cyntrisec 0.1.7__py3-none-any.whl

cyntrisec/cli/cuts.py

@@ -0,0 +1,231 @@
+"""
+cuts command - Find minimal remediations that block attack paths.
+
+Usage:
+    cyntrisec cuts [OPTIONS]
+
+Examples:
+    cyntrisec cuts                    # Show top 5 remediations
+    cyntrisec cuts --max-cuts 10      # Show top 10
+    cyntrisec cuts --format json      # Machine-readable output
+"""
+
+from __future__ import annotations
+
+import typer
+from rich import box
+from rich.console import Console
+from rich.panel import Panel
+from rich.table import Table
+
+from cyntrisec.cli.errors import EXIT_CODE_MAP, CyntriError, ErrorCode, handle_errors
+from cyntrisec.cli.output import (
+    build_artifact_paths,
+    emit_agent_or_json,
+    resolve_format,
+    suggested_actions,
+)
+from cyntrisec.cli.schemas import CutsResponse
+from cyntrisec.core.cost_estimator import CostEstimator
+from cyntrisec.core.cuts import MinCutFinder
+from cyntrisec.core.graph import GraphBuilder
+from cyntrisec.storage import FileSystemStorage
+
+console = Console()
+
+
+@handle_errors
+def cuts_cmd(
+    max_cuts: int = typer.Option(
+        5,
+        "--max-cuts",
+        "-n",
+        help="Maximum number of remediations to return",
+    ),
+    format: str | None = typer.Option(
+        None,
+        "--format",
+        "-f",
+        help="Output format: table, json, agent (defaults to json when piped)",
+    ),
+    snapshot_id: str | None = typer.Option(
+        None,
+        "--snapshot",
+        "-s",
+        help="Snapshot UUID (default: latest; scan_id accepted)",
+    ),
+    cost_source: str = typer.Option(
+        "estimate",
+        "--cost-source",
+        help="Cost data source: estimate (static), pricing-api, cost-explorer",
+    ),
+):
+    """
+    Find minimal remediations that block the most attack paths.
+
+    Uses a greedy set-cover algorithm to identify the smallest set of
+    changes that would disconnect entry points from sensitive targets.
+
+    Exit codes:
+        0 - No attack paths (nothing to cut)
+        0 - Remediations found
+        2 - Error
+    """
+    output_format = resolve_format(
+        format,
+        default_tty="table",
+        allowed=["table", "json", "agent"],
+    )
+
+    storage = FileSystemStorage()
+
+    # Load data from storage
+    assets = storage.get_assets(snapshot_id)
+    relationships = storage.get_relationships(snapshot_id)
+    paths = storage.get_attack_paths(snapshot_id)
+    snapshot = storage.get_snapshot(snapshot_id)
+
+    if not assets or not snapshot:
+        raise CyntriError(
+            error_code=ErrorCode.SNAPSHOT_NOT_FOUND,
+            message="No scan data found. Run 'cyntrisec scan' first.",
+            exit_code=EXIT_CODE_MAP["usage"],
+        )
+
+    if not paths:
+        console.print("[green]No attack paths found - nothing to remediate.[/green]")
+        raise typer.Exit(0)
+
+    # Build graph and find cuts
+    graph = GraphBuilder().build(assets=assets, relationships=relationships)
+    finder = MinCutFinder()
+    result = finder.find_cuts(graph, paths, max_cuts=max_cuts)
+
+    if output_format in {"json", "agent"}:
+        cost_estimator = CostEstimator(source=cost_source)
+        payload = _build_payload(result, snapshot, graph, cost_estimator)
+        top_rem = result.remediations[0] if result.remediations else None
+        scan_id = storage.resolve_scan_id(snapshot_id)
+        followups = suggested_actions(
+            [
+                (
+                    f"cyntrisec can {top_rem.source_name} access {top_rem.target_name}"
+                    if top_rem
+                    else "",
+                    "Verify the highest-priority remediation closes access" if top_rem else "",
+                ),
+                (
+                    f"cyntrisec report --scan {scan_id}" if scan_id else "",
+                    "Export a full report for stakeholders" if scan_id else "",
+                ),
+            ]
+        )
+        artifact_paths = build_artifact_paths(storage, snapshot_id)
+        emit_agent_or_json(
+            output_format,
+            payload,
+            suggested=followups,
+            artifact_paths=artifact_paths,
+            schema=CutsResponse,
+        )
+    else:
+        _output_table(result, snapshot)
+
+
+def _output_table(result, snapshot):
+    """Display results as a rich table."""
+    # Header panel
+    console.print()
+    console.print(
+        Panel(
+            f"[bold]Minimal Cut Analysis[/bold]\n"
+            f"Account: {snapshot.aws_account_id if snapshot else 'unknown'}\n"
+            f"Attack Paths: {result.total_paths} -> "
+            f"[green]{result.paths_blocked} blocked[/green] "
+            f"({result.coverage:.0%} coverage)",
+            title="cyntrisec cuts",
+            border_style="cyan",
+        )
+    )
+    console.print()
+
+    if not result.remediations:
+        console.print("[yellow]No remediations found that would block attack paths.[/yellow]")
+        return
+
+    # Main table
+    table = Table(
+        title=f"Top {len(result.remediations)} Remediations",
+        box=box.ROUNDED,
+        show_header=True,
+        header_style="bold cyan",
+    )
+    table.add_column("#", style="dim", width=3)
+    table.add_column("Blocks", justify="right", style="green", width=8)
+    table.add_column("Action", style="yellow", width=15)
+    table.add_column("Remediation", style="white", min_width=40)
+
+    for i, rem in enumerate(result.remediations, 1):
+        table.add_row(
+            str(i),
+            f"{len(rem.paths_blocked)} paths",
+            rem.action,
+            rem.description,
+        )
+
+    console.print(table)
+    console.print()
+
+    # Summary
+    if result.coverage < 1.0:
+        remaining = result.total_paths - result.paths_blocked
+        console.print(
+            f"[yellow]{remaining} paths remain unblocked. "
+            f"Increase --max-cuts to find more.[/yellow]"
+        )
+    else:
+        console.print(
+            f"[green]All {result.total_paths} attack paths can be blocked "
+            f"with {len(result.remediations)} changes.[/green]"
+        )
+
+
+def _build_payload(result, snapshot, graph=None, cost_estimator=None):
+    """Build structured output for JSON/agent modes."""
+    remediations = []
+
+    for i, rem in enumerate(result.remediations):
+        rem_dict = {
+            "priority": i + 1,
+            "action": rem.action,
+            "description": rem.description,
+            "relationship_type": rem.relationship_type,
+            "source": rem.source_name,
+            "target": rem.target_name,
+            "paths_blocked": len(rem.paths_blocked),
+            "path_ids": [str(p) for p in rem.paths_blocked],
+        }
+
+        # Add cost estimate for target asset if available
+        if cost_estimator and graph:
+            target_asset = graph.asset(rem.relationship.target_asset_id)
+            if target_asset:
+                estimate = cost_estimator.estimate(target_asset)
+                if estimate:
+                    rem_dict["estimated_monthly_savings"] = float(
+                        estimate.monthly_cost_usd_estimate
+                    )
+                    rem_dict["cost_source"] = estimate.cost_source
+                    rem_dict["cost_confidence"] = estimate.confidence
+                    rem_dict["cost_assumptions"] = estimate.assumptions
+
+        remediations.append(rem_dict)
+
+    return {
+        "snapshot_id": str(snapshot.id) if snapshot else None,
+        "account_id": snapshot.aws_account_id if snapshot else None,
+        "total_paths": result.total_paths,
+        "paths_blocked": result.paths_blocked,
+        "coverage": result.coverage,
+        "remediations": remediations,
+    }

cyntrisec/cli/diff.py

@@ -0,0 +1,332 @@
+"""
+diff command - Compare two scan snapshots to detect changes.
+"""
+
+from __future__ import annotations
+
+import logging
+
+import typer
+from rich import box
+from rich.console import Console
+from rich.panel import Panel
+from rich.table import Table
+
+from cyntrisec.cli.errors import EXIT_CODE_MAP, CyntriError, ErrorCode, handle_errors
+from cyntrisec.cli.output import (
+    build_artifact_paths,
+    emit_agent_or_json,
+    resolve_format,
+    suggested_actions,
+)
+from cyntrisec.cli.schemas import DiffResponse
+from cyntrisec.core.diff import ChangeType, SnapshotDiff
+from cyntrisec.storage import FileSystemStorage
+
+console = Console()
+log = logging.getLogger(__name__)
+
+
+def _find_scan_id(scan_ids: list[str], partial: str) -> str:
+    """Find a scan ID by partial match."""
+    if partial in scan_ids:
+        return partial
+    for scan_id in scan_ids:
+        if partial in scan_id:
+            return scan_id
+    return partial
+
+
+@handle_errors
+def diff_cmd(
+    old_snapshot: str | None = typer.Option(
+        None,
+        "--old",
+        "-o",
+        help="Old snapshot ID (default: second most recent)",
+    ),
+    new_snapshot: str | None = typer.Option(
+        None,
+        "--new",
+        "-n",
+        help="New snapshot ID (default: most recent)",
+    ),
+    format: str | None = typer.Option(
+        None,
+        "--format",
+        "-f",
+        help="Output format: table, json, agent (defaults to json when piped)",
+    ),
+    show_all: bool = typer.Option(
+        False,
+        "--all",
+        "-a",
+        help="Show all changes including assets and relationships",
+    ),
+):
+    """
+    Compare two scan snapshots to detect changes.
+    """
+    output_format = resolve_format(
+        format,
+        default_tty="table",
+        allowed=["table", "json", "agent"],
+    )
+
+    storage = FileSystemStorage()
+    scan_ids = storage.list_scans()
+    if len(scan_ids) < 2:
+        raise CyntriError(
+            error_code=ErrorCode.SNAPSHOT_NOT_FOUND,
+            message="Need at least 2 scans to compare. Run 'cyntrisec scan' again.",
+            exit_code=EXIT_CODE_MAP["usage"],
+        )
+
+    new_scan_id = _find_scan_id(scan_ids, new_snapshot) if new_snapshot else scan_ids[0]
+    old_scan_id = _find_scan_id(scan_ids, old_snapshot) if old_snapshot else scan_ids[1]
+
+    old_snap = storage.get_snapshot(old_scan_id)
+    new_snap = storage.get_snapshot(new_scan_id)
+    if not old_snap or not new_snap:
+        raise CyntriError(
+            error_code=ErrorCode.SNAPSHOT_NOT_FOUND,
+            message="Could not load snapshots for diff.",
+            exit_code=EXIT_CODE_MAP["usage"],
+        )
+
+    old_assets = storage.get_assets(old_scan_id)
+    old_rels = storage.get_relationships(old_scan_id)
+    old_paths = storage.get_attack_paths(old_scan_id)
+    old_findings = storage.get_findings(old_scan_id)
+
+    new_assets = storage.get_assets(new_scan_id)
+    new_rels = storage.get_relationships(new_scan_id)
+    new_paths = storage.get_attack_paths(new_scan_id)
+    new_findings = storage.get_findings(new_scan_id)
+
+    differ = SnapshotDiff()
+    result = differ.diff(
+        old_assets=old_assets,
+        old_relationships=old_rels,
+        old_paths=old_paths,
+        old_findings=old_findings,
+        new_assets=new_assets,
+        new_relationships=new_rels,
+        new_paths=new_paths,
+        new_findings=new_findings,
+        old_snapshot_id=old_snap.id,
+        new_snapshot_id=new_snap.id,
+    )
+
+    if output_format in {"json", "agent"}:
+        payload = _build_payload(result, old_snap, new_snap, show_all)
+        actions = suggested_actions(
+            [
+                (
+                    f"cyntrisec analyze paths --scan {new_scan_id}",
+                    "Review new attack paths",
+                ),
+                (
+                    f"cyntrisec cuts --snapshot {new_snap.id}",
+                    "Find fixes for new regressions",
+                ),
+            ]
+        )
+        emit_agent_or_json(
+            output_format,
+            payload,
+            suggested=actions,
+            status="regressions" if result.has_regressions else "success",
+            artifact_paths=build_artifact_paths(storage, new_scan_id),
+            schema=DiffResponse,
+        )
+    else:
+        _output_table(result, old_snap, new_snap, show_all)
+
+    if result.has_regressions:
+        raise typer.Exit(1)
+    raise typer.Exit(0)
+
+
+def _output_table(result, old_snap, new_snap, show_all: bool):
+    """Display diff as formatted tables."""
+    console.print()
+
+    summary = result.summary
+
+    if result.has_regressions:
+        status_icon = "REGRESSION"
+        status_color = "red"
+        status_text = "REGRESSIONS DETECTED"
+    elif result.has_improvements:
+        status_icon = "IMPROVED"
+        status_color = "green"
+        status_text = "IMPROVEMENTS FOUND"
+    else:
+        status_icon = "="
+        status_color = "cyan"
+        status_text = "NO SECURITY CHANGES"
+
+    console.print(
+        Panel(
+            f"[bold {status_color}]{status_icon} {status_text}[/bold {status_color}]\n\n"
+            f"Comparing:\n"
+            f"  Old: {old_snap.aws_account_id} @ {old_snap.started_at:%Y-%m-%d %H:%M}\n"
+            f"  New: {new_snap.aws_account_id} @ {new_snap.started_at:%Y-%m-%d %H:%M}",
+            title="cyntrisec diff",
+            border_style=status_color,
+        )
+    )
+    console.print()
+
+    summary_table = Table(box=box.ROUNDED, show_header=True, header_style="bold")
+    summary_table.add_column("Category", style="cyan")
+    summary_table.add_column("Added", justify="right", style="green")
+    summary_table.add_column("Removed", justify="right", style="red")
+
+    summary_table.add_row("Assets", f"+{summary['assets_added']}", f"-{summary['assets_removed']}")
+    summary_table.add_row(
+        "Relationships",
+        f"+{summary['relationships_added']}",
+        f"-{summary['relationships_removed']}",
+    )
+    summary_table.add_row(
+        "Attack Paths", f"+{summary['paths_added']}", f"-{summary['paths_removed']}"
+    )
+    summary_table.add_row(
+        "Findings", f"+{summary['findings_new']}", f"-{summary['findings_resolved']}"
+    )
+
+    console.print(summary_table)
+    console.print()
+
+    if result.path_changes:
+        path_table = Table(
+            title="Attack Path Changes",
+            box=box.ROUNDED,
+            show_header=True,
+            header_style="bold yellow",
+        )
+        path_table.add_column("Status", width=12)
+        path_table.add_column("Vector", width=20)
+        path_table.add_column("Risk", justify="right", width=8)
+
+        for change in result.path_changes:
+            status = (
+                "[red]+ NEW (regression)[/red]"
+                if change.change_type == ChangeType.added
+                else "[green]- FIXED[/green]"
+            )
+            path_table.add_row(
+                status, change.path.attack_vector, f"{float(change.path.risk_score):.2f}"
+            )
+
+        console.print(path_table)
+        console.print()
+
+    if result.finding_changes:
+        finding_table = Table(title="Finding Changes", box=box.ROUNDED, show_header=True)
+        finding_table.add_column("Status", width=12)
+        finding_table.add_column("Severity", width=10)
+        finding_table.add_column("Finding", min_width=30)
+
+        for change in result.finding_changes:
+            status = (
+                "[red]+ NEW[/red]"
+                if change.change_type == ChangeType.added
+                else "[green]- FIXED[/green]"
+            )
+            sev_style = {
+                "critical": "red bold",
+                "high": "red",
+                "medium": "yellow",
+                "low": "dim",
+            }.get(change.finding.severity, "white")
+            finding_table.add_row(
+                status,
+                f"[{sev_style}]{change.finding.severity.upper()}[/]",
+                change.finding.title[:50],
+            )
+
+        console.print(finding_table)
+        console.print()
+
+    if show_all and result.asset_changes:
+        asset_table = Table(title="Asset Changes", box=box.SIMPLE)
+        asset_table.add_column("Status", width=8)
+        asset_table.add_column("Type", width=15)
+        asset_table.add_column("Name", min_width=30)
+
+        for change in result.asset_changes[:20]:
+            status = (
+                "[green]+[/green]" if change.change_type == ChangeType.added else "[red]-[/red]"
+            )
+            asset_table.add_row(status, change.asset.asset_type, change.asset.name[:40])
+
+        if len(result.asset_changes) > 20:
+            asset_table.add_row("...", f"+{len(result.asset_changes) - 20} more", "")
+
+        console.print(asset_table)
+        console.print()
+
+
+def _build_payload(result, old_snap, new_snap, show_all: bool = False):
+    """Build structured output for JSON/agent formats."""
+    payload = {
+        "old_snapshot": {
+            "id": str(old_snap.id),
+            "account_id": old_snap.aws_account_id,
+            "timestamp": old_snap.started_at.isoformat(),
+        },
+        "new_snapshot": {
+            "id": str(new_snap.id),
+            "account_id": new_snap.aws_account_id,
+            "timestamp": new_snap.started_at.isoformat(),
+        },
+        "summary": result.summary,
+        "has_regressions": result.has_regressions,
+        "has_improvements": result.has_improvements,
+        "path_changes": [
+            {
+                "change_type": c.change_type.value,
+                "attack_vector": c.path.attack_vector,
+                "risk_score": float(c.path.risk_score),
+                "is_regression": c.is_regression,
+                "is_improvement": c.is_improvement,
+            }
+            for c in result.path_changes
+        ],
+        "finding_changes": [
+            {
+                "change_type": c.change_type.value,
+                "severity": c.finding.severity,
+                "title": c.finding.title,
+                "is_regression": c.is_regression,
+            }
+            for c in result.finding_changes
+        ],
+    }
+
+    # Include asset_changes and relationship_changes when show_all is True
+    if show_all:
+        payload["asset_changes"] = [
+            {
+                "change_type": c.change_type.value,
+                "asset_id": str(c.asset.id),
+                "asset_type": c.asset.asset_type,
+                "name": c.asset.name,
+            }
+            for c in result.asset_changes
+        ]
+        payload["relationship_changes"] = [
+            {
+                "change_type": c.change_type.value,
+                "relationship_id": str(c.relationship.id),
+                "relationship_type": c.relationship.relationship_type,
+                "source_id": str(c.relationship.source_asset_id),
+                "target_id": str(c.relationship.target_asset_id),
+            }
+            for c in result.relationship_changes
+        ]
+
+    return payload

cyntrisec/cli/errors.py

@@ -0,0 +1,105 @@
+"""
+Central error handling and envelope utilities.
+
+Defines a small error taxonomy and helpers to wrap CLI commands so that
+all failures return a consistent agent-friendly envelope.
+"""
+
+from __future__ import annotations
+
+import functools
+from collections.abc import Callable
+from dataclasses import dataclass
+from typing import Any
+
+import typer
+from pydantic import ValidationError
+
+from cyntrisec.cli.output import emit_agent_or_json
+
+
+class ErrorCode:
+    AWS_ACCESS_DENIED = "AWS_ACCESS_DENIED"
+    AWS_THROTTLED = "AWS_THROTTLED"
+    AWS_REGION_DISABLED = "AWS_REGION_DISABLED"
+    AUTH_ERROR = "AUTH_ERROR"
+    SNAPSHOT_NOT_FOUND = "SNAPSHOT_NOT_FOUND"
+    SCHEMA_MISMATCH = "SCHEMA_MISMATCH"
+    INVALID_QUERY = "INVALID_QUERY"
+    INTERNAL_ERROR = "INTERNAL_ERROR"
+
+
+EXIT_CODE_MAP = {
+    "ok": 0,
+    "findings": 1,
+    "usage": 2,
+    "transient": 3,
+    "internal": 4,
+}
+
+
+@dataclass
+class CyntriError(Exception):
+    error_code: str
+    message: str
+    details: Any | None = None
+    hint: str | None = None
+    retryable: bool = False
+    status: str = "error"
+    exit_code: int = EXIT_CODE_MAP["internal"]
+
+    def to_payload(self) -> dict:
+        return {
+            "message": self.message,
+            "details": self.details,
+            "hint": self.hint,
+        }
+
+
+def handle_errors(command: Callable) -> Callable:
+    """
+    Decorator to wrap Typer commands and emit consistent envelopes on failure.
+    """
+
+    @functools.wraps(command)
+    def wrapper(*args, **kwargs):
+        from typer.models import OptionInfo
+
+        clean_kwargs = {k: (None if isinstance(v, OptionInfo) else v) for k, v in kwargs.items()}
+        format_arg = clean_kwargs.get("format") or clean_kwargs.get("output_format")
+        try:
+            return command(*args, **clean_kwargs)
+        except CyntriError as ce:
+            emit_agent_or_json(
+                "agent" if format_arg in {"agent", "json"} else "json",
+                ce.to_payload(),
+                status=ce.status,
+                error_code=ce.error_code,
+                message=ce.message,
+                suggested=[],
+            )
+            raise typer.Exit(code=ce.exit_code)
+        except ValidationError as ve:
+            emit_agent_or_json(
+                "json",
+                {"errors": ve.errors()},
+                status="error",
+                error_code=ErrorCode.SCHEMA_MISMATCH,
+                message="Response schema validation failed",
+                suggested=[],
+            )
+            raise typer.Exit(code=EXIT_CODE_MAP["internal"])
+        except typer.Exit:
+            raise
+        except Exception as e:  # pragma: no cover
+            emit_agent_or_json(
+                "json",
+                {"message": str(e)},
+                status="error",
+                error_code=ErrorCode.INTERNAL_ERROR,
+                message=str(e),
+                suggested=[],
+            )
+            raise typer.Exit(code=EXIT_CODE_MAP["internal"])
+
+    return wrapper