@iacmp/cli 1.1.0

package/dist/commands/audit-all.js

@@ -0,0 +1,1039 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/commands/audit-all.ts
+var audit_all_exports = {};
+__export(audit_all_exports, {
+  default: () => AuditAll
+});
+module.exports = __toCommonJS(audit_all_exports);
+var import_core5 = require("@oclif/core");
+
+// src/commands/audit-security.ts
+var import_core = require("@oclif/core");
+var import_chalk = __toESM(require("chalk"));
+
+// src/audit.ts
+var fs2 = __toESM(require("fs"));
+var path = __toESM(require("path"));
+
+// src/utils.ts
+var fs = __toESM(require("fs"));
+function readJsonFile(filePath) {
+  let content;
+  try {
+    content = fs.readFileSync(filePath, "utf-8");
+  } catch (e) {
+    throw new Error(`Falha ao ler '${filePath}': ${errMessage(e)}`);
+  }
+  try {
+    return JSON.parse(content);
+  } catch (e) {
+    throw new Error(`JSON inv\xE1lido em '${filePath}': ${errMessage(e)}`);
+  }
+}
+function errMessage(e) {
+  if (e instanceof Error) return e.message;
+  if (typeof e === "string") return e;
+  try {
+    return JSON.stringify(e);
+  } catch {
+    return String(e);
+  }
+}
+
+// src/audit.ts
+function readConfig(cwd) {
+  const configPath = path.join(cwd, "iacmp.json");
+  if (!fs2.existsSync(configPath)) throw new Error("iacmp.json n\xE3o encontrado. Rode: iacmp init");
+  const config = readJsonFile(configPath);
+  return {
+    name: config.name ?? path.basename(cwd),
+    provider: config.provider ?? "aws"
+  };
+}
+function resolveTsNode(projectDir) {
+  const dirs = [];
+  let dir = projectDir;
+  for (let i = 0; i < 5; i++) {
+    dirs.push(dir);
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  for (const d of dirs) {
+    const tsNodePath = path.join(d, "node_modules", "ts-node");
+    if (fs2.existsSync(tsNodePath)) return tsNodePath;
+  }
+  return null;
+}
+function findStackFiles(dir) {
+  const entries = fs2.readdirSync(dir, { withFileTypes: true });
+  const files = [];
+  for (const entry of entries) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...findStackFiles(full));
+    } else if (entry.name.endsWith(".ts") || entry.name.endsWith(".js")) {
+      files.push(full);
+    }
+  }
+  return files;
+}
+function loadStacks(cwd) {
+  const stacksDir = path.join(cwd, "stacks");
+  if (!fs2.existsSync(stacksDir)) throw new Error("Diret\xF3rio stacks/ n\xE3o encontrado.");
+  const stackFiles = findStackFiles(stacksDir);
+  if (stackFiles.length === 0) throw new Error("Nenhuma stack encontrada em stacks/");
+  const tsNodePath = resolveTsNode(cwd);
+  if (tsNodePath) {
+    require(tsNodePath).register({
+      transpileOnly: true,
+      skipProject: true,
+      compilerOptions: {
+        target: "ES2022",
+        module: "commonjs",
+        moduleResolution: "node",
+        esModuleInterop: true,
+        strict: false,
+        skipLibCheck: true
+      }
+    });
+  }
+  const result = [];
+  for (const stackPath of stackFiles) {
+    const stackName = path.basename(stackPath).replace(/\.(ts|js)$/, "");
+    try {
+      const mod = require(stackPath);
+      const raw = mod.default ?? mod.stack ?? mod;
+      if (!raw || typeof raw !== "object" || !("constructs" in raw)) {
+        console.warn(`[audit] ${path.basename(stackPath)} n\xE3o exporta uma Stack v\xE1lida \u2014 ignorado.`);
+        continue;
+      }
+      result.push({ name: stackName, stack: raw });
+    } catch (err) {
+      console.warn(`[audit] falha ao carregar ${path.basename(stackPath)}: ${errMessage(err)}`);
+    }
+  }
+  return result;
+}
+function saveReport(cwd, commandName, content) {
+  const auditDir = path.join(cwd, "audit");
+  if (!fs2.existsSync(auditDir)) fs2.mkdirSync(auditDir, { recursive: true });
+  const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+  const fileName = `${commandName}-${date}.md`;
+  const filePath = path.join(auditDir, fileName);
+  fs2.writeFileSync(filePath, content, "utf-8");
+  return path.join("audit", fileName);
+}
+function today() {
+  return (/* @__PURE__ */ new Date()).toLocaleDateString("pt-BR");
+}
+
+// src/commands/audit-security.ts
+function shouldFail(failOn, critical, warnings) {
+  if (failOn === "critical") return critical > 0;
+  if (failOn === "warning") return critical > 0 || warnings > 0;
+  return false;
+}
+function analyzeStack(stackName, stack) {
+  const findings = [];
+  const ok = [];
+  for (const c of stack.constructs) {
+    const p = c.props;
+    let hasIssue = false;
+    if (c.type === "Storage.Bucket") {
+      if (p.publicAccess === true) {
+        findings.push({
+          level: "critical",
+          stackName,
+          construct: c,
+          title: `Storage.Bucket '${c.id}' \u2014 public access enabled`,
+          problem: "publicAccess is enabled. Anyone can read/list objects in this bucket.",
+          recommendation: "Set `publicAccess: false` unless this is an intentional static website bucket."
+        });
+        hasIssue = true;
+      }
+      if (p.versioning !== true) {
+        findings.push({
+          level: "warning",
+          stackName,
+          construct: c,
+          title: `Storage.Bucket '${c.id}' \u2014 versioning disabled`,
+          problem: "Versioning is not enabled. Deleted or overwritten objects cannot be recovered.",
+          recommendation: "Set `versioning: true` to enable object rollback."
+        });
+        hasIssue = true;
+      }
+    }
+    if (c.type === "Database.SQL") {
+      if (p.multiAz !== true) {
+        findings.push({
+          level: "warning",
+          stackName,
+          construct: c,
+          title: `Database.SQL '${c.id}' \u2014 no Multi-AZ`,
+          problem: "multiAz is not enabled. A failure in the availability zone will make the database unavailable.",
+          recommendation: "Set `multiAz: true` for high availability."
+        });
+        hasIssue = true;
+      }
+    }
+    if (c.type === "Function.Lambda") {
+      if (p.memory === void 0 || p.memory === null) {
+        findings.push({
+          level: "warning",
+          stackName,
+          construct: c,
+          title: `Function.Lambda '${c.id}' \u2014 memory not defined`,
+          problem: "memory is not set. The function will use the provider default, which may be insufficient.",
+          recommendation: "Set `memory` explicitly (e.g. 256 or 512 MB)."
+        });
+        hasIssue = true;
+      }
+    }
+    if (c.type === "Network.VPC") {
+      if (p.cidr === void 0 || p.cidr === null) {
+        findings.push({
+          level: "warning",
+          stackName,
+          construct: c,
+          title: `Network.VPC '${c.id}' \u2014 default CIDR`,
+          problem: "cidr is not defined. The provider default CIDR may conflict with existing networks.",
+          recommendation: 'Set `cidr` explicitly (e.g. "10.0.0.0/16").'
+        });
+        hasIssue = true;
+      }
+    }
+    if (c.type === "Compute.Instance") {
+      if (p.publicAccess === true) {
+        findings.push({
+          level: "critical",
+          stackName,
+          construct: c,
+          title: `Compute.Instance '${c.id}' \u2014 public access enabled`,
+          problem: "publicAccess is enabled. The instance is directly exposed to the internet.",
+          recommendation: "Disable public access and use a load balancer or bastion host."
+        });
+        hasIssue = true;
+      }
+    }
+    if (!hasIssue) ok.push(c);
+  }
+  return { findings, ok };
+}
+var AuditSecurity = class _AuditSecurity extends import_core.Command {
+  static description = "Audit stacks for security issues";
+  static examples = [
+    "$ iacmp audit-security",
+    "$ iacmp audit-security --fail-on=critical",
+    "$ iacmp audit-security --fail-on=warning"
+  ];
+  static flags = {
+    "fail-on": import_core.Flags.string({
+      description: "Sai com exit 1 quando h\xE1 achados no n\xEDvel indicado",
+      options: ["critical", "warning", "none"],
+      default: "none"
+    })
+  };
+  async run() {
+    const { flags } = await this.parse(_AuditSecurity);
+    const failOn = flags["fail-on"];
+    const cwd = process.cwd();
+    let config;
+    try {
+      config = readConfig(cwd);
+    } catch (err) {
+      this.error(err.message);
+    }
+    let stacks;
+    try {
+      stacks = loadStacks(cwd);
+    } catch (err) {
+      this.error(err.message);
+    }
+    const allFindings = [];
+    const allOk = [];
+    for (const { name, stack } of stacks) {
+      const { findings, ok } = analyzeStack(name, stack);
+      allFindings.push(...findings);
+      allOk.push(...ok);
+    }
+    const critical = allFindings.filter((f) => f.level === "critical");
+    const warnings = allFindings.filter((f) => f.level === "warning");
+    this.log(import_chalk.default.bold("\nSecurity Audit"));
+    this.log("\u2500".repeat(40));
+    this.log(`Critical issues: ${critical.length > 0 ? import_chalk.default.red(critical.length) : import_chalk.default.green(0)}`);
+    this.log(`Warnings:        ${warnings.length > 0 ? import_chalk.default.yellow(warnings.length) : import_chalk.default.green(0)}`);
+    this.log(`OK:              ${import_chalk.default.green(allOk.length)}`);
+    this.log("");
+    for (const f of critical) {
+      this.log(`${import_chalk.default.red("\u2717 [CRITICAL]")} ${f.title}`);
+    }
+    for (const f of warnings) {
+      this.log(`${import_chalk.default.yellow("\u26A0 [WARNING]")} ${f.title}`);
+    }
+    for (const c of allOk) {
+      this.log(`${import_chalk.default.green("\u2713")} ${c.type} '${c.id}' \u2014 OK`);
+    }
+    let md = `# Security Audit Report \u2014 ${config.name}
+`;
+    md += `Date: ${today()}
+`;
+    md += `Provider: ${config.provider}
+
+`;
+    md += `## Summary
+`;
+    md += `- Critical issues: ${critical.length}
+`;
+    md += `- Warnings: ${warnings.length}
+`;
+    md += `- OK: ${allOk.length}
+
+`;
+    md += `## Findings
+
+`;
+    for (const f of allFindings) {
+      const label = f.level === "critical" ? "CRITICAL" : "WARNING";
+      md += `### [${label}] ${f.title}
+`;
+      md += `Stack: ${f.stackName}
+`;
+      md += `Resource: ${f.construct.id} (${f.construct.type})
+`;
+      md += `Problem: ${f.problem}
+`;
+      md += `Recommendation: ${f.recommendation}
+
+`;
+    }
+    if (allOk.length > 0) {
+      md += `## Resources with no issues
+`;
+      for (const c of allOk) {
+        md += `- ${c.type} '${c.id}' \u2014 OK
+`;
+      }
+      md += "\n";
+    }
+    const relPath = saveReport(cwd, "security", md);
+    this.log(`
+Report saved to ${relPath}`);
+    if (shouldFail(failOn, critical.length, warnings.length)) {
+      this.exit(1);
+    }
+  }
+};
+
+// src/commands/audit-ha.ts
+var import_core2 = require("@oclif/core");
+var import_chalk2 = __toESM(require("chalk"));
+function shouldFail2(failOn, critical, warnings) {
+  if (failOn === "critical") return critical > 0;
+  if (failOn === "warning") return critical > 0 || warnings > 0;
+  return false;
+}
+function analyzeStack2(stackName, stack) {
+  const findings = [];
+  const constructs = stack.constructs;
+  for (const c of constructs) {
+    const p = c.props;
+    if (c.type === "Database.SQL") {
+      if (p.multiAz !== true) {
+        findings.push({
+          status: "no-ha",
+          stackName,
+          constructId: c.id,
+          constructType: c.type,
+          title: `Database.SQL '${c.id}' \u2014 Single-AZ`,
+          detail: "multiAz is not enabled. A failure in the AZ will make the database unavailable.",
+          recommendation: "Set `multiAz: true`."
+        });
+      } else {
+        findings.push({
+          status: "ha-ok",
+          stackName,
+          constructId: c.id,
+          constructType: c.type,
+          title: `Database.SQL '${c.id}' \u2014 Multi-AZ enabled`,
+          detail: "Database is configured with Multi-AZ.",
+          recommendation: ""
+        });
+      }
+    }
+    if (c.type === "Network.VPC") {
+      const maxAzs = p.maxAzs;
+      if (maxAzs === void 0 || maxAzs === null || maxAzs < 2) {
+        findings.push({
+          status: "no-ha",
+          stackName,
+          constructId: c.id,
+          constructType: c.type,
+          title: `Network.VPC '${c.id}' \u2014 single AZ`,
+          detail: `maxAzs is ${maxAzs ?? "not defined"} (< 2). The network is restricted to a single availability zone.`,
+          recommendation: "Set `maxAzs: 2` or more."
+        });
+      } else {
+        findings.push({
+          status: "ha-ok",
+          stackName,
+          constructId: c.id,
+          constructType: c.type,
+          title: `Network.VPC '${c.id}' \u2014 ${maxAzs} AZs`,
+          detail: `Network is configured with ${maxAzs} availability zones.`,
+          recommendation: ""
+        });
+      }
+    }
+    if (c.type === "Function.Lambda") {
+      findings.push({
+        status: "ha-ok",
+        stackName,
+        constructId: c.id,
+        constructType: c.type,
+        title: `Function.Lambda '${c.id}' \u2014 native HA`,
+        detail: "Lambda functions are distributed across multiple AZs by the provider by default.",
+        recommendation: ""
+      });
+    }
+    if (c.type === "Storage.Bucket") {
+      findings.push({
+        status: "ha-ok",
+        stackName,
+        constructId: c.id,
+        constructType: c.type,
+        title: `Storage.Bucket '${c.id}' \u2014 native HA`,
+        detail: "Object storage buckets are automatically replicated by the provider.",
+        recommendation: ""
+      });
+    }
+  }
+  const vpcs = constructs.filter((c) => c.type === "Network.VPC");
+  if (vpcs.length === 0) {
+    findings.push({
+      status: "info",
+      stackName,
+      constructId: "stack",
+      constructType: "Stack",
+      title: `Stack '${stackName}' \u2014 no VPC`,
+      detail: "No Network.VPC found in the stack. No network isolation is defined.",
+      recommendation: "Consider adding a VPC to isolate network resources."
+    });
+  }
+  const instances = constructs.filter((c) => c.type === "Compute.Instance");
+  if (instances.length === 1) {
+    findings.push({
+      status: "info",
+      stackName,
+      constructId: instances[0].id,
+      constructType: "Compute.Instance",
+      title: `Compute.Instance '${instances[0].id}' \u2014 no redundancy`,
+      detail: "Only 1 compute instance found. If it fails, there is no backup instance.",
+      recommendation: "Add more instances or configure auto-scaling."
+    });
+  } else if (instances.length > 1) {
+    for (const inst of instances) {
+      findings.push({
+        status: "ha-ok",
+        stackName,
+        constructId: inst.id,
+        constructType: "Compute.Instance",
+        title: `Compute.Instance '${inst.id}' \u2014 redundancy detected`,
+        detail: `${instances.length} compute instances in the stack.`,
+        recommendation: ""
+      });
+    }
+  }
+  return findings;
+}
+var AuditHA = class _AuditHA extends import_core2.Command {
+  static description = "Audit stacks for high availability (HA) issues";
+  static examples = [
+    "$ iacmp audit-ha",
+    "$ iacmp audit-ha --fail-on=critical"
+  ];
+  static flags = {
+    "fail-on": import_core2.Flags.string({
+      description: "Sai com exit 1 quando h\xE1 achados no n\xEDvel indicado",
+      options: ["critical", "warning", "none"],
+      default: "none"
+    })
+  };
+  async run() {
+    const { flags } = await this.parse(_AuditHA);
+    const failOn = flags["fail-on"];
+    const cwd = process.cwd();
+    let config;
+    try {
+      config = readConfig(cwd);
+    } catch (err) {
+      this.error(err.message);
+    }
+    let stacks;
+    try {
+      stacks = loadStacks(cwd);
+    } catch (err) {
+      this.error(err.message);
+    }
+    const allFindings = [];
+    for (const { name, stack } of stacks) {
+      allFindings.push(...analyzeStack2(name, stack));
+    }
+    const noHA = allFindings.filter((f) => f.status === "no-ha");
+    const partial = allFindings.filter((f) => f.status === "ha-partial");
+    const haOk = allFindings.filter((f) => f.status === "ha-ok");
+    const infos = allFindings.filter((f) => f.status === "info");
+    this.log(import_chalk2.default.bold("\nHigh Availability (HA) Audit"));
+    this.log("\u2500".repeat(40));
+    this.log(`No HA:    ${noHA.length > 0 ? import_chalk2.default.red(noHA.length) : import_chalk2.default.green(0)}`);
+    this.log(`Partial:  ${partial.length > 0 ? import_chalk2.default.yellow(partial.length) : import_chalk2.default.green(0)}`);
+    this.log(`HA OK:    ${import_chalk2.default.green(haOk.length)}`);
+    this.log("");
+    for (const f of noHA) {
+      this.log(`${import_chalk2.default.red("\u2717 [NO HA]")} ${f.title}`);
+    }
+    for (const f of partial) {
+      this.log(`${import_chalk2.default.yellow("\u26A0 [PARTIAL HA]")} ${f.title}`);
+    }
+    for (const f of infos) {
+      this.log(`${import_chalk2.default.yellow("\u26A0 [WARNING]")} ${f.title}`);
+    }
+    for (const f of haOk) {
+      this.log(`${import_chalk2.default.green("\u2713 [HA OK]")} ${f.title}`);
+    }
+    let md = `# High Availability (HA) Audit Report \u2014 ${config.name}
+`;
+    md += `Date: ${today()}
+
+`;
+    md += `## Summary
+`;
+    md += `- No HA: ${noHA.length} resources
+`;
+    md += `- Partial HA: ${partial.length} resources
+`;
+    md += `- HA OK: ${haOk.length} resources
+
+`;
+    md += `## Findings
+
+`;
+    for (const f of [...noHA, ...partial, ...infos]) {
+      const label = f.status === "no-ha" ? "NO HA" : f.status === "ha-partial" ? "PARTIAL HA" : "WARNING";
+      md += `### [${label}] ${f.title}
+`;
+      md += `Stack: ${f.stackName}
+`;
+      md += `${f.detail}
+`;
+      if (f.recommendation) md += `Recommendation: ${f.recommendation}
+`;
+      md += "\n";
+    }
+    if (haOk.length > 0) {
+      md += `## Resources with HA
+`;
+      for (const f of haOk) {
+        md += `- ${f.constructType} '${f.constructId}' \u2014 HA OK
+`;
+      }
+      md += "\n";
+    }
+    const relPath = saveReport(cwd, "ha", md);
+    this.log(`
+Report saved to ${relPath}`);
+    if (shouldFail2(failOn, noHA.length, partial.length + infos.length)) {
+      this.exit(1);
+    }
+  }
+};
+
+// src/commands/audit-dr.ts
+var import_core3 = require("@oclif/core");
+var import_chalk3 = __toESM(require("chalk"));
+function shouldFail3(failOn, critical, warnings) {
+  if (failOn === "critical") return critical > 0;
+  if (failOn === "warning") return critical > 0 || warnings > 0;
+  return false;
+}
+function analyzeStack3(stackName, stack) {
+  const constructs = stack.constructs;
+  const checks = [];
+  const details = [];
+  const buckets = constructs.filter((c) => c.type === "Storage.Bucket");
+  const dbs = constructs.filter((c) => c.type === "Database.SQL");
+  const vpcs = constructs.filter((c) => c.type === "Network.VPC");
+  const instances = constructs.filter((c) => c.type === "Compute.Instance");
+  const bucketsWithVersioning = buckets.filter((c) => c.props.versioning === true);
+  checks.push({
+    label: "Buckets with versioning enabled",
+    passed: buckets.length === 0 || bucketsWithVersioning.length === buckets.length
+  });
+  for (const b of buckets) {
+    if (b.props.versioning !== true) {
+      details.push({
+        level: "no-dr",
+        title: `Storage.Bucket '${b.id}' \u2014 no versioning`,
+        detail: "Without versioning there is no object history. Deletions or overwrites are unrecoverable.",
+        recommendation: "Set `versioning: true`."
+      });
+    }
+  }
+  const dbsMultiAz = dbs.filter((c) => c.props.multiAz === true);
+  checks.push({
+    label: "Multi-AZ database",
+    passed: dbs.length === 0 || dbsMultiAz.length === dbs.length
+  });
+  for (const db of dbs) {
+    if (db.props.multiAz !== true) {
+      details.push({
+        level: "no-dr",
+        title: `Database.SQL '${db.id}' \u2014 Single-AZ`,
+        detail: "Single-AZ database. In case of AZ failure, restore may take hours.",
+        recommendation: "Set `multiAz: true` for automatic failover."
+      });
+    }
+    if (db.props.instanceType === void 0 || db.props.instanceType === null) {
+      details.push({
+        level: "warning",
+        title: `Database.SQL '${db.id}' \u2014 instanceType not defined`,
+        detail: "Default instance type may be insufficient for fast restore in DR scenarios.",
+        recommendation: "Set `instanceType` explicitly to ensure adequate performance."
+      });
+    }
+  }
+  const vpcsMultiAz = vpcs.filter((c) => {
+    const maxAzs = c.props.maxAzs;
+    return maxAzs !== void 0 && maxAzs >= 2;
+  });
+  checks.push({
+    label: "Network with multiple AZs",
+    passed: vpcs.length === 0 || vpcsMultiAz.length === vpcs.length
+  });
+  for (const vpc of vpcs) {
+    const maxAzs = vpc.props.maxAzs;
+    if (maxAzs === void 0 || maxAzs < 2) {
+      details.push({
+        level: "no-dr",
+        title: `Network.VPC '${vpc.id}' \u2014 single AZ`,
+        detail: `maxAzs is ${maxAzs ?? "not defined"}. Single-AZ network compromises DR.`,
+        recommendation: "Set `maxAzs: 2` or more."
+      });
+    }
+  }
+  if (dbs.length === 0 && buckets.length === 0) {
+    details.push({
+      level: "info",
+      title: "No persistent state detected",
+      detail: "No Database.SQL or Storage.Bucket found. The stack may be stateless."
+    });
+  }
+  if (instances.length > 0 && buckets.length === 0) {
+    details.push({
+      level: "warning",
+      title: "Compute without storage detected",
+      detail: "Compute instances found but no storage bucket. Where will data be stored in a DR event?",
+      recommendation: "Consider adding a Storage.Bucket for persistent data."
+    });
+  }
+  const passed = checks.filter((c) => c.passed).length;
+  const total = checks.length;
+  const score = total > 0 ? Math.round(passed / total * 10) : 10;
+  return { stackName, checks, details, score };
+}
+function scoreLabel(score) {
+  if (score <= 3) return "Critical";
+  if (score <= 5) return "Below expectations";
+  if (score <= 7) return "Adequate";
+  return "Excellent";
+}
+var AuditDR = class _AuditDR extends import_core3.Command {
+  static description = "Audit stacks for disaster recovery (DR) readiness";
+  static examples = [
+    "$ iacmp audit-dr",
+    "$ iacmp audit-dr --fail-on=critical"
+  ];
+  static flags = {
+    "fail-on": import_core3.Flags.string({
+      description: "Sai com exit 1 quando h\xE1 achados no n\xEDvel indicado",
+      options: ["critical", "warning", "none"],
+      default: "none"
+    })
+  };
+  async run() {
+    const { flags } = await this.parse(_AuditDR);
+    const failOn = flags["fail-on"];
+    const cwd = process.cwd();
+    let config;
+    try {
+      config = readConfig(cwd);
+    } catch (err) {
+      this.error(err.message);
+    }
+    let stacks;
+    try {
+      stacks = loadStacks(cwd);
+    } catch (err) {
+      this.error(err.message);
+    }
+    const results = [];
+    for (const { name, stack } of stacks) {
+      results.push(analyzeStack3(name, stack));
+    }
+    const globalScore = results.length > 0 ? Math.round(results.reduce((sum, r) => sum + r.score, 0) / results.length) : 10;
+    const scoreColor = globalScore <= 5 ? import_chalk3.default.red : globalScore <= 7 ? import_chalk3.default.yellow : import_chalk3.default.green;
+    this.log(import_chalk3.default.bold("\nDisaster Recovery (DR) Audit"));
+    this.log("\u2500".repeat(40));
+    this.log(`DR Score: ${scoreColor(`${globalScore}/10`)} \u2014 ${scoreLabel(globalScore)}`);
+    this.log("");
+    for (const r of results) {
+      for (const d of r.details) {
+        if (d.level === "no-dr") this.log(`${import_chalk3.default.red("\u2717 [NO DR]")} ${d.title}`);
+        else if (d.level === "warning") this.log(`${import_chalk3.default.yellow("\u26A0 [WARNING]")} ${d.title}`);
+        else if (d.level === "info") this.log(`${import_chalk3.default.cyan("\u2139 [INFO]")} ${d.title}`);
+        else this.log(`${import_chalk3.default.green("\u2713")} ${d.title}`);
+      }
+    }
+    let md = `# Disaster Recovery (DR) Audit Report \u2014 ${config.name}
+`;
+    md += `Date: ${today()}
+
+`;
+    md += `## DR Score
+`;
+    md += `${globalScore}/10 \u2014 ${scoreLabel(globalScore)}
+
+`;
+    for (const r of results) {
+      md += `## DR Checklist \u2014 Stack: ${r.stackName}
+`;
+      for (const ch of r.checks) {
+        md += `- [${ch.passed ? "x" : " "}] ${ch.label}
+`;
+      }
+      md += "\n";
+    }
+    md += `## Findings
+
+`;
+    for (const r of results) {
+      for (const d of r.details) {
+        const label = d.level === "no-dr" ? "NO DR" : d.level === "warning" ? "WARNING" : d.level === "info" ? "INFO" : "OK";
+        md += `### [${label}] ${d.title}
+`;
+        md += `Stack: ${r.stackName}
+`;
+        md += `${d.detail}
+`;
+        if (d.recommendation) md += `Recommendation: ${d.recommendation}
+`;
+        md += "\n";
+      }
+    }
+    const relPath = saveReport(cwd, "dr", md);
+    this.log(`
+Report saved to ${relPath}`);
+    let noDr = 0;
+    let warnings = 0;
+    for (const r of results) {
+      for (const d of r.details) {
+        if (d.level === "no-dr") noDr++;
+        else if (d.level === "warning") warnings++;
+      }
+    }
+    if (shouldFail3(failOn, noDr, warnings)) {
+      this.exit(1);
+    }
+  }
+};
+
+// src/commands/audit-improvements.ts
+var import_core4 = require("@oclif/core");
+var import_chalk4 = __toESM(require("chalk"));
+function shouldFail4(failOn, critical, warnings) {
+  if (failOn === "critical") return critical > 0;
+  if (failOn === "warning") return critical > 0 || warnings > 0;
+  return false;
+}
+function analyzeStack4(stackName, stack) {
+  const constructs = stack.constructs;
+  const improvements = [];
+  const ok = [];
+  if (constructs.length === 0) {
+    improvements.push({
+      category: "CONFIGURATION",
+      constructId: stackName,
+      constructType: "Stack",
+      stackName,
+      title: `Stack '${stackName}' \u2014 empty`,
+      impact: "High",
+      current: "The stack has no constructs defined.",
+      suggestion: "Add constructs to the stack to make it functional.",
+      effort: "Varies by use case"
+    });
+    return { improvements, ok };
+  }
+  const instances = constructs.filter((c) => c.type === "Compute.Instance");
+  const buckets = constructs.filter((c) => c.type === "Storage.Bucket");
+  const dbs = constructs.filter((c) => c.type === "Database.SQL");
+  const lambdas = constructs.filter((c) => c.type === "Function.Lambda");
+  const vpcs = constructs.filter((c) => c.type === "Network.VPC");
+  for (const inst of instances) {
+    if (inst.props.instanceType === "small") {
+      improvements.push({
+        category: "PERFORMANCE",
+        constructId: inst.id,
+        constructType: inst.type,
+        stackName,
+        title: `Compute.Instance '${inst.id}' \u2014 small instance type`,
+        impact: "Medium",
+        current: `instanceType 'small' may be insufficient for production workloads.`,
+        suggestion: `Use 'medium' or 'large' for production. Consider adding auto-scaling.`,
+        effort: "Low (change 1 field in the stack)"
+      });
+    } else {
+      ok.push({ id: inst.id, type: inst.type, reason: "adequate instance type" });
+    }
+  }
+  if (instances.length > 1) {
+    improvements.push({
+      category: "ARCHITECTURE",
+      constructId: "stack",
+      constructType: "Stack",
+      stackName,
+      title: "Multiple instances without a load balancer",
+      impact: "High",
+      current: `${instances.length} compute instances detected with no load balancer defined.`,
+      suggestion: "Add a load balancer to distribute traffic and increase resilience. (future feature in iacmp)",
+      effort: "Medium (requires new resource in iacmp)"
+    });
+  }
+  for (const b of buckets) {
+    if (b.props.versioning !== true) {
+      improvements.push({
+        category: "DATA PROTECTION",
+        constructId: b.id,
+        constructType: b.type,
+        stackName,
+        title: `Storage.Bucket '${b.id}' \u2014 versioning disabled`,
+        impact: "Medium",
+        current: "Versioning is disabled. Deleted or overwritten objects are unrecoverable.",
+        suggestion: "Enable `versioning: true` to protect against accidental deletion.",
+        effort: "Low (change 1 field in the stack)"
+      });
+    } else {
+      ok.push({ id: b.id, type: b.type, reason: "versioning enabled" });
+    }
+  }
+  for (const db of dbs) {
+    if (db.props.multiAz !== true) {
+      improvements.push({
+        category: "AVAILABILITY",
+        constructId: db.id,
+        constructType: db.type,
+        stackName,
+        title: `Database.SQL '${db.id}' \u2014 no Multi-AZ or read replica`,
+        impact: "High",
+        current: "Single-AZ database with no read replica.",
+        suggestion: "Set `multiAz: true` and consider adding a read replica for query performance.",
+        effort: "Low (change 1 field; replica requires a new construct)"
+      });
+    } else {
+      ok.push({ id: db.id, type: db.type, reason: "Multi-AZ enabled" });
+    }
+  }
+  for (const vpc of vpcs) {
+    const maxAzs = vpc.props.maxAzs;
+    if (maxAzs === void 0 || maxAzs === null) {
+      improvements.push({
+        category: "ARCHITECTURE",
+        constructId: vpc.id,
+        constructType: vpc.type,
+        stackName,
+        title: `Network.VPC '${vpc.id}' \u2014 maxAzs not defined`,
+        impact: "Medium",
+        current: "maxAzs not defined. The provider may default to 1 AZ.",
+        suggestion: "Set `maxAzs: 3` for production with high availability.",
+        effort: "Low (change 1 field in the stack)"
+      });
+    } else {
+      ok.push({ id: vpc.id, type: vpc.type, reason: `${maxAzs} AZs configured` });
+    }
+  }
+  if (lambdas.length === 0 && instances.length > 0) {
+    improvements.push({
+      category: "ARCHITECTURE",
+      constructId: "stack",
+      constructType: "Stack",
+      stackName,
+      title: "No serverless functions detected",
+      impact: "Low",
+      current: `Stack has ${instances.length} compute instance(s) but no Function.Lambda.`,
+      suggestion: "For event-driven tasks, scheduled jobs, or webhooks, consider Function.Lambda instead of always-on instances.",
+      effort: "Medium (requires partial logic refactoring)"
+    });
+  }
+  for (const fn of lambdas) {
+    ok.push({ id: fn.id, type: fn.type, reason: "serverless \u2014 cost-efficient by nature" });
+  }
+  return { improvements, ok };
+}
+var AuditImprovements = class _AuditImprovements extends import_core4.Command {
+  static description = "Suggest architecture and performance improvements for stacks";
+  static examples = [
+    "$ iacmp audit-improvements",
+    "$ iacmp audit-improvements --fail-on=critical"
+  ];
+  static flags = {
+    "fail-on": import_core4.Flags.string({
+      description: "Sai com exit 1 quando h\xE1 melhorias no n\xEDvel indicado (critical = High impact, warning = qualquer)",
+      options: ["critical", "warning", "none"],
+      default: "none"
+    })
+  };
+  async run() {
+    const { flags } = await this.parse(_AuditImprovements);
+    const failOn = flags["fail-on"];
+    const cwd = process.cwd();
+    let config;
+    try {
+      config = readConfig(cwd);
+    } catch (err) {
+      this.error(err.message);
+    }
+    let stacks;
+    try {
+      stacks = loadStacks(cwd);
+    } catch (err) {
+      this.error(err.message);
+    }
+    const allImprovements = [];
+    const allOk = [];
+    for (const { name, stack } of stacks) {
+      const { improvements, ok } = analyzeStack4(name, stack);
+      allImprovements.push(...improvements);
+      for (const o of ok) allOk.push({ ...o, stackName: name });
+    }
+    this.log(import_chalk4.default.bold("\nImprovements Audit"));
+    this.log("\u2500".repeat(40));
+    this.log(`Improvements found: ${allImprovements.length > 0 ? import_chalk4.default.yellow(allImprovements.length) : import_chalk4.default.green(0)}`);
+    this.log("");
+    for (const m of allImprovements) {
+      const impactColor = m.impact === "High" ? import_chalk4.default.red : m.impact === "Medium" ? import_chalk4.default.yellow : import_chalk4.default.cyan;
+      this.log(`${import_chalk4.default.yellow("\u26A0")} [${m.category}] ${m.title} \u2014 Impact: ${impactColor(m.impact)}`);
+    }
+    for (const o of allOk) {
+      this.log(`${import_chalk4.default.green("\u2713")} ${o.type} '${o.id}' \u2014 ${o.reason}`);
+    }
+    let md = `# Improvements Audit Report \u2014 ${config.name}
+`;
+    md += `Date: ${today()}
+
+`;
+    md += `## Improvements found: ${allImprovements.length}
+
+`;
+    for (const m of allImprovements) {
+      md += `### [${m.category}] ${m.title}
+`;
+      md += `Impact: ${m.impact}
+`;
+      md += `Stack: ${m.stackName}
+`;
+      md += `Current situation: ${m.current}
+`;
+      md += `Suggestion: ${m.suggestion}
+`;
+      md += `Estimated effort: ${m.effort}
+
+`;
+    }
+    if (allOk.length > 0) {
+      md += `## No suggestions
+`;
+      for (const o of allOk) {
+        md += `- ${o.type} '${o.id}' \u2014 ${o.reason}
+`;
+      }
+      md += "\n";
+    }
+    const relPath = saveReport(cwd, "improvements", md);
+    this.log(`
+Report saved to ${relPath}`);
+    const highImpact = allImprovements.filter((m) => m.impact === "High").length;
+    const otherImpact = allImprovements.length - highImpact;
+    if (shouldFail4(failOn, highImpact, otherImpact)) {
+      this.exit(1);
+    }
+  }
+};
+
+// src/commands/audit-all.ts
+var AuditAll = class _AuditAll extends import_core5.Command {
+  static description = "Run all audits and generate all reports";
+  static examples = [
+    "$ iacmp audit-all",
+    "$ iacmp audit-all --fail-on=critical"
+  ];
+  static flags = {
+    "fail-on": import_core5.Flags.string({
+      description: "Sai com exit 1 quando qualquer audit acusa achados no n\xEDvel indicado",
+      options: ["critical", "warning", "none"],
+      default: "none"
+    })
+  };
+  async run() {
+    const { flags } = await this.parse(_AuditAll);
+    const failOnArgs = flags["fail-on"] === "none" ? [] : [`--fail-on=${flags["fail-on"]}`];
+    this.log("Running all audits...\n");
+    let anyFailed = false;
+    let hardError = null;
+    for (const Cmd of [AuditSecurity, AuditHA, AuditDR, AuditImprovements]) {
+      try {
+        await Cmd.run(failOnArgs);
+      } catch (e) {
+        const code = e.oclif?.exit;
+        if (code === 1) {
+          anyFailed = true;
+        } else {
+          hardError = e;
+          break;
+        }
+      }
+      this.log("");
+    }
+    if (hardError) {
+      this.error(hardError.message);
+    }
+    this.log("All audits complete. Reports saved to audit/");
+    if (anyFailed) this.exit(1);
+  }
+};