iam-policy-validator 1.14.6__py3-none-any.whl → 1.15.0__py3-none-any.whl

iam_validator/commands/completion.py

@@ -6,6 +6,8 @@ The generated scripts provide intelligent autocompletion for:
 - Command options (--service, --access-level, etc.)
 - Cached AWS service names (for --service flag)
 
+Both `iam-validator` and `iam-policy-validator` commands are supported.
+
 Usage:
     # Bash completion
     iam-validator completion bash > ~/.bash_completion.d/iam-validator
@@ -135,7 +137,7 @@ _iam_validator_completion() {{
     prev="${{COMP_WORDS[COMP_CWORD-1]}}"
 
     # Main commands
-    local commands="validate post-to-pr analyze cache sync-services query completion"
+    local commands="validate post-to-pr analyze cache sync-services query completion mcp"
 
     # Get the command (first non-option argument)
     local cmd=""
@@ -186,7 +188,7 @@ _iam_validator_completion() {{
             COMPREPLY=( $(compgen -f -- "$cur") )
             return 0
             ;;
-        --resource-type|--condition|--name|--batch-size)
+        --resource-type|--condition|--name|--batch-size|--host|--port)
             # Allow any input
             return 0
             ;;
@@ -194,8 +196,23 @@ _iam_validator_completion() {{
             COMPREPLY=( $(compgen -W "bash zsh" -- "$cur") )
             return 0
             ;;
+        --transport)
+            COMPREPLY=( $(compgen -W "stdio sse" -- "$cur") )
+            return 0
+            ;;
+        --config)
+            # File completion for config
+            COMPREPLY=( $(compgen -f -- "$cur") )
+            return 0
+            ;;
     esac
 
+    # Handle cache list --format specifically
+    if [[ "$cmd" == "cache" && "$prev" == "--format" ]]; then
+        COMPREPLY=( $(compgen -W "table columns simple" -- "$cur") )
+        return 0
+    fi
+
     # Command-specific completions
     case "$cmd" in
         query)
@@ -215,10 +232,12 @@ _iam_validator_completion() {{
             fi
 
             # Complete options for query subcommands
+            # Note: --service is optional if --name includes service prefix (e.g., s3:GetObject)
+            # Note: --name accepts multiple values and supports wildcards
             local opts=""
             case "$query_subcmd" in
                 action)
-                    opts="--service --name --access-level --resource-type --condition --output"
+                    opts="--service --name --access-level --resource-type --condition --output --show-condition-keys --show-resource-types --show-access-level"
                     ;;
                 arn)
                     opts="--service --name --list-arn-types --output"
@@ -276,7 +295,16 @@ _iam_validator_completion() {{
                 COMPREPLY=( $(compgen -W "info list clear refresh prefetch location" -- "$cur") )
                 return 0
             fi
-            # Cache subcommands have no additional options
+
+            # Cache subcommand-specific options
+            case "$cache_subcmd" in
+                list)
+                    COMPREPLY=( $(compgen -W "--config --format" -- "$cur") )
+                    ;;
+                info|clear|refresh|prefetch|location)
+                    COMPREPLY=( $(compgen -W "--config" -- "$cur") )
+                    ;;
+            esac
             return 0
             ;;
         sync-services)
@@ -284,12 +312,18 @@ _iam_validator_completion() {{
             COMPREPLY=( $(compgen -W "$opts" -- "$cur") )
             return 0
             ;;
+        mcp)
+            opts="--transport --host --port --verbose -v --config --instructions --instructions-file"
+            COMPREPLY=( $(compgen -W "$opts" -- "$cur") )
+            return 0
+            ;;
     esac
 
     return 0
 }}
 
 complete -F _iam_validator_completion iam-validator
+complete -F _iam_validator_completion iam-policy-validator
 '''
 
     def _generate_zsh_completion(self) -> str:
@@ -302,8 +336,8 @@ complete -F _iam_validator_completion iam-validator
         # For zsh, we need to format as: 'service1' 'service2' ...
         services_list = " ".join(f"'{svc}'" for svc in cached_services) if cached_services else ""
 
-        return f"""#compdef iam-validator
-# Zsh completion for iam-validator
+        return f"""#compdef iam-validator iam-policy-validator
+# Zsh completion for iam-validator and iam-policy-validator
 # Generated by: iam-validator completion zsh
 
 _iam_validator() {{
@@ -332,24 +366,27 @@ _iam_validator() {{
                             case $words[1] in
                                 action)
                                     _arguments \\
-                                        '--service[AWS service name]:service:($aws_services)' \\
-                                        '--name[Action name]:action name:' \\
+                                        '--service[AWS service (optional if --name has prefix)]:service:($aws_services)' \\
+                                        '*--name[Action name(s) - supports multiple values and wildcards]:action name:' \\
                                         '--access-level[Filter by access level]:access level:(read write list tagging permissions-management)' \\
                                         '--resource-type[Filter by resource type]:resource type:' \\
                                         '--condition[Filter by condition key]:condition key:' \\
-                                        '--output[Output format]:format:(json yaml text)'
+                                        '--output[Output format]:format:(json yaml text)' \\
+                                        '--show-condition-keys[Show only condition keys for each action]' \\
+                                        '--show-resource-types[Show only resource types for each action]' \\
+                                        '--show-access-level[Show only access level for each action]'
                                     ;;
                                 arn)
                                     _arguments \\
-                                        '--service[AWS service name]:service:($aws_services)' \\
-                                        '--name[ARN resource type]:arn type:' \\
+                                        '--service[AWS service (optional if --name has prefix)]:service:($aws_services)' \\
+                                        '--name[ARN type (e.g., bucket or s3:bucket)]:arn type:' \\
                                         '--list-arn-types[List all ARN types]' \\
                                         '--output[Output format]:format:(json yaml text)'
                                     ;;
                                 condition)
                                     _arguments \\
-                                        '--service[AWS service name]:service:($aws_services)' \\
-                                        '--name[Condition key name]:condition key:' \\
+                                        '--service[AWS service (optional if --name has prefix)]:service:($aws_services)' \\
+                                        '--name[Condition key (e.g., prefix or s3:prefix)]:condition key:' \\
                                         '--output[Output format]:format:(json yaml text)'
                                     ;;
                             esac
@@ -414,8 +451,26 @@ _iam_validator() {{
                         '(--verbose -v)'{{--verbose,-v}}'[Enable verbose logging]'
                     ;;
                 cache)
-                    _arguments \\
-                        '1: :(info list clear refresh prefetch location)'
+                    local cache_state
+                    _arguments -C \\
+                        '1: :_iam_validator_cache_subcommands' \\
+                        '*::arg:->cache_args' && return 0
+
+                    case $state in
+                        cache_args)
+                            case $words[1] in
+                                info|clear|refresh|prefetch|location)
+                                    _arguments \\
+                                        '--config[Configuration file]:file:_files'
+                                    ;;
+                                list)
+                                    _arguments \\
+                                        '--config[Configuration file]:file:_files' \\
+                                        '--format[Output format]:format:(table columns simple)'
+                                    ;;
+                            esac
+                            ;;
+                    esac
                     ;;
                 sync-services)
                     _arguments \\
@@ -426,6 +481,16 @@ _iam_validator() {{
                     _arguments \\
                         '1: :(bash zsh)'
                     ;;
+                mcp)
+                    _arguments \\
+                        '--transport[Transport protocol]:transport:(stdio sse)' \\
+                        '--host[Host for SSE transport]:host:' \\
+                        '--port[Port for SSE transport]:port:' \\
+                        '(--verbose -v)'{{--verbose,-v}}'[Enable verbose logging]' \\
+                        '--config[Path to configuration YAML file]:file:_files' \\
+                        '--instructions[Custom instructions for policy generation]:text:' \\
+                        '--instructions-file[Path to file containing custom instructions]:file:_files'
+                    ;;
             esac
             ;;
     esac
@@ -441,6 +506,7 @@ _iam_validator_commands() {{
         'sync-services:Sync/download all AWS service definitions for offline use'
         'query:Query AWS service definitions (actions, ARNs, condition keys)'
         'completion:Generate shell completion scripts (bash or zsh)'
+        'mcp:Start MCP server for AI assistant integration'
     )
     _describe 'command' commands
 }}
@@ -455,6 +521,19 @@ _iam_validator_query_subcommands() {{
     _describe 'query subcommand' subcommands
 }}
 
+_iam_validator_cache_subcommands() {{
+    local -a subcommands
+    subcommands=(
+        'info:Show cache information and statistics'
+        'list:List all cached AWS services'
+        'clear:Clear all cached AWS service definitions'
+        'refresh:Refresh all cached services with fresh data'
+        'prefetch:Pre-fetch common AWS services (without clearing)'
+        'location:Show cache directory location'
+    )
+    _describe 'cache subcommand' subcommands
+}}
+
 _iam_validator "$@"
 """
 

iam_validator/commands/mcp.py

@@ -0,0 +1,210 @@
+"""MCP command for IAM Policy Validator."""
+
+import argparse
+import logging
+
+from iam_validator.commands.base import Command
+
+
+class MCPCommand(Command):
+    """Command to start MCP server for AI assistant integration."""
+
+    @property
+    def name(self) -> str:
+        return "mcp"
+
+    @property
+    def help(self) -> str:
+        return "Start MCP server for AI assistant integration"
+
+    @property
+    def epilog(self) -> str:
+        return """
+Examples:
+  # Start MCP server with stdio transport (for Claude Desktop)
+  iam-validator mcp
+
+  # Start with SSE transport on custom host/port
+  iam-validator mcp --transport sse --host 127.0.0.1 --port 8000
+
+  # Start with config preloaded
+  iam-validator mcp --config ./config.yaml
+
+Claude Desktop Configuration:
+  Add to your claude_desktop_config.json:
+  {
+    "mcpServers": {
+      "iam-validator": {
+        "command": "iam-validator",
+        "args": ["mcp"]
+      }
+    }
+  }
+
+  With configuration:
+  {
+    "mcpServers": {
+      "iam-validator": {
+        "command": "iam-validator",
+        "args": ["mcp", "--config", "/path/to/config.yaml"]
+      }
+    }
+  }
+
+Config File (YAML) - same format as CLI validator:
+  settings:
+    fail_on_severity: [error, critical, high]
+  wildcard_resource:
+    severity: critical
+  sensitive_action:
+    enabled: true
+    severity: high
+
+Features:
+  - Policy generation from natural language descriptions
+  - Template-based policy generation (15 built-in templates)
+  - Policy validation with 19 security checks
+  - AWS service queries (actions, resources, condition keys)
+  - Security enforcement (auto-adds required conditions)
+  - Session-wide configuration management
+        """
+
+    def add_arguments(self, parser: argparse.ArgumentParser) -> None:
+        """Add MCP command arguments."""
+        parser.add_argument(
+            "--transport",
+            choices=["stdio", "sse"],
+            default="stdio",
+            help="Transport protocol (default: stdio for Claude Desktop, sse for HTTP/SSE)",
+        )
+
+        parser.add_argument(
+            "--host",
+            default="127.0.0.1",
+            help="Host for SSE transport (default: 127.0.0.1)",
+        )
+
+        parser.add_argument(
+            "--port",
+            type=int,
+            default=8000,
+            help="Port for SSE transport (default: 8000)",
+        )
+
+        parser.add_argument(
+            "--verbose",
+            "-v",
+            action="store_true",
+            help="Enable verbose logging",
+        )
+
+        parser.add_argument(
+            "--config",
+            type=str,
+            metavar="FILE",
+            help="Path to configuration YAML file to load at startup",
+        )
+
+    async def execute(self, args: argparse.Namespace) -> int:
+        """Execute the MCP server command.
+
+        Args:
+            args: Parsed command-line arguments
+
+        Returns:
+            Exit code (0 for success, non-zero for failure)
+        """
+        # Check if fastmcp is installed
+        try:
+            import fastmcp  # noqa: F401
+        except ImportError:
+            logging.error(
+                "FastMCP is not installed. Install with: uv sync --extra mcp or pip install 'iam-validator[mcp]'"
+            )
+            return 1
+
+        # Import and create the MCP server
+        try:
+            from iam_validator.mcp import create_server
+        except ImportError as e:
+            logging.error(f"Failed to import MCP server: {e}")
+            logging.error(
+                "Make sure the MCP module is properly installed with: uv sync --extra mcp"
+            )
+            return 1
+
+        # Set up logging level
+        if args.verbose:
+            logging.basicConfig(level=logging.DEBUG)
+        else:
+            logging.basicConfig(level=logging.INFO)
+
+        # Load config if provided
+        if args.config:
+            try:
+                from pathlib import Path
+
+                from iam_validator.mcp.session_config import SessionConfigManager
+
+                config_path = Path(args.config)
+                if not config_path.exists():
+                    logging.error(f"Config file not found: {args.config}")
+                    return 1
+
+                config, warnings = SessionConfigManager.load_from_file(str(config_path))
+
+                for warning in warnings:
+                    logging.warning(f"Config warning: {warning}")
+
+                logging.info(f"Loaded config from: {args.config}")
+
+                # Log config summary
+                if config.settings:
+                    fail_on = config.settings.get("fail_on_severity", [])
+                    if fail_on:
+                        logging.info(f"  Fail on severity: {fail_on}")
+
+                if config.checks_config:
+                    disabled_checks = [
+                        k for k, v in config.checks_config.items() if not v.get("enabled", True)
+                    ]
+                    if disabled_checks:
+                        logging.info(f"  Disabled checks: {disabled_checks}")
+
+            except Exception as e:
+                logging.error(f"Failed to load config: {e}")
+                if args.verbose:
+                    import traceback
+
+                    traceback.print_exc()
+                return 1
+
+        try:
+            # Create and run the server
+            server = create_server()
+
+            if args.transport == "stdio":
+                logging.info("Starting MCP server with stdio transport...")
+                logging.info("Waiting for client connection...")
+                # Run with stdio transport using async method
+                await server.run_stdio_async()
+            else:
+                # SSE transport
+                logging.info(
+                    f"Starting MCP server with SSE transport on {args.host}:{args.port}..."
+                )
+                # Run with SSE transport using async method
+                await server.run_http_async(host=args.host, port=args.port)
+
+            return 0
+
+        except KeyboardInterrupt:
+            logging.info("\nMCP server stopped by user")
+            return 0
+        except Exception as e:
+            logging.error(f"Failed to start MCP server: {e}")
+            if args.verbose:
+                import traceback
+
+                traceback.print_exc()
+            return 1