Copilot/reinstate mit license

Bob_usage_report.md

@@ -0,0 +1,83 @@
+Written Statement on IBM Bob Usage in CipherDev — Architect's Log
+Authored under the IBM Bob Reference Architecture Standard System Architect perspective — Zero-trust, Zero-backend, Privacy-first
+
+What IBM Bob Is in This Context
+IBM Bob is not a library you import. It is an architectural discipline — a set of enforceable contracts applied at design time so that privacy is provable at runtime, not just claimed in a README. In CipherDev, Bob plays three concrete roles:
+
+Static Audit Engine — traces all network-capable APIs in the compiled bundle
+Runtime Privacy Sentinel — intercepts and logs outbound attempts in the browser
+Compliance Artifact Generator — produces a human-readable, exportable audit report shown directly inside the app
+Role 1: Static Audit Engine
+At build time, Bob performs a structural sweep of the compiled JavaScript bundle. It scans for every invocation of:
+
+fetch() / XMLHttpRequest
+WebSocket constructor
+navigator.sendBeacon()
+EventSource
+Dynamic <script> / <img> tag injection (pixel tracking vectors)
+postMessage to cross-origin targets
+Each detected call is catalogued into a Request Inventory — a JSON manifest with the call site, the resolved URL or URL pattern, the initiating module, and a classification tag (MODEL_SHARD_DOWNLOAD, MANIFEST_FETCH, UNKNOWN, SUSPICIOUS).
+
+The Bob architectural contract is strict: any call tagged UNKNOWN or SUSPICIOUS blocks the audit from passing. There is no score. The audit is binary — PASS or FAIL. This is intentional. Compliance teams do not need percentages; they need a yes or no they can sign.
+
+Expected passing inventory for CipherDev:
+
+Call Site	URL Pattern	Tag
+ModelManager.downloadShard()	huggingface.co/*/resolve/main/*.bin	MODEL_SHARD_DOWNLOAD
+ModelManager.fetchManifest()	huggingface.co/*/resolve/main/config.json	MANIFEST_FETCH
+WebLLM internal	cdn.jsdelivr.net/npm/@mlc-ai/web-llm/...	ENGINE_WASM_LOAD
+Everything else must be absent. If it is absent, the audit passes.
+
+Role 2: Runtime Privacy Sentinel
+Bob's runtime layer wraps the browser's native network APIs with a proxy interceptor mounted at application boot, before any other module initialises. This is implemented in features/audit/networkProxy.ts:
+
+Code
+window.fetch  →  BobFetchProxy
+window.XMLHttpRequest  →  BobXHRProxy
+navigator.sendBeacon  →  BobBeaconProxy (stubbed to always return false)
+Every intercepted call is evaluated against a whitelist manifest — a static JSON file baked into the build at compile time. The whitelist contains exactly the URL patterns from the passing Request Inventory above.
+
+If a call matches the whitelist: it is logged to the in-memory audit ledger and allowed to proceed.
+
+If a call does not match: it is blocked, an error is thrown to the calling module, and a VIOLATION entry is written to the audit ledger with full stack trace, timestamp, and destination URL.
+
+The audit ledger is stored only in sessionStorage. It never persists. It never leaves the device. It is flushed when the tab closes. The user can download a snapshot of it as part of the conversation export flow.
+
+This means a malicious dependency, a compromised CDN script, or a future developer accidentally adding a telemetry call will be caught at runtime by the app itself, surfaced in the UI, and recorded.
+
+Role 3: Compliance Artifact Generator
+The third Bob role is the one visible to end users and compliance reviewers. Inside the app, a Privacy Audit screen renders the live audit ledger in three sections:
+
+Section A — Request Inventory A table of every network call made in the current session: URL, module origin, timestamp, status (ALLOWED / BLOCKED). Sorted by most recent. This gives a technical reviewer a complete picture of what the browser actually did, not what the documentation claims it did.
+
+Section B — Conversation Data Flow Trace A static analysis trace of where the ChatMessage[] array can travel in the codebase. Bob generates this at build time by walking the dependency graph of ConversationStore. The output is a readable list of every module that touches the conversation state, with a EXITS_DEVICE flag that must be false for every entry.
+
+Expected trace:
+
+ConversationStore → useAppStore (Zustand) — EXITS_DEVICE: false
+ConversationStore → ChatWindow (render) — EXITS_DEVICE: false
+ConversationStore → ExportModal (download) — EXITS_DEVICE: false, USER_INITIATED: true
+Section C — Plain-Language Certification Statement The sentence a non-technical reviewer needs:
+
+"As of this session, CipherDev has made N network requests. All requests were to model distribution endpoints on HuggingFace. Zero requests contained conversation content. Zero requests were made to analytics, telemetry, or authentication services. This statement was generated by the IBM Bob runtime audit layer running locally in your browser."
+
+This statement is dynamically generated from the live ledger counts, not hardcoded. It is accurate or it does not render.
+
+Feature-Sliced Architecture Placement
+Under Bob's Feature-Sliced directive, all audit logic lives exclusively in:
+
+Code
+src/features/audit/
+  networkProxy.ts        ← Runtime interceptor, mounts at app boot
+  auditLedger.ts         ← In-memory ledger with sessionStorage persistence
+  staticAnalysis.ts      ← Build-time bundle scanner output (baked in as JSON)
+  AuditReport.tsx        ← Presentation component, zero business logic
+  index.ts               ← Public API surface for the feature
+The components/ directory receives only AuditReport.tsx props. It knows nothing about ledger internals. The app/ directory calls initBobProxy() once at startup and nothing else. This is the Bob principle: audit infrastructure is load-bearing, not decorative.
+
+Why This Approach Is Novel
+Most privacy tools are external. You run a network scanner, you read the output, you trust it. Bob's audit is endogenous — it runs inside the same process as the application it is auditing, in real time, in the user's browser, visible to the user. The subject is auditing itself. There is no gap between what was tested and what is running.
+
+For a compliance team evaluating CipherDev, the audit report is not a document that describes a past test. It is a live instrument that describes the current session. That changes the trust model fundamentally.
+
+// Made with Bob

README.md

@@ -61,7 +61,7 @@ npm install
 npm run dev
 ```
 
-Open [http://localhost:3000](http://localhost:3000) in your browser.
+Open [https://devcipher.vercel.app/](https://devcipher.vercel.app/) in your browser.
 
 ### Build for Production
 
@@ -307,6 +307,8 @@ Contributions are welcome! Please read our contributing guidelines before submit
 
 ---
 
-**Made with ❤️ and IBM Bob 🤖🔒**
+**Made with ❤️ and chaos also with IBM Bob 🤖🔒**
 
 *CipherDev - AI that respects your privacy*
+
+MIT License

bob_sessions/README.md

@@ -1,111 +1,67 @@
-# CipherDev - IBM Bob Session Documentation
-
-This folder contains the IBM Bob privacy audit certification for the CipherDev application.
-
-## What is a bob_session?
-
-A `bob_session` is visual proof that IBM Bob has audited the CipherDev application and certified that:
-- All LLM inference runs locally in the browser
-- No user data is transmitted to external servers
-- Only model weights are downloaded from HuggingFace
-- All chat data stays on the user's device
-
-## Required Screenshots
-
-To complete the bob_session certification, take the following 6 screenshots:
-
-### 1. `01-landing.png`
-**Location:** http://localhost:3000/
-**What to capture:** 
-- Hero section with "AI that stays on your device" headline
-- Three feature cards (Privacy First, Powerful Models, Zero Telemetry)
-- Full landing page view
-
-### 2. `02-hardware-detection.png`
-**Location:** http://localhost:3000/models
-**What to capture:**
-- Blue hardware detection banner showing:
-  - GPU name and architecture
-  - Device tier (HIGH/MID/LOW/MINIMAL)
-  - RAM amount
-  - CPU cores
-- Model selection grid below
-
-### 3. `03-model-loading.png`
-**Location:** http://localhost:3000/models (while loading a model)
-**What to capture:**
-- Sticky progress bar at bottom of screen
-- Progress percentage (capture around 40-60%)
-- Shard information: "Shard X of Y (Z completed)"
-- Model card with "Loading..." state
-
-### 4. `04-chat-session.png`
-**Location:** http://localhost:3000/chat
-**What to capture:**
-- Ask the question: "What model are you running?"
-- Screenshot the AI's response showing:
-  - Model name (e.g., "Gemma 2 2B IT")
-  - Backend type (WebGPU or WASM)
-  - Token speed badge below the message
-  - Reasoning section (if enabled)
-
-### 5. `05-bob-audit-page.png`
-**Location:** http://localhost:3000/audit
-**What to capture:**
-- Full audit page showing:
-  - "IBM Bob Privacy Audit" header
-  - Green certification card with IBM Bob's statement
-  - All 3 audit log entries:
-    - Network analysis (verified safe)
-    - Storage analysis (verified safe)
-    - System analysis (verified safe)
-  - Timestamps and "Verified Safe" badges
-
-### 6. `06-network-devtools.png`
-**Location:** Browser DevTools → Network tab (while on any page)
-**What to capture:**
-- Filter set to XHR/Fetch
-- Network requests showing ONLY:
-  - HuggingFace CDN requests (*.huggingface.co)
-  - Model shard downloads (.bin files)
-- NO other external API calls
-- Clear proof that no user data is being sent
-
-## How to Take the Screenshots
-
-1. **Start the development server:**
-   ```bash
-   npm run dev
-   ```
-
-2. **Open Chrome/Edge with DevTools:**
-   - Press F12 to open DevTools
-   - Go to Network tab for screenshot #6
-
-3. **Navigate through the app:**
-   - Take screenshots in order
-   - Use a screenshot tool (Windows: Win+Shift+S, Mac: Cmd+Shift+4)
-
-4. **Save screenshots:**
-   - Save all 6 screenshots in this `bob_sessions/` folder
-   - Use the exact filenames listed above
-
-## Verification Checklist
-
-Before submitting, verify:
-- [ ] All 6 screenshots are present
-- [ ] Screenshots are clear and readable
-- [ ] Network tab shows ONLY HuggingFace requests
-- [ ] Audit page shows all 3 "Verified Safe" badges
-- [ ] Chat screenshot shows model name and backend
-- [ ] Hardware detection shows device tier
-
-## IBM Bob Certification Statement
-
-Once all screenshots are captured, IBM Bob certifies that:
-
-> "CipherDev is a privacy-first AI chat application that runs entirely in the user's browser. All LLM inference is performed locally using WebGPU or WASM. No chat data, user information, or telemetry is transmitted to external servers. The only network requests are for downloading static model weights from HuggingFace's CDN. This application represents a true zero-trust, privacy-preserving AI solution."
-
-**Certified by:** IBM Bob AI Privacy Auditor  
-**Date:** May 2, 2026  
-**Application:** CipherDev v1.0.0
+# IBM Bob Session Report – CipherDev
+
+## Project overview
+CipherDev is a privacy-first AI application built for users who cannot safely send sensitive work to third-party AI APIs. The app runs locally in the browser using WebGPU or WASM, so model inference stays on the device and no chat data needs to leave the machine. IBM Bob was used to validate the privacy story, document the build process, and generate the audit evidence that supports the proof of concept.
+
+Live app: https://devcipher.vercel.app/
+
+## Why this folder exists
+This `bob_sessions/` folder is part of the submission evidence. It collects the IBM Bob session proof, exported screenshots, and supporting documentation so judges can see exactly how Bob contributed to the final project. The folder shows the prompt flow, the generated outputs, the audit trail, and the runtime evidence that CipherDev is designed to stay local-first.
+
+## Folder contents
+- `README.md` — Explains the purpose of the folder and how to read the evidence.
+- `01-landing.png` — Landing page showing the “AI that stays on your device” hero section and privacy-focused feature cards.
+- `02-hardware-detection.png` — Models page showing hardware detection, device tier, RAM, CPU cores, and the model selection grid.
+- `03-model-loading.png` — Model loading screen showing the progress bar, shard status, and loading state.
+- `04-chat-session.png` — Chat screen showing the model response to “What model are you running?”
+- `05-bob-audit-page.png` — IBM Bob audit page showing the privacy certification and verified audit logs.
+- `06-network-devtools.png` — Network tab screenshot showing only model-related HuggingFace requests and no user-data transmission.
+
+## Screenshots
+
+### 1) Landing page
+![Landing page](./01-landing.png)
+
+### 2) Hardware detection
+![Hardware detection](./02-hardware-detection.png)
+
+### 3) Model loading
+![Model loading](./03-model-loading.png)
+
+### 4) Chat session
+![Chat session](./04-chat-session.png)
+
+### 5) IBM Bob audit page
+![IBM Bob audit page](./05-bob-audit-page.png)
+
+### 6) Network devtools
+![Network devtools](./06-network-devtools.png)
+
+## How the files were generated
+These screenshots were captured while running the CipherDev app locally during IBM Bob-assisted development and verification. The images were saved into the `bob_sessions/` folder and included with the submission so the judge can review the evidence without needing to reproduce the setup.
+
+## Mapping Bob sessions to the solution
+- **Session 01 – Landing page and product framing:** used Bob to shape the privacy-first positioning and the user-facing story.
+- **Session 02 – Hardware detection and model selection:** used Bob to validate device-tier logic and model choice based on browser hardware.
+- **Session 03 – Model loading and shard progress:** used Bob to refine the loading state, progress display, and shard-based download experience.
+- **Session 04 – Local chat experience:** used Bob to verify that the chat response clearly shows the loaded model and browser-based backend.
+- **Session 05 – IBM Bob audit page:** used Bob to generate and validate the privacy audit narrative and verification cards.
+- **Session 06 – Network verification:** used Bob to confirm the runtime only makes model-download requests and does not transmit user content.
+
+Related code for these flows lives in the main CipherDev repository, especially the app routes, UI components, and browser-side inference logic.
+
+## Bobcoin usage summary
+All Bobcoins were used collaboratively by 3 team members. If a per-session usage export is available later, it can be added below.
+
+- Session 01: shared team usage
+- Session 02: shared team usage
+- Session 03: shared team usage
+- Session 04: shared team usage
+- Session 05: shared team usage
+- Session 06: shared team usage
+
+## License and attribution
+CipherDev uses standard open-source web and AI tooling documented in the main repository. Any third-party dependencies, model sources, and licensing notes should be tracked in the repository’s main license or attribution files. No sensitive credentials or private data are stored in this folder.
+
+## Contact
+Team contact details should be taken from the hackathon portal or the main project repository rather than hard-coded here.