cmmc2-toolkit 0.2.0__py3-none-any.whl

cmmc2_toolkit-0.2.0.dist-info/METADATA

@@ -0,0 +1,109 @@
+Metadata-Version: 2.4
+Name: cmmc2-toolkit
+Version: 0.2.0
+Summary: CMMC 2.0 Level 2 compliance scanner and admin dashboard for web application teams
+Author-email: David Moorhead <david.moorhead37@gmail.com>
+License-Expression: MIT
+Keywords: cmmc,compliance,nist,800-171,security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Security
+Classifier: Programming Language :: Python :: 3
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: flask>=3.0
+Requires-Dist: click>=8.0
+Requires-Dist: openpyxl>=3.1
+Requires-Dist: bcrypt>=4.0
+Requires-Dist: flask-login>=0.6
+Requires-Dist: flask-wtf>=1.2
+Requires-Dist: pyotp>=2.9
+Requires-Dist: qrcode[pil]>=7.4
+Requires-Dist: flask-limiter>=3.5
+Requires-Dist: waitress>=3.0
+Provides-Extra: mongo
+Requires-Dist: pymongo>=4.0; extra == "mongo"
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
+
+# cmmc2-toolkit
+
+A self-contained Python package that gives any web application team a **CMMC 2.0 Level 2** compliance scanner and admin dashboard — installable via pip, zero infrastructure required.
+
+## Features
+
+- **62 controls** — all CMMC Level 1 (17), Level 2 practices, and optional Level 3 (24) controls
+- **Auto-scan** for 5 platforms: Flask, Django, FastAPI, Express/Node.js, Spring Boot
+- **Dashboard** — per-project compliance tracker with status, progress, target dates, and audit log
+- **POA&M** — Plan of Action & Milestones view for Gap / Partial / Manual controls
+- **Excel export** — one-click 3-tab workbook (Dashboard, POA&M, Audit Log)
+- **Audit log** — every status change timestamped and attributed to a user
+- **REST API** — agent ingest endpoint for CI/CD pipeline integration
+
+## Quickstart
+
+```bash
+pip install cmmc2-toolkit
+
+cmmc2 serve                        # launch dashboard at http://localhost:5050
+cmmc2 scan --path /path/to/project # run programmatic checks (CLI mode)
+cmmc2 export --out poam.xlsx       # export POA&M to Excel
+```
+
+On first launch the dashboard creates an admin account automatically (`admin` / `BWIadmin!2026` — change it immediately).
+
+## Supported platforms
+
+| Platform | Auto-detected by | Auto-checks |
+|---|---|---|
+| Flask | `flask` in requirements / `app.py` | 25 controls |
+| Django | `django` in requirements / `manage.py` | 25 controls |
+| FastAPI | `fastapi` in requirements / `main.py` | 25 controls |
+| Express / Next.js | `express` or `next` in `package.json` | 25 controls |
+| Spring Boot / WildFly | `spring-boot` in `pom.xml` / `WEB-INF` | 25 controls |
+
+Unsupported platforms fall back to full manual tracking mode.
+
+## Dashboard
+
+```
+cmmc2 serve --port 5050
+```
+
+- Create projects by URL or local path
+- Run a live scan against a local codebase
+- Track status (Pass / Gap / Partial / Manual) per control
+- Every status change requires a note — written to the immutable audit log
+- Level 3 controls (NIST SP 800-172) are opt-in per project
+- Export the full workbook (Dashboard + POA&M + Audit Log tabs) with one click
+
+On Windows, use the included `serve.ps1` launcher if `cmmc2` is not yet on your PATH.
+
+## Architecture
+
+```
+cmmc2toolkit/
+├── controls.py          # 62 CMMC control definitions (L1 + L2 + L3)
+├── models.py            # Control, Finding dataclasses
+├── cli.py               # click CLI (scan | serve | export | init)
+├── detector/            # auto-detect platform from project files
+├── adapters/            # platform-specific check runners
+├── checks/              # atomic grep-based check functions
+├── store/               # SQLiteStore + StoreBase ABC
+├── auth/                # password hashing, TOTP, session management
+├── dashboard/           # Flask micro-app (routes + Jinja2 templates)
+└── export.py            # openpyxl 3-tab Excel export
+```
+
+## Contributing an adapter
+
+1. Subclass `AdapterBase` in `cmmc2toolkit/adapters/adapter_<platform>.py`
+2. Implement `check_all() -> list[Finding]`
+3. Register it in `adapters/base.py` → `get_adapter()` registry
+4. Add fingerprint rules in `detector/fingerprints.py`
+5. Open a PR
+
+## License
+
+MIT

cmmc2_toolkit-0.2.0.dist-info/RECORD

@@ -0,0 +1,51 @@
+cmmc2agent/__init__.py,sha256=lo8AMhMpp0dcllCcc_lCfPHjMs3zSKqVTBmeCCpFPps,89
+cmmc2agent/cli.py,sha256=fVa_m6NcyXZnvSFh85K6kAY2CNyXTovoJ6022jfiLgw,3455
+cmmc2agent/config.py,sha256=ydnDYBAVdcZ4yRYUUpgvW3U_zbP18c1JCEBwvl3Eq3Y,1649
+cmmc2agent/poster.py,sha256=X8ZSIzKuW51xlIyAjASzzMog0jvrZgUtdqcRoTAoWQk,1365
+cmmc2toolkit/__init__.py,sha256=6nt07LUM6qqUB9DgZtwlA2mT84qX5xX_NGAUEMQahBM,97
+cmmc2toolkit/cli.py,sha256=iKYxfMs5X1Sn8_uiUh3aiENY0vrZr9uMIWzp0QsDJCE,3316
+cmmc2toolkit/controls.py,sha256=2l_cJwJjCjMP-6aG67M2EYgOJRdB8IRfhjfaGmKhFLQ,16343
+cmmc2toolkit/export.py,sha256=AYJvtvwD1wn8V3oDs7usLvBPfCV_Nm-ss63yf0G51Pg,4125
+cmmc2toolkit/models.py,sha256=zmLNtFRJu0QpVKFzT_WYBk7RU6M4SRywCMIM5rqkjNo,1489
+cmmc2toolkit/adapters/__init__.py,sha256=24DMsY1UDbTt0BtVlirW8rUvqkEZMEDwBwGn7_nmXQw,106
+cmmc2toolkit/adapters/adapter_django.py,sha256=ifyUyq2Gv0Rmrbft34w3fCVm4_NIDisco0wZpms9h-k,6630
+cmmc2toolkit/adapters/adapter_express.py,sha256=nJSQ9j7HNUMt57CjAtPXhdq_ffLq_FGxKwxvPW7zWps,8337
+cmmc2toolkit/adapters/adapter_fastapi.py,sha256=viD1jw8jc30OftQ4Btv6ja26WSEzqi-nrWwrPfoEjEs,8263
+cmmc2toolkit/adapters/adapter_flask.py,sha256=xcwUzZblW0h3NpqQL1IvtCSkS9KemQPF2K0YV8Q-Fvs,2875
+cmmc2toolkit/adapters/adapter_spring.py,sha256=mMBiRsFTz0mnbeBMoImkKDcFReSiZgfcZHWl1OQQivE,8898
+cmmc2toolkit/adapters/base.py,sha256=1Qy8sr2kdvT6Cw4o60rflzwm9cSQvnvVpkaW_sfHp1E,1904
+cmmc2toolkit/auth/__init__.py,sha256=X9aGekY2x65Q6Pwx-ahirDmR1ud8PBpxvkU2vuS4w5k,402
+cmmc2toolkit/auth/models.py,sha256=qkPWXFxslG97XSU7Bsq-2wo57m5HKH2J6Lpm2qwoDI0,1060
+cmmc2toolkit/auth/passwords.py,sha256=nq_Gpp1DPQ5VOGnWBeaF2msl8nySvmLXaHglh-XMKtU,1628
+cmmc2toolkit/auth/store.py,sha256=Fz_KajaARgnZdPwrTwyHwpunUyPZvRs6Ud_X7MlOjJc,7761
+cmmc2toolkit/auth/totp.py,sha256=Gu9xSUVjh37_YxKY1JU14sL5VTPqp2Zx4dKA_Kjatro,707
+cmmc2toolkit/checks/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+cmmc2toolkit/checks/access.py,sha256=rzLpvDDfLtiU_XIhZofp_7lKn1mPNPIgqlTiGJTWcv4,1766
+cmmc2toolkit/checks/audit.py,sha256=i_HxtBuWAaoJ5hnyn8ThRfvfM_EP8PIt2ZuW5yfGN3E,431
+cmmc2toolkit/checks/auth.py,sha256=p7ihcVJXPbFfh7lNKOoTVCDprFPhLwuWH60etmGxvQM,1960
+cmmc2toolkit/checks/config.py,sha256=zEEIOz5x30onC86eVo6H_OEQCDAuRz9gP74EzAZ5wZg,1837
+cmmc2toolkit/checks/integrity.py,sha256=IC-pAK_TRqT6zqHuB2WJxmbEPdjhj4TV51Rgp0-gzLg,4413
+cmmc2toolkit/checks/transport.py,sha256=K_E0KCK8IAPIbLbJNPwpaFcIHIkJ4ZY44POXXgI_SBQ,623
+cmmc2toolkit/dashboard/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+cmmc2toolkit/dashboard/app.py,sha256=97iOfk5FRN3s2PYyjcfx1x7CoJO0A-qpMUj6zpQ7_Ss,24760
+cmmc2toolkit/dashboard/templates/audit_log.html,sha256=n4RW3QEgGr7SAhV_cw6ER4G1MvAsgw04xFjrijPL0H0,3162
+cmmc2toolkit/dashboard/templates/dashboard.html,sha256=Qz02FEc9vMo7f23je1psoF5d2E3BIkblfMgB0d0UCMw,22542
+cmmc2toolkit/dashboard/templates/home.html,sha256=hvQmwVjlVf-pNaZCPkHtvkP5tFjqssuUPwSNkhIHEUA,12312
+cmmc2toolkit/dashboard/templates/login.html,sha256=xloh3KNhdn2gSvYJCQN0EwkU8LDA-gdnOq6GBTdPKnc,3347
+cmmc2toolkit/dashboard/templates/mfa.html,sha256=LHVBffijdP0-CEVGgQHIMg2ZazFoYRPiiNDxTYvYaBk,2834
+cmmc2toolkit/dashboard/templates/poam.html,sha256=kdYkMV1JtyoB2aABy84C_PM90ANSvixnHcAUM8A7aDM,3333
+cmmc2toolkit/dashboard/templates/register.html,sha256=XMuz7uNGtBz0fQRcfuoKGOq8z-_L5cWFll95plBlQkg,4052
+cmmc2toolkit/dashboard/templates/setup_mfa.html,sha256=H8bheFPnA7SH08nQ4uh5CRE3yQrNxYa_Z2db7-8PQ5Y,2319
+cmmc2toolkit/detector/__init__.py,sha256=Hm4JD2Ards-453GjV1tdR1yPnjxIxlotsDJzHVfEzYo,163
+cmmc2toolkit/detector/base.py,sha256=nmdVIgtA9EB20kwuMCJ2rXFuasiOYsrkg_7v4lbIXYs,2390
+cmmc2toolkit/detector/fingerprints.py,sha256=B0quxOE9AhFrcAFi8ApSpm3cMx1OIxINF0npsm8eDmE,1647
+cmmc2toolkit/detector/profile.py,sha256=WwXEqO1vB72IvLZdWi4Usk2dL3_uDzs8b_HQCrnBWmo,543
+cmmc2toolkit/store/__init__.py,sha256=hh6rTTTnGktVGPsTkCIOIlp8pwHPkKoXp_3aGT7nTy4,217
+cmmc2toolkit/store/base.py,sha256=-omdiv4Mg-29fQLkx39rtHcOrzuK6x2M085J-4jJ2TI,631
+cmmc2toolkit/store/registry.py,sha256=YlPSqWUehbiUie4SMelhQO4tvnRk1jCenjSxzt2eDi4,6841
+cmmc2toolkit/store/store_sqlite.py,sha256=y1XRfXXHmD0mgqppnxROQlylvtnEvERmaKd7RYwrJ0E,8642
+cmmc2_toolkit-0.2.0.dist-info/METADATA,sha256=tQKoJy9XRFvZDRM2_jNvx9hIh-ElrpYLIEUpaDtMQDM,4308
+cmmc2_toolkit-0.2.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+cmmc2_toolkit-0.2.0.dist-info/entry_points.txt,sha256=ButJtfhSa82YSBgNddNBMU4Lh4SO68-vQ_bIKbqcqW8,81
+cmmc2_toolkit-0.2.0.dist-info/top_level.txt,sha256=T_vE6nTZCeibBZ3qYBlfUJ-bMiei3TM3bC_tTeN4caw,24
+cmmc2_toolkit-0.2.0.dist-info/RECORD,,

cmmc2_toolkit-0.2.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

cmmc2_toolkit-0.2.0.dist-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+cmmc2 = cmmc2toolkit.cli:main
+cmmc2agent = cmmc2agent.cli:main

cmmc2_toolkit-0.2.0.dist-info/top_level.txt

@@ -0,0 +1,2 @@
+cmmc2agent
+cmmc2toolkit

cmmc2agent/__init__.py

@@ -0,0 +1,2 @@
+"""cmmc2-agent — lightweight scanner agent for cmmc2-toolkit."""
+__version__ = "0.1.0"

cmmc2agent/cli.py

@@ -0,0 +1,94 @@
+"""cmmc2agent CLI entry point."""
+import click
+from cmmc2agent.config import load_config, TOML_TEMPLATE
+
+
+@click.group()
+def main():
+    """CMMC 2.0 scanner agent — posts results to a central dashboard."""
+
+
+@main.command()
+@click.option("--config", default=None, help="Path to cmmc2agent.toml")
+@click.option("--dry-run", is_flag=True, help="Run checks but do not post results.")
+def scan(config, dry_run):
+    """Run compliance checks and POST results to the dashboard."""
+    from cmmc2toolkit.detector import detect_platform
+    from cmmc2toolkit.adapters import get_adapter
+    from cmmc2agent.poster import post_findings
+
+    try:
+        cfg = load_config(config)
+    except (FileNotFoundError, RuntimeError) as e:
+        click.secho(str(e), fg="red")
+        raise SystemExit(1)
+
+    click.echo(f"Scanning: {cfg.scan_path}")
+    profile = detect_platform(cfg.scan_path)
+    click.echo(f"Platform: {profile.platform}  Language: {profile.language}")
+
+    try:
+        adapter  = get_adapter(profile)
+        findings = adapter.check_all()
+    except NotImplementedError as e:
+        click.secho(str(e), fg="yellow")
+        raise SystemExit(1)
+
+    passed = [f for f in findings if f.passed]
+    failed = [f for f in findings if not f.passed]
+    click.echo(f"Results : {len(passed)} passed / {len(failed)} failed")
+
+    for f in failed:
+        click.secho(f"  ✗ {f.practice_id}  {f.detail[:80]}", fg="red")
+    for f in passed:
+        click.secho(f"  ✓ {f.practice_id}  {f.detail[:80]}", fg="green")
+
+    if dry_run:
+        click.secho("\nDry run — results not posted.", fg="yellow")
+        return
+
+    click.echo(f"\nPosting to: {cfg.ingest_url}")
+    try:
+        result = post_findings(
+            ingest_url=cfg.ingest_url,
+            api_key=cfg.api_key,
+            project_id=cfg.project_id,
+            platform=profile.platform,
+            scan_path=cfg.scan_path,
+            findings=findings,
+        )
+        click.secho(
+            f"Dashboard updated — "
+            f"{result.get('passed',0)} passed, "
+            f"{result.get('failed',0)} failed, "
+            f"{result.get('skipped',0)} skipped.",
+            fg="green", bold=True,
+        )
+    except RuntimeError as e:
+        click.secho(f"Post failed: {e}", fg="red")
+        raise SystemExit(1)
+
+
+@main.command("init")
+@click.option("--dashboard-url", prompt="Central dashboard URL",
+              help="e.g. http://cmmc2.mycompany.com:5050")
+@click.option("--api-key",       prompt="API key",
+              help="Issued when you created the project on the dashboard.")
+@click.option("--project-id",    prompt="Project ID",
+              help="Shown on the dashboard home page after project creation.")
+@click.option("--scan-path",     prompt="Local scan path",
+              default=".", show_default=True,
+              help="Directory containing the app source code.")
+@click.option("--output", default="cmmc2agent.toml", show_default=True)
+def init_cmd(dashboard_url, api_key, project_id, scan_path, output):
+    """Interactively create a cmmc2agent.toml config file."""
+    from pathlib import Path
+    content = TOML_TEMPLATE.format(
+        dashboard_url=dashboard_url,
+        api_key=api_key,
+        project_id=project_id,
+        scan_path=scan_path,
+    )
+    Path(output).write_text(content)
+    click.secho(f"Config written to {output}", fg="green")
+    click.echo("Run `cmmc2agent scan` to send your first results to the dashboard.")

cmmc2agent/config.py

@@ -0,0 +1,64 @@
+"""Load and validate cmmc2agent.toml config."""
+from dataclasses import dataclass
+from pathlib import Path
+
+try:
+    import tomllib
+except ImportError:
+    try:
+        import tomli as tomllib          # pip install tomli on Python < 3.11
+    except ImportError:
+        tomllib = None
+
+
+DEFAULT_CONFIG_PATHS = [
+    Path("cmmc2agent.toml"),
+    Path.home() / ".cmmc2" / "agent.toml",
+]
+
+
+@dataclass
+class AgentConfig:
+    dashboard_url: str
+    api_key: str
+    project_id: str
+    scan_path: str
+
+    @property
+    def ingest_url(self) -> str:
+        return self.dashboard_url.rstrip("/") + "/api/v1/ingest"
+
+
+def load_config(path: str | Path | None = None) -> AgentConfig:
+    if tomllib is None:
+        raise RuntimeError(
+            "TOML support not available. On Python < 3.11, run: pip install tomli"
+        )
+
+    candidates = [Path(path)] if path else DEFAULT_CONFIG_PATHS
+    for candidate in candidates:
+        if candidate.exists():
+            with open(candidate, "rb") as f:
+                data = tomllib.load(f)
+            return AgentConfig(
+                dashboard_url=data["dashboard_url"],
+                api_key=data["api_key"],
+                project_id=data["project_id"],
+                scan_path=data["scan_path"],
+            )
+
+    raise FileNotFoundError(
+        "No cmmc2agent.toml found. Run `cmmc2agent init` to create one, "
+        "or specify --config <path>."
+    )
+
+
+TOML_TEMPLATE = """\
+# cmmc2agent.toml — Scanner agent configuration
+# Generated by `cmmc2agent init`
+
+dashboard_url = "{dashboard_url}"
+api_key       = "{api_key}"
+project_id    = "{project_id}"
+scan_path     = "{scan_path}"
+"""

cmmc2agent/poster.py

@@ -0,0 +1,43 @@
+"""HTTP poster — sends scan results to the central dashboard."""
+import json
+import urllib.request
+import urllib.error
+from cmmc2toolkit.models import Finding
+
+
+def post_findings(ingest_url: str, api_key: str, project_id: str,
+                  platform: str, scan_path: str,
+                  findings: list[Finding]) -> dict:
+    payload = json.dumps({
+        "project_id": project_id,
+        "platform":   platform,
+        "path":       scan_path,
+        "findings": [
+            {
+                "practice_id": f.practice_id,
+                "passed":      f.passed,
+                "detail":      f.detail,
+                "evidence":    f.evidence,
+            }
+            for f in findings
+        ],
+    }).encode()
+
+    req = urllib.request.Request(
+        ingest_url,
+        data=payload,
+        headers={
+            "Content-Type":  "application/json",
+            "X-CMMC2-Key":   api_key,
+        },
+        method="POST",
+    )
+
+    try:
+        with urllib.request.urlopen(req, timeout=30) as resp:
+            return json.loads(resp.read())
+    except urllib.error.HTTPError as e:
+        body = e.read().decode(errors="replace")
+        raise RuntimeError(f"Dashboard returned {e.code}: {body}") from e
+    except urllib.error.URLError as e:
+        raise RuntimeError(f"Could not reach dashboard at {ingest_url}: {e.reason}") from e

cmmc2toolkit/__init__.py

@@ -0,0 +1,2 @@
+"""cmmc2-toolkit — CMMC 2.0 Level 2 compliance scanner and dashboard."""
+__version__ = "0.1.0"

cmmc2toolkit/adapters/__init__.py

@@ -0,0 +1,3 @@
+from cmmc2toolkit.adapters.base import AdapterBase, get_adapter
+
+__all__ = ["AdapterBase", "get_adapter"]

cmmc2toolkit/adapters/adapter_django.py

@@ -0,0 +1,129 @@
+"""Django adapter — maps CMMC 2.0 controls to Django-specific checks."""
+from cmmc2toolkit.adapters.base import AdapterBase
+from cmmc2toolkit.models import Finding
+from cmmc2toolkit.checks import auth, transport, config, audit, access, integrity
+from cmmc2toolkit.checks.auth import grep
+
+
+# ── Django-specific checks ────────────────────────────────────────────────────
+
+def check_django_auth(root: str) -> tuple[bool, str]:
+    found, ev = grep(root, r"django\.contrib\.auth|authenticate\(|login\(request")
+    return found, ev or "No Django auth framework usage found"
+
+
+def check_django_login_required(root: str) -> tuple[bool, str]:
+    found, ev = grep(root, r"@login_required|LoginRequiredMixin|PermissionRequiredMixin")
+    return found, ev or "No @login_required or LoginRequiredMixin found in views"
+
+
+def check_django_password_validators(root: str) -> tuple[bool, str]:
+    found, ev = grep(root, r"AUTH_PASSWORD_VALIDATORS|MinimumLengthValidator|"
+                           r"CommonPasswordValidator|NumericPasswordValidator")
+    return found, ev or "No AUTH_PASSWORD_VALIDATORS in Django settings"
+
+
+def check_django_session_timeout(root: str) -> tuple[bool, str]:
+    found, ev = grep(root, r"SESSION_COOKIE_AGE|SESSION_EXPIRE_AT_BROWSER_CLOSE|"
+                           r"set_expiry\(")
+    return found, ev or "No session timeout config found (set SESSION_COOKIE_AGE)"
+
+
+def check_django_csrf(root: str) -> tuple[bool, str]:
+    found, ev = grep(root, r"CsrfViewMiddleware|csrf_protect|csrf_token")
+    return found, ev or "No Django CSRF middleware or {% csrf_token %} found"
+
+
+def check_django_https(root: str) -> tuple[bool, str]:
+    found, ev = grep(root, r"SECURE_SSL_REDIRECT|SECURE_HSTS_SECONDS|"
+                           r"SESSION_COOKIE_SECURE|CSRF_COOKIE_SECURE")
+    return found, ev or "No HTTPS enforcement settings found (set SECURE_SSL_REDIRECT = True)"
+
+
+def check_django_security_headers(root: str) -> tuple[bool, str]:
+    found, ev = grep(root, r"SecurityMiddleware|SECURE_CONTENT_TYPE_NOSNIFF|"
+                           r"X_FRAME_OPTIONS|SECURE_BROWSER_XSS_FILTER|"
+                           r"SECURE_REFERRER_POLICY")
+    return found, ev or "No Django SecurityMiddleware or security header settings found"
+
+
+def check_django_secret_key(root: str) -> tuple[bool, str]:
+    bad, ev = grep(root, r"SECRET_KEY\s*=\s*['\"](?!os\.|environ|get_secret|config|decouple)")
+    if bad:
+        return False, f"Hardcoded SECRET_KEY detected: {ev}"
+    return True, "SECRET_KEY loaded from environment (not hardcoded)"
+
+
+def check_django_audit_log(root: str) -> tuple[bool, str]:
+    found, ev = grep(root, r"auditlog|AuditlogHistoricalRecords|HistoricalRecords|"
+                           r"django_simple_history|LogEntry|post_save.*signal|"
+                           r"pre_delete.*signal")
+    return found, ev or "No audit logging found (consider django-auditlog or django-simple-history)"
+
+
+def check_django_rate_limiting(root: str) -> tuple[bool, str]:
+    found, ev = grep(root, r"django.ratelimit|ratelimit|RateThrottle|"
+                           r"UserRateThrottle|AnonRateThrottle|DEFAULT_THROTTLE_RATES")
+    return found, ev or "No rate limiting found (consider django-ratelimit or DRF throttling)"
+
+
+def check_django_permissions(root: str) -> tuple[bool, str]:
+    found, ev = grep(root, r"has_perm|permission_required|PermissionRequiredMixin|"
+                           r"user\.groups|Meta.*permissions\s*=|DjangoModelPermissions")
+    return found, ev or "No Django permission checks found — add object-level permissions"
+
+
+def check_django_mfa(root: str) -> tuple[bool, str]:
+    found, ev = grep(root, r"django_otp|django.mfa|allauth\.mfa|OTPDevice|"
+                           r"TOTPDevice|totp|two.?factor")
+    return found, ev or "No MFA library found (consider django-otp or django-mfa2)"
+
+
+# ── Adapter ───────────────────────────────────────────────────────────────────
+
+class DjangoAdapter(AdapterBase):
+    platform = "django"
+
+    def check_all(self) -> list[Finding]:
+        r = self.root
+        results: list[Finding] = []
+
+        def f(pid, fn, *args):
+            passed, detail = fn(*args)
+            results.append(self._finding(pid, passed, detail))
+
+        # Identification & Authentication
+        f("IA.L1.076", check_django_auth,                         r)
+        f("IA.L1.077", check_django_auth,                         r)
+        f("IA.L2.078", check_django_password_validators,          r)
+        f("IA.L2.079", auth.check_password_history,               r)
+        f("IA.L2.081", auth.check_bcrypt,                         r)
+        f("IA.L2.082", check_django_mfa,                          r)
+        # Access Control (Level 1 + Level 2)
+        f("AC.L1.001", check_django_login_required,               r)
+        f("AC.L1.002", access.check_rbac,                         r)
+        f("AC.L1.003", access.check_external_connections,         r)
+        f("AC.L1.004", access.check_cui_exposure,                 r)
+        f("AC.L2.005", config.check_login_banner,                 r)
+        f("AC.L2.007", check_django_permissions,                  r)
+        f("AC.L2.013", check_django_session_timeout,              r)
+        # Audit & Accountability
+        f("AU.L2.041", check_django_audit_log,                    r)
+        f("AU.L2.042", check_django_audit_log,                    r)
+        f("AU.L2.043", check_django_audit_log,                    r)
+        # System & Comms Protection (Level 1 + Level 2)
+        f("SC.L1.175", check_django_https,                        r)
+        f("SC.L2.178", check_django_csrf,                         r)
+        f("SC.L2.179", check_django_security_headers,             r)
+        # Configuration Management
+        f("CM.L2.061", config.check_env_vars,                     r)
+        f("CM.L2.062", check_django_secret_key,                   r)
+        f("CM.L2.064", config.check_requirements_pinned,          r)
+        # System & Info Integrity (Level 1 + Level 2)
+        f("SI.L1.210", check_django_rate_limiting,                r)
+        f("SI.L1.211", integrity.check_malicious_code_protection, r)
+        f("SI.L1.212", integrity.check_dependency_update_policy,  r)
+        f("SI.L1.213", integrity.check_scan_policy,               r)
+        f("SI.L2.214", config.check_file_upload,                  r)
+
+        return results