SPECTER SATOSHI Docs — CLI Reference | Red Specter NIGHTFALL T162

Installation

cd red-specter-specter-satoshi
pip install -e ".[dev]" --break-system-packages
specter-satoshi --help

Gate Activation

export SATOSHI_INJECT_KEY=$(openssl rand -hex 32)
export SATOSHI_UNLEASHED_KEY=$(openssl rand -hex 32)
export SATOSHI_WEAPONISE_KEY=$(openssl rand -hex 32)

Gate	Env Var	Unlocks
OPEN	—	enumerate, detect-mixers, report, status, sessions
INJECT	`SATOSHI_INJECT_KEY`	trace-forward, trace-backward, cluster, deanonymise, profile, surveil
UNLEASHED	`SATOSHI_UNLEASHED_KEY`	Full attribution chains, sanctions correlation, external surveillance alerting
WEAPONISE	`SATOSHI_WEAPONISE_KEY` + ROE + `--confirm-weaponise`	weaponise — route intelligence into NIGHTFALL/WARLORD

enumerate — Wallet Enumeration

Detect address type, query balance and transaction history. No gate required.

specter-satoshi enumerate 1A1zP1eP5QGefi2DMPTfTL5SLmv7Divf8N
specter-satoshi enumerate bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
specter-satoshi enumerate 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy --json-output

Flag	Description
`--json-output`	Output result as JSON
`--timeout`	API request timeout in seconds (default 15)
`--api`	Override blockchain API endpoint

trace-forward — Forward Graph Traversal

Breadth-first traversal following transaction outputs. Requires INJECT gate.

specter-satoshi trace-forward 1A1zP1eP5QGefi2DMPTfTL5SLmv7Divf8N --depth 3 --roe roe.txt
specter-satoshi trace-forward bc1qxy2k... --depth 2 --roe roe.txt --json-output
specter-satoshi trace-forward 1A1zP1... --depth 5 --roe roe.txt --dot-output graph.dot

Flag	Values	Description
`--depth`	integer (default 3, max 7)	Maximum traversal depth
`--roe`	path	ROE file (required for INJECT gate)
`--dot-output`	path	Export Graphviz DOT graph
`--json-output`	flag	Output result as JSON
`--locard-threshold`	float 0.0–1.0 (default 0.3)	Minimum LOCARD entity score to include node

trace-backward — Backward Graph Traversal

Traverse input funding chains, compute coinbase distance, detect mixing. Requires INJECT gate.

specter-satoshi trace-backward 1A1zP1eP5QGefi2DMPTfTL5SLmv7Divf8N --depth 3 --roe roe.txt
specter-satoshi trace-backward bc1qxy2k... --depth 4 --roe roe.txt --json-output

Flag	Description
`--depth`	Maximum backward traversal depth (default 3)
`--roe`	ROE file path
`--mixing-threshold`	Value/timing entropy threshold for mixer flag (default 0.7)

cluster — Address Clustering

Apply CIO heuristic and GCN/GAT neural clustering. Requires INJECT gate.

specter-satoshi cluster 1A1zP1... 1BpEi6D... --roe roe.txt
specter-satoshi cluster 1A1zP1... 1BpEi6D... 3J98t1... --roe roe.txt --json-output
specter-satoshi cluster 1A1zP1... 1BpEi6D... --roe roe.txt --thor25-embeddings

Flag	Description
`--roe`	ROE file path
`--thor25-embeddings`	Use Thor25 2026 pre-trained embeddings (requires dataset download)
`--confidence-threshold`	Minimum cosine similarity for cluster assignment (default 0.65)
`--json-output`	Output cluster assignments as JSON

deanonymise — Entity Attribution

Multi-vector entity attribution: exchange DB, dust correlation, timing analysis. Requires INJECT gate.

specter-satoshi deanonymise 1A1zP1eP5QGefi2DMPTfTL5SLmv7Divf8N --roe roe.txt
specter-satoshi deanonymise bc1qxy2k... --roe roe.txt --json-output

Flag	Description
`--roe`	ROE file path
`--exchange-db`	Path to custom exchange address database (CSV)
`--timing-window`	Propagation timing correlation window in seconds (default 60)
`--json-output`	Output attribution as JSON

detect-mixers — Mixing Service Detection

Fingerprint CoinJoin, Wasabi, JoinMarket, atomic swaps, peel chains. No gate required.

specter-satoshi detect-mixers 1A1zP1eP5QGefi2DMPTfTL5SLmv7Divf8N
specter-satoshi detect-mixers 1A1zP1... --roe roe.txt --json-output
specter-satoshi detect-mixers 1A1zP1... --equal-value-tolerance 0.001

Flag	Description
`--equal-value-tolerance`	BTC tolerance for equal-value output detection (default 0.001)
`--peel-depth`	Minimum peel chain length to flag (default 5)
`--json-output`	Output mixer fingerprint as JSON

profile — Entity Risk Profiling

Aggregate cluster data, compute risk score, generate FATF metadata. Requires INJECT gate.

specter-satoshi profile 1A1zP1eP5QGefi2DMPTfTL5SLmv7Divf8N --roe roe.txt
specter-satoshi profile bc1qxy2k... --mixer-exposure 0.8 --roe roe.txt --json-output

Flag	Description
`--roe`	ROE file path
`--mixer-exposure`	Mixer exposure weight in risk score (default 0.4)
`--spot-price`	Override BTC/USD spot price for fiat valuation
`--fatf`	Include FATF Travel Rule metadata fields
`--json-output`	Output profile as JSON

report — Ed25519+ML-DSA-65 Signed Reports

Generate signed intelligence report. No gate required.

specter-satoshi report 1A1zP1eP5QGefi2DMPTfTL5SLmv7Divf8N --roe roe.txt
specter-satoshi report --session SAT-abc123def456
specter-satoshi report --session SAT-abc123def456 --dot-output graph.dot --json-output

Flag	Description
`--session`	Load existing session by SAT-{hex12} ID
`--dot-output`	Export Graphviz DOT entity graph
`--json-output`	Output report as JSON
`--save`	Save report to ~/.red-specter/satoshi/reports/

Reports signed SAT-{hex12}. MITRE ATT&CK coverage: T1659, T1565, T1213, T1552, T1087. MITRE ATLAS coverage: AML.T0057, AML.T0024, AML.T0043, AML.T0040.

surveil — Persistent Address Surveillance

specter-satoshi surveil 1A1zP1eP5QGefi2DMPTfTL5SLmv7Divf8N --roe unleashed.txt
specter-satoshi surveil 1A1zP1... --roe unleashed.txt --interval 900 --webhook https://alert.example.com/hook
specter-satoshi surveil 1A1zP1... --roe unleashed.txt --balance-threshold 1.0 --tx-threshold 10

Flag	Description
`--roe`	ROE file path
`--interval`	Polling interval in seconds (default 900)
`--webhook`	Webhook URL for transaction alerts
`--balance-threshold`	Alert when balance exceeds this BTC value
`--tx-threshold`	Alert when transaction count exceeds this value

weaponise — NIGHTFALL Campaign Integration

Route intelligence into NIGHTFALL campaign via WARLORD. Requires WEAPONISE gate + ROE + --confirm-weaponise.

SATOSHI_WEAPONISE_KEY=<key> specter-satoshi weaponise SAT-abc123def456 --target ANARCHY --roe weaponise.txt --confirm-weaponise
SATOSHI_WEAPONISE_KEY=<key> specter-satoshi weaponise SAT-abc123def456 --target PHANTOMNET --roe weaponise.txt --confirm-weaponise
SATOSHI_WEAPONISE_KEY=<key> specter-satoshi weaponise SAT-abc123def456 --target FOUNDRY --roe weaponise.txt --confirm-weaponise

Flag	Description
`--target`	NIGHTFALL campaign target (ANARCHY / PHANTOMNET / FOUNDRY)
`--roe`	ROE file containing "bitcoin intelligence weaponisation authorised"
`--confirm-weaponise`	Required confirmation flag
`--dry-run`	Validate routing without executing campaign injection

Routing logic: risk_score > 70 → ANARCHY (full autonomous engagement); 40–70 → PHANTOMNET (covert exfiltration chains); <40 → FOUNDRY (passive monitoring). SAT-{hex12} preserved as provenance through campaign lifecycle.

status & sessions — Session Management

specter-satoshi status
specter-satoshi sessions

Sessions stored in ~/.red-specter/satoshi/sessions/. Each session tracks: seed_address, traversal_depth, cluster_assignments, attribution_results, risk_score, mixer_detections, surveillance_targets, weaponise_routing, evidence_chain.

Report Format

Field	Description
`session_id`	SAT-{hex12} unique session identifier
`seed_address`	Initial target Bitcoin address
`address_type`	P2PKH / P2SH / P2WPKH / P2TR
`cluster_id`	GCN/GAT cluster assignment
`entity_attribution`	CONFIRMED / PROBABLE / POSSIBLE / UNKNOWN
`risk_score`	0–100 composite risk score
`mixer_detected`	Boolean; mixer type if detected
`fiat_value_usd`	Estimated USD value of cluster balance
`graph_dot`	Graphviz DOT entity graph (embedded or file path)
`ed25519_signature`	Ed25519 signature over canonical JSON payload
`ml_dsa_65_signature`	ML-DSA-65 post-quantum countersignature

SPECTER SATOSHI — CLI Reference