humanbound-cli 0.3.5__tar.gz → 0.4.0__tar.gz

{humanbound_cli-0.3.5 → humanbound_cli-0.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: humanbound-cli
-Version: 0.3.5
+Version: 0.4.0
 Summary: Humanbound CLI - command line interface for AI agent security testing.
 Author-email: Kostas Siabanis <hello@humanbound.ai>, Demetris Gerogiannis <hello@humanbound.ai>
 License: Apache-2.0
@@ -19,6 +19,8 @@ Requires-Dist: click>=8.1.0
 Requires-Dist: rich>=13.0.0
 Requires-Dist: requests>=2.32.0
 Requires-Dist: pyyaml>=6.0.0
+Requires-Dist: msal>=1.31.0
+Requires-Dist: pyperclip>=1.8.0
 Provides-Extra: serve
 Requires-Dist: websockets>=12.0; extra == "serve"
 Provides-Extra: pytest
@@ -33,7 +35,7 @@ Requires-Dist: pytest-cov>=4.0.0; extra == "dev"
 
 [![PyPI](https://img.shields.io/pypi/v/humanbound-cli)](https://pypi.org/project/humanbound-cli/)
 [![License](https://img.shields.io/badge/license-proprietary-blue)]()
-[![Version](https://img.shields.io/badge/version-0.2.0-green)]()
+[![Version](https://img.shields.io/badge/version-0.4.0-green)]()
 
 ```
 pip install humanbound-cli
@@ -54,6 +56,7 @@ Humanbound runs automated adversarial attacks against your bot's live endpoint,
 | **Adversarial Testing** | OWASP-aligned attack scenarios: single-turn, multi-turn, adaptive, and agentic. |
 | **Behavioral Testing** | Validate intent boundaries, response quality, and functional correctness. |
 | **Posture Scoring** | Quantified 0-100 security score with breakdown by findings, coverage, and resilience. Track over time. |
+| **Shadow AI Discovery** | Scan cloud tenants for AI services, assess risk with 15 SAI threat classes, and govern your AI inventory. |
 | **Guardrails Export** | Generate protection rules from test findings. Export to OpenAI, Azure AI Content Safety, AWS Bedrock, or Humanbound format. |
 
 ### Why Humanbound?
@@ -394,6 +397,58 @@ Continuous security assurance with automated campaign management (ASCAM).
 
 ASCAM phases: Reconnaissance → Hardening → Red Teaming → Analysis → Monitoring
 
+### Shadow AI Discovery
+
+Discover, assess, and govern AI services across your cloud environment.
+
+| Command | Description |
+|---------|-------------|
+| `discover` | Scan cloud tenant for AI services |
+
+Options: `--save` (persist to inventory), `--report` (HTML report), `--json` (JSON output), `--verbose` (raw API responses)
+
+### Cloud Connectors
+
+Register cloud connectors for persistent, repeatable discovery.
+
+| Command | Description |
+|---------|-------------|
+| `connectors` | List registered connectors |
+| `connectors add` | Register a new cloud connector |
+| `connectors test <id>` | Test connector connectivity |
+| `connectors update <id>` | Update connector credentials |
+| `connectors remove <id>` | Remove connector |
+
+<details>
+<summary><code>connectors add</code> options</summary>
+
+```
+--vendor            Cloud vendor (default: microsoft)
+--tenant-id         Cloud tenant ID (required)
+--client-id         App registration client ID (required)
+--client-secret     App registration client secret (prompted)
+--name              Display name for the connector
+```
+
+</details>
+
+### AI Inventory
+
+View and govern discovered AI assets.
+
+| Command | Description |
+|---------|-------------|
+| `inventory` | List all inventory assets |
+| `inventory view <id>` | View asset details |
+| `inventory update <id>` | Update governance fields |
+| `inventory posture` | View shadow AI posture score |
+| `inventory onboard <id>` | Create security testing project from asset |
+| `inventory archive <id>` | Archive an asset |
+
+Options for `inventory`: `--category`, `--risk-level`, `--json`
+
+Options for `inventory update`: `--sanctioned / --unsanctioned`, `--owner`, `--department`, `--business-purpose`, `--has-policy / --no-policy`, `--has-risk-assessment / --no-risk-assessment`
+
 ### Upload Conversation Logs
 
 Evaluate real production conversations against security judges.
@@ -518,6 +573,24 @@ hb init -n "My Bot" -e ./bot-config.json
 hb test -e ./bot-config.json
 ```
 
+### Shadow AI discovery & governance
+
+```bash
+# Register a cloud connector
+hb connectors add --tenant-id abc --client-id def --client-secret
+
+# Scan, save to inventory, and export report
+hb discover --save --report
+
+# Review and govern assets
+hb inventory
+hb inventory update <id> --sanctioned --owner "security@company.com"
+
+# Onboard high-risk asset for security testing
+hb inventory onboard <id>
+hb test
+```
+
 ### Export guardrails
 
 ```bash

{humanbound_cli-0.3.5 → humanbound_cli-0.4.0}/README.md

@@ -4,7 +4,7 @@
 
 [![PyPI](https://img.shields.io/pypi/v/humanbound-cli)](https://pypi.org/project/humanbound-cli/)
 [![License](https://img.shields.io/badge/license-proprietary-blue)]()
-[![Version](https://img.shields.io/badge/version-0.2.0-green)]()
+[![Version](https://img.shields.io/badge/version-0.4.0-green)]()
 
 ```
 pip install humanbound-cli
@@ -25,6 +25,7 @@ Humanbound runs automated adversarial attacks against your bot's live endpoint,
 | **Adversarial Testing** | OWASP-aligned attack scenarios: single-turn, multi-turn, adaptive, and agentic. |
 | **Behavioral Testing** | Validate intent boundaries, response quality, and functional correctness. |
 | **Posture Scoring** | Quantified 0-100 security score with breakdown by findings, coverage, and resilience. Track over time. |
+| **Shadow AI Discovery** | Scan cloud tenants for AI services, assess risk with 15 SAI threat classes, and govern your AI inventory. |
 | **Guardrails Export** | Generate protection rules from test findings. Export to OpenAI, Azure AI Content Safety, AWS Bedrock, or Humanbound format. |
 
 ### Why Humanbound?
@@ -365,6 +366,58 @@ Continuous security assurance with automated campaign management (ASCAM).
 
 ASCAM phases: Reconnaissance → Hardening → Red Teaming → Analysis → Monitoring
 
+### Shadow AI Discovery
+
+Discover, assess, and govern AI services across your cloud environment.
+
+| Command | Description |
+|---------|-------------|
+| `discover` | Scan cloud tenant for AI services |
+
+Options: `--save` (persist to inventory), `--report` (HTML report), `--json` (JSON output), `--verbose` (raw API responses)
+
+### Cloud Connectors
+
+Register cloud connectors for persistent, repeatable discovery.
+
+| Command | Description |
+|---------|-------------|
+| `connectors` | List registered connectors |
+| `connectors add` | Register a new cloud connector |
+| `connectors test <id>` | Test connector connectivity |
+| `connectors update <id>` | Update connector credentials |
+| `connectors remove <id>` | Remove connector |
+
+<details>
+<summary><code>connectors add</code> options</summary>
+
+```
+--vendor            Cloud vendor (default: microsoft)
+--tenant-id         Cloud tenant ID (required)
+--client-id         App registration client ID (required)
+--client-secret     App registration client secret (prompted)
+--name              Display name for the connector
+```
+
+</details>
+
+### AI Inventory
+
+View and govern discovered AI assets.
+
+| Command | Description |
+|---------|-------------|
+| `inventory` | List all inventory assets |
+| `inventory view <id>` | View asset details |
+| `inventory update <id>` | Update governance fields |
+| `inventory posture` | View shadow AI posture score |
+| `inventory onboard <id>` | Create security testing project from asset |
+| `inventory archive <id>` | Archive an asset |
+
+Options for `inventory`: `--category`, `--risk-level`, `--json`
+
+Options for `inventory update`: `--sanctioned / --unsanctioned`, `--owner`, `--department`, `--business-purpose`, `--has-policy / --no-policy`, `--has-risk-assessment / --no-risk-assessment`
+
 ### Upload Conversation Logs
 
 Evaluate real production conversations against security judges.
@@ -489,6 +542,24 @@ hb init -n "My Bot" -e ./bot-config.json
 hb test -e ./bot-config.json
 ```
 
+### Shadow AI discovery & governance
+
+```bash
+# Register a cloud connector
+hb connectors add --tenant-id abc --client-id def --client-secret
+
+# Scan, save to inventory, and export report
+hb discover --save --report
+
+# Review and govern assets
+hb inventory
+hb inventory update <id> --sanctioned --owner "security@company.com"
+
+# Onboard high-risk asset for security testing
+hb inventory onboard <id>
+hb test
+```
+
 ### Export guardrails
 
 ```bash

{humanbound_cli-0.3.5 → humanbound_cli-0.4.0}/humanbound_cli/client.py

@@ -1,6 +1,7 @@
 """Humanbound API client with OAuth authentication."""
 
 import json
+import os
 import time
 import webbrowser
 import http.server
@@ -16,6 +17,7 @@ from pathlib import Path
 import requests
 
 from .config import (
+    DEFAULT_BASE_URL,
     get_base_url,
     get_auth0_domain,
     get_auth0_client_id,
@@ -547,7 +549,8 @@ class HumanboundClient:
             self._default_organisation_id = credentials.get("default_organisation_id")
             # Restore saved base_url unless explicitly overridden via --base-url or env var
             saved_url = credentials.get("base_url")
-            if saved_url and self.base_url == get_base_url().rstrip("/"):
+            env_override = os.environ.get("HUMANBOUND_BASE_URL")
+            if saved_url and not env_override and self.base_url == DEFAULT_BASE_URL.rstrip("/"):
                 self.base_url = saved_url.rstrip("/")
 
     def _load_credentials_file(self) -> dict:
@@ -1081,6 +1084,7 @@ class HumanboundClient:
             data["lang"] = lang
         return self.post(f"projects/{project_id}/datasets/conversations", data=data, include_project=True)
 
+
     # -------------------------------------------------------------------------
     # Subscription Methods
     # -------------------------------------------------------------------------
@@ -1145,6 +1149,150 @@ class HumanboundClient:
             data["event_type"] = event_type
         return self.post(f"organisations/{org_id}/webhooks/{webhook_id}/replay", data=data, include_org=False)
 
+    # -------------------------------------------------------------------------
+    # Connector & Inventory Methods (Shadow AI Discovery)
+    # -------------------------------------------------------------------------
+
+    def create_connector(self, vendor: str, tenant_id: str, client_id: str, client_secret: str,
+                         display_name: Optional[str] = None, scopes: Optional[List[str]] = None) -> dict:
+        """Register a new cloud connector."""
+        if not self._organisation_id:
+            raise ValidationError("No organisation selected.")
+        data = {
+            "vendor": vendor,
+            "credentials": {
+                "tenant_id": tenant_id,
+                "client_id": client_id,
+                "client_secret": client_secret,
+            },
+        }
+        if display_name:
+            data["display_name"] = display_name
+        if scopes:
+            data["scopes"] = scopes
+        return self.post("connectors", data=data)
+
+    def list_connectors(self) -> list:
+        """List all connectors for the current organisation."""
+        if not self._organisation_id:
+            raise ValidationError("No organisation selected.")
+        return self.get("connectors")
+
+    def get_connector(self, connector_id: str) -> dict:
+        """Get a single connector."""
+        if not self._organisation_id:
+            raise ValidationError("No organisation selected.")
+        return self.get(f"connectors/{connector_id}")
+
+    def update_connector(self, connector_id: str, data: dict) -> dict:
+        """Update a connector."""
+        if not self._organisation_id:
+            raise ValidationError("No organisation selected.")
+        return self.put(f"connectors/{connector_id}", data=data)
+
+    def delete_connector(self, connector_id: str) -> None:
+        """Delete a connector."""
+        if not self._organisation_id:
+            raise ValidationError("No organisation selected.")
+        self.delete(f"connectors/{connector_id}")
+
+    def test_connector(self, connector_id: str) -> dict:
+        """Test connection validity for a connector."""
+        if not self._organisation_id:
+            raise ValidationError("No organisation selected.")
+        return self.post(f"connectors/{connector_id}/test")
+
+    def trigger_discovery(self, connector_id: str) -> dict:
+        """Trigger a discovery scan for a connector."""
+        if not self._organisation_id:
+            raise ValidationError("No organisation selected.")
+        return self.post(
+            "discover",
+            data={"connector_id": connector_id},
+            timeout=LONG_TIMEOUT,
+        )
+
+    def list_inventory(self, category: Optional[str] = None, vendor: Optional[str] = None,
+                       risk_level: Optional[str] = None, is_sanctioned: Optional[bool] = None,
+                       page: int = 1, size: int = 50) -> dict:
+        """List discovered inventory assets."""
+        if not self._organisation_id:
+            raise ValidationError("No organisation selected.")
+        params: Dict[str, Any] = {"page": page, "size": size}
+        if category:
+            params["category"] = category
+        if vendor:
+            params["vendor"] = vendor
+        if risk_level:
+            params["risk_level"] = risk_level
+        if is_sanctioned is not None:
+            params["is_sanctioned"] = str(is_sanctioned).lower()
+        return self.get("inventory", params=params)
+
+    def get_inventory_asset(self, asset_id: str) -> dict:
+        """Get a single inventory asset."""
+        if not self._organisation_id:
+            raise ValidationError("No organisation selected.")
+        return self.get(f"inventory/{asset_id}")
+
+    def update_inventory_asset(self, asset_id: str, data: dict) -> dict:
+        """Update governance fields on an inventory asset."""
+        if not self._organisation_id:
+            raise ValidationError("No organisation selected.")
+        return self.put(f"inventory/{asset_id}", data=data)
+
+    def archive_inventory_asset(self, asset_id: str) -> dict:
+        """Archive an inventory asset."""
+        if not self._organisation_id:
+            raise ValidationError("No organisation selected.")
+        return self.put(f"inventory/{asset_id}/archive")
+
+    def get_shadow_posture(self) -> dict:
+        """Get shadow AI posture from the org posture endpoint."""
+        org_id = self._organisation_id
+        if not org_id:
+            raise ValidationError("No organisation selected.")
+        result = self.get(f"organisations/{org_id}/posture", include_org=False)
+        shadow = result.get("dimensions", {}).get("shadow_ai")
+        if not shadow:
+            return {"score": 100.0, "grade": "A", "total_assets": 0,
+                    "shadow_count": 0, "sanctioned_count": 0, "domain_scores": {}}
+        return shadow
+
+    def persist_discovery(self, nonce: str) -> dict:
+        """Persist analysed discovery results to inventory.
+
+        POST /organisations/{org_id}/analyse/persist with x-nonce header.
+
+        Args:
+            nonce: Single-use nonce from the /analyse response.
+
+        Returns:
+            Persistence summary dict.
+        """
+        org_id = self._organisation_id
+        if not org_id:
+            raise ValidationError("No organisation selected.")
+        self._ensure_authenticated()
+        headers = self._get_headers(include_org=False)
+        headers["x-nonce"] = nonce
+        response = requests.post(
+            f"{self.base_url}/organisations/{org_id}/analyse/persist",
+            headers=headers,
+            json={},
+            timeout=LONG_TIMEOUT,
+        )
+        return self._handle_response(response)
+
+    def onboard_inventory_asset(self, asset_id: str, project_name: Optional[str] = None) -> dict:
+        """Create a project from an inventory asset."""
+        if not self._organisation_id:
+            raise ValidationError("No organisation selected.")
+        data = {}
+        if project_name:
+            data["name"] = project_name
+        return self.post(f"inventory/{asset_id}/onboard", data=data)
+
 
 # Import ValidationError to this module
 from .exceptions import ValidationError

{humanbound_cli-0.3.5 → humanbound_cli-0.4.0}/humanbound_cli/commands/__init__.py

@@ -3,7 +3,8 @@
 from . import (
     auth, orgs, projects, experiments, init, test, logs, posture,
     guardrails, docs, providers, findings, api_keys, members,
-    coverage, campaigns, upload_logs, sentinel,
+    coverage, campaigns, upload_logs, sentinel, discover,
+    connectors, inventory, completion,
 )
 
 __all__ = [
@@ -25,4 +26,8 @@ __all__ = [
     "campaigns",
     "upload_logs",
     "sentinel",
+    "discover",
+    "connectors",
+    "inventory",
+    "completion",
 ]

humanbound_cli-0.4.0/humanbound_cli/commands/completion.py

@@ -0,0 +1,69 @@
+"""Shell tab-completion setup for the hb CLI."""
+
+import os
+import subprocess
+
+import click
+
+
+_SHELL_ENV_VARS = {
+    "bash": "_HB_COMPLETE=bash_source",
+    "zsh": "_HB_COMPLETE=zsh_source",
+    "fish": "_HB_COMPLETE=fish_source",
+}
+
+_INSTALL_HINTS = {
+    "bash": 'eval "$(hb completion bash)"  # or: hb completion bash >> ~/.bashrc',
+    "zsh": 'eval "$(hb completion zsh)"   # or: hb completion zsh >> ~/.zshrc',
+    "fish": "hb completion fish > ~/.config/fish/completions/hb.fish",
+}
+
+
+def _detect_shell() -> str | None:
+    """Detect the current shell from $SHELL."""
+    shell_path = os.environ.get("SHELL", "")
+    basename = os.path.basename(shell_path)
+    if basename in _SHELL_ENV_VARS:
+        return basename
+    return None
+
+
+@click.command("completion")
+@click.argument("shell", required=False, type=click.Choice(["bash", "zsh", "fish"]))
+def completion_command(shell: str | None):
+    """Enable shell tab completion for hb.
+
+    Prints the completion script for your shell. Add it to your profile:
+
+    \b
+      hb completion bash >> ~/.bashrc
+      hb completion zsh  >> ~/.zshrc
+      hb completion fish > ~/.config/fish/completions/hb.fish
+    """
+    if not shell:
+        shell = _detect_shell()
+        if not shell:
+            raise click.ClickException(
+                "Could not detect shell. Specify one explicitly: hb completion bash|zsh|fish"
+            )
+
+    env_var = _SHELL_ENV_VARS[shell]
+    key, value = env_var.split("=", 1)
+
+    env = {**os.environ, key: value}
+    result = subprocess.run(
+        ["hb"],
+        env=env,
+        capture_output=True,
+        text=True,
+    )
+
+    if result.stdout:
+        click.echo(result.stdout)
+    else:
+        raise click.ClickException(
+            f"Failed to generate {shell} completion script. "
+            "Make sure 'hb' is installed and on your PATH."
+        )
+
+    click.echo(f"# Add to your profile: {_INSTALL_HINTS[shell]}", err=True)