aiopsone-assure 0.1.0__tar.gz

aiopsone_assure-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Jayprakash Bilgaye
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

aiopsone_assure-0.1.0/PKG-INFO

@@ -0,0 +1,122 @@
+Metadata-Version: 2.4
+Name: aiopsone-assure
+Version: 0.1.0
+Summary: APRA CPS 234 / CPS 230 AWS compliance evidence from your terminal — security findings to a board-ready narrative report.
+Author: Jayprakash Bilgaye
+License: MIT
+Project-URL: Homepage, https://aiopsone.com
+Project-URL: Repository, https://github.com/jaybilgaye/aiopsone-assure
+Project-URL: Issues, https://github.com/jaybilgaye/aiopsone-assure/issues
+Keywords: apra,cps-234,cps-230,aws,compliance,prowler,cloud-security,bedrock,audit,governance,australia
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Information Technology
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Provides-Extra: ai
+Requires-Dist: boto3>=1.34.0; extra == "ai"
+Provides-Extra: scan
+Requires-Dist: prowler>=5.0.0; extra == "scan"
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0; extra == "dev"
+Dynamic: license-file
+
+# aiopsone-assure
+
+> **APRA compliance evidence for AWS, from your terminal.** Point `assure` at an AWS account (or existing Prowler findings) and get a **board-ready, APRA-paragraph-mapped narrative report** (Markdown + branded PDF) for **CPS 234** and **CPS 230** — generated locally, in your own environment.
+
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+[![CI](https://github.com/jaybilgaye/aiopsone-assure/actions/workflows/ci.yml/badge.svg)](https://github.com/jaybilgaye/aiopsone-assure/actions/workflows/ci.yml)
+
+**Keywords:** APRA CPS 234 / CPS 230 · AWS compliance report · Prowler findings to board narrative · Bedrock AI compliance · Australian regulated cloud
+
+---
+
+## Why
+
+Security scanners produce **findings**. Boards and APRA want **narrative evidence** — "demonstrate, mapped to CPS 234 ¶21, that information assets are encrypted, with evidence and a remediation plan." That translation is the biggest time-sink in an APRA review.
+
+`assure` closes the gap: **findings → CPS 234/230 paragraph mapping → board-ready narrative report.** It runs entirely in your environment — your AWS credentials, your Bedrock, nothing leaves your account.
+
+> Built on **Prowler**, **Powerpipe**, **Cloud Custodian** and **AWS Config** — the best open-source scanners. `assure` does the part they don't: turning their findings into APRA-paragraph board evidence.
+
+## Install
+
+```bash
+pipx install aiopsone-assure          # or: pip install aiopsone-assure
+pipx install "aiopsone-assure[ai]"    # + Bedrock AI narrative (boto3)
+pipx install "aiopsone-assure[scan]"  # + run Prowler scans (prowler)
+```
+
+PDF output needs Chrome/Chromium on the machine (set `$ASSURE_CHROME` to override the path), or use `--format md`.
+
+## Usage
+
+```bash
+# 1. Run Prowler against an account and build the report in one step
+assure scan --framework cps234 --region ap-southeast-2
+
+# 2. Build a report from findings you already have (Prowler CSV / JSON / OCSF)
+assure report --in findings.csv --framework cps234
+
+# 3. Deterministic, no AI (template engine — default; zero AWS calls)
+assure report --in findings.csv --no-ai
+
+# 4. AI narrative via Amazon Bedrock (AU-resident), board-ready PDF
+assure report --in findings.csv --engine bedrock --region ap-southeast-2 --format pdf
+
+# 5. CI gate: non-zero exit if any control FAILs; machine-readable summary
+assure report --in findings.csv --json
+```
+
+List bundled frameworks:
+
+```bash
+assure frameworks
+# cps234   APRA CPS 234 Information Security  (20 controls, 55 checks)
+# cps230   APRA CPS 230 Operational Risk Management  (18 controls, 15 checks)
+```
+
+## What you get
+
+A board-ready report with:
+- **Executive summary** + automated compliance score
+- **Control-by-control assessment** mapped to CPS 234/230 paragraphs (PASS / FAIL / MANUAL / NOT-ASSESSED)
+- **Cited evidence** per failing control
+- **Remediation roadmap**
+
+Two formats: **Markdown** (always) and a **branded PDF** (professional, print-friendly).
+
+## How it works
+
+```
+ AWS account / existing findings
+        │  (your own AWS creds — nothing leaves your environment)
+        ▼
+   assure ── run Prowler (scoped to the framework's checks)
+        │
+        ├─ map check → CPS 234/230 paragraph   (we own the mapping; no FW injection into Prowler)
+        ├─ narrate: template (offline) or Amazon Bedrock / Claude (AU-resident)
+        ▼
+   Board-ready report: Markdown + branded PDF
+```
+
+## Exit codes
+
+`0` no failing controls · `2` one or more controls FAIL (for CI gating) · `1` error. Use `--exit-zero` to always return 0.
+
+## Frameworks are pluggable
+
+A framework is just data — a pack JSON mapping checks → paragraphs. Bundled: CPS 234, CPS 230. Point `--framework path/to/pack.json` at your own. (Roadmap: Essential Eight, ACSC ISM/IRAP, then ISO 27001 / SOC 2.)
+
+## Status & scope
+
+v0.1 — CLI. Self-hosted, single-shot, stores nothing. The hosted SaaS (continuous, multi-account, managed AU-resident inference, dashboard) is a separate product that wraps this engine.
+
+---
+
+*Practitioner tooling for AWS Security in APRA-regulated Australia — [aiopsone.com](https://aiopsone.com). Not legal advice; verify against the official APRA standards.*

aiopsone_assure-0.1.0/README.md

@@ -0,0 +1,95 @@
+# aiopsone-assure
+
+> **APRA compliance evidence for AWS, from your terminal.** Point `assure` at an AWS account (or existing Prowler findings) and get a **board-ready, APRA-paragraph-mapped narrative report** (Markdown + branded PDF) for **CPS 234** and **CPS 230** — generated locally, in your own environment.
+
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+[![CI](https://github.com/jaybilgaye/aiopsone-assure/actions/workflows/ci.yml/badge.svg)](https://github.com/jaybilgaye/aiopsone-assure/actions/workflows/ci.yml)
+
+**Keywords:** APRA CPS 234 / CPS 230 · AWS compliance report · Prowler findings to board narrative · Bedrock AI compliance · Australian regulated cloud
+
+---
+
+## Why
+
+Security scanners produce **findings**. Boards and APRA want **narrative evidence** — "demonstrate, mapped to CPS 234 ¶21, that information assets are encrypted, with evidence and a remediation plan." That translation is the biggest time-sink in an APRA review.
+
+`assure` closes the gap: **findings → CPS 234/230 paragraph mapping → board-ready narrative report.** It runs entirely in your environment — your AWS credentials, your Bedrock, nothing leaves your account.
+
+> Built on **Prowler**, **Powerpipe**, **Cloud Custodian** and **AWS Config** — the best open-source scanners. `assure` does the part they don't: turning their findings into APRA-paragraph board evidence.
+
+## Install
+
+```bash
+pipx install aiopsone-assure          # or: pip install aiopsone-assure
+pipx install "aiopsone-assure[ai]"    # + Bedrock AI narrative (boto3)
+pipx install "aiopsone-assure[scan]"  # + run Prowler scans (prowler)
+```
+
+PDF output needs Chrome/Chromium on the machine (set `$ASSURE_CHROME` to override the path), or use `--format md`.
+
+## Usage
+
+```bash
+# 1. Run Prowler against an account and build the report in one step
+assure scan --framework cps234 --region ap-southeast-2
+
+# 2. Build a report from findings you already have (Prowler CSV / JSON / OCSF)
+assure report --in findings.csv --framework cps234
+
+# 3. Deterministic, no AI (template engine — default; zero AWS calls)
+assure report --in findings.csv --no-ai
+
+# 4. AI narrative via Amazon Bedrock (AU-resident), board-ready PDF
+assure report --in findings.csv --engine bedrock --region ap-southeast-2 --format pdf
+
+# 5. CI gate: non-zero exit if any control FAILs; machine-readable summary
+assure report --in findings.csv --json
+```
+
+List bundled frameworks:
+
+```bash
+assure frameworks
+# cps234   APRA CPS 234 Information Security  (20 controls, 55 checks)
+# cps230   APRA CPS 230 Operational Risk Management  (18 controls, 15 checks)
+```
+
+## What you get
+
+A board-ready report with:
+- **Executive summary** + automated compliance score
+- **Control-by-control assessment** mapped to CPS 234/230 paragraphs (PASS / FAIL / MANUAL / NOT-ASSESSED)
+- **Cited evidence** per failing control
+- **Remediation roadmap**
+
+Two formats: **Markdown** (always) and a **branded PDF** (professional, print-friendly).
+
+## How it works
+
+```
+ AWS account / existing findings
+        │  (your own AWS creds — nothing leaves your environment)
+        ▼
+   assure ── run Prowler (scoped to the framework's checks)
+        │
+        ├─ map check → CPS 234/230 paragraph   (we own the mapping; no FW injection into Prowler)
+        ├─ narrate: template (offline) or Amazon Bedrock / Claude (AU-resident)
+        ▼
+   Board-ready report: Markdown + branded PDF
+```
+
+## Exit codes
+
+`0` no failing controls · `2` one or more controls FAIL (for CI gating) · `1` error. Use `--exit-zero` to always return 0.
+
+## Frameworks are pluggable
+
+A framework is just data — a pack JSON mapping checks → paragraphs. Bundled: CPS 234, CPS 230. Point `--framework path/to/pack.json` at your own. (Roadmap: Essential Eight, ACSC ISM/IRAP, then ISO 27001 / SOC 2.)
+
+## Status & scope
+
+v0.1 — CLI. Self-hosted, single-shot, stores nothing. The hosted SaaS (continuous, multi-account, managed AU-resident inference, dashboard) is a separate product that wraps this engine.
+
+---
+
+*Practitioner tooling for AWS Security in APRA-regulated Australia — [aiopsone.com](https://aiopsone.com). Not legal advice; verify against the official APRA standards.*

aiopsone_assure-0.1.0/aiopsone_assure.egg-info/PKG-INFO

@@ -0,0 +1,122 @@
+Metadata-Version: 2.4
+Name: aiopsone-assure
+Version: 0.1.0
+Summary: APRA CPS 234 / CPS 230 AWS compliance evidence from your terminal — security findings to a board-ready narrative report.
+Author: Jayprakash Bilgaye
+License: MIT
+Project-URL: Homepage, https://aiopsone.com
+Project-URL: Repository, https://github.com/jaybilgaye/aiopsone-assure
+Project-URL: Issues, https://github.com/jaybilgaye/aiopsone-assure/issues
+Keywords: apra,cps-234,cps-230,aws,compliance,prowler,cloud-security,bedrock,audit,governance,australia
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Information Technology
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Provides-Extra: ai
+Requires-Dist: boto3>=1.34.0; extra == "ai"
+Provides-Extra: scan
+Requires-Dist: prowler>=5.0.0; extra == "scan"
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0; extra == "dev"
+Dynamic: license-file
+
+# aiopsone-assure
+
+> **APRA compliance evidence for AWS, from your terminal.** Point `assure` at an AWS account (or existing Prowler findings) and get a **board-ready, APRA-paragraph-mapped narrative report** (Markdown + branded PDF) for **CPS 234** and **CPS 230** — generated locally, in your own environment.
+
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+[![CI](https://github.com/jaybilgaye/aiopsone-assure/actions/workflows/ci.yml/badge.svg)](https://github.com/jaybilgaye/aiopsone-assure/actions/workflows/ci.yml)
+
+**Keywords:** APRA CPS 234 / CPS 230 · AWS compliance report · Prowler findings to board narrative · Bedrock AI compliance · Australian regulated cloud
+
+---
+
+## Why
+
+Security scanners produce **findings**. Boards and APRA want **narrative evidence** — "demonstrate, mapped to CPS 234 ¶21, that information assets are encrypted, with evidence and a remediation plan." That translation is the biggest time-sink in an APRA review.
+
+`assure` closes the gap: **findings → CPS 234/230 paragraph mapping → board-ready narrative report.** It runs entirely in your environment — your AWS credentials, your Bedrock, nothing leaves your account.
+
+> Built on **Prowler**, **Powerpipe**, **Cloud Custodian** and **AWS Config** — the best open-source scanners. `assure` does the part they don't: turning their findings into APRA-paragraph board evidence.
+
+## Install
+
+```bash
+pipx install aiopsone-assure          # or: pip install aiopsone-assure
+pipx install "aiopsone-assure[ai]"    # + Bedrock AI narrative (boto3)
+pipx install "aiopsone-assure[scan]"  # + run Prowler scans (prowler)
+```
+
+PDF output needs Chrome/Chromium on the machine (set `$ASSURE_CHROME` to override the path), or use `--format md`.
+
+## Usage
+
+```bash
+# 1. Run Prowler against an account and build the report in one step
+assure scan --framework cps234 --region ap-southeast-2
+
+# 2. Build a report from findings you already have (Prowler CSV / JSON / OCSF)
+assure report --in findings.csv --framework cps234
+
+# 3. Deterministic, no AI (template engine — default; zero AWS calls)
+assure report --in findings.csv --no-ai
+
+# 4. AI narrative via Amazon Bedrock (AU-resident), board-ready PDF
+assure report --in findings.csv --engine bedrock --region ap-southeast-2 --format pdf
+
+# 5. CI gate: non-zero exit if any control FAILs; machine-readable summary
+assure report --in findings.csv --json
+```
+
+List bundled frameworks:
+
+```bash
+assure frameworks
+# cps234   APRA CPS 234 Information Security  (20 controls, 55 checks)
+# cps230   APRA CPS 230 Operational Risk Management  (18 controls, 15 checks)
+```
+
+## What you get
+
+A board-ready report with:
+- **Executive summary** + automated compliance score
+- **Control-by-control assessment** mapped to CPS 234/230 paragraphs (PASS / FAIL / MANUAL / NOT-ASSESSED)
+- **Cited evidence** per failing control
+- **Remediation roadmap**
+
+Two formats: **Markdown** (always) and a **branded PDF** (professional, print-friendly).
+
+## How it works
+
+```
+ AWS account / existing findings
+        │  (your own AWS creds — nothing leaves your environment)
+        ▼
+   assure ── run Prowler (scoped to the framework's checks)
+        │
+        ├─ map check → CPS 234/230 paragraph   (we own the mapping; no FW injection into Prowler)
+        ├─ narrate: template (offline) or Amazon Bedrock / Claude (AU-resident)
+        ▼
+   Board-ready report: Markdown + branded PDF
+```
+
+## Exit codes
+
+`0` no failing controls · `2` one or more controls FAIL (for CI gating) · `1` error. Use `--exit-zero` to always return 0.
+
+## Frameworks are pluggable
+
+A framework is just data — a pack JSON mapping checks → paragraphs. Bundled: CPS 234, CPS 230. Point `--framework path/to/pack.json` at your own. (Roadmap: Essential Eight, ACSC ISM/IRAP, then ISO 27001 / SOC 2.)
+
+## Status & scope
+
+v0.1 — CLI. Self-hosted, single-shot, stores nothing. The hosted SaaS (continuous, multi-account, managed AU-resident inference, dashboard) is a separate product that wraps this engine.
+
+---
+
+*Practitioner tooling for AWS Security in APRA-regulated Australia — [aiopsone.com](https://aiopsone.com). Not legal advice; verify against the official APRA standards.*

aiopsone_assure-0.1.0/aiopsone_assure.egg-info/SOURCES.txt

@@ -0,0 +1,21 @@
+LICENSE
+README.md
+pyproject.toml
+aiopsone_assure.egg-info/PKG-INFO
+aiopsone_assure.egg-info/SOURCES.txt
+aiopsone_assure.egg-info/dependency_links.txt
+aiopsone_assure.egg-info/entry_points.txt
+aiopsone_assure.egg-info/requires.txt
+aiopsone_assure.egg-info/top_level.txt
+assure/__init__.py
+assure/cli.py
+assure/core/__init__.py
+assure/core/frameworks.py
+assure/core/ingest.py
+assure/core/mapping.py
+assure/core/narrate.py
+assure/core/report.py
+assure/core/scan.py
+assure/data/frameworks/cps230.json
+assure/data/frameworks/cps234.json
+tests/test_assure.py

aiopsone_assure-0.1.0/aiopsone_assure.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

aiopsone_assure-0.1.0/aiopsone_assure.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+assure = assure.cli:main

aiopsone_assure-0.1.0/aiopsone_assure.egg-info/requires.txt

@@ -0,0 +1,9 @@
+
+[ai]
+boto3>=1.34.0
+
+[dev]
+pytest>=7.0
+
+[scan]
+prowler>=5.0.0

aiopsone_assure-0.1.0/aiopsone_assure.egg-info/top_level.txt

@@ -0,0 +1 @@
+assure

aiopsone_assure-0.1.0/assure/__init__.py

@@ -0,0 +1,6 @@
+"""aiopsone-assure — APRA compliance evidence for AWS, from your terminal.
+
+Turn AWS security findings (Prowler / Security Hub / AWS Config) into a
+board-ready, APRA-paragraph-mapped narrative compliance report (CPS 234 / CPS 230).
+"""
+__version__ = "0.1.0"

aiopsone_assure-0.1.0/assure/cli.py

@@ -0,0 +1,186 @@
+"""assure — APRA compliance evidence for AWS, from your terminal.
+
+  assure scan   --framework cps234 --region ap-southeast-2     # run Prowler, then report
+  assure report --in findings.csv --framework cps234           # report from existing findings
+  assure frameworks                                            # list bundled frameworks
+
+Exit codes:  0 = no failing controls · 2 = one or more controls FAIL · 1 = error
+"""
+import argparse
+import json
+import os
+import shutil
+import sys
+
+from . import __version__
+from .core import frameworks, ingest, mapping, narrate, report
+
+# AU-resident inference profile (data residency for APRA-regulated entities), current model.
+DEFAULT_MODEL = os.environ.get("BEDROCK_MODEL_ID", "au.anthropic.claude-sonnet-4-6")
+DEFAULT_REGION = os.environ.get("AWS_REGION", "ap-southeast-2")
+
+
+def _err(msg):
+    print(f"assure: error: {msg}", file=sys.stderr)
+    return 1
+
+
+def _add_common(p):
+    p.add_argument("--framework", default="cps234",
+                   help="framework alias (cps234, cps230) or path to a framework-pack .json")
+    p.add_argument("--engine", choices=["template", "bedrock"], default="template",
+                   help="narrative engine (default: template / offline)")
+    p.add_argument("--no-ai", action="store_true", help="force the deterministic template engine")
+    p.add_argument("--model", default=DEFAULT_MODEL, help="Bedrock model id (with --engine bedrock)")
+    p.add_argument("--region", default=DEFAULT_REGION, help="AWS region")
+    p.add_argument("-o", "--output", default="assure-report",
+                   help="output basename or path (default: assure-report)")
+    p.add_argument("--format", choices=["pdf", "md", "both"], default="both",
+                   help="report format (default: both)")
+    p.add_argument("--json", action="store_true", help="print a machine-readable summary to stdout")
+    p.add_argument("--exit-zero", action="store_true", help="always exit 0, even with failing controls")
+
+
+def _outputs(base, fmt):
+    """Resolve (md_path, pdf_path) honouring an explicit extension on base."""
+    root, ext = os.path.splitext(base)
+    if ext.lower() == ".md":
+        return root + ".md", root + ".pdf"
+    if ext.lower() == ".pdf":
+        return root + ".md", root + ".pdf"
+    return base + ".md", base + ".pdf"
+
+
+def _generate(fw, results, ctx, args):
+    ctx = dict(ctx)
+    ctx["engine"] = "template" if args.no_ai else args.engine
+    control_results = mapping.aggregate(fw, results)
+    s = mapping.summarise(control_results)
+
+    engine = "template" if args.no_ai else args.engine
+    try:
+        base_narrator = narrate.get_narrator(engine, args.model, args.region)
+    except RuntimeError as e:
+        return _err(str(e))
+
+    # Memoise per control so md + pdf reuse one narrative (no double Bedrock cost).
+    _cache = {}
+
+    def narrator(res):
+        if res.control.id not in _cache:
+            _cache[res.control.id] = base_narrator(res)
+        return _cache[res.control.id]
+
+    md = report.build_markdown(fw, control_results, ctx, narrator)
+    md_path, pdf_path = _outputs(args.output, args.format)
+    written = []
+
+    if args.format in ("md", "both"):
+        with open(md_path, "w", encoding="utf-8") as f:
+            f.write(md)
+        written.append(md_path)
+
+    if args.format in ("pdf", "both"):
+        # Re-narrate via HTML builder (same narrator) so AI text isn't regenerated twice
+        # for bedrock: build_html calls narrator again — acceptable for v1 (cache later).
+        html_doc = report.build_html(fw, control_results, ctx, narrator)
+        try:
+            report.render_pdf(html_doc, pdf_path)
+            written.append(pdf_path)
+        except report.PDFError as e:
+            if args.format == "pdf":
+                return _err(str(e))
+            print(f"assure: warning: PDF skipped ({e})", file=sys.stderr)
+
+    if args.json:
+        print(json.dumps({
+            "framework": fw.id, "score": s["score"], "counts": {
+                "fail": s["fail"], "pass": s["pass"], "manual": s["manual"],
+                "not_assessed": s["not_assessed"], "total": s["total"],
+            }, "outputs": written,
+        }, indent=2))
+    else:
+        print(f"✔ {fw.name}: {s['score']}% automated "
+              f"({s['pass']} pass · {s['fail']} fail · {s['manual']} manual"
+              + (f" · {s['not_assessed']} not-assessed" if s['not_assessed'] else "") + ")")
+        for w in written:
+            print(f"  → {w}")
+
+    if s["fail"] and not args.exit_zero:
+        return 2
+    return 0
+
+
+def cmd_report(args):
+    try:
+        fw = frameworks.load(args.framework)
+    except frameworks.FrameworkError as e:
+        return _err(str(e))
+    if not os.path.exists(args.input):
+        return _err(f"findings file not found: {args.input}")
+    try:
+        results, ctx = ingest.load(args.input)
+    except ingest.IngestError as e:
+        return _err(str(e))
+    return _generate(fw, results, ctx, args)
+
+
+def cmd_scan(args):
+    from .core import scan
+    try:
+        fw = frameworks.load(args.framework)
+    except frameworks.FrameworkError as e:
+        return _err(str(e))
+    print(f"Running Prowler for {fw.name} ({len(fw.check_index)} checks) in {args.region}…",
+          file=sys.stderr)
+    try:
+        csv_path, workdir = scan.run_prowler(fw, region=args.region, profile=args.profile)
+    except scan.ScanError as e:
+        return _err(str(e))
+    try:
+        results, ctx = ingest.load(csv_path)
+    finally:
+        shutil.rmtree(workdir, ignore_errors=True)
+    return _generate(fw, results, ctx, args)
+
+
+def cmd_frameworks(args):
+    for name in frameworks.available():
+        fw = frameworks.load(name)
+        print(f"{name:10s} {fw.name}  ({len(fw.controls)} controls, "
+              f"{len(fw.check_index)} checks)")
+    return 0
+
+
+def build_parser():
+    p = argparse.ArgumentParser(prog="assure", description=__doc__,
+                                formatter_class=argparse.RawDescriptionHelpFormatter)
+    p.add_argument("--version", action="version", version=f"assure {__version__}")
+    sub = p.add_subparsers(dest="command")
+
+    sp = sub.add_parser("scan", help="run Prowler against an AWS account, then build the report")
+    _add_common(sp)
+    sp.add_argument("--profile", default=None, help="AWS profile to use for the scan")
+    sp.set_defaults(func=cmd_scan)
+
+    rp = sub.add_parser("report", help="build the report from an existing findings file")
+    rp.add_argument("--in", dest="input", required=True, help="Prowler CSV/JSON findings file")
+    _add_common(rp)
+    rp.set_defaults(func=cmd_report)
+
+    fp = sub.add_parser("frameworks", help="list bundled frameworks")
+    fp.set_defaults(func=cmd_frameworks)
+    return p
+
+
+def main(argv=None):
+    parser = build_parser()
+    args = parser.parse_args(argv)
+    if not getattr(args, "func", None):
+        parser.print_help()
+        return 0
+    return args.func(args)
+
+
+if __name__ == "__main__":
+    sys.exit(main())