empathy-framework 5.3.0__py3-none-any.whl → 5.4.0__py3-none-any.whl

empathy_os/memory/security/audit_logger.py

@@ -1,932 +0,0 @@
-"""Audit Logging Framework for Empathy Framework
-
-Comprehensive audit logging for SOC2, HIPAA, and GDPR compliance.
-Implements tamper-evident, append-only logging with structured JSON format.
-
-Key Features:
-- JSON Lines format (one event per line)
-- ISO-8601 timestamps (UTC)
-- Unique event IDs (UUID)
-- Tamper-evident (append-only)
-- Query/search capability
-- Log rotation support
-
-Reference:
-- SECURE_MEMORY_ARCHITECTURE.md: Audit Trail Implementation
-- SOC2 CC7.2: System Monitoring
-- HIPAA 164.312(b): Audit Controls
-- GDPR Article 30: Records of Processing
-
-Copyright 2025 Smart AI Memory, LLC
-Licensed under Fair Source 0.9
-"""
-
-import json
-import logging
-import os
-import uuid
-from dataclasses import asdict, dataclass, field
-from datetime import datetime, timedelta
-from pathlib import Path
-from typing import Any
-
-logger = logging.getLogger(__name__)
-
-
-@dataclass
-class AuditEvent:
-    """Represents a single audit event.
-
-    All audit events share these core fields for compliance tracking.
-    """
-
-    # Core identification
-    event_id: str = field(default_factory=lambda: f"evt_{uuid.uuid4().hex[:12]}")
-    timestamp: str = field(default_factory=lambda: datetime.utcnow().isoformat() + "Z")
-    version: str = "1.0"
-
-    # Event classification
-    event_type: str = ""  # llm_request, store_pattern, retrieve_pattern, security_violation
-    user_id: str = ""
-    session_id: str = ""
-
-    # Status tracking
-    status: str = "success"  # success, failed, blocked
-    error: str = ""
-
-    # Custom fields (populated by specific event types)
-    data: dict[str, Any] = field(default_factory=dict)
-
-    def to_dict(self) -> dict[str, Any]:
-        """Convert to dictionary for JSON serialization"""
-        result = asdict(self)
-        # Flatten data dict into top level for easier querying
-        data = result.pop("data", {})
-        result.update(data)
-        return result
-
-
-@dataclass
-class SecurityViolation:
-    """Represents a security policy violation.
-
-    Used for tracking and alerting on security issues.
-    """
-
-    violation_type: str  # secrets_detected, pii_in_storage, classification_error, etc.
-    severity: str  # LOW, MEDIUM, HIGH, CRITICAL
-    details: dict[str, Any] = field(default_factory=dict)
-    user_notified: bool = False
-    manager_notified: bool = False
-    security_team_notified: bool = False
-
-
-class AuditLogger:
-    """Comprehensive audit logging for Empathy Framework.
-
-    Implements SOC2, HIPAA, and GDPR compliant audit trails with:
-    - Tamper-evident append-only logging
-    - Structured JSON Lines format
-    - Comprehensive event tracking
-    - Query and search capabilities
-    - Log rotation support
-
-    Example:
-        >>> logger = AuditLogger()  # Uses platform-appropriate default
-        >>> logger.log_llm_request(
-        ...     user_id="user@company.com",
-        ...     empathy_level=3,
-        ...     provider="anthropic",
-        ...     model="claude-sonnet-4",
-        ...     memory_sources=["enterprise", "user", "project"],
-        ...     pii_count=0,
-        ...     secrets_count=0
-        ... )
-
-    Log Format:
-        Each line is a complete JSON object representing one event.
-        Format: JSON Lines (.jsonl) - one event per line, append-only.
-
-    Compliance:
-        - SOC2 CC7.2: System Monitoring and Logging
-        - HIPAA 164.312(b): Audit Controls
-        - GDPR Article 30: Records of Processing Activities
-
-    """
-
-    def __init__(
-        self,
-        log_dir: str | None = None,  # Uses platform-appropriate default if None
-        log_filename: str = "audit.jsonl",
-        max_file_size_mb: int = 100,
-        retention_days: int = 365,
-        enable_rotation: bool = True,
-        enable_console_logging: bool = False,
-    ):
-        """Initialize the audit logger.
-
-        Args:
-            log_dir: Directory for audit logs
-            log_filename: Name of the audit log file
-            max_file_size_mb: Maximum file size before rotation (if enabled)
-            retention_days: Number of days to retain audit logs
-            enable_rotation: Whether to enable automatic log rotation
-            enable_console_logging: Whether to also log to console (for development)
-
-        """
-        # Use platform-appropriate default if log_dir not specified
-        if log_dir is None:
-            from empathy_os.platform_utils import get_default_log_dir
-
-            self.log_dir = get_default_log_dir()
-        else:
-            self.log_dir = Path(log_dir)
-        self.log_filename = log_filename
-        self.log_path = self.log_dir / log_filename
-        self.max_file_size_bytes = max_file_size_mb * 1024 * 1024
-        self.retention_days = retention_days
-        self.enable_rotation = enable_rotation
-        self.enable_console_logging = enable_console_logging
-
-        # Track security violations for alerting
-        self._violation_counts: dict[str, int] = {}
-
-        # Initialize log directory
-        self._initialize_log_directory()
-
-    def _initialize_log_directory(self):
-        """Create log directory if it doesn't exist"""
-        try:
-            self.log_dir.mkdir(parents=True, exist_ok=True)
-            # Set restrictive permissions (owner read/write only)
-            os.chmod(self.log_dir, 0o700)
-            logger.info(f"Audit log directory initialized: {self.log_dir}")
-        except Exception as e:
-            logger.error(f"Failed to initialize audit log directory: {e}")
-            # Fallback to local directory
-            self.log_dir = Path("./logs")
-            self.log_dir.mkdir(parents=True, exist_ok=True)
-            self.log_path = self.log_dir / self.log_filename
-            logger.warning(f"Using fallback log directory: {self.log_dir}")
-
-    def _write_event(self, event: AuditEvent):
-        """Write an audit event to the log file.
-
-        Uses append-only mode for tamper-evidence.
-        """
-        try:
-            # Check if rotation is needed
-            if self.enable_rotation and self.log_path.exists():
-                if self.log_path.stat().st_size > self.max_file_size_bytes:
-                    self._rotate_log()
-
-            # Write event as single line JSON
-            with open(self.log_path, "a", encoding="utf-8") as f:
-                json.dump(event.to_dict(), f, ensure_ascii=False)
-                f.write("\n")
-
-            # Optional console logging for development
-            if self.enable_console_logging:
-                logger.debug(f"Audit event: {event.event_type} - {event.status}")
-
-        except Exception as e:
-            logger.error(f"Failed to write audit event: {e}")
-            # Critical: audit logging failure should be visible
-            if self.enable_console_logging:
-                print(f"AUDIT LOG FAILURE: {e}", flush=True)
-
-    def _rotate_log(self):
-        """Rotate the audit log file.
-
-        Renames current log with timestamp and creates new file.
-        """
-        try:
-            timestamp = datetime.utcnow().strftime("%Y%m%d_%H%M%S")
-            rotated_name = f"{self.log_filename}.{timestamp}"
-            rotated_path = self.log_dir / rotated_name
-
-            self.log_path.rename(rotated_path)
-            logger.info(f"Audit log rotated: {rotated_path}")
-
-            # Clean up old logs beyond retention period
-            self._cleanup_old_logs()
-
-        except Exception as e:
-            logger.error(f"Failed to rotate audit log: {e}")
-
-    def _cleanup_old_logs(self):
-        """Remove audit logs older than retention period"""
-        try:
-            cutoff_date = datetime.utcnow() - timedelta(days=self.retention_days)
-
-            for log_file in self.log_dir.glob(f"{self.log_filename}.*"):
-                # Extract timestamp from filename
-                try:
-                    timestamp_str = log_file.suffix[1:]  # Remove leading dot
-                    file_date = datetime.strptime(timestamp_str, "%Y%m%d_%H%M%S")
-
-                    if file_date < cutoff_date:
-                        log_file.unlink()
-                        logger.info(f"Removed old audit log: {log_file}")
-                except (ValueError, IndexError):
-                    # Skip files that don't match expected format
-                    continue
-
-        except Exception as e:
-            logger.error(f"Failed to cleanup old audit logs: {e}")
-
-    def log_llm_request(
-        self,
-        user_id: str,
-        empathy_level: int,
-        provider: str,
-        model: str,
-        memory_sources: list[str],
-        pii_count: int = 0,
-        secrets_count: int = 0,
-        request_size_bytes: int = 0,
-        response_size_bytes: int = 0,
-        duration_ms: int = 0,
-        memdocs_patterns_used: list[str] | None = None,
-        sanitization_applied: bool = True,
-        classification_verified: bool = True,
-        session_id: str = "",
-        ip_address: str = "",
-        temperature: float = 0.7,
-        status: str = "success",
-        error: str = "",
-        **kwargs,
-    ):
-        """Log an LLM API request.
-
-        Tracks all LLM interactions for compliance and monitoring.
-
-        Args:
-            user_id: User or service account making the request
-            empathy_level: Empathy level (1-5) used for this request
-            provider: LLM provider (anthropic, openai, local)
-            model: Specific model used
-            memory_sources: Which memory sources were loaded (enterprise, user, project)
-            pii_count: Number of PII items detected (not the items themselves)
-            secrets_count: Number of secrets detected
-            request_size_bytes: Size of the request payload
-            response_size_bytes: Size of the response payload
-            duration_ms: Request duration in milliseconds
-            memdocs_patterns_used: List of MemDocs pattern IDs used
-            sanitization_applied: Whether PII sanitization was applied
-            classification_verified: Whether data classification was verified
-            session_id: Session identifier
-            ip_address: Anonymized IP address (e.g., first 3 octets only)
-            temperature: LLM temperature setting
-            status: success, failed, or blocked
-            error: Error message if failed
-            **kwargs: Additional custom fields
-
-        Example:
-            >>> logger.log_llm_request(
-            ...     user_id="user@company.com",
-            ...     empathy_level=3,
-            ...     provider="anthropic",
-            ...     model="claude-sonnet-4",
-            ...     memory_sources=["enterprise", "user"],
-            ...     pii_count=0,
-            ...     secrets_count=0
-            ... )
-
-        """
-        event = AuditEvent(
-            event_type="llm_request",
-            user_id=user_id,
-            session_id=session_id,
-            status=status,
-            error=error,
-            data={
-                "llm": {
-                    "provider": provider,
-                    "model": model,
-                    "empathy_level": empathy_level,
-                    "temperature": temperature,
-                },
-                "memory": {
-                    "sources": memory_sources,
-                    "total_sources": len(memory_sources),
-                    "security_policies_applied": "enterprise" in memory_sources,
-                },
-                "memdocs": {
-                    "patterns_used": memdocs_patterns_used or [],
-                    "pattern_count": len(memdocs_patterns_used or []),
-                },
-                "security": {
-                    "pii_detected": pii_count,
-                    "secrets_detected": secrets_count,
-                    "sanitization_applied": sanitization_applied,
-                    "classification_verified": classification_verified,
-                },
-                "request": {
-                    "size_bytes": request_size_bytes,
-                    "duration_ms": duration_ms,
-                    "ip_address": ip_address,
-                },
-                "response": {
-                    "size_bytes": response_size_bytes,
-                },
-                "compliance": {
-                    "gdpr_compliant": pii_count == 0 or sanitization_applied,
-                    "hipaa_compliant": secrets_count == 0 and sanitization_applied,
-                    "soc2_compliant": True,
-                },
-                **kwargs,
-            },
-        )
-
-        self._write_event(event)
-
-        # Check for security violations
-        if secrets_count > 0:
-            self._handle_security_violation(
-                user_id=user_id,
-                violation_type="secrets_detected",
-                severity="HIGH",
-                details={"secrets_count": secrets_count, "event_type": "llm_request"},
-            )
-
-    def log_pattern_store(
-        self,
-        user_id: str,
-        pattern_id: str,
-        pattern_type: str,
-        classification: str,
-        pii_scrubbed: int = 0,
-        secrets_detected: int = 0,
-        retention_days: int = 180,
-        encrypted: bool = False,
-        session_id: str = "",
-        status: str = "success",
-        error: str = "",
-        **kwargs,
-    ):
-        """Log MemDocs pattern storage.
-
-        Tracks pattern creation for compliance and data governance.
-
-        Args:
-            user_id: User storing the pattern
-            pattern_id: Unique identifier for the pattern
-            pattern_type: Type of pattern (code, architecture, workflow, etc.)
-            classification: PUBLIC, INTERNAL, or SENSITIVE
-            pii_scrubbed: Number of PII items scrubbed before storage
-            secrets_detected: Number of secrets found (should be 0 for storage)
-            retention_days: Retention period in days
-            encrypted: Whether pattern is encrypted at rest
-            session_id: Session identifier
-            status: success, failed, or blocked
-            error: Error message if failed
-            **kwargs: Additional custom fields
-
-        Example:
-            >>> logger.log_pattern_store(
-            ...     user_id="user@company.com",
-            ...     pattern_id="pattern_abc123",
-            ...     pattern_type="architecture",
-            ...     classification="INTERNAL",
-            ...     pii_scrubbed=2,
-            ...     retention_days=180
-            ... )
-
-        """
-        event = AuditEvent(
-            event_type="store_pattern",
-            user_id=user_id,
-            session_id=session_id,
-            status=status,
-            error=error,
-            data={
-                "pattern": {
-                    "pattern_id": pattern_id,
-                    "pattern_type": pattern_type,
-                    "classification": classification,
-                    "encrypted": encrypted,
-                    "retention_days": retention_days,
-                },
-                "security": {
-                    "pii_scrubbed": pii_scrubbed,
-                    "secrets_detected": secrets_detected,
-                    "sanitization_applied": pii_scrubbed > 0,
-                },
-                "compliance": {
-                    "gdpr_compliant": secrets_detected == 0,
-                    "hipaa_compliant": (classification == "SENSITIVE" and encrypted)
-                    or classification != "SENSITIVE",
-                    "soc2_compliant": secrets_detected == 0
-                    and classification in ["PUBLIC", "INTERNAL", "SENSITIVE"],
-                    "classification_verified": classification
-                    in ["PUBLIC", "INTERNAL", "SENSITIVE"],
-                },
-                **kwargs,
-            },
-        )
-
-        self._write_event(event)
-
-        # Check for security violations
-        if secrets_detected > 0:
-            self._handle_security_violation(
-                user_id=user_id,
-                violation_type="secrets_in_storage",
-                severity="CRITICAL",
-                details={
-                    "secrets_detected": secrets_detected,
-                    "pattern_id": pattern_id,
-                    "event_type": "store_pattern",
-                },
-            )
-
-        if classification == "SENSITIVE" and not encrypted:
-            self._handle_security_violation(
-                user_id=user_id,
-                violation_type="sensitive_not_encrypted",
-                severity="HIGH",
-                details={
-                    "pattern_id": pattern_id,
-                    "classification": classification,
-                    "event_type": "store_pattern",
-                },
-            )
-
-    def log_pattern_retrieve(
-        self,
-        user_id: str,
-        pattern_id: str,
-        classification: str,
-        access_granted: bool = True,
-        permission_level: str = "",
-        session_id: str = "",
-        status: str = "success",
-        error: str = "",
-        **kwargs,
-    ):
-        """Log MemDocs pattern retrieval.
-
-        Tracks pattern access for compliance and security monitoring.
-
-        Args:
-            user_id: User retrieving the pattern
-            pattern_id: Unique identifier for the pattern
-            classification: PUBLIC, INTERNAL, or SENSITIVE
-            access_granted: Whether access was granted
-            permission_level: Permission level used for access decision
-            session_id: Session identifier
-            status: success, failed, or blocked
-            error: Error message if failed
-            **kwargs: Additional custom fields
-
-        Example:
-            >>> logger.log_pattern_retrieve(
-            ...     user_id="user@company.com",
-            ...     pattern_id="pattern_abc123",
-            ...     classification="SENSITIVE",
-            ...     access_granted=True,
-            ...     permission_level="explicit"
-            ... )
-
-        """
-        event = AuditEvent(
-            event_type="retrieve_pattern",
-            user_id=user_id,
-            session_id=session_id,
-            status="success" if access_granted else "blocked",
-            error=error,
-            data={
-                "pattern": {
-                    "pattern_id": pattern_id,
-                    "classification": classification,
-                },
-                "access": {
-                    "granted": access_granted,
-                    "permission_level": permission_level,
-                    "audit_required": classification == "SENSITIVE",
-                },
-                "compliance": {
-                    "access_logged": True,
-                    "hipaa_compliant": classification == "SENSITIVE",
-                },
-                **kwargs,
-            },
-        )
-
-        self._write_event(event)
-
-        # Log unauthorized access attempts
-        if not access_granted:
-            self._handle_security_violation(
-                user_id=user_id,
-                violation_type="unauthorized_access",
-                severity="MEDIUM" if classification == "INTERNAL" else "HIGH",
-                details={
-                    "pattern_id": pattern_id,
-                    "classification": classification,
-                    "event_type": "retrieve_pattern",
-                },
-            )
-
-    def log_security_violation(
-        self,
-        user_id: str,
-        violation_type: str,
-        severity: str,
-        details: dict[str, Any],
-        session_id: str = "",
-        blocked: bool = True,
-        **kwargs,
-    ):
-        """Log a security policy violation.
-
-        Tracks security incidents for monitoring and response.
-
-        Args:
-            user_id: User who triggered the violation
-            violation_type: Type of violation (secrets_detected, pii_in_storage, etc.)
-            severity: LOW, MEDIUM, HIGH, or CRITICAL
-            details: Additional details about the violation
-            session_id: Session identifier
-            blocked: Whether the action was blocked
-            **kwargs: Additional custom fields
-
-        Example:
-            >>> logger.log_security_violation(
-            ...     user_id="user@company.com",
-            ...     violation_type="secrets_detected",
-            ...     severity="HIGH",
-            ...     details={"secret_type": "api_key", "action": "llm_request"},  # pragma: allowlist secret
-            ...     blocked=True
-            ... )
-
-        """
-        violation = SecurityViolation(
-            violation_type=violation_type,
-            severity=severity,
-            details=details,
-        )
-
-        event = AuditEvent(
-            event_type="security_violation",
-            user_id=user_id,
-            session_id=session_id,
-            status="blocked" if blocked else "logged",
-            data={
-                "violation": {
-                    "type": violation_type,
-                    "severity": severity,
-                    "details": details,
-                    "blocked": blocked,
-                },
-                "response": {
-                    "user_notified": violation.user_notified,
-                    "manager_notified": violation.manager_notified,
-                    "security_team_notified": violation.security_team_notified,
-                },
-                "compliance": {
-                    "gdpr_compliant": blocked,
-                    "hipaa_compliant": blocked,
-                    "soc2_compliant": blocked,
-                },
-                **kwargs,
-            },
-        )
-
-        self._write_event(event)
-
-    def _handle_security_violation(
-        self,
-        user_id: str,
-        violation_type: str,
-        severity: str,
-        details: dict[str, Any],
-    ):
-        """Internal handler for security violations.
-
-        Tracks violation counts and triggers alerts.
-        """
-        # Track violations per user
-        key = f"{user_id}:{violation_type}"
-        self._violation_counts[key] = self._violation_counts.get(key, 0) + 1
-
-        # Log the violation
-        self.log_security_violation(
-            user_id=user_id,
-            violation_type=violation_type,
-            severity=severity,
-            details=details,
-        )
-
-        # Alert logic
-        count = self._violation_counts[key]
-        if severity == "CRITICAL" or count >= 3:
-            logger.warning(
-                f"Security violation threshold reached: {user_id} - "
-                f"{violation_type} (count: {count}, severity: {severity})",
-            )
-
-    def query(
-        self,
-        event_type: str | None = None,
-        user_id: str | None = None,
-        status: str | None = None,
-        start_date: datetime | None = None,
-        end_date: datetime | None = None,
-        limit: int = 1000,
-        **filters,
-    ) -> list[dict]:
-        """Query audit logs with filters.
-
-        Provides search and analysis capabilities for audit data.
-
-        Args:
-            event_type: Filter by event type (llm_request, store_pattern, etc.)
-            user_id: Filter by user ID
-            status: Filter by status (success, failed, blocked)
-            start_date: Filter events after this date
-            end_date: Filter events before this date
-            limit: Maximum number of events to return
-            **filters: Additional key-value filters (supports nested keys with __)
-
-        Returns:
-            List of matching audit events as dictionaries
-
-        Example:
-            >>> # Find all failed LLM requests
-            >>> events = logger.query(event_type="llm_request", status="failed")
-            >>>
-            >>> # Find security violations in last 24 hours
-            >>> from datetime import datetime, timedelta
-            >>> events = logger.query(
-            ...     event_type="security_violation",
-            ...     start_date=datetime.utcnow() - timedelta(days=1)
-            ... )
-            >>>
-            >>> # Find patterns with high PII counts (nested filter)
-            >>> events = logger.query(security__pii_detected__gt=5)
-
-        """
-        results: list[dict[str, object]] = []
-
-        try:
-            if not self.log_path.exists():
-                return results
-
-            with open(self.log_path, encoding="utf-8") as f:
-                for line in f:
-                    if len(results) >= limit:
-                        break
-
-                    try:
-                        event = json.loads(line.strip())
-
-                        # Apply filters
-                        if event_type and event.get("event_type") != event_type:
-                            continue
-                        if user_id and event.get("user_id") != user_id:
-                            continue
-                        if status and event.get("status") != status:
-                            continue
-
-                        # Date range filtering
-                        if start_date or end_date:
-                            event_time = datetime.fromisoformat(
-                                event.get("timestamp", "").rstrip("Z"),
-                            )
-                            if start_date and event_time < start_date:
-                                continue
-                            if end_date and event_time > end_date:
-                                continue
-
-                        # Custom filters (supports nested keys with __)
-                        if filters and not self._apply_custom_filters(event, filters):
-                            continue
-
-                        results.append(event)
-
-                    except json.JSONDecodeError:
-                        logger.warning("Skipping malformed audit log line")
-                        continue
-
-        except Exception as e:
-            logger.error(f"Failed to query audit logs: {e}")
-
-        return results
-
-    def _apply_custom_filters(self, event: dict, filters: dict) -> bool:
-        """Apply custom filters to an event.
-
-        Supports nested key access with __ separator and comparison operators.
-        """
-        for key, value in filters.items():
-            # Handle comparison operators (e.g., security__pii_detected__gt=5)
-            parts = key.split("__")
-            operator = None
-
-            # Optimization: Use set for O(1) membership testing (vs O(n) with list)
-            valid_operators = {"gt", "gte", "lt", "lte", "ne"}
-            if len(parts) > 1 and parts[-1] in valid_operators:
-                operator = parts[-1]
-                parts = parts[:-1]
-
-            # Navigate nested dictionary
-            current = event
-            for part in parts:
-                if isinstance(current, dict) and part in current:
-                    current = current[part]
-                else:
-                    return False
-
-            # Apply comparison
-            if (
-                operator == "gt" and not (isinstance(current, int | float) and current > value)
-            ) or (
-                operator == "gte" and not (isinstance(current, int | float) and current >= value)
-            ):
-                return False
-            if (
-                (operator == "lt" and not (isinstance(current, int | float) and current < value))
-                or (
-                    operator == "lte"
-                    and not (isinstance(current, int | float) and current <= value)
-                )
-                or (operator == "ne" and current == value)
-                or (operator is None and current != value)
-            ):
-                return False
-
-        return True
-
-    def get_violation_summary(self, user_id: str | None = None) -> dict[str, Any]:
-        """Get summary of security violations.
-
-        Args:
-            user_id: Optional user ID to filter by
-
-        Returns:
-            Dictionary with violation statistics
-
-        Example:
-            >>> summary = logger.get_violation_summary(user_id="user@company.com")
-            >>> print(f"Total violations: {summary['total_violations']}")
-
-        """
-        violations = self.query(event_type="security_violation", user_id=user_id)
-
-        by_type: dict[str, int] = {}
-        by_severity: dict[str, int] = {}
-        by_user: dict[str, int] = {}
-
-        for violation in violations:
-            vtype = str(violation.get("violation", {}).get("type", "unknown"))
-            severity = str(violation.get("violation", {}).get("severity", "unknown"))
-            vid = str(violation.get("user_id", "unknown"))
-
-            by_type[vtype] = by_type.get(vtype, 0) + 1
-            by_severity[severity] = by_severity.get(severity, 0) + 1
-            by_user[vid] = by_user.get(vid, 0) + 1
-
-        summary: dict[str, int | dict[str, int]] = {
-            "total_violations": len(violations),
-            "by_type": by_type,
-            "by_severity": by_severity,
-            "by_user": by_user,
-        }
-
-        return summary
-
-    def get_compliance_report(
-        self,
-        start_date: datetime | None = None,
-        end_date: datetime | None = None,
-    ) -> dict[str, Any]:
-        """Generate compliance report for audit period.
-
-        Provides statistics for compliance audits (SOC2, HIPAA, GDPR).
-
-        Args:
-            start_date: Start of audit period
-            end_date: End of audit period
-
-        Returns:
-            Dictionary with compliance statistics
-
-        Example:
-            >>> from datetime import datetime, timedelta
-            >>> report = logger.get_compliance_report(
-            ...     start_date=datetime.utcnow() - timedelta(days=30)
-            ... )
-            >>> print(f"Total LLM requests: {report['llm_requests']['total']}")
-
-        """
-        # Query all events in period
-        all_events = self.query(start_date=start_date, end_date=end_date, limit=100000)
-
-        report: dict[str, Any] = {
-            "period": {
-                "start": start_date.isoformat() if start_date else "all_time",
-                "end": end_date.isoformat() if end_date else "now",
-            },
-            "llm_requests": {
-                "total": 0,
-                "with_pii_detected": 0,
-                "with_secrets_detected": 0,
-                "sanitization_applied": 0,
-            },
-            "pattern_storage": {
-                "total": 0,
-                "by_classification": {"PUBLIC": 0, "INTERNAL": 0, "SENSITIVE": 0},
-                "with_pii_scrubbed": 0,
-                "encrypted": 0,
-            },
-            "pattern_retrieval": {
-                "total": 0,
-                "by_classification": {"PUBLIC": 0, "INTERNAL": 0, "SENSITIVE": 0},
-                "access_denied": 0,
-            },
-            "security_violations": {"total": 0, "by_severity": {}, "by_type": {}},
-            "compliance_metrics": {
-                "gdpr_compliant_rate": 0.0,
-                "hipaa_compliant_rate": 0.0,
-                "soc2_compliant_rate": 0.0,
-            },
-        }
-
-        total_compliance_checks = 0
-        gdpr_compliant = 0
-        hipaa_compliant = 0
-        soc2_compliant = 0
-
-        for event in all_events:
-            event_type = event.get("event_type")
-
-            if event_type == "llm_request":
-                report["llm_requests"]["total"] += 1
-                security = event.get("security", {})
-                if security.get("pii_detected", 0) > 0:
-                    report["llm_requests"]["with_pii_detected"] += 1
-                if security.get("secrets_detected", 0) > 0:
-                    report["llm_requests"]["with_secrets_detected"] += 1
-                if security.get("sanitization_applied"):
-                    report["llm_requests"]["sanitization_applied"] += 1
-
-            elif event_type == "store_pattern":
-                report["pattern_storage"]["total"] += 1
-                pattern = event.get("pattern", {})
-                classification = pattern.get("classification", "INTERNAL")
-                report["pattern_storage"]["by_classification"][classification] = (
-                    report["pattern_storage"]["by_classification"].get(classification, 0) + 1
-                )
-                if event.get("security", {}).get("pii_scrubbed", 0) > 0:
-                    report["pattern_storage"]["with_pii_scrubbed"] += 1
-                if pattern.get("encrypted"):
-                    report["pattern_storage"]["encrypted"] += 1
-
-            elif event_type == "retrieve_pattern":
-                report["pattern_retrieval"]["total"] += 1
-                pattern = event.get("pattern", {})
-                classification = pattern.get("classification", "INTERNAL")
-                report["pattern_retrieval"]["by_classification"][classification] = (
-                    report["pattern_retrieval"]["by_classification"].get(classification, 0) + 1
-                )
-                if not event.get("access", {}).get("granted", True):
-                    report["pattern_retrieval"]["access_denied"] += 1
-
-            elif event_type == "security_violation":
-                report["security_violations"]["total"] += 1
-                violation = event.get("violation", {})
-                vtype = violation.get("type", "unknown")
-                severity = violation.get("severity", "unknown")
-                report["security_violations"]["by_type"][vtype] = (
-                    report["security_violations"]["by_type"].get(vtype, 0) + 1
-                )
-                report["security_violations"]["by_severity"][severity] = (
-                    report["security_violations"]["by_severity"].get(severity, 0) + 1
-                )
-
-            # Track compliance rates
-            compliance = event.get("compliance", {})
-            if compliance:
-                total_compliance_checks += 1
-                if compliance.get("gdpr_compliant"):
-                    gdpr_compliant += 1
-                if compliance.get("hipaa_compliant"):
-                    hipaa_compliant += 1
-                if compliance.get("soc2_compliant"):
-                    soc2_compliant += 1
-
-        # Calculate compliance rates
-        if total_compliance_checks > 0:
-            report["compliance_metrics"]["gdpr_compliant_rate"] = (
-                gdpr_compliant / total_compliance_checks
-            )
-            report["compliance_metrics"]["hipaa_compliant_rate"] = (
-                hipaa_compliant / total_compliance_checks
-            )
-            report["compliance_metrics"]["soc2_compliant_rate"] = (
-                soc2_compliant / total_compliance_checks
-            )
-
-        return report