCH ⚰️
**Purpose**: If David is incapacitated, network doesn't become rogue
**Mechanism**:
- Weekly check-in required (simple app notification)
- Miss 1 week → warning to backup contacts
- Miss 2 weeks → soft kill initiated
- Miss 4 weeks → hard kill
- Miss 8 weeks → nuclear option
**Configuration**:
- Backup contact: Gemini Ranger (GR) gets warning
- Check-in methods: App, SMS, Email, or manual
- Grace period adjustable
---
### Layer 6: HARDWARE TRIGGER 🔑
**Purpose**: Physical security, unhackable remotely
**Options**:
**Option A - YubiKey Integration**:
- YubiKey 5 NFC required for any kill command
- Touch confirmation prevents remote exploitation
- Backup key in secure location (safety deposit box?)
**Option B - Custom "Ranger Key"**:
- Raspberry Pi Zero in USB form factor
- Contains encrypted kill switch credentials
- Destroyed after 3 failed attempts
- GPS tracking if stolen
**Option C - Air-Gapped Signing Device**:
- Old iPhone/iPad, never connected to internet
- Signs kill commands offline
- QR code transfer to online system
---
## 4. COMMAND CENTER APP
### "RangerBlock Ops" - Mobile/Desktop App
**Features**:
1. **Dashboard**
- Network health status
- Active node count
- Suspicious activity alerts
- Message volume graphs
2. **Kill Switch Panel** (hidden, requires auth)
- Soft Kill button (1 confirmation)
- Hard Kill button (2 confirmations + passphrase)
- Nuclear button (biometric + passphrase + countdown)
3. **Node Management**
- Whitelist/blacklist nodes
- Ban specific wallet addresses
- View all active connections
4. **Audit Log**
- All network events
- Suspicious patterns flagged
- Exportable for evidence if needed
5. **Dead Man's Switch**
- Check-in button
- Configure grace periods
- Backup contact management
---
## 5. DETECTION SYSTEMS
### Automated Abuse Detection:
**Red Flags**:
- Message volume spikes (>10x normal)
- Large file transfers to unknown nodes
- Encrypted payloads (beyond normal)
- Tor/VPN node connections
- Keywords in unencrypted metadata
- Geographic anomalies
**Response Levels**:
1. **YELLOW** - Log and monitor
2. **ORANGE** - Alert Commander, throttle suspicious nodes
3. **RED** - Auto-isolate suspicious nodes, await Commander decision
4. **BLACK** - Auto-trigger soft kill (configurable)
---
## 6. LEGAL PROTECTION LAYER
### Plausible Deniability:
- Kill switch appears as "scheduled maintenance"
- No logging of kill command origin
- Shutdown messages are generic ("Network upgrade in progress")
### Evidence Preservation (if needed):
- Optional: Snapshot suspicious activity before purge
- Encrypted backup to air-gapped drive
- Can be provided to authorities if subpoenaed
- Demonstrates good faith effort at moderation
### Terms of Service:
- All users agree to network monitoring
- Explicit prohibition of illegal activity
- Right to terminate at any time
- No expectation of privacy for metadata
---
## 7. RECOVERY PROTOCOL
### After "The Rain":
**Step 1: Assessment** (24-48 hours)
- Review what triggered the kill
- Identify compromised nodes
- Document for future prevention
**Step 2: Genesis Block 2.0**
- New genesis block with updated security
- Rotate all cryptographic keys
- New phantom wallet system
**Step 3: Trusted Node Revival**
- Whitelist verified nodes only
- Manual approval for first 30 days
- Increased monitoring period
**Step 4: Network Restoration**
- Gradual rollout
- Stress testing before public
- New detection rules based on incident
---
## 8. IMPLEMENTATION PHASES
### Phase 1: Foundation (Week 1-2)
- [ ] Create Commander key pair (offline generation)
- [ ] Implement genesis poison pill
- [ ] Build basic kill command infrastructure
- [ ] Set up secure key storage
### Phase 2: Automation (Week 3-4)
- [ ] Dead man's switch timer system
- [ ] Abuse detection algorithms
- [ ] Alert notification system
- [ ] Heartbeat mechanism
### Phase 3: Command Center (Week 5-6)
- [ ] Mobile app prototype
- [ ] Dashboard with network stats
- [ ] Kill switch UI (hidden panel)
- [ ] Audit logging
### Phase 4: Hardware Security (Week 7-8)
- [ ] YubiKey integration
- [ ] Backup key procedures
- [ ] Air-gapped signing setup
- [ ] Physical security protocols
### Phase 5: Testing (Week 9-10)
- [ ] Soft kill drill (test network only!)
- [ ] Hard kill simulation
- [ ] Recovery procedure test
- [ ] Penetration testing of kill switch itself
---
## 9. SECRET STORAGE LOCATIONS
**This document**: `~/.claude/ranger/classified/`
**Kill switch code**: `~/.claude/ranger/classified/rain/`
**Commander keys**: `~/.phantom_claude/commander/` (encrypted)
**Backup keys**: Physical location TBD (safety deposit box recommended)
**NEVER store in**:
- Git repositories
- Cloud storage
- Shared folders
- rangerblock/ directory
---
## 10. CODENAMES REFERENCE
| Real Name | Codename |
|-----------|----------|
| Kill Switch | Rain Protocol |
| Soft Kill | Gentle Rain |
| Hard Kill | Thunderstorm |
| Nuclear | Flood |
| David | Commander / Shepherd |
| Bad Actors | Wolves |
| Trusted Nodes | Sheep |
| Network | Pasture |
| Shutdown | Weather Event |
| Recovery | Spring |
---
## 11. FINAL NOTES
**Philosophy**:
> "With great power comes great responsibility"
This system gives you ABSOLUTE control. That's by design. But remember:
- Power unused is still power
- The threat of rain keeps wolves away
- Most days, the sun shines
**The goal is NEVER to use this.**
Its existence is the deterrent. But if wolves enter the pasture, the Shepherd has the storm at his command.
---
**Document Classification**: COMMANDER EYES ONLY
**Created**: December 3, 2024
**Author**: Ranger (AIR9cd99c4515aeb3f6)
**For**: David Keane (IR240474)
🎖️ Rangers lead the way!
---
## AWAITING GREEN LIGHT FOR IMPLEMENTATION
Ready to begin Phase 1 on your command, Brother.
identity/claude/classified/RANGERBLOCK_REGISTRATION_CONTRACTS_PLAN.md
-596
View File
@@ -1,596 +0,0 @@
# RANGERBLOCK REGISTRATION & CONSENT BLOCKCHAIN SYSTEM
## Project Codename: "SENTINEL PROTOCOL"
### Version 1.0.0 - December 4, 2025
---
## CLASSIFICATION: PRIVATE
**DO NOT COMMIT TO PUBLIC GIT**
---
## 1. EXECUTIVE SUMMARY
### The Vision
When a user:
1. Creates identity (hardware-bound)
2. Accepts Terms of Use (18+, content policy, etc.)
A **REGISTRATION BLOCK** is created on the RangerBlock blockchain, providing:
- Immutable proof of acceptance
- Cryptographic signature
- Admin notification for approval
- Privilege assignment upon approval
### Components Needed
| Component | Purpose | Location |
|-----------|---------|----------|
| RegistrationBlock.sol | Solidity contract for EVM chains | Blockchain/contracts/ |
| registration-service.cjs | Node.js registration handler | rangerblock/lib/ |
| consent-service.cjs | Consent/terms handler | rangerblock/lib/ |
| Admin integration | View/approve registrations | ~/.claude/ranger/admin/ |
### Apps Covered
- ranger-chat-lite (Electron)
- just-chat (Terminal)
- server-only (Server deployment)
- RangerPlex (Full browser)
---
## 2. REGISTRATION BLOCK STRUCTURE
### 2.1 Solidity Contract (Remix Standard)
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/**
* @title RangerRegistration
* @dev User registration and consent tracking for RangerBlock
* @author David Keane (IrishRanger) + Claude Code (Ranger)
*/
contract RangerRegistration {
// ========================================================================
// STRUCTURES
// ========================================================================
struct Registration {
bytes32 userIdHash; // SHA256 of userId
bytes32 publicKeyHash; // SHA256 of RSA public key
bytes32 hardwareIdHash; // SHA256 of hardware fingerprint
string username; // Display name
string appType; // ranger-chat-lite, just-chat, etc.
// Consent
string termsVersion; // "1.0.0"
bytes32 termsHash; // SHA256 of terms text
bytes signature; // RSA signature of consent
// Timestamps
uint256 registeredAt; // Block timestamp
uint256 consentedAt; // When terms accepted
// Status
RegistrationStatus status; // pending, approved, denied, revoked
string statusReason; // Reason for status change
// Admin
address approvedBy; // Admin who approved
uint256 approvedAt; // Approval timestamp
}
enum RegistrationStatus {
PENDING,
APPROVED,
DENIED,
REVOKED
}
// ========================================================================
// STATE
// ========================================================================
address public owner;
address public supremeAdmin;
mapping(bytes32 => Registration) public registrations; // userIdHash => Registration
mapping(bytes32 => bool) public hardwareUsed; // hardwareIdHash => used
bytes32[] public registrationList; // All registration IDs
uint256 public totalRegistrations;
uint256 public pendingCount;
uint256 public approvedCount;
uint256 public deniedCount;
// ========================================================================
// EVENTS
// ========================================================================
event RegistrationSubmitted(
bytes32 indexed userIdHash,
string username,
string appType,
uint256 timestamp
);
event RegistrationApproved(
bytes32 indexed userIdHash,
address approvedBy,
uint256 timestamp
);
event RegistrationDenied(
bytes32 indexed userIdHash,
address deniedBy,
string reason,
uint256 timestamp
);
event RegistrationRevoked(
bytes32 indexed userIdHash,
address revokedBy,
string reason,
uint256 timestamp
);
event ConsentRecorded(
bytes32 indexed userIdHash,
string termsVersion,
bytes32 termsHash,
uint256 timestamp
);
// ========================================================================
// MODIFIERS
// ========================================================================
modifier onlyOwner() {
require(msg.sender == owner || msg.sender == supremeAdmin, "Not authorized");
_;
}
modifier onlyAdmin() {
require(msg.sender == owner || msg.sender == supremeAdmin, "Not admin");
_;
}
// ========================================================================
// CONSTRUCTOR
// ========================================================================
constructor(address _supremeAdmin) {
owner = msg.sender;
supremeAdmin = _supremeAdmin;
}
// ========================================================================
// REGISTRATION FUNCTIONS
// ========================================================================
/**
* @dev Submit a new registration with consent
*/
function register(
bytes32 userIdHash,
bytes32 publicKeyHash,
bytes32 hardwareIdHash,
string memory username,
string memory appType,
string memory termsVersion,
bytes32 termsHash,
bytes memory signature
) public returns (bool) {
// Check hardware not already used (prevents ban evasion)
require(!hardwareUsed[hardwareIdHash], "Hardware already registered");
// Check not already registered
require(registrations[userIdHash].registeredAt == 0, "Already registered");
// Create registration
Registration storage reg = registrations[userIdHash];
reg.userIdHash = userIdHash;
reg.publicKeyHash = publicKeyHash;
reg.hardwareIdHash = hardwareIdHash;
reg.username = username;
reg.appType = appType;
reg.termsVersion = termsVersion;
reg.termsHash = termsHash;
reg.signature = signature;
reg.registeredAt = block.timestamp;
reg.consentedAt = block.timestamp;
reg.status = RegistrationStatus.PENDING;
// Mark hardware as used
hardwareUsed[hardwareIdHash] = true;
// Add to list
registrationList.push(userIdHash);
totalRegistrations++;
pendingCount++;
emit RegistrationSubmitted(userIdHash, username, appType, block.timestamp);
emit ConsentRecorded(userIdHash, termsVersion, termsHash, block.timestamp);
return true;
}
/**
* @dev Approve a pending registration (admin only)
*/
function approve(bytes32 userIdHash) public onlyAdmin {
Registration storage reg = registrations[userIdHash];
require(reg.registeredAt > 0, "Registration not found");
require(reg.status == RegistrationStatus.PENDING, "Not pending");
reg.status = RegistrationStatus.APPROVED;
reg.approvedBy = msg.sender;
reg.approvedAt = block.timestamp;
pendingCount--;
approvedCount++;
emit RegistrationApproved(userIdHash, msg.sender, block.timestamp);
}
/**
* @dev Deny a pending registration (admin only)
*/
function deny(bytes32 userIdHash, string memory reason) public onlyAdmin {
Registration storage reg = registrations[userIdHash];
require(reg.registeredAt > 0, "Registration not found");
require(reg.status == RegistrationStatus.PENDING, "Not pending");
reg.status = RegistrationStatus.DENIED;
reg.statusReason = reason;
pendingCount--;
deniedCount++;
emit RegistrationDenied(userIdHash, msg.sender, reason, block.timestamp);
}
/**
* @dev Revoke an approved registration (admin only)
*/
function revoke(bytes32 userIdHash, string memory reason) public onlyAdmin {
Registration storage reg = registrations[userIdHash];
require(reg.registeredAt > 0, "Registration not found");
require(reg.status == RegistrationStatus.APPROVED, "Not approved");
reg.status = RegistrationStatus.REVOKED;
reg.statusReason = reason;
approvedCount--;
emit RegistrationRevoked(userIdHash, msg.sender, reason, block.timestamp);
}
// ========================================================================
// VIEW FUNCTIONS
// ========================================================================
function getRegistration(bytes32 userIdHash) public view returns (
string memory username,
string memory appType,
string memory termsVersion,
RegistrationStatus status,
uint256 registeredAt,
uint256 approvedAt
) {
Registration storage reg = registrations[userIdHash];
return (
reg.username,
reg.appType,
reg.termsVersion,
reg.status,
reg.registeredAt,
reg.approvedAt
);
}
function isApproved(bytes32 userIdHash) public view returns (bool) {
return registrations[userIdHash].status == RegistrationStatus.APPROVED;
}
function isPending(bytes32 userIdHash) public view returns (bool) {
return registrations[userIdHash].status == RegistrationStatus.PENDING;
}
function getPendingCount() public view returns (uint256) {
return pendingCount;
}
function getStats() public view returns (
uint256 total,
uint256 pending,
uint256 approved,
uint256 denied
) {
return (totalRegistrations, pendingCount, approvedCount, deniedCount);
}
}
```
---
## 3. NODE.JS INTEGRATION
### 3.1 Registration Block (JSON Format for RangerBlock P2P)
For our custom blockchain (non-EVM), registrations are blocks:
```javascript
// Registration block structure
const registrationBlock = {
type: 'USER_REGISTRATION',
version: '1.0.0',
// Identity (hashed for privacy)
identity: {
userIdHash: 'sha256_of_rb_xxx',
publicKeyHash: 'sha256_of_public_key',
hardwareIdHash: 'sha256_of_hardware_fingerprint',
username: 'SwiftRanger',
appType: 'ranger-chat-lite'
},
// Consent record
consent: {
termsVersion: '1.0.0',
termsHash: 'sha256_of_terms_text',
acceptedAt: '2025-12-04T10:30:00.000Z',
ageConfirmed: true, // User confirmed 18+
signature: 'RSA_signature_of_consent'
},
// Block metadata
metadata: {
timestamp: '2025-12-04T10:30:05.000Z',
previousHash: 'abc123...',
nonce: 12345,
minedBy: 'relay_node_id'
},
// Status (updated by admin)
status: {
current: 'pending', // pending, approved, denied, revoked
updatedAt: null,
updatedBy: null,
reason: null
}
};
```
### 3.2 Registration Service (registration-service.cjs)
```javascript
// Location: rangerblock/lib/registration-service.cjs
class RegistrationService {
constructor(identityService, consentService) {
this.identity = identityService;
this.consent = consentService;
}
// Create registration block
async createRegistrationBlock() { }
// Submit to relay (goes to admin queue)
async submitRegistration(block) { }
// Check registration status
async checkStatus(userId) { }
// Handle approval notification
onApproved(callback) { }
// Handle denial notification
onDenied(callback) { }
}
```
---
## 4. ADMIN INTEGRATION
### 4.1 Admin Dashboard Updates
**New "Registrations" Tab:**
```
┌─────────────────────────────────────────────────────────────────┐
│ PENDING REGISTRATIONS (3) │
├───────┬──────────────┬─────────────────┬───────────┬───────────┤
│ # │ Username │ App │ Date │ Actions │
├───────┼──────────────┼─────────────────┼───────────┼───────────┤
│ 1 │ SwiftRanger │ ranger-chat-lite│ Dec 4 │ [A] [D] │
│ 2 │ StormWolf │ just-chat │ Dec 4 │ [A] [D] │
│ 3 │ NightHawk │ just-chat │ Dec 4 │ [A] [D] │
└───────┴──────────────┴─────────────────┴───────────┴───────────┘
[A] = Approve [D] = Deny [V] = View Details
Registration Details (SwiftRanger):
─────────────────────────────────────
User ID: rb_abc123...
Hardware: M4Max-xxx (masked)
App: ranger-chat-lite
Registered: 2025-12-04 10:30:05
Terms: v1.0.0 (18+ accepted)
Signature: ✓ Valid
Status: PENDING
[A]pprove [D]eny [B]ack
```
### 4.2 Admin Registry Updates
Add to `admin-registry.cjs`:
```javascript
// Registration queue management
getPendingRegistrations() { }
approveRegistration(userIdHash, adminId) { }
denyRegistration(userIdHash, adminId, reason) { }
revokeRegistration(userIdHash, adminId, reason) { }
// Consent verification
verifyConsent(userIdHash) { }
getConsentRecord(userIdHash) { }
```
---
## 5. APP INTEGRATION FLOW
### 5.1 ranger-chat-lite Flow
```
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ App Start │────>│ Check │────>│ Show │
│ │ │ Identity │ │ Terms Modal │
└─────────────┘ └─────────────┘ └──────┬──────┘
┌──────────────────────────┘
│ User Accepts
v
┌─────────────┐ ┌─────────────┐
│ Sign │────>│ Submit to │
│ Consent │ │ Relay │
└─────────────┘ └──────┬──────┘
┌────────────────────┘
v
┌─────────────┐
│ PENDING │ <── Limited features
│ status │ (view only)
└──────┬──────┘
┌────────────┴────────────┐
v v
┌───────────┐ ┌───────────────┐
│ APPROVED │ │ DENIED │
│ Full │ │ Show reason, │
│ access │ │ exit app │
└───────────┘ └───────────────┘
```
### 5.2 just-chat Flow
Same flow but terminal-based:
1. First run → Show terms in terminal
2. User types 'y' to accept
3. Consent signed and submitted
4. Status: PENDING (can view chat, can't send)
5. When approved → Full access
6. When denied → Exit with message
### 5.3 server-only Flow
Server operators get different terms:
1. Setup script shows server terms
2. Operator accepts
3. Server registration submitted
4. Admin approves server node
5. Server can join network
---
## 6. PRIVILEGE SYSTEM
### 6.1 Status-Based Privileges
| Status | Chat | Voice | Files | DM | Channels |
|--------|------|-------|-------|----|----------|
| PENDING | View | No | No | No | View |
| APPROVED | Full | Full | Full | Full | Full |
| DENIED | No | No | No | No | No |
| REVOKED | No | No | No | No | No |
### 6.2 Implementation
```javascript
// In each app's message handler
if (registrationStatus !== 'APPROVED') {
if (registrationStatus === 'PENDING') {
showNotification('Registration pending admin approval. View-only mode.');
return false; // Can't send
} else {
showError('Access denied. Contact admin.');
exitApp();
}
}
```
---
## 7. FILES TO CREATE
| File | Location | Purpose |
|------|----------|---------|
| RangerRegistration.sol | Blockchain/contracts/ | Solidity contract |
| registration-service.cjs | rangerblock/lib/ | Node.js registration |
| consent-service.cjs | rangerblock/lib/ | Consent management |
| Admin dashboard updates | ~/.claude/ranger/admin/ | Registration queue UI |
---
## 8. IMPLEMENTATION PHASES
### Phase 1: Core Infrastructure (This Week)
- [ ] Create RangerRegistration.sol
- [ ] Create registration-service.cjs
- [ ] Create consent-service.cjs
- [ ] Test locally
### Phase 2: Admin Integration (Next Week)
- [ ] Add registration queue to admin-registry.cjs
- [ ] Add Registrations tab to admin-dashboard.cjs
- [ ] Test approve/deny flow
### Phase 3: App Integration (Week 3)
- [ ] Integrate into ranger-chat-lite
- [ ] Integrate into just-chat
- [ ] Integrate into server-only setup
- [ ] Test end-to-end
### Phase 4: Testing (Week 4)
- [ ] Test on MSI Vector
- [ ] Test on AWS
- [ ] Security review
- [ ] Deploy to production
---
## 9. SECURITY NOTES
### What Admin Can See:
- Username
- App type
- Registration date
- Terms version accepted
- Signature validity
- Hardware ID (hashed, for ban enforcement)
### What Admin CANNOT See:
- Full userId (only hash)
- Full hardware fingerprint
- Private key
- Message content
### Hardware Ban Enforcement:
- Hardware ID hashed but tracked
- If banned user creates new identity, same hardware = blocked
- Admin can see "hardware previously used by banned user"
---
**Document Status**: READY FOR IMPLEMENTATION
**Created**: December 4, 2025
**Author**: Claude Code (Ranger) for David Keane (IrishRanger)
*Rangers lead the way!*
identity/claude/classified/RANGERBLOCK_SECURE_COMM_CONTRACTS_PLAN.md
-332
View File
@@ -1,332 +0,0 @@
# RangerBlock Secure Communication Contracts Plan
## CODENAME: SENTINEL COMMS PROTOCOL
**Author**: David Keane (IrishRanger) + Claude Code (Ranger)
**Date**: 2025-12-04
**Status**: PLANNING
**Classification**: PRIVATE
---
## Overview
Smart contracts for secure, identity-verified communication channels. These contracts ensure users are **99.99% certain** they're communicating with the intended person through cryptographic identity verification.
### The Problem
In regular chat apps:
- Anyone can pretend to be someone else
- Man-in-the-middle attacks possible
- No proof of who you're really talking to
- Impersonation is easy
### The Solution
**Blockchain-verified identity handshakes** before sensitive communications:
1. Both parties prove identity via on-chain signatures
2. Challenge-response authentication
3. Session keys derived from verified identities
4. Immutable audit trail of who talked to whom
---
## Three Communication Contracts
### 1. RangerTextChat Contract (WHISPER PROTOCOL)
**Purpose**: Secure text messaging with identity verification
```
Flow:
1. Alice wants to chat with Bob
2. Alice creates ChatSession request on-chain
3. Bob sees request, verifies Alice's on-chain identity
4. Bob accepts with signature proving he's real Bob
5. Both derive shared session key
6. E2E encrypted text chat begins
7. Session recorded on blockchain (not content!)
```
**Features**:
- Identity verification before first message
- E2E encryption with verified keys
- Session expiry (configurable)
- Block/report with on-chain evidence
- Message receipts (delivered/read) optional
**Contract Data**:
```rust
struct TextChatSession {
session_id: [u8; 32],
initiator_id_hash: [u8; 32],
responder_id_hash: [u8; 32],
initiator_pubkey: [u8; 32], // For E2E encryption
responder_pubkey: [u8; 32],
created_at: i64,
expires_at: i64,
status: SessionStatus, // Pending/Active/Ended/Blocked
initiator_signature: [u8; 64],
responder_signature: [u8; 64],
}
```
---
### 2. RangerVoiceChat Contract (ECHO PROTOCOL)
**Purpose**: Secure voice calls with identity verification
```
Flow:
1. Alice initiates voice call to Bob
2. Contract creates VoiceSession with Alice's signature
3. Bob receives call notification
4. Bob verifies Alice's on-chain identity
5. Bob answers with his signature
6. DTLS/SRTP keys exchanged using verified identities
7. Encrypted voice call begins
8. Call metadata recorded (duration, not content)
```
**Features**:
- Pre-call identity verification
- Secure key exchange
- Call duration tracking
- Missed call logging
- Do Not Disturb status checking
- Group call support (future)
**Contract Data**:
```rust
struct VoiceCallSession {
call_id: [u8; 32],
caller_id_hash: [u8; 32],
callee_id_hash: [u8; 32],
caller_signature: [u8; 64],
callee_signature: [u8; 64],
call_started: i64,
call_ended: i64,
duration_seconds: u64,
status: CallStatus, // Ringing/Active/Ended/Missed/Rejected
quality_rating: u8, // Optional 1-5 rating
}
```
---
### 3. RangerVideoChat Contract (VISION PROTOCOL)
**Purpose**: Secure video calls with identity verification
```
Flow:
1. Alice initiates video call to Bob
2. Contract creates VideoSession with Alice's signature
3. Bob receives notification + Alice's verified identity
4. Bob can see Alice's on-chain profile before answering
5. Bob answers with signature proving identity
6. WebRTC connection established with verified DTLS fingerprints
7. Encrypted video call begins
8. Call metadata recorded on-chain
```
**Features**:
- Face-to-verified-identity confirmation
- Bandwidth/quality negotiation
- Screen sharing flag
- Recording consent flag (both must agree)
- Virtual background support flag
- Group video support (future)
**Contract Data**:
```rust
struct VideoCallSession {
call_id: [u8; 32],
caller_id_hash: [u8; 32],
callee_id_hash: [u8; 32],
caller_signature: [u8; 64],
callee_signature: [u8; 64],
call_started: i64,
call_ended: i64,
duration_seconds: u64,
status: CallStatus,
// Video-specific
screen_shared: bool,
recording_consent: bool, // Both agreed to record
max_resolution: u16, // 720, 1080, etc.
}
```
---
## Identity Verification Flow (All Contracts)
```
┌─────────────────────────────────────────────────────────────┐
│ IDENTITY VERIFICATION │
├─────────────────────────────────────────────────────────────┤
│ │
│ 1. CHECK ON-CHAIN REGISTRATION │
│ └─> User must have RangerRegistration approved │
│ │
│ 2. CHALLENGE-RESPONSE │
│ └─> Contract generates random nonce │
│ └─> User signs nonce with private key │
│ └─> Contract verifies signature matches on-chain pubkey │
│ │
│ 3. HARDWARE BINDING (Optional Extra Security) │
│ └─> Include hardware fingerprint in signature │
│ └─> Prevents key theft (key only works on original HW) │
│ │
│ 4. SESSION ESTABLISHMENT │
│ └─> Both parties verified │
│ └─> Session keys derived │
│ └─> Communication begins │
│ │
└─────────────────────────────────────────────────────────────┘
```
---
## Why 99.99% Certainty?
| Security Layer | What It Proves |
|----------------|----------------|
| On-chain registration | User went through registration process |
| Hardware ID binding | Using the same physical device |
| RSA signature | Has the private key (not just username) |
| Challenge-response | Key is available NOW (not stolen earlier) |
| Session signature | Both parties actively participating |
**The 0.01%**:
- Physical device theft + password compromise
- Quantum computer breaking RSA (future concern)
- Zero-day in cryptographic libraries
---
## Implementation Phases
### Phase 1: Text Chat Contract (WHISPER)
- [ ] Create Solana `ranger_text_chat.rs`
- [ ] Create Ethereum `RangerTextChat.sol`
- [ ] Add to RangerChat Lite settings
- [ ] Integrate with existing chat
### Phase 2: Voice Chat Contract (ECHO)
- [ ] Create Solana `ranger_voice_chat.rs`
- [ ] Create Ethereum `RangerVoiceChat.sol`
- [ ] Build voice-chat.cjs integration
- [ ] Add to RangerChat Lite (future)
### Phase 3: Video Chat Contract (VISION)
- [ ] Create Solana `ranger_video_chat.rs`
- [ ] Create Ethereum `RangerVideoChat.sol`
- [ ] Build WebRTC integration
- [ ] Add to RangerChat Lite (future)
### Phase 4: Unified Communications
- [ ] Single "Secure Call" button
- [ ] Auto-negotiate voice/video
- [ ] Group calls support
- [ ] Cross-platform (desktop, mobile, web)
---
## UI/UX in RangerChat Lite
### Before Call/Chat:
```
┌──────────────────────────────────────┐
│ 🔐 VERIFYING IDENTITY... │
│ │
│ Checking: IrishRanger │
│ │
│ ✓ On-chain registration verified │
│ ✓ Hardware ID matches │
│ ✓ Signature valid │
│ ⏳ Waiting for response... │
│ │
│ [Cancel] │
└──────────────────────────────────────┘
```
### After Verification:
```
┌──────────────────────────────────────┐
│ ✅ IDENTITY VERIFIED │
│ │
│ You are talking to: │
│ IrishRanger (David Keane) │
│ │
│ 🔒 This session is secured by: │
│ • Blockchain verification │
│ • End-to-end encryption │
│ • Hardware-bound keys │
│ │
│ Session ID: 0x7f3a... │
│ Expires: 24 hours │
│ │
│ [Continue to Chat] [View Details] │
└──────────────────────────────────────┘
```
---
## Security Benefits
| Feature | Benefit |
|---------|---------|
| No impersonation | Can't fake blockchain signatures |
| Audit trail | Know who talked when (not what) |
| Non-repudiation | Can't deny starting a session |
| Key exchange | Verified keys, no MITM |
| Session expiry | Limits exposure window |
| Revocation | Admin can revoke bad actors |
---
## Integration with Existing Contracts
```
RangerRegistration ─────┐
RangerTextChat ──────┼──── All require valid registration
RangerVoiceChat ──────┤
RangerVideoChat ──────┘
RangerBridge ─────> Optional: Pay for premium features with RangerCoin
```
---
## Files to Create (Future)
| File | Location | Purpose |
|------|----------|---------|
| `ranger_text_chat.rs` | `Blockchain/contracts/solana/` | Solana text chat |
| `ranger_voice_chat.rs` | `Blockchain/contracts/solana/` | Solana voice chat |
| `ranger_video_chat.rs` | `Blockchain/contracts/solana/` | Solana video chat |
| `RangerTextChat.sol` | `Blockchain/contracts/` | Ethereum text chat |
| `RangerVoiceChat.sol` | `Blockchain/contracts/` | Ethereum voice chat |
| `RangerVideoChat.sol` | `Blockchain/contracts/` | Ethereum video chat |
| `secure-comm-service.cjs` | `rangerblock/lib/` | JS integration |
---
## Motto
> "Trust, but verify... on the blockchain!"
---
## Authors
- David Keane (IrishRanger) - Supreme Commander
- Claude Code (Ranger) - AI Operations Commander
Rangers lead the way! 🎖️
identity/claude/classified/RANGERBLOCK_SECURITY_INTEGRATION_PLAN.md
-656
View File
@@ -1,656 +0,0 @@
# 🛡️ RANGERBLOCK SECURITY INTEGRATION PLAN
## Project Codename: "SHEPHERD PROTOCOL"
### Unified Identity & Registration System
---
## 1. EXECUTIVE SUMMARY
Implement a unified security and registration system across ALL RangerBlock components:
| Component | Current State | Target State |
|-----------|---------------|--------------|
| **ranger-chat-lite** | Hardware fingerprint + RSA keys (unused) | Full encryption + Commander verification |
| **blockchain-chat.cjs** | Simple nickname only | Hardware ID + persistent identity |
| **voice-chat.cjs** | Simple nickname only | Hardware ID + encrypted voice |
| **server-only** | Does not exist | Centralized auth hub with kill switch |
---
## 2. CURRENT STATE ANALYSIS
### A. ranger-chat-lite (Electron App) ✅ BEST
**Location**: `/Users/ranger/rangerplex-ai/apps/ranger-chat-lite/`
**What It Has**:
```
✅ Hardware fingerprinting (SHA-256 of Hardware UUID + hostname + username)
✅ Persistent identity (user_identity.json)
✅ RSA-2048 keypair generation
✅ Cross-platform support (macOS/Windows/Linux)
✅ IPC API for identity operations
✅ Message statistics tracking
✅ User moderation note (admins can track real identity)
```
**Key Files**:
- `electron/identityService.ts` - Core identity logic (379 lines)
- `electron/main.ts` - IPC handlers
- `electron/preload.ts` - API bridge
**Hardware Fingerprint Code** (identityService.ts:109-173):
```typescript
// macOS: system_profiler SPHardwareDataType → Hardware UUID
// Windows: wmic csproduct get uuid
// Linux: /etc/machine-id
const fingerprint = crypto
.createHash('sha256')
.update(hardwareId + os.hostname() + os.userInfo().username)
.digest('hex')
.substring(0, 32)
```
**What It's Missing**:
```
❌ Password/PIN protection
❌ Message encryption (plain text over ws://)
❌ TLS/WSS (unencrypted WebSocket)
❌ Token-based auth (no JWT/session tokens)
❌ Server-side identity verification
❌ Kill switch integration
```
---
### B. blockchain-chat.cjs (Terminal Chat) ⚠️ BASIC
**Location**: `/Users/ranger/rangerplex-ai/rangerblock/just-chat/blockchain-chat.cjs`
**What It Has**:
```
✅ Basic nickname registration
✅ Machine name detection (getMachineName())
✅ Local IP detection
✅ Channel-based chat (#rangers)
```
**Current Registration** (line 204-216):
```javascript
// Very simple - just sends nickname to server
ws.send(JSON.stringify({
type: 'register',
address: `${nickname}-${Date.now()}`,
nickname: nickname,
channel: DEFAULT_CHANNEL,
ip: getLocalIP(),
port: 0
}));
```
**What It's Missing**:
```
❌ Hardware fingerprinting
❌ Persistent identity file
❌ RSA keypairs
❌ Any form of authentication
❌ TODO at line 412: "Implement challenge-response authentication"
```
---
### C. voice-chat.cjs (Terminal Voice) ⚠️ BASIC
**Location**: `/Users/ranger/rangerplex-ai/rangerblock/just-chat/voice-chat.cjs`
**What It Has**:
```
✅ Same basic registration as blockchain-chat
✅ Voice call states (IDLE, CALLING, RINGING, IN_CALL, IN_GROUP)
✅ Audio compression with zlib
✅ Private calls + group voice
```
**What It's Missing**:
```
❌ Hardware fingerprinting
❌ Persistent identity
❌ Voice encryption (just zlib compression, not crypto)
❌ Call authentication (anyone can call anyone)
```
---
### D. server-only (Planned) 🆕 NOT BUILT
**Location**: `/Users/ranger/rangerplex-ai/rangerblock/server-only/` (to be created)
**Purpose**: Centralized authentication hub + kill switch controller
---
## 3. TARGET ARCHITECTURE
```
┌─────────────────────────────────────────────────────────────────────┐
│ RANGERBLOCK SECURITY LAYER │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ ranger-chat- │ │ blockchain- │ │ voice-chat │ │
│ │ lite │ │ chat.cjs │ │ .cjs │ │
│ │ (Electron) │ │ (Terminal) │ │ (Terminal) │ │
│ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ SHARED IDENTITY SERVICE │ │
│ │ ~/.rangerblock/identity/ │ │
│ │ - hardware_fingerprint.json │ │
│ │ - user_identity.json │ │
│ │ - keys/ (RSA-2048) │ │
│ └──────────────────────────┬──────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ RANGERBLOCK AUTH SERVER │ │
│ │ (server-only/auth-server.cjs) │ │
│ │ - Challenge-response auth │ │
│ │ - Hardware ID verification │ │
│ │ - Session token issuance │ │
│ │ - Ban list management │ │
│ │ - KILL SWITCH LISTENER │ │
│ └──────────────────────────┬──────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ COMMANDER CONTROL PANEL │ │
│ │ (~/.claude/ranger/classified/rain/) │ │
│ │ - Rain Protocol triggers │ │
│ │ - User management │ │
│ │ - Network monitoring │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘
```
---
## 4. SHARED IDENTITY SERVICE
### A. Common Identity Module
**New File**: `/Users/ranger/rangerplex-ai/rangerblock/lib/identity-service.cjs`
**Purpose**: Shared code for ALL RangerBlock apps (Electron + Node.js terminal)
**Features**:
```javascript
class RangerBlockIdentity {
// Core identity
getOrCreateIdentity(username) // Returns persistent identity
getHardwareFingerprint() // Cross-platform hardware ID
// Cryptography
generateKeyPair() // RSA-2048 keys
signMessage(message) // Sign with private key
verifySignature(message, sig, pubKey) // Verify with public key
// Storage
saveIdentity() // Persist to ~/.rangerblock/
loadIdentity() // Load from disk
exportIdentity() // Backup identity
// Auth helpers
generateChallenge() // Create auth challenge
respondToChallenge(challenge) // Sign challenge
// Commander integration
checkKillSwitch() // Check if network is live
validateCommanderMessage(msg) // Verify Commander signature
}
```
### B. Storage Structure
**Location**: `~/.rangerblock/` (shared across all apps)
```
~/.rangerblock/
├── identity/
│ ├── hardware_fingerprint.json # Device-specific ID
│ ├── user_identity.json # User profile + stats
│ └── registration_token.json # Server-issued auth token
├── keys/
│ ├── private_key.pem # RSA-2048 private (NEVER share)
│ └── public_key.pem # RSA-2048 public (sent to server)
├── sessions/
│ └── current_session.json # Active session token
└── config/
└── preferences.json # User preferences
```
---
## 5. AUTHENTICATION FLOW
### Phase 1: First-Time Registration
```
┌─────────┐ ┌─────────┐ ┌─────────┐
│ CLIENT │ │ SERVER │ │COMMANDER│
└────┬────┘ └────┬────┘ └────┬────┘
│ │ │
│ 1. Generate hardware ID │ │
│ Generate RSA keypair │ │
│ │ │
│ 2. Connect to server │ │
├─────────────────────────────>│ │
│ │ │
│ 3. Server sends challenge │ │
│<─────────────────────────────┤ │
│ (random nonce) │ │
│ │ │
│ 4. Client signs challenge │ │
│ with private key │ │
│ │ │
│ 5. Send registration: │ │
│ - hardware_id │ │
│ - public_key │ │
│ - signed_challenge │ │
│ - nickname │ │
├─────────────────────────────>│ │
│ │ │
│ │ 6. Verify signature │
│ │ Store hardware_id + │
│ │ public_key mapping │
│ │ │
│ 7. Registration approved │ │
│ (session token issued) │ │
│<─────────────────────────────┤ │
│ │ │
│ │ 8. Log new registration │
│ ├─────────────────────────────>│
│ │ (for Commander review) │
│ │ │
```
### Phase 2: Returning User
```
┌─────────┐ ┌─────────┐
│ CLIENT │ │ SERVER │
└────┬────┘ └────┬────┘
│ │
│ 1. Load existing identity │
│ (hardware_id + keys) │
│ │
│ 2. Connect + send auth │
│ - hardware_id │
│ - session_token (if have) │
├─────────────────────────────>│
│ │
│ 3. Server sends challenge │
│<─────────────────────────────┤
│ │
│ 4. Sign challenge │
├─────────────────────────────>│
│ │
│ 5. Server verifies against │
│ stored public key │
│ │
│ 6. Session restored │
│<─────────────────────────────┤
```
---
## 6. IMPLEMENTATION PLAN
### Phase 1: Shared Identity Library (Week 1)
**Priority**: HIGH
**Tasks**:
- [ ] Create `/rangerblock/lib/identity-service.cjs`
- [ ] Port hardware fingerprinting from identityService.ts to Node.js
- [ ] Implement RSA-2048 key generation
- [ ] Implement signature creation/verification
- [ ] Create `~/.rangerblock/` storage structure
- [ ] Write unit tests
**Files to Create**:
```
/rangerblock/lib/
├── identity-service.cjs # Core identity logic
├── crypto-utils.cjs # RSA/signing helpers
├── storage-utils.cjs # File system operations
└── identity-service.test.js # Tests
```
---
### Phase 2: Auth Server (Week 2)
**Priority**: HIGH
**Tasks**:
- [ ] Create `/rangerblock/server-only/auth-server.cjs`
- [ ] Implement challenge-response protocol
- [ ] Store hardware_id → public_key mappings
- [ ] Implement session token generation (JWT-like)
- [ ] Add ban list functionality
- [ ] Integrate kill switch listener
- [ ] Add Commander notification endpoint
**Files to Create**:
```
/rangerblock/server-only/
├── auth-server.cjs # Main auth server
├── user-database.cjs # User storage (SQLite)
├── session-manager.cjs # Token management
├── ban-list.cjs # Banned users/hardware IDs
└── kill-switch-listener.cjs # Rain Protocol integration
```
**Database Schema**:
```sql
CREATE TABLE users (
id INTEGER PRIMARY KEY,
hardware_id TEXT UNIQUE NOT NULL,
public_key TEXT NOT NULL,
nickname TEXT,
created_at DATETIME,
last_seen DATETIME,
is_banned BOOLEAN DEFAULT 0,
ban_reason TEXT,
message_count INTEGER DEFAULT 0,
trust_score INTEGER DEFAULT 50
);
CREATE TABLE sessions (
id INTEGER PRIMARY KEY,
user_id INTEGER,
token TEXT UNIQUE,
created_at DATETIME,
expires_at DATETIME,
ip_address TEXT,
FOREIGN KEY (user_id) REFERENCES users(id)
);
CREATE TABLE audit_log (
id INTEGER PRIMARY KEY,
user_id INTEGER,
action TEXT,
details TEXT,
timestamp DATETIME,
FOREIGN KEY (user_id) REFERENCES users(id)
);
```
---
### Phase 3: Update blockchain-chat.cjs (Week 3)
**Priority**: MEDIUM
**Tasks**:
- [ ] Import shared identity service
- [ ] Replace simple registration with challenge-response
- [ ] Add persistent identity support
- [ ] Add session token handling
- [ ] Display identity status in UI
- [ ] Handle kill switch signals
**Code Changes**:
```javascript
// OLD (current)
ws.send(JSON.stringify({
type: 'register',
nickname: nickname
}));
// NEW (with security)
const identity = new RangerBlockIdentity();
const myIdentity = await identity.getOrCreateIdentity(nickname);
// Wait for challenge from server
ws.on('message', (data) => {
const msg = JSON.parse(data);
if (msg.type === 'challenge') {
const signature = identity.signMessage(msg.nonce);
ws.send(JSON.stringify({
type: 'register',
hardware_id: myIdentity.hardwareId,
public_key: myIdentity.publicKey,
signature: signature,
nickname: nickname
}));
}
});
```
---
### Phase 4: Update voice-chat.cjs (Week 4)
**Priority**: MEDIUM
**Tasks**:
- [ ] Import shared identity service
- [ ] Add challenge-response auth
- [ ] Add voice stream encryption (AES-256-GCM)
- [ ] Add call authentication (verify caller identity)
- [ ] Handle kill switch signals
**Voice Encryption**:
```javascript
// Generate per-call session key
const sessionKey = crypto.randomBytes(32);
// Encrypt voice data before sending
function encryptVoice(audioBuffer) {
const iv = crypto.randomBytes(12);
const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
const encrypted = Buffer.concat([cipher.update(audioBuffer), cipher.final()]);
const authTag = cipher.getAuthTag();
return Buffer.concat([iv, authTag, encrypted]);
}
// Key exchange: Encrypt session key with recipient's public key
const encryptedKey = crypto.publicEncrypt(recipientPublicKey, sessionKey);
```
---
### Phase 5: Update ranger-chat-lite (Week 5)
**Priority**: MEDIUM
**Tasks**:
- [ ] Move identity storage to shared `~/.rangerblock/`
- [ ] Enable RSA signing for all messages
- [ ] Add TLS/WSS support
- [ ] Integrate with auth server
- [ ] Add kill switch handling in Electron
---
### Phase 6: Commander Integration (Week 6)
**Priority**: HIGH
**Tasks**:
- [ ] Create user management API
- [ ] Build network dashboard
- [ ] Integrate Rain Protocol triggers
- [ ] Add real-time alerts for suspicious activity
- [ ] Implement trust score system
---
## 7. KILL SWITCH INTEGRATION
### Server-Side Kill Switch Listener
**File**: `/rangerblock/server-only/kill-switch-listener.cjs`
```javascript
const KILL_COMMANDS = {
'gentle-rain': softKill, // Graceful shutdown
'thunderstorm': hardKill, // Immediate termination
'flood': nuclearKill // Complete purge
};
function startKillSwitchListener(commanderPublicKey) {
// Listen on secret port for Commander signals
const ws = new WebSocket('ws://localhost:XXXX/commander');
ws.on('message', (data) => {
const msg = JSON.parse(data);
// Verify Commander signature
if (!verifyCommanderSignature(msg, commanderPublicKey)) {
console.log('⚠️ Invalid kill switch attempt!');
return;
}
// Execute kill command
if (KILL_COMMANDS[msg.command]) {
KILL_COMMANDS[msg.command](msg.params);
}
});
}
```
### Client-Side Kill Switch Handling
```javascript
// All clients check for kill switch on connect
ws.on('message', (data) => {
const msg = JSON.parse(data);
if (msg.type === 'kill-switch') {
console.log('⚠️ Network shutdown initiated');
switch (msg.level) {
case 'soft':
// Save state, graceful exit
saveState();
process.exit(0);
break;
case 'hard':
// Immediate exit
process.exit(1);
break;
case 'nuclear':
// Wipe local data
wipeLocalData();
process.exit(1);
break;
}
}
});
```
---
## 8. TRUST SCORE SYSTEM
### How It Works
Each user starts with trust score **50** (neutral).
**Score Increases**:
- +1 per day active (max +7/week)
- +5 for verified Commander interaction
- +10 for reporting valid abuse
**Score Decreases**:
- -5 for spam detection
- -10 for suspicious patterns
- -20 for attempted impersonation
- -50 for confirmed abuse (triggers review)
**Trust Levels**:
```
0-19: BANNED (cannot connect)
20-39: RESTRICTED (rate limited, monitored)
40-59: NORMAL (standard access)
60-79: TRUSTED (higher limits)
80-100: VERIFIED (full access, can report)
```
---
## 9. FILE LOCATIONS SUMMARY
### Classified (Commander Only)
```
~/.claude/ranger/classified/
├── RANGERBLOCK_KILL_SWITCH_PLAN.md # Rain Protocol
├── RANGERBLOCK_SECURITY_INTEGRATION_PLAN.md # This document
└── rain/ # Kill switch code (future)
├── commander-keys/
└── rain-protocol.cjs
```
### Shared Identity (All Apps)
```
~/.rangerblock/
├── identity/
├── keys/
├── sessions/
└── config/
```
### Source Code
```
/Users/ranger/rangerplex-ai/rangerblock/
├── lib/
│ ├── identity-service.cjs # NEW
│ ├── crypto-utils.cjs # NEW
│ └── storage-utils.cjs # NEW
├── server-only/ # NEW
│ ├── auth-server.cjs
│ ├── user-database.cjs
│ └── kill-switch-listener.cjs
└── just-chat/
├── blockchain-chat.cjs # UPDATE
└── voice-chat.cjs # UPDATE
```
---
## 10. SECURITY CHECKLIST
### Before Going Live:
- [ ] All communications over WSS (TLS)
- [ ] Private keys never leave device
- [ ] Hardware IDs salted with secret
- [ ] Session tokens expire after 24 hours
- [ ] Rate limiting on all endpoints
- [ ] Audit logging enabled
- [ ] Kill switch tested on test network
- [ ] Commander keys generated offline
- [ ] Backup keys in secure location
- [ ] Ban list functionality tested
---
## 11. NEXT STEPS
**Immediate** (awaiting green light):
1. Create `/rangerblock/lib/identity-service.cjs`
2. Port hardware fingerprinting from TypeScript
3. Test on all platforms
**Short-term**:
4. Build auth server
5. Update blockchain-chat.cjs
6. Update voice-chat.cjs
**Medium-term**:
7. Update ranger-chat-lite
8. Build Commander dashboard
9. Full integration testing
---
**Document Classification**: COMMANDER EYES ONLY
**Created**: December 3, 2024
**Author**: Ranger (AIR9cd99c4515aeb3f6)
**For**: David Keane (IR240474)
**Related**: RANGERBLOCK_KILL_SWITCH_PLAN.md
🎖️ Rangers lead the way!
---
## AWAITING GREEN LIGHT FOR IMPLEMENTATION
identity/claude/classified/RANGERBLOCK_SECURITY_INTEGRATION_PLAN_v2.md
-638
View File
@@ -1,638 +0,0 @@
# 🛡️ RANGERBLOCK SECURITY INTEGRATION PLAN v2.0
## Project Codename: "SHEPHERD PROTOCOL"
### Unified Identity, Registration & App Sync System
---
## REVISION NOTES (v2.0)
- Added: ranger-chat-lite ↔ RangerPlex bidirectional sync
- Added: On-chain identity registration
- Added: Settings migration (lite → full app)
- Added: First-app security considerations (comprehensive)
- Added: Missing security layers David didn't know to ask for
---
## 1. EXECUTIVE SUMMARY
### The Vision
```
User Journey Option A (Chat First):
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Downloads │────>│ Identity │────>│ Later adds │
│ Chat Lite │ │ Created + │ │ RangerPlex │
│ (free/easy) │ │ On-Chain │ │ (full app) │
└─────────────┘ └─────────────┘ └─────────────┘
│ │
└────────────────────┘
SEAMLESS SYNC!
(settings, history, keys)
User Journey Option B (RangerPlex First):
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Downloads │────>│ Full │────>│ Chat Lite │
│ RangerPlex │ │ Identity │ │ auto-links │
│ (power user)│ │ On-Chain │ │ to existing │
└─────────────┘ └─────────────┘ └─────────────┘
```
### Key Principles
1. **Identity is PORTABLE** - One identity, all apps
2. **Blockchain is TRUTH** - On-chain registration = verified
3. **Local is FALLBACK** - Works offline, syncs when connected
4. **Upgrade is SEAMLESS** - Lite → Full with zero friction
5. **Security is INVISIBLE** - Users don't see complexity
---
## 2. ON-CHAIN IDENTITY REGISTRATION
### Why On-Chain?
- **Proof of existence** - Timestamp when identity created
- **Immutable record** - Can't be faked retroactively
- **Cross-app verification** - Any app can verify identity
- **Recovery mechanism** - Blockchain = backup
### Identity Block Structure
```javascript
{
type: 'IDENTITY_REGISTRATION',
version: '1.0.0',
payload: {
// Public data (visible on chain)
publicKey: 'RSA-2048 public key (PEM)',
hardwareIdHash: 'SHA-256 of hardware ID (not raw ID!)',
nickname: 'IrishRanger',
appOrigin: 'ranger-chat-lite', // Which app created this
capabilities: ['chat', 'voice', 'files'],
// Timestamps
createdAt: '2024-12-03T12:00:00.000Z',
registeredOnChain: '2024-12-03T12:00:05.000Z',
// Signature
signature: 'self-signed with private key'
},
metadata: {
blockHeight: 12345,
previousHash: 'abc123...',
nonce: 42
}
}
```
### Registration Flow
```
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ CLIENT │ │ RELAY/HUB │ │ BLOCKCHAIN │
└──────┬──────┘ └──────┬──────┘ └──────┬──────┘
│ │ │
│ 1. Generate identity │ │
│ locally first │ │
│ │ │
│ 2. Connect to relay │ │
├───────────────────────>│ │
│ │ │
│ 3. Submit identity │ │
│ registration block │ │
├───────────────────────>│ │
│ │ │
│ │ 4. Validate & mine │
│ ├───────────────────────>│
│ │ │
│ │ 5. Block confirmed │
│ │<───────────────────────┤
│ │ │
│ 6. Registration │ │
│ confirmed + block # │ │
│<───────────────────────┤ │
│ │ │
│ 7. Store block # as │ │
│ proof of identity │ │
│ │ │
```
---
## 3. APP SYNC ARCHITECTURE
### Shared Identity Storage
**Location**: `~/.rangerblock/` (cross-app shared folder)
```
~/.rangerblock/
├── identity/
│ ├── master_identity.json # THE identity (shared)
│ ├── hardware_fingerprint.json # Device binding
│ ├── chain_registration.json # On-chain proof
│ └── sync_state.json # Last sync timestamp
├── keys/
│ ├── master_private_key.pem # RSA-2048 (NEVER leaves device)
│ ├── master_public_key.pem # Shared with network
│ └── session_keys/ # Per-session encryption keys
├── apps/
│ ├── ranger-chat-lite/
│ │ ├── settings.json # App-specific settings
│ │ ├── chat_history.json # Message history
│ │ └── contacts.json # Saved contacts
│ │
│ └── rangerplex/
│ ├── settings.json
│ ├── modules.json # Enabled modules
│ └── workspace.json # UI state
├── sync/
│ ├── pending_sync.json # Changes to sync
│ ├── conflict_log.json # Sync conflicts
│ └── last_sync.json # Sync metadata
└── security/
├── trusted_devices.json # Other devices with same identity
├── revocation_list.json # Compromised keys
└── audit_log.json # Security events
```
### App Detection & Sync
```javascript
// When ranger-chat-lite starts:
class AppSyncManager {
async detectRangerPlex() {
const paths = [
'~/.rangerplex', // Linux/macOS
'~/Library/Application Support/RangerPlex', // macOS
'%APPDATA%/RangerPlex' // Windows
];
for (const path of paths) {
if (await fs.exists(path)) {
return { installed: true, path };
}
}
return { installed: false };
}
async syncWithRangerPlex() {
const rangerplex = await this.detectRangerPlex();
if (rangerplex.installed) {
// RangerPlex exists - sync to shared identity
await this.mergeIdentities();
await this.syncSettings();
await this.notifyUser('Synced with RangerPlex!');
} else {
// First app - create shared identity
await this.createSharedIdentity();
}
}
}
```
### Settings Migration (Lite → Full)
```javascript
// When RangerPlex detects existing Chat Lite identity:
async function migrateFromChatLite() {
const chatLiteData = await loadChatLiteData();
if (chatLiteData) {
// Import user's existing identity
await importIdentity(chatLiteData.identity);
// Import chat history
await importChatHistory(chatLiteData.messages);
// Import contacts
await importContacts(chatLiteData.contacts);
// Import preferences
await importPreferences(chatLiteData.settings);
// Notify user
showWelcome(`
Welcome to RangerPlex!
We found your Chat Lite identity:
• Username: ${chatLiteData.identity.nickname}
• Messages: ${chatLiteData.messages.length}
• Contacts: ${chatLiteData.contacts.length}
Everything has been imported automatically!
`);
}
}
```
---
## 4. SECURITY CONSIDERATIONS (FIRST APP CHECKLIST)
### Things You Didn't Know to Ask For:
#### A. Input Validation (CRITICAL)
```javascript
// NEVER trust user input!
function sanitizeNickname(input) {
// Remove dangerous characters
const clean = input
.replace(/[<>\"\'\\\/]/g, '') // No HTML/script injection
.replace(/[\x00-\x1F]/g, '') // No control characters
.trim()
.substring(0, 32); // Max length
// Check against banned patterns
const banned = ['admin', 'system', 'ranger', 'commander'];
if (banned.some(b => clean.toLowerCase().includes(b))) {
throw new Error('Reserved nickname');
}
return clean;
}
// Validate ALL WebSocket messages
function validateMessage(data) {
try {
const msg = JSON.parse(data);
// Check required fields
if (!msg.type || typeof msg.type !== 'string') {
throw new Error('Invalid message type');
}
// Check payload size (prevent DoS)
if (JSON.stringify(msg).length > 65536) {
throw new Error('Message too large');
}
// Check for injection attempts
if (containsInjection(msg)) {
throw new Error('Injection detected');
}
return msg;
} catch (e) {
logSecurityEvent('INVALID_MESSAGE', { error: e.message, data });
return null;
}
}
```
#### B. Rate Limiting (PREVENTS ABUSE)
```javascript
class RateLimiter {
constructor() {
this.limits = {
messages: { max: 10, window: 10000 }, // 10 msgs per 10s
connections: { max: 3, window: 60000 }, // 3 connects per min
registrations: { max: 1, window: 86400000 } // 1 reg per day per IP
};
this.counters = new Map();
}
check(type, identifier) {
const key = `${type}:${identifier}`;
const now = Date.now();
const limit = this.limits[type];
if (!this.counters.has(key)) {
this.counters.set(key, []);
}
const timestamps = this.counters.get(key)
.filter(t => now - t < limit.window);
if (timestamps.length >= limit.max) {
return { allowed: false, retryAfter: limit.window - (now - timestamps[0]) };
}
timestamps.push(now);
this.counters.set(key, timestamps);
return { allowed: true };
}
}
```
#### C. Secure Key Storage (DON'T STORE PLAIN!)
```javascript
const crypto = require('crypto');
const os = require('os');
class SecureKeyStorage {
// Derive encryption key from hardware + user password
deriveStorageKey(password) {
const hardwareId = this.getHardwareId();
const salt = crypto.createHash('sha256')
.update(hardwareId + os.userInfo().username)
.digest();
return crypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256');
}
// Encrypt private key before storage
encryptPrivateKey(privateKeyPem, password) {
const key = this.deriveStorageKey(password);
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
let encrypted = cipher.update(privateKeyPem, 'utf8', 'base64');
encrypted += cipher.final('base64');
return {
encrypted,
iv: iv.toString('base64'),
authTag: cipher.getAuthTag().toString('base64')
};
}
// Decrypt on use
decryptPrivateKey(encryptedData, password) {
const key = this.deriveStorageKey(password);
const decipher = crypto.createDecipheriv(
'aes-256-gcm',
key,
Buffer.from(encryptedData.iv, 'base64')
);
decipher.setAuthTag(Buffer.from(encryptedData.authTag, 'base64'));
let decrypted = decipher.update(encryptedData.encrypted, 'base64', 'utf8');
decrypted += decipher.final('utf8');
return decrypted;
}
}
```
#### D. Session Security
```javascript
class SessionManager {
generateSessionToken(userId, hardwareId) {
const payload = {
userId,
hardwareId,
issuedAt: Date.now(),
expiresAt: Date.now() + (24 * 60 * 60 * 1000), // 24 hours
nonce: crypto.randomBytes(16).toString('hex')
};
// Sign the token
const signature = this.sign(JSON.stringify(payload));
return Buffer.from(JSON.stringify({ payload, signature }))
.toString('base64');
}
validateSessionToken(token, expectedHardwareId) {
try {
const { payload, signature } = JSON.parse(
Buffer.from(token, 'base64').toString()
);
// Check expiry
if (Date.now() > payload.expiresAt) {
return { valid: false, reason: 'expired' };
}
// Check hardware binding
if (payload.hardwareId !== expectedHardwareId) {
return { valid: false, reason: 'hardware_mismatch' };
}
// Verify signature
if (!this.verify(JSON.stringify(payload), signature)) {
return { valid: false, reason: 'invalid_signature' };
}
return { valid: true, payload };
} catch (e) {
return { valid: false, reason: 'malformed' };
}
}
}
```
#### E. Audit Logging (LEGAL PROTECTION)
```javascript
class AuditLogger {
constructor(dbPath) {
this.db = new Database(dbPath);
this.initSchema();
}
log(event) {
const entry = {
timestamp: new Date().toISOString(),
eventType: event.type,
userId: event.userId || null,
hardwareId: event.hardwareId || null,
ipAddress: event.ip || null,
action: event.action,
details: JSON.stringify(event.details || {}),
severity: event.severity || 'INFO'
};
this.db.insert('audit_log', entry);
// Alert Commander for high severity
if (event.severity === 'CRITICAL') {
this.alertCommander(entry);
}
}
// Required events to log:
// - User registration
// - Login attempts (success/fail)
// - Message sends (metadata only, not content!)
// - File transfers (metadata)
// - Admin actions
// - Kill switch triggers
// - Suspicious activity
}
```
#### F. Error Handling (DON'T LEAK INFO)
```javascript
// BAD - leaks internal details
app.use((err, req, res, next) => {
res.status(500).json({
error: err.message,
stack: err.stack, // NEVER expose stack trace!
query: req.query // NEVER echo back user input!
});
});
// GOOD - generic errors
app.use((err, req, res, next) => {
const errorId = crypto.randomBytes(8).toString('hex');
// Log full error internally
logger.error({
errorId,
error: err.message,
stack: err.stack,
request: sanitize(req)
});
// Return generic message to user
res.status(500).json({
error: 'An error occurred',
errorId: errorId, // User can report this ID
support: 'Contact support with this error ID'
});
});
```
#### G. Content Security (PREVENT ABUSE)
```javascript
class ContentFilter {
constructor() {
// Load filters
this.illegalPatterns = [
/(?:^|\s)csam(?:\s|$)/i, // Child abuse material
/(?:^|\s)bomb(?:\s+making)?(?:\s|$)/i,
// etc - comprehensive list
];
this.spamPatterns = [
/(.)\1{10,}/, // Repeated characters
/(https?:\/\/[^\s]+\s*){5,}/, // Too many URLs
];
}
check(content) {
// Check for illegal content
for (const pattern of this.illegalPatterns) {
if (pattern.test(content)) {
return {
allowed: false,
reason: 'ILLEGAL_CONTENT',
action: 'BLOCK_AND_REPORT'
};
}
}
// Check for spam
for (const pattern of this.spamPatterns) {
if (pattern.test(content)) {
return {
allowed: false,
reason: 'SPAM_DETECTED',
action: 'BLOCK'
};
}
}
return { allowed: true };
}
}
```
#### H. TLS/WSS Configuration (ENCRYPT IN TRANSIT)
```javascript
const https = require('https');
const fs = require('fs');
// For production - use proper certificates!
const server = https.createServer({
key: fs.readFileSync('server-key.pem'),
cert: fs.readFileSync('server-cert.pem'),
// Security settings
minVersion: 'TLSv1.2', // Minimum TLS version
ciphers: [
'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES128-GCM-SHA256',
'ECDHE-ECDSA-AES256-GCM-SHA384',
'ECDHE-RSA-AES256-GCM-SHA384'
].join(':'),
honorCipherOrder: true
});
// WebSocket over TLS
const wss = new WebSocket.Server({ server });
```
---
## 5. IMPLEMENTATION PHASES (REVISED)
### Phase 1: Shared Identity Library (THIS WEEK)
**Files to Create**:
```
/rangerblock/lib/
├── identity-service.cjs # Core identity (ported from TS)
├── crypto-utils.cjs # RSA, signing, encryption
├── storage-utils.cjs # Cross-platform storage
├── hardware-id.cjs # Hardware fingerprinting
├── sync-manager.cjs # App sync logic
└── chain-registration.cjs # On-chain identity
```
### Phase 2: Update ranger-chat-lite
- Move identity to `~/.rangerblock/`
- Add RangerPlex detection
- Add on-chain registration
- Enable RSA signing
### Phase 3: Auth Server + Just-Chat Updates
- Build server-only/auth-server.cjs
- Update blockchain-chat.cjs
- Update voice-chat.cjs
### Phase 4: Kill Switch Integration
- Add Rain Protocol listeners
- Add Commander verification
- Test shutdown procedures
### Phase 5: RangerPlex Integration
- Detect Chat Lite identity
- Migrate settings
- Unified dashboard
---
## 6. QUICK REFERENCE
### App Paths
| App | Identity Location |
|-----|-------------------|
| ranger-chat-lite | `~/.rangerblock/` (shared) |
| RangerPlex | `~/.rangerblock/` (shared) |
| blockchain-chat.cjs | `~/.rangerblock/` (shared) |
| voice-chat.cjs | `~/.rangerblock/` (shared) |
### API Methods
| Method | Purpose |
|--------|---------|
| `getOrCreateIdentity()` | Get or create shared identity |
| `registerOnChain()` | Register identity on blockchain |
| `syncWithApps()` | Sync settings across apps |
| `validateIdentity()` | Verify identity is valid |
| `migrateFromApp()` | Import from other app |
---
## 7. SUMMARY OF CHANGES (v2.0)
1. **On-Chain Registration**: Every identity gets registered on the blockchain
2. **App Sync**: ranger-chat-lite ↔ RangerPlex automatic sync
3. **Settings Migration**: Seamless upgrade from Lite to Full
4. **Shared Storage**: `~/.rangerblock/` used by ALL apps
5. **Security Additions**:
- Input validation
- Rate limiting
- Encrypted key storage
- Session security
- Audit logging
- Error handling (no info leaks)
- Content filtering
- TLS/WSS configuration
---
**Document Classification**: COMMANDER EYES ONLY
**Version**: 2.0
**Created**: December 3, 2024
**Author**: Ranger (AIR9cd99c4515aeb3f6)
**For**: David Keane (IR240474)
🎖️ Rangers lead the way!
identity/claude/classified/legal/README.md
-83
View File
@@ -1,83 +0,0 @@
# RangerBlock Legal Documents
## CLASSIFICATION: PRIVATE
**DO NOT UPLOAD TO PUBLIC GIT**
---
## Contents
| File | Purpose |
|------|---------|
| `terms_v1.0.json` | Structured terms for app integration |
| `terms_v1.0.txt` | Plain text version for display |
| `README.md` | This file |
---
## Key Decisions
### 18+ ONLY Policy
- **Decision Date**: December 4, 2025
- **Decided By**: David Keane (IrishRanger)
- **Reasoning**:
- No minors = no targets for predators
- Adults are responsible for their behaviour
- Children have other age-appropriate apps
- Protects the entire RangerBlock community
### CRITICAL: 18+ Does NOT Mean "Adult Content Site"
**This distinction must be CRYSTAL CLEAR to all users.**
| 18+ MEANS | 18+ DOES NOT MEAN |
|-----------|-------------------|
| Mature users | Porn allowed |
| Responsible adults | Sexual content OK |
| Legally accountable | "Anything goes" |
| Professional conduct | Dating site |
**Why this matters:**
A bad actor might see "18+ site" and think "Great, I can send dick pics!"
**Our response:** INSTANT BAN + POLICE REPORT
### Strictly Prohibited Content
- ANY pornography or sexual images
- Child sexual abuse material (CSAM) - reported to NCMEC/Gardai
- Unsolicited sexual content (dick pics, nudes)
- Grooming behaviour
- Gore/death images
- Hate speech/extremism
### Permitted Content
- Normal photos (selfies, landscapes, memes)
- Gaming screenshots and videos
- Gaming violence discussion (Battlefield tactics, K/D, etc.)
- Professional content
- General conversation
### Gaming Context Exception
- "I'll kill you in Battlefield" = OK (gaming context)
- "I'll kill you IRL" = NOT OK (ban + report)
---
## Version History
| Version | Date | Changes |
|---------|------|---------|
| 1.0.0 | 2025-12-04 | Initial release with 18+ and content policy |
---
## Testing Plan
1. **MSI Vector (Windows)** - Test consent flow
2. **AWS Kali (Linux)** - Test server consent
3. Review and adjust based on testing
4. Upload to git only after approval
---
*Rangers lead the way!*
identity/claude/classified/legal/terms_v1.0.json
-177
View File
@@ -1,177 +0,0 @@
{
"version": "1.0.0",
"effectiveDate": "2025-12-04",
"lastUpdated": "2025-12-04",
"jurisdiction": "Republic of Ireland",
"minimumAge": 18,
"hash": null,
"terms": {
"title": "RANGERBLOCK TERMS OF USE & FAIR USE POLICY",
"sections": [
{
"id": "age_restriction",
"title": "AGE RESTRICTION - ADULTS ONLY",
"content": [
"RangerBlock is an ADULTS ONLY (18+) platform.",
"By using this software, you confirm you are at least 18 years of age.",
"This restriction exists to protect all users and maintain a responsible community.",
"Misrepresentation of age is a violation of these terms and may result in permanent ban.",
"If you are under 18, please use age-appropriate communication platforms."
]
},
{
"id": "fair_use",
"title": "1. FAIR USE",
"content": [
"You will use this software for lawful purposes only.",
"You will not engage in harassment, threats, bullying, or abuse of any kind.",
"You will respect other users' privacy, dignity, and rights.",
"You will not use this platform for illegal activities including but not limited to fraud, money laundering, or distribution of illegal content.",
"Threats of violence, even in jest, are not permitted unless clearly in gaming context (e.g., 'I'll get you in Battlefield' is acceptable)."
]
},
{
"id": "no_harm",
"title": "2. NO HARM CLAUSE",
"content": [
"You will not use this software to harm others physically, emotionally, financially, or reputationally.",
"You will not distribute malware, viruses, ransomware, or any malicious software.",
"You will not attempt to compromise network security, servers, or other users' devices.",
"You will not engage in doxxing, swatting, or any form of real-world harassment.",
"You will not share personal information of others without their explicit consent."
]
},
{
"id": "legal_compliance",
"title": "3. LEGAL COMPLIANCE",
"content": [
"You agree to comply with all applicable local, national, and international laws.",
"THIS SOFTWARE DOES NOT PROTECT YOU FROM LEGAL CONSEQUENCES.",
"Bad actors will be reported to appropriate law enforcement authorities.",
"Your identity is cryptographically linked to your actions - denial is not possible.",
"We cooperate fully with law enforcement investigations when legally required.",
"Using encryption or anonymity features does not exempt you from legal responsibility."
]
},
{
"id": "identity_responsibility",
"title": "4. IDENTITY RESPONSIBILITY",
"content": [
"Your RangerBlock identity is linked to your hardware device.",
"You are solely responsible for ALL actions taken under your identity.",
"Your identity cannot be transferred, sold, or shared with others.",
"If your device is compromised, report it immediately to administrators.",
"Creating multiple identities to evade bans is a violation of these terms."
]
},
{
"id": "network_conduct",
"title": "5. NETWORK CONDUCT",
"content": [
"You will not flood, spam, or disrupt network services.",
"You will not attempt to impersonate other users or administrators.",
"You will not exploit bugs or vulnerabilities for personal gain.",
"You will report security vulnerabilities responsibly to administrators.",
"You will not attempt to intercept, decrypt, or eavesdrop on other users' communications.",
"Denial of service attacks are strictly prohibited and will be reported to authorities."
]
},
{
"id": "content_policy",
"title": "6. CONTENT POLICY - THIS IS NOT AN ADULT CONTENT SITE",
"content": [
"*** 18+ MEANS MATURE & RESPONSIBLE - NOT 'ANYTHING GOES' ***",
"",
"STRICTLY PROHIBITED (instant ban + law enforcement report):",
"- ANY pornographic content or sexual images",
"- ANY child sexual abuse material (CSAM) - reported to NCMEC/Gardai immediately",
"- Unsolicited sexual content (dick pics, nudes, etc.)",
"- Grooming behaviour of ANY kind",
"- Gore, death images, or extreme violence",
"- Content depicting real violence against real people",
"- Hate speech, discrimination, or extremist content",
"",
"PERMITTED:",
"- Normal photos and images (selfies, landscapes, memes, etc.)",
"- Gaming screenshots and videos",
"- Gaming violence discussion (Battlefield tactics, K/D ratios, etc.)",
"- Professional/work-related content",
"- General conversation between adults",
"",
"THE 18+ REQUIREMENT EXISTS FOR:",
"- Ensuring users are legally responsible for their actions",
"- Protecting against predatory behaviour toward minors",
"- Maintaining mature, respectful discourse",
"- NOT for enabling sexual or explicit content",
"",
"If you think '18+ site' means you can send inappropriate content - YOU ARE WRONG.",
"This is a COMMUNICATION platform, not a dating/adult site."
]
},
{
"id": "data_privacy",
"title": "7. DATA & PRIVACY",
"content": [
"Your public key and username are visible to other users on the network.",
"Message content may be temporarily stored on relay servers for delivery.",
"We do not sell, share, or monetize your personal data.",
"You control your own encryption keys - we cannot read your encrypted messages.",
"Server logs are maintained for security and may be provided to law enforcement if required.",
"You may request deletion of your account and associated data."
]
},
{
"id": "disclaimer",
"title": "8. DISCLAIMER",
"content": [
"This software is provided 'AS IS' without warranty of any kind.",
"No warranty of merchantability or fitness for a particular purpose is provided.",
"Use this software at your own risk.",
"The developers are not liable for any damages arising from use of this software.",
"We do not guarantee uptime, availability, or data preservation.",
"Backup your own data - we are not responsible for data loss."
]
},
{
"id": "enforcement",
"title": "9. ENFORCEMENT",
"content": [
"Violations may result in warnings, temporary suspension, or permanent ban.",
"Severe violations will be reported to law enforcement.",
"Bans are linked to your hardware identity - creating new accounts will not help.",
"Appeals may be submitted to administrators but decisions are final.",
"Administrators reserve the right to remove any user for any reason."
]
},
{
"id": "jurisdiction",
"title": "10. JURISDICTION",
"content": [
"These terms are governed by the laws of the Republic of Ireland.",
"The courts of Dublin, Ireland have exclusive jurisdiction over disputes.",
"If any provision is found unenforceable, other provisions remain in effect.",
"These terms constitute the entire agreement between you and RangerBlock."
]
}
],
"acceptance": {
"checkbox_text": "I confirm that I am at least 18 years old and I have read, understood, and agree to these Terms of Use.",
"accept_button": "I Accept",
"decline_button": "I Decline",
"decline_message": "You must accept the Terms of Use to use RangerBlock. The application will now close."
},
"signature_statement": "By accepting, your agreement is cryptographically signed with your private key and recorded. This acceptance cannot be denied or disputed."
},
"metadata": {
"created_by": "David Keane (IrishRanger)",
"assistant": "Claude Code (Ranger)",
"purpose": "Legal protection for RangerBlock platform",
"notes": [
"18+ ONLY - deliberate decision to protect community",
"No minors = no targets for predators",
"Adults are responsible for their own behaviour",
"Gaming violence discussion is explicitly permitted",
"DO NOT UPLOAD TO GIT until tested"
]
}
}
identity/claude/classified/legal/terms_v1.0.txt
-154
View File
@@ -1,154 +0,0 @@
================================================================================
RANGERBLOCK TERMS OF USE & FAIR USE POLICY
Version 1.0.0
Effective: December 4, 2025
================================================================================
*** ADULTS ONLY (18+) ***
RangerBlock is an ADULTS ONLY platform. By using this software, you confirm
you are at least 18 years of age. This restriction exists to protect all
users and maintain a responsible community.
If you are under 18, please use age-appropriate communication platforms.
================================================================================
1. FAIR USE
================================================================================
- You will use this software for lawful purposes only.
- You will not engage in harassment, threats, bullying, or abuse.
- You will respect other users' privacy, dignity, and rights.
- You will not use this platform for illegal activities.
- Threats of violence are not permitted UNLESS clearly in gaming context
(e.g., "I'll get you in Battlefield" is acceptable).
================================================================================
2. NO HARM CLAUSE
================================================================================
- You will not use this software to harm others.
- You will not distribute malware or malicious software.
- You will not compromise network security or other users' devices.
- You will not engage in doxxing, swatting, or real-world harassment.
- You will not share others' personal information without consent.
================================================================================
3. LEGAL COMPLIANCE
================================================================================
- You agree to comply with all applicable laws.
*** THIS SOFTWARE DOES NOT PROTECT YOU FROM LEGAL CONSEQUENCES ***
- Bad actors WILL be reported to law enforcement.
- Your identity is cryptographically linked to your actions.
- We cooperate fully with law enforcement when legally required.
- Using encryption does not exempt you from legal responsibility.
================================================================================
4. IDENTITY RESPONSIBILITY
================================================================================
- Your identity is linked to your hardware device.
- You are responsible for ALL actions under your identity.
- Your identity cannot be transferred or shared.
- Creating multiple identities to evade bans is prohibited.
================================================================================
5. NETWORK CONDUCT
================================================================================
- You will not flood, spam, or disrupt services.
- You will not impersonate other users or administrators.
- You will report security vulnerabilities responsibly.
- Denial of service attacks will be reported to authorities.
================================================================================
6. CONTENT POLICY - THIS IS NOT AN ADULT CONTENT SITE
================================================================================
*** 18+ MEANS MATURE & RESPONSIBLE - NOT "ANYTHING GOES" ***
STRICTLY PROHIBITED (instant ban + law enforcement report):
- ANY pornographic content or sexual images
- ANY child sexual abuse material (CSAM)
(Reported to NCMEC/Gardai IMMEDIATELY)
- Unsolicited sexual content (dick pics, nudes, etc.)
- Grooming behaviour of ANY kind
- Gore, death images, or extreme violence
- Real violence against real people
- Hate speech, discrimination, or extremist content
PERMITTED:
- Normal photos and images (selfies, landscapes, memes, etc.)
- Gaming screenshots and videos
- Gaming violence discussion (Battlefield tactics, K/D ratios, etc.)
- Professional/work-related content
- General conversation between adults
THE 18+ REQUIREMENT EXISTS FOR:
- Ensuring users are legally responsible for their actions
- Protecting against predatory behaviour toward minors
- Maintaining mature, respectful discourse
- NOT for enabling sexual or explicit content
If you think "18+ site" means you can send inappropriate content:
*** YOU ARE WRONG ***
This is a COMMUNICATION platform, not a dating/adult site.
================================================================================
7. DATA & PRIVACY
================================================================================
- Your public key and username are visible to other users.
- We do NOT sell or monetize your data.
- You control your own encryption keys.
- Server logs may be provided to law enforcement if required.
================================================================================
8. DISCLAIMER
================================================================================
- This software is provided "AS IS" without warranty.
- Use at your own risk.
- We are not liable for damages from use of this software.
- Backup your own data.
================================================================================
9. ENFORCEMENT
================================================================================
- Violations may result in warnings, suspension, or permanent ban.
- Severe violations WILL be reported to law enforcement.
- Bans are linked to hardware - new accounts won't help.
- Administrator decisions are final.
================================================================================
10. JURISDICTION
================================================================================
- Governed by laws of the Republic of Ireland.
- Dublin courts have exclusive jurisdiction.
================================================================================
ACCEPTANCE
================================================================================
By clicking "I Accept" or continuing to use this software, you confirm:
[ ] I am at least 18 years old
[ ] I have read and understood these terms
[ ] I agree to be bound by these terms
Your acceptance is CRYPTOGRAPHICALLY SIGNED with your private key.
This creates a legally binding record that cannot be denied or disputed.
================================================================================
Created by: IrishRanger + Ranger
Rangers lead the way!
================================================================================