Filter expression parser — closes #11

[DaxxSec]

Summary

Replaces the flat substring-split filter engine in PacketAnalysisWindowController with a real tokenizer + recursive-descent parser + AST evaluator. Closes the three pre-existing bugs filed in #11.

The three review bugs, before/after

#1 Suspicious TLDs filter is wildly over-broad — `dns and (tk or ml or ga or cf or gq)`

• Before: " or " split fired first, fell through to substring matching against the info field. "ml" matched every packet whose info contains "html", "xml", or "smtp". A DFIR analyst trusting the label was being misled at the worst possible moment.
• After: `dns and (info contains ".tk" or info contains ".ml" or …)` — parens are real, leading-`.` substrings only match actual TLD references. Test `testSuspiciousTLDsFilterRespectsParens` pins this against HTML traffic.

#2 Non-Standard Ports excludes legitimate non-standard ports — `tcp and not 80 and not 443 and not 22 and not 53`

• Before: "not 80" became `!info.contains("80")`. Port 8080 → contains "80" → excluded. Port 5300 → contains "53" → excluded. The filter that was supposed to surface non-standard ports actually hid them.
• After: `tcp and port != 80 and port != 443 and port != 22 and port != 53` — numeric comparison on the parsed port. Test `testNonStandardPortsExcludesByNumericComparisonNotSubstring` verifies 8080 / 5300 / 4430 pass through correctly.

#3 Eight presets promise semantics the engine couldn't deliver

• Implemented via length predicates (the parser can now express these): "DNS Tunneling (Long Queries)" → `dns and length > 100`, "Large Outbound Transfers" → `tcp and length > 1000`, "ICMP with Payload (Covert Channel)" → `icmp and length > 64`.
• Honestly renamed (require payload / header inspection the parser can't reach): "Non-Browser HTTP (curl/wget/python)" → "HTTP (inspect for non-browser UA manually)"; the four TLS variants collapsed to two ("All TLS / SSL" + an "(inspect handshake/SNI/certs manually)" prompt); "Short TCP Connections (Beacon)" → "TCP (inspect for short-connection beacons manually)"; "Base64 in HTTP" → "HTTP (inspect for base64 payloads manually)"; "Port Scanning (SYN Flood)" → "TCP (inspect for SYN-flood patterns manually)". `showFilterInfo` now prompts the analyst on what to inspect by hand.

Grammar

```
expr ::= orExpr
orExpr ::= andExpr ( "or" andExpr )*
andExpr ::= notExpr ( "and" notExpr )*
notExpr ::= "not" notExpr | atom
atom ::= "(" expr ")" | predicate
predicate ::= protocol | "port" op N | "length" op N
| "ip.addr"/"ip.src"/"ip.dst" op IP
| "info" "contains" "string"
| identifier # legacy bare-protocol or substring
| identifier N # sugar: "tcp 80" → tcp AND port == 80
op ::= == | != | < | > | <= | >=
```

Files

• New: `SecVF/PacketFilter.swift` (~380 lines) — `PacketFilter`, `PacketLike`, tokenizer, recursive-descent parser, AST + evaluator
• New: `SecVF/Tests/PacketFilterTests.swift` — 17 passing tests
• `PacketAnalysisWindowController.swift` — `passesFilter` now uses the compiled AST; `setCurrentFilter` caches compile result so per-packet evaluation doesn't re-parse
• `PacketFilterPresets.swift` — rewritten preset catalog with correct filter strings + honest titles
• `PacketCaptureManager.swift` — `CapturedPacket` now conforms to `PacketLike` (zero-cost protocol)

Test plan

• `xcodebuild build` succeeds locally
• `xcodebuild test` — 267 / 267 passing (up from 249), one pre-existing flaky network test skipped as before
• CI gate (`test.yml`) will run the same suite on this PR
• Manually: open Packet Analysis window, type each preset's filter, verify packets pass/fail as expected
• Manually: type a malformed filter into the live field, verify the table doesn't go empty (compile-fail falls back to no-filter)

Closes #11

🤖 Generated with Claude Code