CIPHER v5: Killing the Python Bridge
The Bridge Problem
CIPHER started as a Claude Code skill file, grew into a Python backend, and eventually got a Node.js CLI bolted on front. The CLI talked to the Python engine over a JSON-RPC subprocess bridge. It worked — barely.
The bridge needed stdout isolation hacks because Python libraries (Rich, Typer) like to print to stdout, which corrupted the JSON-RPC channel. Every command spawned a Python process. Cold start went from instant to noticeable. Two package managers, two test frameworks, two sets of dependencies. Debugging protocol issues at 2am was nobody's idea of fun.
I'd been telling myself "ship fast, rewrite later." Later showed up.
What Changed
Rewrote everything. The Python gateway, memory engine, scanning pipeline, autonomous framework, REST API, MCP server, benchmark harness, Signal bot — all of it, from scratch, in Node.js.
The memory engine moved from Python SQLite + ChromaDB to better-sqlite3 with FTS5. Same full-text search, same RRF fusion, no vector database dependency. The scanning pipeline still shells out to Nuclei and Katana since those are Go binaries anyway. Everything else is native JavaScript.
Cold start dropped from ~200ms to 25ms. The bridge is gone. npm install -g cipher-security is the entire install.
The Numbers
| | Before | After |
|---|---|---|
| Runtime | Python + Node.js | Node.js |
| Install | pip + npm | npm |
| Cold start | ~200ms | 25ms |
| Commands | 25 (7 routed to Python) | 29 (all native) |
| Tests | 1,724 pytest | 1,097 vitest |
| Docker base | python:3.13-slim | node:22-slim |
The test count went down because the Python test suite had a lot of integration tests that were really testing the bridge plumbing, not the actual security logic. The vitest suite tests the actual behavior.
New Stuff That Came With the Rewrite
Compliance engine with 39 frameworks — I'd been wanting to build this for a while but didn't want to add more Python. The rewrite was the excuse. 1,151 control IDs across NIST 800-53, SOC2, PCI DSS, HIPAA, GDPR, EU AI Act, the whole alphabet soup. Feed it scan findings and it tells you what's failing and what to fix first.
REST API — 14 endpoints with HMAC auth and rate limiting. cipher api --no-auth --port 8443 and you have a running security service. Useful for wiring into CI/CD or building internal dashboards.
OpenAI proxy — this one's fun. Point any OpenAI-compatible agent at CIPHER and it automatically injects relevant security skill context into the system prompt. Your agent asks about SQL injection, CIPHER adds the right technique material before the query hits the LLM.
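For the REST API's HMAC auth and rate limiting mentioned above, here is a sketch of what server-side request verification can look like. This is an added example, not CIPHER's own code: the request fields, canonical string layout, 5-minute skew window and per-key limit are all assumptions.

```javascript
// Added example, not CIPHER's code. Field names, canonical string and
// limits below are assumptions chosen for illustration.
const crypto = require("node:crypto");

const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window
const RATE_LIMIT = 3;              // assumed requests per window per key
const WINDOW_MS = 60 * 1000;

// Canonical string binds method, path, timestamp and a hash of the body,
// so changing any of them invalidates the signature.
function sign(secret, { method, path, timestamp, body }) {
  const bodyHash = crypto.createHash("sha256").update(body).digest("hex");
  const canonical = [method.toUpperCase(), path, timestamp, bodyHash].join("\n");
  return crypto.createHmac("sha256", secret).update(canonical).digest("hex");
}

function makeVerifier(secrets, now = Date.now) {
  const hits = new Map(); // keyId -> { windowStart, count }
  return function verify(req) {
    const secret = secrets.get(req.keyId);
    if (!secret) return { ok: false, reason: "unknown-key" };
    // Reject stale or future-dated requests. A nonce cache would be needed
    // to also stop replays inside the window.
    if (!Number.isFinite(req.timestamp) ||
        Math.abs(now() - req.timestamp) > MAX_SKEW_MS)
      return { ok: false, reason: "stale" };
    const expected = Buffer.from(sign(secret, req), "hex");
    const given = Buffer.from(String(req.signature), "hex");
    // timingSafeEqual throws on length mismatch, so check length first.
    if (given.length !== expected.length ||
        !crypto.timingSafeEqual(given, expected))
      return { ok: false, reason: "bad-signature" };
    // Fixed-window rate limit per key, counted after authentication.
    const t = now();
    const slot = hits.get(req.keyId);
    if (!slot || t - slot.windowStart >= WINDOW_MS) {
      hits.set(req.keyId, { windowStart: t, count: 1 });
    } else if (++slot.count > RATE_LIMIT) {
      return { ok: false, reason: "rate-limited" };
    }
    return { ok: true };
  };
}
```

The comparison uses crypto.timingSafeEqual rather than === so a mismatch does not leak how many leading bytes of the signature were correct.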
What's Next
The autonomous framework has configs for all 7 modes but real end-to-end execution — where the agent reasons, uses tools, and produces validated output — is still mostly the RED mode benchmark stuff. Getting BLUE mode to autonomously generate correct Sigma rules, or INCIDENT mode to produce a real forensic timeline, is the next push. The framework is there, the validators are there, it just needs more tuning on the prompt/tool side.
Install
npm install -g cipher-security
That's it.