cirdanops 0.1.0__py3-none-any.whl

cirdan/__init__.py

@@ -0,0 +1,3 @@
+"""Cirdan: AI infrastructure cartographer and operations daemon."""
+
+__version__ = "0.1.0"

cirdan/access/__init__.py

@@ -0,0 +1,3 @@
+from cirdan.access.context import AccessContext, detect_access, render_access_report
+
+__all__ = ["AccessContext", "detect_access", "render_access_report"]

cirdan/access/context.py

@@ -0,0 +1,221 @@
+"""Access-context detection.
+
+Cirdan is not a permission manager: this module is a mirror of what the
+current agent/session/process can already do. Every probe has a hard timeout
+so detection never hangs in restricted sandboxes.
+"""
+
+from __future__ import annotations
+
+import os
+import stat
+from pathlib import Path
+
+import httpx
+from pydantic import BaseModel, Field
+
+from cirdan.config import CirdanConfig
+from cirdan.util import now_iso, run_cmd, which
+
+
+class AccessContext(BaseModel):
+    detected_at: str = Field(default_factory=now_iso)
+    mode: str = "inherited-agent-access"
+    source: dict = Field(default_factory=dict)
+    capabilities: dict[str, bool] = Field(default_factory=dict)
+    details: dict = Field(default_factory=dict)
+
+    def can(self, capability: str) -> bool:
+        return bool(self.capabilities.get(capability))
+
+
+def _detect_agent() -> str:
+    env = os.environ
+    if env.get("CLAUDECODE") or env.get("CLAUDE_CODE_ENTRYPOINT"):
+        return "claude-code"
+    if env.get("CODEX_HOME") or env.get("CODEX_SANDBOX"):
+        return "codex"
+    if env.get("CURSOR_TRACE_ID") or env.get("CURSOR_SESSION_ID"):
+        return "cursor"
+    if env.get("GEMINI_CLI"):
+        return "gemini-cli"
+    return "shell"
+
+
+def _probe_files(root: Path) -> tuple[bool, bool]:
+    readable = os.access(root, os.R_OK)
+    writable = False
+    if os.access(root, os.W_OK):
+        probe = root / ".cirdan-write-probe"
+        try:
+            probe.write_text("")
+            probe.unlink()
+            writable = True
+        except OSError:
+            writable = False
+    return readable, writable
+
+
+def _probe_docker(caps: dict, details: dict) -> None:
+    sock = Path("/var/run/docker.sock")
+    caps["docker_socket"] = sock.exists() and stat.S_ISSOCK(sock.stat().st_mode) and os.access(sock, os.R_OK | os.W_OK)
+    caps["docker_cli"] = which("docker")
+    caps["docker_read"] = False
+    if caps["docker_cli"]:
+        res = run_cmd(["docker", "version", "--format", "{{.Server.Version}}"], timeout=4)
+        caps["docker_read"] = res.ok
+        if res.ok:
+            details["docker_server_version"] = res.stdout.strip()
+    # With Docker there is no finer-grained authz: daemon access implies write.
+    caps["docker_write"] = caps["docker_read"]
+
+
+def _probe_kubernetes(caps: dict, details: dict) -> None:
+    kubeconfig = os.environ.get("KUBECONFIG")
+    has_kubeconfig = bool(kubeconfig and Path(kubeconfig).is_file()) or (Path.home() / ".kube" / "config").is_file()
+    in_cluster = bool(os.environ.get("KUBERNETES_SERVICE_HOST"))
+    caps["kubeconfig"] = has_kubeconfig
+    caps["kubernetes_in_cluster"] = in_cluster
+    caps["kubectl_cli"] = which("kubectl")
+    caps["kubernetes_read"] = False
+    caps["kubernetes_write"] = False
+    if not caps["kubectl_cli"] or not (has_kubeconfig or in_cluster):
+        return
+    res = run_cmd(["kubectl", "get", "namespaces", "-o", "name", "--request-timeout=3s"], timeout=6)
+    if res.ok:
+        caps["kubernetes_read"] = True
+        namespaces = [line.split("/", 1)[-1] for line in res.stdout.splitlines() if line.strip()]
+        details["kubernetes_namespaces"] = namespaces
+        ctx = run_cmd(["kubectl", "config", "current-context"], timeout=3)
+        if ctx.ok:
+            details["kubernetes_context"] = ctx.stdout.strip()
+        can_i = run_cmd(
+            ["kubectl", "auth", "can-i", "patch", "deployments", "--request-timeout=3s"], timeout=6
+        )
+        caps["kubernetes_write"] = can_i.ok and can_i.stdout.strip().lower().startswith("yes")
+
+
+def _probe_aws(caps: dict, details: dict) -> None:
+    caps["aws_cli"] = which("aws")
+    env_creds = bool(os.environ.get("AWS_ACCESS_KEY_ID") or os.environ.get("AWS_PROFILE"))
+    file_creds = (Path.home() / ".aws" / "credentials").is_file() or (Path.home() / ".aws" / "config").is_file()
+    caps["aws_credentials"] = env_creds or file_creds
+    caps["aws_read"] = False
+    if caps["aws_cli"] and caps["aws_credentials"]:
+        res = run_cmd(["aws", "sts", "get-caller-identity", "--output", "json"], timeout=8)
+        caps["aws_read"] = res.ok
+        if res.ok:
+            from cirdan.util import parse_json
+
+            ident = parse_json(res.stdout)
+            if isinstance(ident, dict):
+                details["aws_account"] = ident.get("Account")
+                details["aws_arn"] = ident.get("Arn")
+
+
+def _probe_cloud_cli(caps: dict) -> None:
+    caps["azure_cli"] = which("az")
+    caps["azure_config"] = (Path.home() / ".azure").is_dir()
+    caps["gcloud_cli"] = which("gcloud")
+    caps["gcloud_config"] = (Path.home() / ".config" / "gcloud").is_dir()
+
+
+def _probe_systemd(caps: dict) -> None:
+    caps["systemd"] = which("systemctl") and Path("/run/systemd/system").exists()
+    caps["journald"] = which("journalctl")
+
+
+def _probe_prometheus(caps: dict, details: dict, config: CirdanConfig) -> None:
+    caps["prometheus_read"] = False
+    candidates = []
+    if config.telemetry.prometheus_url:
+        candidates.append(config.telemetry.prometheus_url)
+    if os.environ.get("PROMETHEUS_URL"):
+        candidates.append(os.environ["PROMETHEUS_URL"])
+    candidates.append("http://localhost:9090")
+    for url in candidates:
+        try:
+            resp = httpx.get(url.rstrip("/") + "/-/ready", timeout=1.5)
+            if resp.status_code < 500:
+                caps["prometheus_read"] = True
+                details["prometheus_url"] = url.rstrip("/")
+                return
+        except httpx.HTTPError:
+            continue
+
+
+def detect_access(config: CirdanConfig) -> AccessContext:
+    root = config.root_path
+    caps: dict[str, bool] = {}
+    details: dict = {}
+
+    caps["file_read"], caps["file_write"] = _probe_files(root)
+    caps["shell"] = which("sh") or which("bash")
+    _probe_docker(caps, details)
+    _probe_kubernetes(caps, details)
+    _probe_aws(caps, details)
+    _probe_cloud_cli(caps)
+    _probe_systemd(caps)
+    _probe_prometheus(caps, details, config)
+
+    return AccessContext(
+        source={
+            "agent": _detect_agent(),
+            "workspace": str(root),
+            "user": os.environ.get("USER", "unknown"),
+        },
+        capabilities=caps,
+        details=details,
+    )
+
+
+def render_access_report(ctx: AccessContext) -> str:
+    caps = ctx.capabilities
+
+    def yn(key: str) -> str:
+        return "yes" if caps.get(key) else "no"
+
+    lines = [
+        "Cirdan Access Report",
+        "",
+        f"Source: {ctx.source.get('agent')} (workspace {ctx.source.get('workspace')})",
+        f"Mode:   {ctx.mode}",
+        "",
+        "Files:",
+        f"  repo read: {yn('file_read')}",
+        f"  repo write: {yn('file_write')}",
+        "",
+        "Shell:",
+        f"  available: {yn('shell')}",
+        "",
+        "Docker:",
+        f"  docker socket: {yn('docker_socket')}",
+        f"  docker CLI: {yn('docker_cli')}",
+        f"  daemon reachable: {yn('docker_read')}",
+        "",
+        "Kubernetes:",
+        f"  kubeconfig: {yn('kubeconfig')}",
+        f"  in-cluster service account: {yn('kubernetes_in_cluster')}",
+        f"  read access: {yn('kubernetes_read')}",
+        f"  write access: {yn('kubernetes_write')}",
+    ]
+    namespaces = ctx.details.get("kubernetes_namespaces")
+    if namespaces:
+        lines.append(f"  namespaces visible: {', '.join(namespaces)}")
+    lines += [
+        "",
+        "Cloud:",
+        f"  AWS identity: {'detected' if caps.get('aws_read') else 'not detected'}",
+        f"  Azure identity: {'possible' if caps.get('azure_config') else 'not detected'}",
+        f"  GCP identity: {'possible' if caps.get('gcloud_config') else 'not detected'}",
+        "",
+        "Telemetry:",
+        f"  prometheus: {ctx.details.get('prometheus_url', 'not detected')}",
+        f"  journald: {yn('journald')}",
+        "",
+        "Runtime:",
+        f"  systemd: {yn('systemd')}",
+        f"  docker: {yn('docker_read')}",
+        f"  kubernetes: {yn('kubernetes_read')}",
+    ]
+    return "\n".join(lines) + "\n"

cirdan/access/redaction.py

@@ -0,0 +1,56 @@
+"""Scrub secret-shaped values before anything is written to artifacts or logs."""
+
+from __future__ import annotations
+
+import re
+
+REDACTED = "[REDACTED]"
+
+SECRET_KEY_RE = re.compile(
+    r"(secret|token|password|passwd|credential|api[_-]?key|access[_-]?key|private[_-]?key|auth)",
+    re.IGNORECASE,
+)
+
+_PATTERNS = [
+    # user:password@ in URLs
+    re.compile(r"(?<=://)([^/\s:@]+):([^/\s@]+)(?=@)"),
+    # AWS access key ids and session-ish tokens
+    re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
+    # Bearer tokens
+    re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{16,}"),
+    # key=value pairs where the key looks secret
+    re.compile(
+        r"(?i)\b([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL|API_?KEY|ACCESS_?KEY|PRIVATE_?KEY)[A-Z0-9_]*)\s*[=:]\s*([^\s,;\"']+)"
+    ),
+    # PEM blocks
+    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
+]
+
+
+def redact_text(text: str) -> str:
+    if not text:
+        return text
+    out = text
+    out = _PATTERNS[0].sub(REDACTED, out)
+    out = _PATTERNS[1].sub(REDACTED, out)
+    out = _PATTERNS[2].sub(f"Bearer {REDACTED}", out)
+    out = _PATTERNS[3].sub(lambda m: f"{m.group(1)}={REDACTED}", out)
+    out = _PATTERNS[4].sub(REDACTED, out)
+    return out
+
+
+def redact_obj(obj: object) -> object:
+    """Recursively redact strings; values under secret-shaped keys are dropped entirely."""
+    if isinstance(obj, dict):
+        out = {}
+        for key, value in obj.items():
+            if isinstance(key, str) and SECRET_KEY_RE.search(key) and isinstance(value, str) and value:
+                out[key] = REDACTED
+            else:
+                out[key] = redact_obj(value)
+        return out
+    if isinstance(obj, list):
+        return [redact_obj(v) for v in obj]
+    if isinstance(obj, str):
+        return redact_text(obj)
+    return obj

cirdan/actions/__init__.py

@@ -0,0 +1,3 @@
+from cirdan.actions.executor import ActionRecord, execute_action, find_action, list_actions
+
+__all__ = ["ActionRecord", "execute_action", "find_action", "list_actions"]

cirdan/actions/executor.py

@@ -0,0 +1,165 @@
+"""Action discovery and execution through inherited session access.
+
+Cirdan never escalates: an action exists only if the adapter that owns it can
+already run the underlying command with the session's credentials. Every
+execution is recorded — pre-state, command, output, post-state — in the
+actions table, the audit log, and the graph itself.
+"""
+
+from __future__ import annotations
+
+import json
+import uuid
+
+from pydantic import BaseModel, Field
+
+from cirdan.access.redaction import redact_text
+from cirdan.adapters.base import ActionResult, ActionSpec
+from cirdan.adapters.registry import get_adapters
+from cirdan.engine import CirdanEngine
+from cirdan.graph.schema import Confidence, Edge, Node, NodeType, Origin, Relation
+from cirdan.util import now_iso
+
+
+class ActionRecord(BaseModel):
+    record_id: str
+    spec: ActionSpec
+    status: str = "executed"  # executed | verify_passed | verify_failed
+    pre_state: dict = Field(default_factory=dict)
+    post_state: dict = Field(default_factory=dict)
+    result: ActionResult | None = None
+    verification: dict = Field(default_factory=dict)
+    created_at: str = Field(default_factory=now_iso)
+
+
+def _live_adapters(engine: CirdanEngine) -> dict:
+    return {a.name: a for a in get_adapters(engine.config, engine.access, kind="live")}
+
+
+def list_actions(engine: CirdanEngine, node_ref: str) -> list[ActionSpec]:
+    node = engine.store.resolve(node_ref)
+    if node is None:
+        return []
+    specs: list[ActionSpec] = []
+    for adapter in _live_adapters(engine).values():
+        try:
+            specs.extend(adapter.actions(node))
+        except Exception:
+            continue
+    # Workload nodes inherit actions from the runtime resources they create.
+    for edge in engine.store.edges_for(node.id, direction="out"):
+        if edge.relation != Relation.CREATES:
+            continue
+        child = engine.store.get_node(edge.target)
+        if child:
+            for adapter in _live_adapters(engine).values():
+                try:
+                    specs.extend(adapter.actions(child))
+                except Exception:
+                    continue
+    seen: set[str] = set()
+    unique = []
+    for spec in specs:
+        if spec.id not in seen:
+            seen.add(spec.id)
+            unique.append(spec)
+    return unique
+
+
+def find_action(engine: CirdanEngine, action_id: str) -> ActionSpec | None:
+    """Resolve an action id like docker.restart:my-container back to a live spec."""
+    if ":" not in action_id:
+        return None
+    target = action_id.split(":", 1)[1]
+    for ref in (target, target.split("/")[-1]):
+        for spec in list_actions(engine, ref):
+            if spec.id == action_id:
+                return spec
+    return None
+
+
+def execute_action(engine: CirdanEngine, spec: ActionSpec) -> ActionRecord:
+    adapter = _live_adapters(engine).get(spec.adapter)
+    if adapter is None:
+        raise RuntimeError(f"adapter '{spec.adapter}' is not available in this session")
+    record = ActionRecord(record_id=f"act-{uuid.uuid4().hex[:8]}", spec=spec)
+    try:
+        record.pre_state = adapter.current_state(spec.node_id)
+    except Exception:
+        record.pre_state = {}
+    result = adapter.execute(spec)
+    result.stdout = redact_text(result.stdout)
+    result.stderr = redact_text(result.stderr)
+    record.result = result
+    try:
+        record.post_state = adapter.current_state(spec.node_id)
+    except Exception:
+        record.post_state = {}
+    _persist(engine, record)
+    _record_in_graph(engine, record)
+    _attach_to_incidents(engine, record)
+    engine.audit.write(
+        "action",
+        f"executed {spec.id} ({'ok' if result.ok else 'failed rc=' + str(result.returncode)})",
+        record_id=record.record_id, command=" ".join(spec.argv), writes=spec.writes,
+    )
+    return record
+
+
+def _persist(engine: CirdanEngine, record: ActionRecord) -> None:
+    with engine.store.lock:
+        engine.store.conn.execute(
+            "INSERT OR REPLACE INTO actions (id, status, created_at, data) VALUES (?,?,?,?)",
+            (record.record_id, record.status, record.created_at, record.model_dump_json()),
+        )
+        engine.store.conn.commit()
+
+
+def get_record(engine: CirdanEngine, record_id: str) -> ActionRecord | None:
+    with engine.store.lock:
+        row = engine.store.conn.execute(
+            "SELECT data FROM actions WHERE id=? OR id LIKE ?", (record_id, f"{record_id}%")
+        ).fetchone()
+    return ActionRecord.model_validate_json(row["data"]) if row else None
+
+
+def update_record(engine: CirdanEngine, record: ActionRecord) -> None:
+    _persist(engine, record)
+
+
+def list_records(engine: CirdanEngine, limit: int = 50) -> list[ActionRecord]:
+    with engine.store.lock:
+        rows = engine.store.conn.execute(
+            "SELECT data FROM actions ORDER BY created_at DESC LIMIT ?", (limit,)
+        ).fetchall()
+    return [ActionRecord.model_validate_json(r["data"]) for r in rows]
+
+
+def _record_in_graph(engine: CirdanEngine, record: ActionRecord) -> None:
+    spec, result = record.spec, record.result
+    engine.store.upsert_node(
+        Node(
+            id=f"action:{record.record_id}", type=NodeType.ACTION.value,
+            name=f"{spec.name} {spec.node_id}", origin=Origin.DERIVED, source_adapter="actions",
+            confidence=Confidence.EXTRACTED,
+            evidence=[f"command: {' '.join(spec.argv)}",
+                      f"exit code {result.returncode if result else '?'} at {record.created_at}"],
+            attrs={"ok": bool(result and result.ok), "writes": spec.writes,
+                   "record_id": record.record_id},
+        )
+    )
+    if engine.store.get_node(spec.node_id):
+        engine.store.upsert_edge(
+            Edge(source=f"action:{record.record_id}", target=spec.node_id,
+                 relation=Relation.AFFECTS, confidence=Confidence.EXTRACTED,
+                 evidence=[f"action executed against {spec.node_id}"])
+        )
+
+
+def _attach_to_incidents(engine: CirdanEngine, record: ActionRecord) -> None:
+    for incident in engine.incidents.list(include_resolved=False):
+        if record.spec.node_id in incident.affected_nodes:
+            incident.actions.append(record.record_id)
+            if record.spec.writes:
+                incident.transition("verifying", f"action {record.spec.id} executed")
+            engine.incidents.upsert(incident)

cirdan/adapters/__init__.py

@@ -0,0 +1,3 @@
+from cirdan.adapters.base import ActionResult, ActionSpec, Adapter, Signal
+
+__all__ = ["ActionResult", "ActionSpec", "Adapter", "Signal"]

cirdan/adapters/aws.py

@@ -0,0 +1,141 @@
+"""Live adapter: read-only AWS discovery via the aws CLI and credentials already present.
+
+Every call is best-effort: a missing permission simply means that surface
+stays invisible, mirroring exactly what the current session could see by hand.
+"""
+
+from __future__ import annotations
+
+from cirdan.adapters.base import Adapter, Signal
+from cirdan.graph.schema import Confidence, DiscoveryResult, Edge, Node, NodeType, Origin, Relation
+from cirdan.util import parse_json, run_cmd
+
+AWS_TIMEOUT = 15
+
+
+def _aws_json(args: list[str]) -> dict | list | None:
+    res = run_cmd(["aws", *args, "--output", "json"], timeout=AWS_TIMEOUT)
+    return parse_json(res.stdout) if res.ok else None
+
+
+class AwsAdapter(Adapter):
+    name = "aws"
+    kind = "live"
+
+    def available(self) -> bool:
+        return self.access.can("aws_read")
+
+    def fingerprint(self) -> list[Signal]:
+        if self.access.details.get("aws_account"):
+            return [Signal(system="aws", weight=0.5,
+                           evidence=f"AWS account {self.access.details['aws_account']} reachable")]
+        return []
+
+    def discover(self) -> DiscoveryResult:
+        result = DiscoveryResult(adapter=self.name)
+        account = self.access.details.get("aws_account", "unknown")
+        account_id = f"aws-account:{account}"
+        result.nodes.append(
+            Node(id=account_id, type=NodeType.CLOUD_ACCOUNT.value, name=f"aws {account}",
+                 origin=Origin.LIVE, source_adapter=self.name,
+                 evidence=["aws sts get-caller-identity"],
+                 attrs={"provider": "aws", "account": account})
+        )
+
+        def contain(nid: str, evidence: str) -> None:
+            result.edges.append(
+                Edge(source=account_id, target=nid, relation=Relation.CONTAINS,
+                     confidence=Confidence.EXTRACTED, evidence=[evidence])
+            )
+
+        rds = _aws_json(["rds", "describe-db-instances"])
+        for db in (rds or {}).get("DBInstances", []) if isinstance(rds, dict) else []:
+            ident = db.get("DBInstanceIdentifier", "unknown")
+            nid = f"database:{ident}"
+            result.nodes.append(
+                Node(id=nid, type=NodeType.DATABASE.value, name=ident,
+                     origin=Origin.LIVE, source_adapter=self.name,
+                     evidence=["aws rds describe-db-instances"],
+                     attrs={"engine": db.get("Engine"), "state": db.get("DBInstanceStatus"),
+                            "endpoint": (db.get("Endpoint") or {}).get("Address"),
+                            "instance_class": db.get("DBInstanceClass"), "provider": "aws"})
+            )
+            contain(nid, "RDS instance in account")
+
+        lbs = _aws_json(["elbv2", "describe-load-balancers"])
+        for lb in (lbs or {}).get("LoadBalancers", []) if isinstance(lbs, dict) else []:
+            name = lb.get("LoadBalancerName", "unknown")
+            nid = f"loadbalancer:{name}"
+            result.nodes.append(
+                Node(id=nid, type=NodeType.LOAD_BALANCER.value, name=name,
+                     origin=Origin.LIVE, source_adapter=self.name,
+                     evidence=["aws elbv2 describe-load-balancers"],
+                     attrs={"dns_name": lb.get("DNSName"), "state": (lb.get("State") or {}).get("Code"),
+                            "public": lb.get("Scheme") == "internet-facing", "provider": "aws"})
+            )
+            contain(nid, "load balancer in account")
+
+        eks = _aws_json(["eks", "list-clusters"])
+        for name in (eks or {}).get("clusters", []) if isinstance(eks, dict) else []:
+            nid = f"cluster:{name}"
+            result.nodes.append(
+                Node(id=nid, type=NodeType.CLUSTER.value, name=name,
+                     origin=Origin.LIVE, source_adapter=self.name,
+                     evidence=["aws eks list-clusters"], attrs={"provider": "aws", "kind": "eks"})
+            )
+            contain(nid, "EKS cluster in account")
+
+        sqs = _aws_json(["sqs", "list-queues"])
+        for url in (sqs or {}).get("QueueUrls", []) if isinstance(sqs, dict) else []:
+            name = url.rstrip("/").rsplit("/", 1)[-1]
+            nid = f"queue:{name}"
+            result.nodes.append(
+                Node(id=nid, type=NodeType.QUEUE.value, name=name,
+                     origin=Origin.LIVE, source_adapter=self.name,
+                     evidence=["aws sqs list-queues"], attrs={"provider": "aws"})
+            )
+            contain(nid, "SQS queue in account")
+
+        ec2 = _aws_json(["ec2", "describe-instances", "--max-results", "100"])
+        for reservation in (ec2 or {}).get("Reservations", []) if isinstance(ec2, dict) else []:
+            for inst in reservation.get("Instances", []):
+                iid = inst.get("InstanceId", "unknown")
+                tags = {t["Key"]: t["Value"] for t in inst.get("Tags", []) or []}
+                name = tags.get("Name", iid)
+                nid = f"compute:{iid}"
+                result.nodes.append(
+                    Node(id=nid, type=NodeType.COMPUTE_NODE.value, name=name,
+                         origin=Origin.LIVE, source_adapter=self.name,
+                         evidence=["aws ec2 describe-instances"],
+                         attrs={"instance_id": iid, "state": (inst.get("State") or {}).get("Name"),
+                                "instance_type": inst.get("InstanceType"), "provider": "aws"})
+                )
+                contain(nid, "EC2 instance in account")
+
+        s3 = _aws_json(["s3api", "list-buckets"])
+        for bucket in (s3 or {}).get("Buckets", []) if isinstance(s3, dict) else []:
+            name = bucket.get("Name", "unknown")
+            nid = f"bucket:{name}"
+            result.nodes.append(
+                Node(id=nid, type=NodeType.BUCKET.value, name=name,
+                     origin=Origin.LIVE, source_adapter=self.name,
+                     evidence=["aws s3api list-buckets"], attrs={"provider": "aws"})
+            )
+            contain(nid, "S3 bucket in account")
+        return result
+
+    def collect_logs(self, scope: str, lines: int = 200) -> list[str]:
+        group = scope.split(":", 1)[-1]
+        res = run_cmd(
+            ["aws", "logs", "tail", group, "--format", "short", "--since", "1h"], timeout=AWS_TIMEOUT
+        )
+        return res.stdout.splitlines()[-lines:] if res.ok else []
+
+    def current_state(self, scope: str) -> dict:
+        name = scope.split(":", 1)[-1]
+        if scope.startswith("database:"):
+            data = _aws_json(["rds", "describe-db-instances", "--db-instance-identifier", name])
+            instances = (data or {}).get("DBInstances", []) if isinstance(data, dict) else []
+            if instances:
+                return {"state": instances[0].get("DBInstanceStatus"), "engine": instances[0].get("Engine")}
+        return {}