attune-ai 2.0.0__py3-none-any.whl

attune_llm/security/secure_memdocs.py

@@ -0,0 +1,1192 @@
+"""Secure MemDocs Integration for Enterprise Privacy
+
+Combines PII scrubbing, secrets detection, and audit logging with MemDocs pattern storage.
+Implements three-tier classification (PUBLIC/INTERNAL/SENSITIVE) with encryption support.
+
+This module provides the complete security pipeline for storing and retrieving
+patterns with full compliance for GDPR, HIPAA, and SOC2 requirements.
+
+Key Features:
+- Automatic PII scrubbing before storage
+- Secrets detection with blocking
+- Three-tier classification system
+- AES-256-GCM encryption for SENSITIVE patterns
+- Comprehensive audit logging
+- Access control enforcement
+- Retention policy management
+
+Architecture:
+    User Input → [PII Scrubbing + Secrets Detection (PARALLEL)] → Classification
+    → Encryption (if SENSITIVE) → MemDocs Storage → Audit Logging
+
+Reference:
+- SECURE_MEMORY_ARCHITECTURE.md: MemDocs Integration Patterns
+- ENTERPRISE_PRIVACY_INTEGRATION.md: Phase 2 Implementation
+
+Copyright 2025 Smart AI Memory, LLC
+Licensed under Fair Source 0.9
+"""
+
+import base64
+import concurrent.futures
+import hashlib
+import json
+import os
+from dataclasses import dataclass, field
+from datetime import datetime, timedelta
+from enum import Enum
+from pathlib import Path
+from typing import Any
+
+import structlog
+
+from .audit_logger import AuditEvent, AuditLogger
+from .pii_scrubber import PIIScrubber
+from .secrets_detector import SecretsDetector
+
+logger = structlog.get_logger(__name__)
+
+# Check for cryptography library
+try:
+    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+
+    HAS_ENCRYPTION = True
+except ImportError:
+    HAS_ENCRYPTION = False
+    logger.warning("cryptography library not available - encryption disabled")
+
+
+class Classification(Enum):
+    """Three-tier classification system for MemDocs patterns"""
+
+    PUBLIC = "PUBLIC"  # Shareable across organization, anonymized
+    INTERNAL = "INTERNAL"  # Team/project only, no PII or secrets
+    SENSITIVE = "SENSITIVE"  # Encrypted at rest, access-controlled (HIPAA, finance)
+
+
+@dataclass
+class ClassificationRules:
+    """Security rules for each classification level"""
+
+    classification: Classification
+    encryption_required: bool
+    retention_days: int
+    access_level: str  # "all_users", "project_team", "explicit_permission"
+    audit_all_access: bool = False
+
+
+# Default classification rules based on enterprise security policy
+DEFAULT_CLASSIFICATION_RULES: dict[Classification, ClassificationRules] = {
+    Classification.PUBLIC: ClassificationRules(
+        classification=Classification.PUBLIC,
+        encryption_required=False,
+        retention_days=365,
+        access_level="all_users",
+        audit_all_access=False,
+    ),
+    Classification.INTERNAL: ClassificationRules(
+        classification=Classification.INTERNAL,
+        encryption_required=False,
+        retention_days=180,
+        access_level="project_team",
+        audit_all_access=False,
+    ),
+    Classification.SENSITIVE: ClassificationRules(
+        classification=Classification.SENSITIVE,
+        encryption_required=True,
+        retention_days=90,
+        access_level="explicit_permission",
+        audit_all_access=True,
+    ),
+}
+
+
+@dataclass
+class PatternMetadata:
+    """Metadata for stored MemDocs patterns"""
+
+    pattern_id: str
+    created_by: str
+    created_at: str
+    classification: str
+    retention_days: int
+    encrypted: bool
+    pattern_type: str
+    sanitization_applied: bool
+    pii_removed: int
+    secrets_detected: int
+    access_control: dict[str, Any] = field(default_factory=dict)
+    custom_metadata: dict[str, Any] = field(default_factory=dict)
+
+
+@dataclass
+class SecurePattern:
+    """Represents a securely stored pattern"""
+
+    pattern_id: str
+    content: str
+    metadata: PatternMetadata
+
+
+class SecurityError(Exception):
+    """Raised when security policy is violated"""
+
+
+class PermissionError(Exception):
+    """Raised when access is denied"""
+
+
+class EncryptionManager:
+    """Manages encryption/decryption for SENSITIVE patterns.
+
+    Uses AES-256-GCM (Galois/Counter Mode) for authenticated encryption.
+    Keys are derived from a master key using HKDF.
+    """
+
+    def __init__(self, master_key: bytes | None = None):
+        """Initialize encryption manager.
+
+        Args:
+            master_key: 32-byte master key (or None to generate/load)
+
+        """
+        if not HAS_ENCRYPTION:
+            logger.warning("Encryption not available - install cryptography library")
+            self.enabled = False
+            return
+
+        self.enabled = True
+        self.master_key = master_key or self._load_or_generate_key()
+
+    def _load_or_generate_key(self) -> bytes:
+        """Load master key from environment or generate new one.
+
+        Production: Set EMPATHY_MASTER_KEY environment variable
+        Development: Generates ephemeral key (warning logged)
+        """
+        # Check environment variable first
+        if env_key := os.getenv("EMPATHY_MASTER_KEY"):
+            try:
+                return base64.b64decode(env_key)
+            except Exception as e:
+                logger.error("invalid_master_key_in_env", error=str(e))
+                raise ValueError("Invalid EMPATHY_MASTER_KEY format") from e
+
+        # Check key file
+        key_file = Path.home() / ".empathy" / "master.key"
+        if key_file.exists():
+            try:
+                return key_file.read_bytes()
+            except Exception as e:
+                logger.error("failed_to_load_key_file", error=str(e))
+
+        # Generate ephemeral key (NOT for production)
+        logger.warning(
+            "no_master_key_found",
+            message="Generating ephemeral encryption key - set EMPATHY_MASTER_KEY for production",
+        )
+        return AESGCM.generate_key(bit_length=256)
+
+    def encrypt(self, plaintext: str) -> str:
+        """Encrypt plaintext using AES-256-GCM.
+
+        Args:
+            plaintext: Content to encrypt
+
+        Returns:
+            Base64-encoded ciphertext with format: nonce||ciphertext||tag
+
+        Raises:
+            SecurityError: If encryption fails
+
+        """
+        if not self.enabled:
+            raise SecurityError("Encryption not available - install cryptography library")
+
+        try:
+            # Generate random 96-bit nonce (12 bytes)
+            nonce = os.urandom(12)
+
+            # Create AESGCM cipher
+            aesgcm = AESGCM(self.master_key)
+
+            # Encrypt and authenticate
+            ciphertext = aesgcm.encrypt(nonce, plaintext.encode("utf-8"), None)
+
+            # Combine nonce + ciphertext for storage
+            encrypted_data = nonce + ciphertext
+
+            # Return base64-encoded
+            return base64.b64encode(encrypted_data).decode("utf-8")
+
+        except Exception as e:
+            logger.error("encryption_failed", error=str(e))
+            raise SecurityError(f"Encryption failed: {e}") from e
+
+    def decrypt(self, ciphertext_b64: str) -> str:
+        """Decrypt ciphertext using AES-256-GCM.
+
+        Args:
+            ciphertext_b64: Base64-encoded encrypted data
+
+        Returns:
+            Decrypted plaintext
+
+        Raises:
+            SecurityError: If decryption fails (invalid key, corrupted data, etc.)
+
+        """
+        if not self.enabled:
+            raise SecurityError("Encryption not available - install cryptography library")
+
+        try:
+            # Decode from base64
+            encrypted_data = base64.b64decode(ciphertext_b64)
+
+            # Extract nonce (first 12 bytes) and ciphertext (rest)
+            nonce = encrypted_data[:12]
+            ciphertext = encrypted_data[12:]
+
+            # Create AESGCM cipher
+            aesgcm = AESGCM(self.master_key)
+
+            # Decrypt and verify
+            plaintext_bytes = aesgcm.decrypt(nonce, ciphertext, None)
+
+            return plaintext_bytes.decode("utf-8")
+
+        except Exception as e:
+            logger.error("decryption_failed", error=str(e))
+            raise SecurityError(f"Decryption failed: {e}") from e
+
+
+class MemDocsStorage:
+    """Mock/Simple MemDocs storage backend.
+
+    In production, this would integrate with the actual MemDocs library.
+    For now, provides a simple file-based storage for testing.
+    """
+
+    def __init__(self, storage_dir: str = "./memdocs_storage"):
+        """Initialize storage backend.
+
+        Args:
+            storage_dir: Directory for pattern storage
+
+        """
+        self.storage_dir = Path(storage_dir)
+        self.storage_dir.mkdir(parents=True, exist_ok=True)
+        logger.info("memdocs_storage_initialized", storage_dir=str(self.storage_dir))
+
+    def store(self, pattern_id: str, content: str, metadata: dict[str, Any]) -> bool:
+        """Store a pattern.
+
+        Args:
+            pattern_id: Unique pattern identifier
+            content: Pattern content (may be encrypted)
+            metadata: Pattern metadata
+
+        Returns:
+            True if successful
+
+        Raises:
+            IOError: If storage fails
+
+        """
+        try:
+            pattern_file = self.storage_dir / f"{pattern_id}.json"
+
+            # Ensure parent directory exists
+            pattern_file.parent.mkdir(parents=True, exist_ok=True)
+
+            pattern_data = {"pattern_id": pattern_id, "content": content, "metadata": metadata}
+
+            with open(pattern_file, "w", encoding="utf-8") as f:
+                json.dump(pattern_data, f, indent=2)
+
+            logger.debug("pattern_stored", pattern_id=pattern_id)
+            return True
+
+        except Exception as e:
+            logger.error("pattern_storage_failed", pattern_id=pattern_id, error=str(e))
+            raise
+
+    def retrieve(self, pattern_id: str) -> dict[str, Any] | None:
+        """Retrieve a pattern.
+
+        Args:
+            pattern_id: Unique pattern identifier
+
+        Returns:
+            Pattern data dictionary or None if not found
+
+        """
+        try:
+            pattern_file = self.storage_dir / f"{pattern_id}.json"
+
+            if not pattern_file.exists():
+                logger.warning("pattern_not_found", pattern_id=pattern_id)
+                return None
+
+            with open(pattern_file, encoding="utf-8") as f:
+                pattern_data: dict[str, Any] = json.load(f)
+
+            logger.debug("pattern_retrieved", pattern_id=pattern_id)
+            return pattern_data
+
+        except Exception as e:
+            logger.error("pattern_retrieval_failed", pattern_id=pattern_id, error=str(e))
+            return None
+
+    def delete(self, pattern_id: str) -> bool:
+        """Delete a pattern.
+
+        Args:
+            pattern_id: Unique pattern identifier
+
+        Returns:
+            True if deleted, False if not found
+
+        """
+        try:
+            pattern_file = self.storage_dir / f"{pattern_id}.json"
+
+            if not pattern_file.exists():
+                return False
+
+            pattern_file.unlink()
+            logger.info("pattern_deleted", pattern_id=pattern_id)
+            return True
+
+        except Exception as e:
+            logger.error("pattern_deletion_failed", pattern_id=pattern_id, error=str(e))
+            return False
+
+    def list_patterns(
+        self,
+        classification: str | None = None,
+        created_by: str | None = None,
+    ) -> list[str]:
+        """List pattern IDs matching criteria.
+
+        Args:
+            classification: Filter by classification
+            created_by: Filter by creator
+
+        Returns:
+            List of pattern IDs
+
+        """
+        pattern_ids = []
+
+        for pattern_file in self.storage_dir.glob("*.json"):
+            try:
+                with open(pattern_file, encoding="utf-8") as f:
+                    data = json.load(f)
+                    metadata = data.get("metadata", {})
+
+                    # Apply filters
+                    if classification and metadata.get("classification") != classification:
+                        continue
+                    if created_by and metadata.get("created_by") != created_by:
+                        continue
+
+                    pattern_ids.append(data.get("pattern_id"))
+
+            except Exception:
+                continue
+
+        return pattern_ids
+
+
+class SecureMemDocsIntegration:
+    """Secure integration between Claude Memory and MemDocs.
+
+    Enforces enterprise security policies from CLAUDE.md with:
+    - Automatic PII scrubbing
+    - Secrets detection and blocking
+    - Three-tier classification
+    - Encryption for SENSITIVE data
+    - Comprehensive audit logging
+    - Access control enforcement
+
+    Example:
+        >>> from attune_llm.claude_memory import ClaudeMemoryConfig
+        >>> config = ClaudeMemoryConfig(enabled=True, load_enterprise=True)
+        >>> integration = SecureMemDocsIntegration(config)
+        >>>
+        >>> # Store pattern with full security pipeline
+        >>> result = integration.store_pattern(
+        ...     content="Patient diagnosis: diabetes type 2",
+        ...     pattern_type="clinical_protocol",
+        ...     user_id="doctor@hospital.com"
+        ... )
+        >>> # Automatically: PII scrubbed, classified as SENSITIVE, encrypted
+        >>>
+        >>> # Retrieve with access control
+        >>> pattern = integration.retrieve_pattern(
+        ...     pattern_id=result["pattern_id"],
+        ...     user_id="doctor@hospital.com"
+        ... )
+
+    """
+
+    def __init__(
+        self,
+        claude_memory_config=None,
+        storage_dir: str = "./memdocs_storage",
+        audit_log_dir: str = "/var/log/empathy",
+        classification_rules: dict[Classification, ClassificationRules] | None = None,
+        enable_encryption: bool = True,
+        master_key: bytes | None = None,
+    ):
+        """Initialize Secure MemDocs Integration.
+
+        Args:
+            claude_memory_config: Configuration for Claude memory integration
+            storage_dir: Directory for MemDocs storage
+            audit_log_dir: Directory for audit logs
+            classification_rules: Custom classification rules (uses defaults if None)
+            enable_encryption: Enable encryption for SENSITIVE patterns
+            master_key: Encryption master key (auto-generated if None)
+
+        """
+        self.claude_memory_config = claude_memory_config
+        self.classification_rules = classification_rules or DEFAULT_CLASSIFICATION_RULES
+
+        # Initialize security components
+        self.pii_scrubber = PIIScrubber()
+        self.secrets_detector = SecretsDetector()
+        self.audit_logger = AuditLogger(
+            log_dir=audit_log_dir,
+            enable_console_logging=True,  # Development mode
+        )
+
+        # Initialize encryption
+        self.encryption_enabled = enable_encryption and HAS_ENCRYPTION
+        self.encryption_manager: EncryptionManager | None = None
+        if self.encryption_enabled:
+            self.encryption_manager = EncryptionManager(master_key)
+        elif enable_encryption:
+            logger.warning("encryption_disabled", reason="cryptography library not available")
+
+        # Initialize storage backend
+        self.storage = MemDocsStorage(storage_dir)
+
+        # Load security policies from enterprise CLAUDE.md
+        self.security_policies = self._load_security_policies()
+
+        logger.info(
+            "secure_memdocs_initialized",
+            encryption_enabled=self.encryption_enabled,
+            storage_dir=storage_dir,
+            audit_dir=audit_log_dir,
+        )
+
+    def _load_security_policies(self) -> dict[str, Any]:
+        """Load security policies from enterprise Claude memory.
+
+        In production, this would parse the enterprise CLAUDE.md file
+        to extract PII patterns, secret patterns, and classification rules.
+
+        For now, returns default policies that match the architecture spec.
+        """
+        policies = {
+            "pii_scrubbing_enabled": True,
+            "secrets_detection_enabled": True,
+            "classification_required": True,
+            "audit_logging_enabled": True,
+            "retention_enforcement_enabled": True,
+        }
+
+        logger.debug("security_policies_loaded", policies=policies)
+        return policies
+
+    def store_pattern(
+        self,
+        content: str,
+        pattern_type: str,
+        user_id: str,
+        auto_classify: bool = True,
+        explicit_classification: Classification | None = None,
+        session_id: str = "",
+        custom_metadata: dict[str, Any] | None = None,
+    ) -> dict[str, Any]:
+        """Store a pattern with full security pipeline.
+
+        Pipeline:
+            1. PII scrubbing
+            2. Secrets detection (blocks if found)
+            3. Classification (auto or explicit)
+            4. Encryption (if SENSITIVE)
+            5. MemDocs storage
+            6. Audit logging
+
+        Args:
+            content: Pattern content to store
+            pattern_type: Type of pattern (code, architecture, clinical, etc.)
+            user_id: User storing the pattern
+            auto_classify: Enable automatic classification
+            explicit_classification: Override auto-classification
+            session_id: Session identifier for audit
+            custom_metadata: Additional metadata
+
+        Returns:
+            Dictionary with:
+                - pattern_id: Unique identifier
+                - classification: Applied classification
+                - sanitization_report: PII and secrets detection results
+
+        Raises:
+            SecurityError: If secrets detected or security policy violated
+            ValueError: If invalid classification specified
+
+        Example:
+            >>> result = integration.store_pattern(
+            ...     content="Patient vital signs protocol",
+            ...     pattern_type="clinical_protocol",
+            ...     user_id="nurse@hospital.com"
+            ... )
+            >>> print(f"Stored as {result['classification']}")
+
+        """
+        logger.info(
+            "store_pattern_started",
+            user_id=user_id,
+            pattern_type=pattern_type,
+            auto_classify=auto_classify,
+        )
+
+        try:
+            # Validate content
+            if not content or not content.strip():
+                raise ValueError("Content cannot be empty")
+
+            # Step 1 & 2: PII Scrubbing + Secrets Detection (PARALLEL for performance)
+            # Run both operations in parallel since they're independent
+            # Secrets detection runs on original content to catch secrets before PII scrubbing
+            with concurrent.futures.ThreadPoolExecutor(max_workers=2) as executor:
+                # Submit both tasks in parallel
+                pii_future = executor.submit(self.pii_scrubber.scrub, content)
+                secrets_future = executor.submit(self.secrets_detector.detect, content)
+
+                # Wait for both to complete
+                sanitized_content, pii_detections = pii_future.result()
+                secrets_found = secrets_future.result()
+
+            pii_count = len(pii_detections)
+
+            if pii_count > 0:
+                logger.info(
+                    "pii_scrubbed",
+                    user_id=user_id,
+                    pii_count=pii_count,
+                    types=[d.pii_type for d in pii_detections],
+                )
+
+            if secrets_found:
+                # CRITICAL: Block storage if secrets detected
+                secret_types = [s.secret_type.value for s in secrets_found]
+                logger.error(
+                    "secrets_detected_blocking_storage",
+                    user_id=user_id,
+                    secret_count=len(secrets_found),
+                    types=secret_types,
+                )
+
+                # Log to audit trail
+                self.audit_logger.log_security_violation(
+                    user_id=user_id,
+                    violation_type="secrets_in_storage_attempt",
+                    severity="CRITICAL",
+                    details={
+                        "secret_count": len(secrets_found),
+                        "secret_types": secret_types,
+                        "pattern_type": pattern_type,
+                    },
+                    session_id=session_id,
+                    blocked=True,
+                )
+
+                raise SecurityError(
+                    f"Secrets detected in pattern. Cannot store. Found: {secret_types}",
+                )
+
+            # Step 3: Classification
+            if explicit_classification:
+                classification = explicit_classification
+                logger.info("explicit_classification", classification=classification.value)
+            elif auto_classify:
+                classification = self._classify_pattern(sanitized_content, pattern_type)
+                logger.info("auto_classification", classification=classification.value)
+            else:
+                # Default to INTERNAL if not specified
+                classification = Classification.INTERNAL
+                logger.info("default_classification", classification=classification.value)
+
+            # Step 4: Apply classification-specific controls
+            rules = self.classification_rules[classification]
+
+            # Encrypt if required
+            final_content = sanitized_content
+            encrypted = False
+
+            if rules.encryption_required and self.encryption_enabled and self.encryption_manager:
+                final_content = self.encryption_manager.encrypt(sanitized_content)
+                encrypted = True
+                logger.info("pattern_encrypted", classification=classification.value)
+            elif rules.encryption_required and not self.encryption_enabled:
+                logger.warning(
+                    "encryption_required_but_unavailable",
+                    classification=classification.value,
+                    action="storing_unencrypted",
+                )
+
+            # Generate pattern ID
+            pattern_id = self._generate_pattern_id(user_id, pattern_type)
+
+            # Step 5: Store in MemDocs with metadata
+            metadata = PatternMetadata(
+                pattern_id=pattern_id,
+                created_by=user_id,
+                created_at=datetime.utcnow().isoformat() + "Z",
+                classification=classification.value,
+                retention_days=rules.retention_days,
+                encrypted=encrypted,
+                pattern_type=pattern_type,
+                sanitization_applied=True,
+                pii_removed=pii_count,
+                secrets_detected=0,
+                access_control={
+                    "access_level": rules.access_level,
+                    "audit_required": rules.audit_all_access,
+                },
+                custom_metadata=custom_metadata or {},
+            )
+
+            self.storage.store(
+                pattern_id=pattern_id,
+                content=final_content,
+                metadata=metadata.__dict__,
+            )
+
+            # Step 6: Audit logging
+            self.audit_logger.log_pattern_store(
+                user_id=user_id,
+                pattern_id=pattern_id,
+                pattern_type=pattern_type,
+                classification=classification.value,
+                pii_scrubbed=pii_count,
+                secrets_detected=0,
+                retention_days=rules.retention_days,
+                encrypted=encrypted,
+                session_id=session_id,
+                status="success",
+            )
+
+            logger.info(
+                "pattern_stored_successfully",
+                pattern_id=pattern_id,
+                classification=classification.value,
+                encrypted=encrypted,
+            )
+
+            return {
+                "pattern_id": pattern_id,
+                "classification": classification.value,
+                "sanitization_report": {
+                    "pii_removed": [{"type": d.pii_type, "count": 1} for d in pii_detections],
+                    "pii_count": pii_count,
+                    "secrets_detected": 0,
+                },
+                "metadata": {
+                    "encrypted": encrypted,
+                    "retention_days": rules.retention_days,
+                    "created_at": metadata.created_at,
+                },
+            }
+
+        except SecurityError:
+            # Re-raise security errors
+            raise
+        except Exception as e:
+            # Log unexpected errors
+            logger.error("pattern_storage_failed", user_id=user_id, error=str(e))
+
+            self.audit_logger.log_pattern_store(
+                user_id=user_id,
+                pattern_id="",
+                pattern_type=pattern_type,
+                classification="UNKNOWN",
+                pii_scrubbed=0,
+                secrets_detected=0,
+                retention_days=0,
+                encrypted=False,
+                session_id=session_id,
+                status="failed",
+                error=str(e),
+            )
+
+            raise
+
+    def retrieve_pattern(
+        self,
+        pattern_id: str,
+        user_id: str,
+        check_permissions: bool = True,
+        session_id: str = "",
+    ) -> dict[str, Any]:
+        """Retrieve a pattern with access control and decryption.
+
+        Pipeline:
+            1. Retrieve from MemDocs
+            2. Check access permissions
+            3. Decrypt (if SENSITIVE)
+            4. Check retention policy
+            5. Audit logging
+
+        Args:
+            pattern_id: Unique pattern identifier
+            user_id: User retrieving the pattern
+            check_permissions: Enforce access control
+            session_id: Session identifier for audit
+
+        Returns:
+            Dictionary with:
+                - content: Pattern content (decrypted if needed)
+                - metadata: Pattern metadata
+
+        Raises:
+            PermissionError: If access denied
+            ValueError: If pattern not found or retention expired
+            SecurityError: If decryption fails
+
+        Example:
+            >>> pattern = integration.retrieve_pattern(
+            ...     pattern_id="pat_abc123",
+            ...     user_id="user@company.com"
+            ... )
+            >>> print(pattern["content"])
+
+        """
+        logger.info(
+            "retrieve_pattern_started",
+            pattern_id=pattern_id,
+            user_id=user_id,
+            check_permissions=check_permissions,
+        )
+
+        try:
+            # Step 1: Retrieve from MemDocs
+            pattern_data = self.storage.retrieve(pattern_id)
+
+            if not pattern_data:
+                logger.warning("pattern_not_found", pattern_id=pattern_id)
+                raise ValueError(f"Pattern {pattern_id} not found")
+
+            content = pattern_data["content"]
+            metadata = pattern_data["metadata"]
+            classification = Classification[metadata["classification"]]
+
+            # Step 2: Check access permissions
+            access_granted = True
+            if check_permissions:
+                access_granted = self._check_access(
+                    user_id=user_id,
+                    classification=classification,
+                    metadata=metadata,
+                )
+
+                if not access_granted:
+                    logger.warning(
+                        "access_denied",
+                        pattern_id=pattern_id,
+                        user_id=user_id,
+                        classification=classification.value,
+                    )
+
+                    # Log access denial
+                    self.audit_logger.log_pattern_retrieve(
+                        user_id=user_id,
+                        pattern_id=pattern_id,
+                        classification=classification.value,
+                        access_granted=False,
+                        session_id=session_id,
+                        status="blocked",
+                        error="Access denied",
+                    )
+
+                    raise PermissionError(
+                        f"User {user_id} does not have access to {classification.value} pattern",
+                    )
+
+            # Step 3: Decrypt if needed
+            if metadata.get("encrypted", False):
+                if not self.encryption_enabled or not self.encryption_manager:
+                    logger.error("decryption_required_but_unavailable", pattern_id=pattern_id)
+                    raise SecurityError("Encryption not available for decryption")
+
+                content = self.encryption_manager.decrypt(content)
+                logger.debug("pattern_decrypted", pattern_id=pattern_id)
+
+            # Step 4: Check retention policy
+            created_at = datetime.fromisoformat(metadata["created_at"].rstrip("Z"))
+            retention_days = metadata["retention_days"]
+            expiration_date = created_at + timedelta(days=retention_days)
+
+            if datetime.utcnow() > expiration_date:
+                logger.warning(
+                    "pattern_retention_expired",
+                    pattern_id=pattern_id,
+                    created_at=metadata["created_at"],
+                    retention_days=retention_days,
+                )
+                raise ValueError(
+                    f"Pattern {pattern_id} has expired retention period "
+                    f"(created: {metadata['created_at']}, retention: {retention_days} days)",
+                )
+
+            # Step 5: Audit logging
+            self.audit_logger.log_pattern_retrieve(
+                user_id=user_id,
+                pattern_id=pattern_id,
+                classification=classification.value,
+                access_granted=True,
+                permission_level=metadata["access_control"]["access_level"],
+                session_id=session_id,
+                status="success",
+            )
+
+            logger.info(
+                "pattern_retrieved_successfully",
+                pattern_id=pattern_id,
+                classification=classification.value,
+            )
+
+            return {"content": content, "metadata": metadata}
+
+        except (PermissionError, ValueError, SecurityError):
+            # Re-raise expected errors
+            raise
+        except Exception as e:
+            # Log unexpected errors
+            logger.error("pattern_retrieval_failed", pattern_id=pattern_id, error=str(e))
+
+            self.audit_logger.log_pattern_retrieve(
+                user_id=user_id,
+                pattern_id=pattern_id,
+                classification="UNKNOWN",
+                access_granted=False,
+                session_id=session_id,
+                status="failed",
+                error=str(e),
+            )
+
+            raise
+
+    def _classify_pattern(self, content: str, pattern_type: str) -> Classification:
+        """Auto-classify pattern based on content and type.
+
+        Classification heuristics:
+        - SENSITIVE: Healthcare, financial, regulated data keywords
+        - INTERNAL: Proprietary, confidential, internal keywords
+        - PUBLIC: Everything else (general patterns)
+
+        Args:
+            content: Pattern content (already PII-scrubbed)
+            pattern_type: Type of pattern
+
+        Returns:
+            Classification level
+
+        """
+        content_lower = content.lower()
+
+        # SENSITIVE: Healthcare keywords (HIPAA)
+        healthcare_keywords = [
+            "patient",
+            "medical",
+            "diagnosis",
+            "treatment",
+            "healthcare",
+            "clinical",
+            "hipaa",
+            "phi",
+            "medical record",
+            "prescription",
+        ]
+
+        # SENSITIVE: Financial keywords
+        financial_keywords = [
+            "financial",
+            "payment",
+            "credit card",
+            "banking",
+            "transaction",
+            "pci dss",
+            "payment card",
+        ]
+
+        # INTERNAL: Proprietary keywords
+        proprietary_keywords = [
+            "proprietary",
+            "confidential",
+            "internal",
+            "trade secret",
+            "company confidential",
+            "restricted",
+        ]
+
+        # Check for SENSITIVE indicators
+        if any(keyword in content_lower for keyword in healthcare_keywords):
+            return Classification.SENSITIVE
+
+        if any(keyword in content_lower for keyword in financial_keywords):
+            return Classification.SENSITIVE
+
+        # Pattern type based classification
+        if pattern_type in [
+            "clinical_protocol",
+            "medical_guideline",
+            "patient_workflow",
+            "financial_procedure",
+        ]:
+            return Classification.SENSITIVE
+
+        # Check for INTERNAL indicators
+        if any(keyword in content_lower for keyword in proprietary_keywords):
+            return Classification.INTERNAL
+
+        if pattern_type in ["architecture", "business_logic", "company_process"]:
+            return Classification.INTERNAL
+
+        # Default to PUBLIC for general patterns
+        return Classification.PUBLIC
+
+    def _check_access(
+        self,
+        user_id: str,
+        classification: Classification,
+        metadata: dict[str, Any],
+    ) -> bool:
+        """Check if user has access to pattern based on classification.
+
+        Access rules:
+        - PUBLIC: All users
+        - INTERNAL: Users on project team (simplified: always granted for demo)
+        - SENSITIVE: Explicit permission required (simplified: creator only)
+
+        Args:
+            user_id: User requesting access
+            classification: Pattern classification
+            metadata: Pattern metadata
+
+        Returns:
+            True if access granted, False otherwise
+
+        """
+        # PUBLIC: Everyone has access
+        if classification == Classification.PUBLIC:
+            return True
+
+        # INTERNAL: Check project team membership
+        # Simplified: Grant access (production would check team membership)
+        if classification == Classification.INTERNAL:
+            logger.debug("internal_access_check", user_id=user_id, granted=True)
+            return True
+
+        # SENSITIVE: Require explicit permission
+        # Simplified: Only pattern creator has access
+        if classification == Classification.SENSITIVE:
+            created_by = str(metadata.get("created_by", ""))
+            granted = user_id == created_by
+
+            logger.debug(
+                "sensitive_access_check",
+                user_id=user_id,
+                created_by=created_by,
+                granted=granted,
+            )
+
+            return bool(granted)
+
+        # Default deny
+        return False
+
+    def _generate_pattern_id(self, user_id: str, pattern_type: str) -> str:
+        """Generate unique pattern ID.
+
+        Format: pat_{timestamp}_{hash}
+
+        Args:
+            user_id: User creating the pattern
+            pattern_type: Type of pattern
+
+        Returns:
+            Unique pattern identifier
+
+        """
+        timestamp = datetime.utcnow().strftime("%Y%m%d%H%M%S")
+
+        # Create hash from user_id, pattern_type, and random component
+        hash_input = f"{user_id}:{pattern_type}:{timestamp}:{os.urandom(8).hex()}"
+        hash_digest = hashlib.sha256(hash_input.encode()).hexdigest()[:12]
+
+        return f"pat_{timestamp}_{hash_digest}"
+
+    def list_patterns(
+        self,
+        user_id: str,
+        classification: Classification | None = None,
+        pattern_type: str | None = None,
+    ) -> list[dict[str, Any]]:
+        """List patterns accessible to user.
+
+        Args:
+            user_id: User listing patterns
+            classification: Filter by classification
+            pattern_type: Filter by pattern type
+
+        Returns:
+            List of pattern summaries
+
+        """
+        all_pattern_ids = self.storage.list_patterns()
+        accessible_patterns = []
+
+        for pattern_id in all_pattern_ids:
+            try:
+                pattern_data = self.storage.retrieve(pattern_id)
+                if not pattern_data:
+                    continue
+
+                metadata = pattern_data["metadata"]
+                pat_classification = Classification[metadata["classification"]]
+
+                # Apply filters
+                if classification and pat_classification != classification:
+                    continue
+
+                if pattern_type and metadata.get("pattern_type") != pattern_type:
+                    continue
+
+                # Check access
+                if self._check_access(user_id, pat_classification, metadata):
+                    accessible_patterns.append(
+                        {
+                            "pattern_id": pattern_id,
+                            "pattern_type": metadata.get("pattern_type"),
+                            "classification": metadata["classification"],
+                            "created_by": metadata.get("created_by"),
+                            "created_at": metadata.get("created_at"),
+                            "encrypted": metadata.get("encrypted", False),
+                        },
+                    )
+
+            except Exception as e:
+                logger.warning(
+                    "failed_to_load_pattern_metadata",
+                    pattern_id=pattern_id,
+                    error=str(e),
+                )
+                continue
+
+        return accessible_patterns
+
+    def delete_pattern(self, pattern_id: str, user_id: str, session_id: str = "") -> bool:
+        """Delete a pattern (with access control).
+
+        Args:
+            pattern_id: Pattern to delete
+            user_id: User requesting deletion
+            session_id: Session identifier
+
+        Returns:
+            True if deleted successfully
+
+        Raises:
+            PermissionError: If user doesn't have permission to delete
+
+        """
+        # Retrieve pattern to check permissions
+        pattern_data = self.storage.retrieve(pattern_id)
+
+        if not pattern_data:
+            logger.warning("pattern_not_found_for_deletion", pattern_id=pattern_id)
+            return False
+
+        metadata = pattern_data["metadata"]
+
+        # Only creator can delete (simplified access control)
+        if metadata.get("created_by") != user_id:
+            logger.warning(
+                "delete_permission_denied",
+                pattern_id=pattern_id,
+                user_id=user_id,
+                created_by=metadata.get("created_by"),
+            )
+            raise PermissionError(f"User {user_id} cannot delete pattern {pattern_id}")
+
+        # Delete pattern
+        deleted = self.storage.delete(pattern_id)
+
+        if deleted:
+            # Log deletion
+            self.audit_logger._write_event(
+                AuditEvent(
+                    event_type="delete_pattern",
+                    user_id=user_id,
+                    session_id=session_id,
+                    status="success",
+                    data={
+                        "pattern_id": pattern_id,
+                        "classification": metadata["classification"],
+                    },
+                ),
+            )
+
+            logger.info("pattern_deleted", pattern_id=pattern_id, user_id=user_id)
+
+        return deleted
+
+    def get_statistics(self) -> dict[str, Any]:
+        """Get statistics about stored patterns.
+
+        Returns:
+            Dictionary with pattern statistics
+
+        """
+        all_patterns = self.storage.list_patterns()
+
+        stats: dict[str, Any] = {
+            "total_patterns": len(all_patterns),
+            "by_classification": {
+                "PUBLIC": 0,
+                "INTERNAL": 0,
+                "SENSITIVE": 0,
+            },
+            "encrypted_count": 0,
+            "with_pii_scrubbed": 0,
+        }
+
+        for pattern_id in all_patterns:
+            try:
+                pattern_data = self.storage.retrieve(pattern_id)
+                if not pattern_data:
+                    continue
+
+                metadata = pattern_data["metadata"]
+                classification = metadata.get("classification", "INTERNAL")
+
+                stats["by_classification"][classification] += 1
+
+                if metadata.get("encrypted", False):
+                    stats["encrypted_count"] += 1
+
+                if metadata.get("pii_removed", 0) > 0:
+                    stats["with_pii_scrubbed"] += 1
+
+            except Exception:
+                continue
+
+        return stats