PyPI - icdev - Versions diffs - 0.0.3__py3-none-any.whl - Mend

icdev 0.0.3__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1214) hide show

args/agent_config.yaml +113 -0
args/audit_regimes/cisa_sbd.json +381 -0
args/audit_regimes/cmmc_l2.json +906 -0
args/audit_regimes/dod_cssp.json +393 -0
args/audit_regimes/dodi_5000_87.json +297 -0
args/audit_regimes/fedramp_moderate.json +650 -0
args/audit_regimes/ieee_1012.json +373 -0
args/audit_regimes/nist_800_171.json +624 -0
args/audit_regimes/nist_800_53.json +907 -0
args/cloudforge_blueprints/aws_commercial.yaml +29 -0
args/cloudforge_blueprints/aws_govcloud_il4.yaml +34 -0
args/cloudforge_blueprints/aws_govcloud_il5.yaml +38 -0
args/cloudforge_blueprints/azure_commercial.yaml +28 -0
args/cloudforge_blueprints/azure_gov_il4.yaml +32 -0
args/cloudforge_blueprints/azure_gov_il5.yaml +36 -0
args/cloudforge_blueprints/gcp_commercial.yaml +28 -0
args/cloudforge_blueprints/oci_commercial.yaml +28 -0
args/cloudforge_config.yaml +231 -0
args/cloudforge_runbook_templates/backup_verify.yaml +98 -0
args/cloudforge_runbook_templates/dr_failover.yaml +107 -0
args/cloudforge_runbook_templates/health_check.yaml +97 -0
args/cloudforge_runbook_templates/incident_response.yaml +101 -0
args/cloudforge_runbook_templates/migration_cutover.yaml +105 -0
args/cloudforge_runbook_templates/patch_rollout.yaml +92 -0
args/cloudforge_runbook_templates/zone_provision.yaml +93 -0
args/code_pattern_config.yaml +151 -0
args/code_quality_config.yaml +47 -0
args/compliance_config.yaml +17 -0
args/control_inheritance.yaml +177 -0
args/csp_mcp_config.yaml +41 -0
args/cui_markings.yaml +35 -0
args/databridge_config.yaml +232 -0
args/db_config.yaml +116 -0
args/decision_tables/agent_trust_decision.yaml +143 -0
args/decision_tables/ato_boundary_impact.yaml +132 -0
args/decision_tables/deployment_approval.yaml +152 -0
args/degradation_matrix.yaml +163 -0
args/devsecops_config.yaml +286 -0
args/endpoint_security_config.yaml +207 -0
args/exit_criteria.yaml +102 -0
args/feature_flags.yaml +235 -0
args/file_access_tiers.yaml +88 -0
args/forge_studio/blueprint_config.yaml +27 -0
args/forge_studio/component_catalog.json +411 -0
args/forge_studio/workflow_templates.yaml +103 -0
args/govcon_config.yaml +41 -0
args/harness_config.yaml +67 -0
args/innovation_config.yaml +321 -0
args/knowledge_graph_config.yaml +113 -0
args/llm_config.yaml +222 -0
args/marketplace_config.yaml +260 -0
args/monitoring_config.yaml +127 -0
args/mosa_config.yaml +190 -0
args/observability_tracing_config.yaml +170 -0
args/owasp_agentic_config.yaml +171 -0
args/pipeline_gates.yaml +197 -0
args/project_defaults.yaml +235 -0
args/prompt_chains.yaml +163 -0
args/rag_config.yaml +167 -0
args/research_config.yaml +89 -0
args/resilience_config.yaml +197 -0
args/ricoas_config.yaml +191 -0
args/security_gates.yaml +763 -0
args/storage_config.yaml +63 -0
args/writeguard_config.yaml +131 -0
args/zta_config.yaml +247 -0
context/__init__.py +6 -0
context/agent/__init__.py +6 -0
context/agent/response_schemas/__init__.py +6 -0
context/agent/response_schemas/debate_position.json +46 -0
context/agent/response_schemas/fitness_scorecard.json +74 -0
context/agent/response_schemas/review_decision.json +39 -0
context/agent/response_schemas/task_decomposition.json +82 -0
context/agent/response_schemas/veto_decision.json +40 -0
context/agentic/__init__.py +6 -0
context/agentic/architecture_patterns.md +269 -0
context/agentic/capability_registry.yaml +223 -0
context/agentic/csp_integration.md +30 -0
context/agentic/csp_mcp_registry.yaml +280 -0
context/agentic/fitness_rubric.md +56 -0
context/agentic/governance_baseline.md +205 -0
context/ci/__init__.py +6 -0
context/ci/worktree_templates.json +44 -0
context/cloud/__init__.py +6 -0
context/cloud/csp_service_registry.json +739 -0
context/compliance/__init__.py +6 -0
context/compliance/ai_rmf_crosswalk.yaml +226 -0
context/compliance/atlas_mitigations.json +293 -0
context/compliance/atlas_techniques.json +833 -0
context/compliance/cisa_sbd_requirements.json +477 -0
context/compliance/cjis_security_policy.json +522 -0
context/compliance/cmmc_practices.json +2494 -0
context/compliance/cmmc_report_template.md +142 -0
context/compliance/cnssi_1253_overlay.json +109 -0
context/compliance/control_crosswalk.json +1914 -0
context/compliance/control_families/__init__.py +6 -0
context/compliance/csp_certifications.json +251 -0
context/compliance/cssp_report_template.md +193 -0
context/compliance/cui_templates/__init__.py +6 -0
context/compliance/cui_templates/banner_block.txt +4 -0
context/compliance/cui_templates/code_header.txt +8 -0
context/compliance/cui_templates/document_template.md +35 -0
context/compliance/data_type_framework_map.json +321 -0
context/compliance/data_type_registry.json +147 -0
context/compliance/dod_cssp_8530.json +463 -0
context/compliance/eu_ai_act_annex_iii.json +108 -0
context/compliance/export_templates/__init__.py +6 -0
context/compliance/export_templates/emass_controls.csv.j2 +4 -0
context/compliance/export_templates/evidence_package.md.j2 +39 -0
context/compliance/export_templates/executive_summary.md.j2 +55 -0
context/compliance/export_templates/poam_tracking.csv.j2 +4 -0
context/compliance/fedramp_20x_ksi_schemas.json +133 -0
context/compliance/fedramp_high_baseline.json +4370 -0
context/compliance/fedramp_moderate_baseline.json +2183 -0
context/compliance/fedramp_report_template.md +181 -0
context/compliance/fips_200_areas.json +362 -0
context/compliance/gao_ai_accountability.json +262 -0
context/compliance/hipaa_security_rule.json +720 -0
context/compliance/hitrust_csf_v11.json +930 -0
context/compliance/impact_level_profiles.json +251 -0
context/compliance/incident_response_template.md +1110 -0
context/compliance/iso27001_2022_controls.json +750 -0
context/compliance/iso27001_nist_bridge.json +382 -0
context/compliance/iso42001_controls.json +254 -0
context/compliance/ivv_checklist_template.md +80 -0
context/compliance/ivv_report_template.md +116 -0
context/compliance/ivv_requirements.json +372 -0
context/compliance/mosa_crosswalk.json +327 -0
context/compliance/mosa_framework.json +250 -0
context/compliance/narrative_templates/AC.md.j2 +101 -0
context/compliance/narrative_templates/AU.md.j2 +106 -0
context/compliance/narrative_templates/IA.md.j2 +104 -0
context/compliance/narrative_templates/SC.md.j2 +102 -0
context/compliance/narrative_templates/SI.md.j2 +111 -0
context/compliance/narrative_templates/__init__.py +6 -0
context/compliance/narrative_templates/default.md.j2 +50 -0
context/compliance/narrative_templates/executive_summary.j2 +27 -0
context/compliance/narrative_templates/poam_milestone.j2 +19 -0
context/compliance/narrative_templates/ssp_section.j2 +11 -0
context/compliance/nist_800_171_controls.json +1552 -0
context/compliance/nist_800_207_crosswalk.json +399 -0
context/compliance/nist_800_207_zta.json +258 -0
context/compliance/nist_800_53.json +324 -0
context/compliance/nist_ai_600_1_genai.json +326 -0
context/compliance/nist_ai_rmf.json +206 -0
context/compliance/nist_sp_800_60_types.json +1667 -0
context/compliance/omb_m25_21_high_impact_ai.json +248 -0
context/compliance/omb_m26_04_unbiased_ai.json +262 -0
context/compliance/owasp_agentic_asi.json +133 -0
context/compliance/owasp_agentic_threats.json +285 -0
context/compliance/owasp_llm_top10.json +274 -0
context/compliance/pci_dss_v4.json +510 -0
context/compliance/poam_template.md +117 -0
context/compliance/safeai_controls.json +512 -0
context/compliance/sbd_report_template.md +77 -0
context/compliance/siem_config_templates/__init__.py +6 -0
context/compliance/siem_config_templates/filebeat.yml +213 -0
context/compliance/siem_config_templates/log_sources.json +208 -0
context/compliance/soc2_trust_criteria.json +661 -0
context/compliance/ssp_template.md +432 -0
context/compliance/stig_templates/__init__.py +6 -0
context/compliance/stig_templates/webapp_stig.json +139 -0
context/compliance/xai_requirements.json +108 -0
context/dashboard/__init__.py +6 -0
context/dashboard/nlq_examples.json +50 -0
context/dashboard/schema_descriptions.json +23 -0
context/icdev_methodology.md +100 -0
context/integration/__init__.py +6 -0
context/integration/approval_workflows.json +32 -0
context/integration/gitlab_field_mappings.json +33 -0
context/integration/jira_field_mappings.json +32 -0
context/integration/reqif_export_schema.json +23 -0
context/integration/servicenow_field_mappings.json +22 -0
context/languages/__init__.py +6 -0
context/languages/framework_patterns.json +205 -0
context/languages/language_registry.json +279 -0
context/llm/__init__.py +6 -0
context/llm/example_provider.py +89 -0
context/marketplace/assets/writeguard-core.yaml +100 -0
context/marketplace/assets/writeguard-govcon.yaml +45 -0
context/marketplace/assets/writeguard-style-guides.yaml +44 -0
context/mbse/__init__.py +6 -0
context/mbse/des_report_template.md +162 -0
context/mbse/des_requirements.json +411 -0
context/mbse/digital_thread_patterns.json +403 -0
context/mbse/reqif_schema.json +280 -0
context/mbse/sysml_element_types.json +432 -0
context/oscal/NIST_SP-800-53_rev5_catalog.json +254987 -0
context/oscal/README.md +43 -0
context/patterns/__init__.py +6 -0
context/profiles/__init__.py +6 -0
context/profiles/dod_baseline_v1.yaml +145 -0
context/profiles/fedramp_baseline_v1.yaml +143 -0
context/profiles/financial_baseline_v1.yaml +142 -0
context/profiles/healthcare_baseline_v1.yaml +135 -0
context/profiles/law_enforcement_v1.yaml +129 -0
context/profiles/startup_v1.yaml +134 -0
context/rag/source_mappings.json +42 -0
context/requirements/__init__.py +6 -0
context/requirements/ambiguity_patterns.json +97 -0
context/requirements/boundary_impact_rules.json +123 -0
context/requirements/default_constitutions.json +67 -0
context/requirements/document_extraction_rules.json +58 -0
context/requirements/gap_patterns.json +108 -0
context/requirements/readiness_rubric.json +78 -0
context/requirements/red_alternative_patterns.json +210 -0
context/requirements/safe_templates.json +72 -0
context/requirements/spec_quality_checklist.json +122 -0
context/research/regulatory_registry.json +114 -0
context/research/verticals/cybersecurity.json +127 -0
context/research/verticals/defense.json +104 -0
context/research/verticals/fintech.json +125 -0
context/research/verticals/healthcare.json +118 -0
context/research/verticals/logistics.json +117 -0
context/research/verticals/trading.json +145 -0
context/simulation/__init__.py +6 -0
context/simulation/architecture_patterns.json +36 -0
context/simulation/coa_templates.json +38 -0
context/simulation/cost_models.json +23 -0
context/simulation/risk_categories.json +46 -0
context/supply_chain/__init__.py +6 -0
context/supply_chain/isa_templates.json +129 -0
context/supply_chain/nist_800_161_controls.json +247 -0
context/supply_chain/scrm_risk_matrix.json +147 -0
context/templates/__init__.py +6 -0
context/templates/ansible/__init__.py +6 -0
context/templates/ansible/playbooks/__init__.py +6 -0
context/templates/ansible/roles/__init__.py +6 -0
context/templates/gitlab_ci/__init__.py +6 -0
context/templates/grafana/__init__.py +6 -0
context/templates/kubernetes/__init__.py +6 -0
context/templates/project/__init__.py +6 -0
context/templates/project/api/__init__.py +6 -0
context/templates/project/cli/__init__.py +6 -0
context/templates/project/data_pipeline/__init__.py +6 -0
context/templates/project/iac/__init__.py +6 -0
context/templates/project/javascript_frontend/__init__.py +6 -0
context/templates/project/javascript_frontend/src/__init__.py +6 -0
context/templates/project/javascript_frontend/tests/__init__.py +6 -0
context/templates/project/microservice/__init__.py +6 -0
context/templates/project/python_backend/__init__.py +6 -0
context/templates/project/python_backend/src/__init__.py +6 -0
context/templates/project/python_backend/tests/__init__.py +6 -0
context/templates/project/python_backend/tests/features/__init__.py +6 -0
context/templates/project/python_backend/tests/steps/__init__.py +6 -0
context/templates/terraform/__init__.py +6 -0
context/templates/terraform/govcloud_base/__init__.py +6 -0
context/templates/terraform/modules/__init__.py +6 -0
context/tone/__init__.py +6 -0
context/writing/grammar_rules/common_errors.json +306 -0
context/writing/grammar_rules/govcon_vocabulary.json +113 -0
context/writing/style_guides/academic.yaml +43 -0
context/writing/style_guides/business.yaml +42 -0
context/writing/style_guides/government.yaml +59 -0
context/writing/style_guides/proposal.yaml +58 -0
context/writing/style_guides/technical.yaml +43 -0
docs/adr/README.md +66 -0
docs/adr/connector-forge-decisions.md +318 -0
docs/adr/core-decisions.md +289 -0
docs/adr/db-decisions.md +94 -0
docs/adr/harness-decisions.md +122 -0
docs/adr/innovation-decisions.md +262 -0
docs/adr/marketplace-decisions.md +109 -0
docs/adr/sbd-decisions.md +109 -0
docs/adr/scale-engine-decisions.md +108 -0
docs/adr/writeguard-decisions.md +136 -0
docs/architecture/bounded-contexts.md +1032 -0
docs/features/phase-65-writeguard.md +139 -0
docs/features/phase-66-marketplace-commerce.md +79 -0
docs/features/phase-67-knowledge-ingestion-rag-autodraft.md +97 -0
docs/features/phase-68-enhanced-autodraft-pipeline.md +109 -0
docs/features/phase-69-proposalai-marketplace-module.md +131 -0
docs/features/phase-70-databridge.md +214 -0
docs/features/phase-71-databridge-messaging.md +102 -0
docs/implementation-plan-architecture-evolution.md +614 -0
docs/marketplace/CONTRIBUTING.md +124 -0
docs/marketplace/module_manifest_schema.yaml +83 -0
docs/research/ai-architecture-patterns-2024-2026.md +1236 -0
docs/research/app-builder-platform-analysis.md +582 -0
docs/research/architecture-patterns-c4-ddd-agentic.md +871 -0
docs/research/flowable-boat-competitive-analysis.md +426 -0
docs/research/modern-dev-practices-2024-2026.md +1615 -0
docs/research/secure-by-design-cloudyrion-adaptation.md +270 -0
goals/agent_management.md +144 -0
goals/ai_accountability.md +90 -0
goals/ai_narratives.md +79 -0
goals/ai_transparency.md +76 -0
goals/ato_simulator.md +78 -0
goals/audit_engine.md +177 -0
goals/bite_sized_plans.md +225 -0
goals/boundary_supply_chain.md +206 -0
goals/brainstorming_gate.md +186 -0
goals/build_app.md +604 -0
goals/cato_live_evidence.md +77 -0
goals/cloudforge.md +106 -0
goals/code_intelligence.md +197 -0
goals/compliance_workflow.md +858 -0
goals/connector_forge.md +133 -0
goals/databridge.md +128 -0
goals/deploy_workflow.md +390 -0
goals/developer_scorecard.md +78 -0
goals/devsecops_workflow.md +408 -0
goals/firmware_sbom.md +79 -0
goals/forge_hub.md +78 -0
goals/golden_path.md +77 -0
goals/harness_engineering.md +91 -0
goals/integration_testing.md +189 -0
goals/knowledge_graph.md +128 -0
goals/maintenance_audit.md +196 -0
goals/manifest.md +50 -0
goals/monitoring.md +126 -0
goals/mosa_workflow.md +463 -0
goals/multi_agent_orchestration.md +68 -0
goals/observability_traceability_xai.md +154 -0
goals/owasp_agentic_security.md +395 -0
goals/pr_intelligence.md +78 -0
goals/requirements_intake.md +213 -0
goals/secure_by_design.md +135 -0
goals/security_scan.md +381 -0
goals/self_healing.md +120 -0
goals/simulation_engine.md +111 -0
goals/subagent_review.md +205 -0
goals/systematic_debugging.md +257 -0
goals/tdd_workflow.md +403 -0
goals/template_exchange.md +77 -0
goals/thread_heatmap.md +77 -0
goals/threat_modeler.md +77 -0
goals/verification_iron_law.md +192 -0
goals/vsm_dashboard.md +76 -0
goals/writeguard.md +89 -0
goals/zero_trust_architecture.md +403 -0
hardprompts/__init__.py +6 -0
hardprompts/agent/__init__.py +6 -0
hardprompts/agent/agentic_architect.md +100 -0
hardprompts/agent/debate_prompt.md +32 -0
hardprompts/agent/fitness_evaluation.md +48 -0
hardprompts/agent/governance_review.md +214 -0
hardprompts/agent/reviewer_prompt.md +34 -0
hardprompts/agent/skill_design.md +172 -0
hardprompts/agent/task_decomposition.md +275 -0
hardprompts/agent/veto_check_prompt.md +33 -0
hardprompts/architect/__init__.py +6 -0
hardprompts/architect/api_design.md +283 -0
hardprompts/architect/data_model.md +277 -0
hardprompts/architect/system_design.md +180 -0
hardprompts/builder/__init__.py +6 -0
hardprompts/builder/code_generation.md +59 -0
hardprompts/builder/refactor.md +58 -0
hardprompts/builder/scaffold_project.md +69 -0
hardprompts/builder/test_generation.md +87 -0
hardprompts/ci/__init__.py +6 -0
hardprompts/ci/worktree_setup.md +35 -0
hardprompts/compliance/__init__.py +6 -0
hardprompts/compliance/cmmc_assessment.md +63 -0
hardprompts/compliance/cssp_assessment.md +75 -0
hardprompts/compliance/cui_marking.md +86 -0
hardprompts/compliance/fedramp_assessment.md +55 -0
hardprompts/compliance/ivv_assessment.md +96 -0
hardprompts/compliance/poam_generation.md +57 -0
hardprompts/compliance/sbd_assessment.md +101 -0
hardprompts/compliance/security_categorization.md +74 -0
hardprompts/compliance/ssp_generation.md +56 -0
hardprompts/compliance/stig_evaluation.md +63 -0
hardprompts/dashboard/__init__.py +6 -0
hardprompts/dashboard/nlq_system_prompt.md +26 -0
hardprompts/infra/__init__.py +6 -0
hardprompts/infra/k8s_manifests.md +118 -0
hardprompts/infra/pipeline_generation.md +160 -0
hardprompts/infra/terraform_generation.md +92 -0
hardprompts/integration/__init__.py +6 -0
hardprompts/integration/approval_review.md +17 -0
hardprompts/integration/jira_mapping.md +25 -0
hardprompts/integration/servicenow_mapping.md +14 -0
hardprompts/knowledge/__init__.py +6 -0
hardprompts/knowledge/pattern_detection.md +73 -0
hardprompts/knowledge/recommendation_engine.md +90 -0
hardprompts/knowledge/root_cause_analysis.md +91 -0
hardprompts/maintenance/__init__.py +6 -0
hardprompts/maintenance/maintenance_assessment.md +82 -0
hardprompts/mbse/__init__.py +6 -0
hardprompts/mbse/digital_thread.md +67 -0
hardprompts/mbse/model_import.md +62 -0
hardprompts/mbse/model_to_code.md +65 -0
hardprompts/modernization/__init__.py +6 -0
hardprompts/modernization/legacy_analysis.md +93 -0
hardprompts/modernization/migration_planning.md +150 -0
hardprompts/modernization/seven_r_assessment.md +107 -0
hardprompts/proposal_draft.md +53 -0
hardprompts/rag_citation.md +12 -0
hardprompts/rag_rerank.md +31 -0
hardprompts/requirements/__init__.py +6 -0
hardprompts/requirements/bdd_generation.md +35 -0
hardprompts/requirements/clarification_prioritization.md +29 -0
hardprompts/requirements/decomposition.md +60 -0
hardprompts/requirements/document_extraction.md +45 -0
hardprompts/requirements/gap_detection.md +70 -0
hardprompts/requirements/intake_conversation.md +101 -0
hardprompts/requirements/readiness_assessment.md +39 -0
hardprompts/requirements/spec_quality.md +33 -0
hardprompts/requirements/traceability_analysis.md +23 -0
hardprompts/security/__init__.py +6 -0
hardprompts/security/endpoint_security.md +78 -0
hardprompts/security/threat_model.md +70 -0
hardprompts/security/vulnerability_assessment.md +81 -0
hardprompts/simulation/__init__.py +6 -0
hardprompts/simulation/architecture_impact.md +27 -0
hardprompts/simulation/coa_alternative.md +27 -0
hardprompts/simulation/coa_generation.md +25 -0
hardprompts/simulation/compliance_impact.md +28 -0
hardprompts/simulation/cost_estimation.md +33 -0
hardprompts/simulation/risk_assessment.md +28 -0
hardprompts/translation/code_translation.md +68 -0
hardprompts/translation/dependency_suggestion.md +44 -0
hardprompts/translation/test_translation.md +64 -0
hardprompts/translation/translation_repair.md +59 -0
icdev-0.0.3.dist-info/METADATA +909 -0
icdev-0.0.3.dist-info/RECORD +1214 -0
icdev-0.0.3.dist-info/WHEEL +5 -0
icdev-0.0.3.dist-info/entry_points.txt +9 -0
icdev-0.0.3.dist-info/licenses/LICENSE +201 -0
icdev-0.0.3.dist-info/licenses/NOTICE +11 -0
icdev-0.0.3.dist-info/top_level.txt +7 -0
memory/MEMORY.md +52 -0
memory/logs/2026-02-14.md +17 -0
memory/logs/2026-03-03.md +2 -0
memory/logs/__init__.py +1 -0
tools/a2a/icdev_callback_client.py +210 -0
tools/agent/cards/architect_card.json +29 -0
tools/agent/cards/builder_card.json +34 -0
tools/agent/cards/compliance_card.json +29 -0
tools/agent/cards/connector_forge_card.json +49 -0
tools/agent/cards/devsecops_zta_card.json +24 -0
tools/agent/cards/knowledge_card.json +29 -0
tools/agent/cards/monitor_card.json +29 -0
tools/agent/cards/orchestrator_card.json +29 -0
tools/agent/cards/requirements_analyst_card.json +24 -0
tools/agent/cards/security_card.json +29 -0
tools/agent/cards/simulation_card.json +24 -0
tools/agent/cards/supply_chain_card.json +24 -0
tools/analysis/__init__.py +1 -0
tools/analysis/code_analyzer.py +770 -0
tools/analysis/runtime_feedback.py +379 -0
tools/analytics/__init__.py +2 -0
tools/analytics/scorecard.py +538 -0
tools/analytics/vsm_engine.py +612 -0
tools/architecture/__init__.py +2 -0
tools/architecture/adr_extractor.py +393 -0
tools/audit/__init__.py +1 -0
tools/audit/audit_logger.py +199 -0
tools/audit/audit_query.py +153 -0
tools/audit/decision_recorder.py +73 -0
tools/audit_engine/__init__.py +12 -0
tools/audit_engine/ai_advisor.py +906 -0
tools/audit_engine/cli.py +286 -0
tools/audit_engine/comparator.py +305 -0
tools/audit_engine/eject_scaffolder.py +399 -0
tools/audit_engine/engine.py +614 -0
tools/audit_engine/git_fetcher.py +341 -0
tools/audit_engine/regime_loader.py +200 -0
tools/audit_engine/regime_updater.py +325 -0
tools/audit_engine/report_card.py +289 -0
tools/audit_engine/scanner.py +684 -0
tools/audit_engine/self_heal.py +1042 -0
tools/ci/__init__.py +2 -0
tools/ci/connectors/__init__.py +2 -0
tools/ci/connectors/base_connector.py +80 -0
tools/ci/connectors/connector_registry.py +188 -0
tools/ci/connectors/mattermost_connector.py +159 -0
tools/ci/connectors/slack_connector.py +197 -0
tools/ci/core/__init__.py +2 -0
tools/ci/core/air_gap_detector.py +115 -0
tools/ci/core/comment_handler.py +192 -0
tools/ci/core/conversation_manager.py +480 -0
tools/ci/core/event_envelope.py +500 -0
tools/ci/core/event_router.py +444 -0
tools/ci/core/failure_parser.py +397 -0
tools/ci/core/recovery_engine.py +527 -0
tools/ci/gate_enforcer.py +361 -0
tools/ci/modules/__init__.py +2 -0
tools/ci/modules/agent.py +271 -0
tools/ci/modules/git_ops.py +175 -0
tools/ci/modules/state.py +117 -0
tools/ci/modules/vcs.py +303 -0
tools/ci/modules/workflow_ops.py +295 -0
tools/ci/modules/worktree.py +337 -0
tools/ci/pipeline_config_generator.py +558 -0
tools/ci/pr_intelligence.py +485 -0
tools/ci/triggers/__init__.py +2 -0
tools/ci/triggers/gitlab_task_monitor.py +327 -0
tools/ci/triggers/poll_trigger.py +237 -0
tools/ci/triggers/webhook_server.py +356 -0
tools/ci/workflows/__init__.py +2 -0
tools/ci/workflows/icdev_build.py +140 -0
tools/ci/workflows/icdev_comply.py +284 -0
tools/ci/workflows/icdev_document.py +152 -0
tools/ci/workflows/icdev_e2e.py +188 -0
tools/ci/workflows/icdev_patch.py +186 -0
tools/ci/workflows/icdev_plan.py +202 -0
tools/ci/workflows/icdev_plan_build.py +41 -0
tools/ci/workflows/icdev_plan_build_test.py +46 -0
tools/ci/workflows/icdev_plan_build_test_review.py +47 -0
tools/ci/workflows/icdev_review.py +126 -0
tools/ci/workflows/icdev_sdlc.py +261 -0
tools/ci/workflows/icdev_test.py +240 -0
tools/cli/__init__.py +1 -0
tools/cli/output_formatter.py +756 -0
tools/cloudforge/__init__.py +12 -0
tools/cloudforge/airgap/__init__.py +2 -0
tools/cloudforge/airgap/il_classifier.py +70 -0
tools/cloudforge/airgap/offline_validator.py +42 -0
tools/cloudforge/airgap/shift_emulator.py +155 -0
tools/cloudforge/airgap/sneakernet.py +91 -0
tools/cloudforge/cd_hub/__init__.py +2 -0
tools/cloudforge/cd_hub/canary_deployer.py +88 -0
tools/cloudforge/cd_hub/gitops_renderer.py +123 -0
tools/cloudforge/cd_hub/hub_controller.py +143 -0
tools/cloudforge/cd_hub/pipeline_bridge.py +30 -0
tools/cloudforge/cd_hub/rollback_engine.py +29 -0
tools/cloudforge/cd_hub/spoke_agent.py +51 -0
tools/cloudforge/compliance/__init__.py +2 -0
tools/cloudforge/compliance/ato_accelerator.py +272 -0
tools/cloudforge/compliance/control_inheritor.py +127 -0
tools/cloudforge/compliance/evidence_generator.py +129 -0
tools/cloudforge/compliance/poam_bridge.py +41 -0
tools/cloudforge/compliance/ssp_bridge.py +52 -0
tools/cloudforge/compliance/stig_bridge.py +41 -0
tools/cloudforge/container_forge/__init__.py +2 -0
tools/cloudforge/container_forge/bigbang_renderer.py +85 -0
tools/cloudforge/container_forge/hardener.py +169 -0
tools/cloudforge/container_forge/image_scanner_bridge.py +33 -0
tools/cloudforge/container_forge/runtime_policy.py +87 -0
tools/cloudforge/container_forge/sbom_bridge.py +42 -0
tools/cloudforge/finops/__init__.py +2 -0
tools/cloudforge/finops/anomaly_detector.py +78 -0
tools/cloudforge/finops/budget_tracker.py +96 -0
tools/cloudforge/finops/chargeback.py +69 -0
tools/cloudforge/finops/cost_collector.py +141 -0
tools/cloudforge/finops/optimizer.py +55 -0
tools/cloudforge/hybrid/__init__.py +2 -0
tools/cloudforge/hybrid/connection_manager.py +141 -0
tools/cloudforge/hybrid/dns_federator.py +56 -0
tools/cloudforge/hybrid/health_monitor.py +108 -0
tools/cloudforge/hybrid/identity_federator.py +53 -0
tools/cloudforge/hybrid/network_bridge.py +68 -0
tools/cloudforge/hybrid/topology_manager.py +147 -0
tools/cloudforge/hybrid/workload_abstractor.py +92 -0
tools/cloudforge/iac/__init__.py +2 -0
tools/cloudforge/iac/drift_detector.py +154 -0
tools/cloudforge/iac/module_library.py +265 -0
tools/cloudforge/iac/opentofu_adapter.py +89 -0
tools/cloudforge/iac/pulumi_renderer.py +292 -0
tools/cloudforge/iac/state_backend.py +146 -0
tools/cloudforge/iac/terraform_renderer.py +626 -0
tools/cloudforge/landing_zone/__init__.py +2 -0
tools/cloudforge/landing_zone/blueprint_loader.py +98 -0
tools/cloudforge/landing_zone/blueprint_validator.py +113 -0
tools/cloudforge/landing_zone/zone_provisioner.py +306 -0
tools/cloudforge/landing_zone/zone_state.py +143 -0
tools/cloudforge/mbse_thread/__init__.py +2 -0
tools/cloudforge/mbse_thread/ato_thread_weaver.py +111 -0
tools/cloudforge/mbse_thread/control_tracer.py +68 -0
tools/cloudforge/mbse_thread/system_boundary.py +83 -0
tools/cloudforge/metastore/__init__.py +2 -0
tools/cloudforge/metastore/dependency_graph.py +202 -0
tools/cloudforge/metastore/discovery.py +192 -0
tools/cloudforge/metastore/registry.py +185 -0
tools/cloudforge/metastore/rto_tracker.py +92 -0
tools/cloudforge/metastore/runbook_linker.py +82 -0
tools/cloudforge/migration/__init__.py +2 -0
tools/cloudforge/migration/assessor.py +187 -0
tools/cloudforge/migration/cutover_orchestrator.py +117 -0
tools/cloudforge/migration/databridge_bridge.py +92 -0
tools/cloudforge/migration/planner.py +98 -0
tools/cloudforge/migration/risk_scorer.py +97 -0
tools/cloudforge/migration/validation_runner.py +45 -0
tools/cloudforge/migration/workload_inventory.py +107 -0
tools/cloudforge/provider.py +319 -0
tools/cloudforge/providers/__init__.py +2 -0
tools/cloudforge/providers/aws_commercial.py +92 -0
tools/cloudforge/providers/aws_govcloud.py +229 -0
tools/cloudforge/providers/aws_secret.py +83 -0
tools/cloudforge/providers/azure_commercial.py +80 -0
tools/cloudforge/providers/azure_gov.py +91 -0
tools/cloudforge/providers/azure_secret.py +71 -0
tools/cloudforge/providers/gcp.py +102 -0
tools/cloudforge/providers/oci.py +102 -0
tools/cloudforge/registry.py +140 -0
tools/cloudforge/runbooks/__init__.py +2 -0
tools/cloudforge/runbooks/ai_generator.py +119 -0
tools/cloudforge/runbooks/dag_validator.py +219 -0
tools/cloudforge/runbooks/engine.py +470 -0
tools/cloudforge/runbooks/models.py +99 -0
tools/cloudforge/runbooks/snippet_library.py +158 -0
tools/cloudforge/runbooks/template_loader.py +122 -0
tools/cloudforge/runbooks/visualization.py +108 -0
tools/cloudforge/siem/__init__.py +2 -0
tools/cloudforge/siem/alert_rules.py +86 -0
tools/cloudforge/siem/correlation_engine.py +61 -0
tools/cloudforge/siem/log_aggregator.py +113 -0
tools/cloudforge/siem/siem_dashboard_data.py +28 -0
tools/cloudforge/supply_chain/__init__.py +2 -0
tools/cloudforge/supply_chain/bridge.py +33 -0
tools/cloudforge/supply_chain/iac_dependency_scanner.py +36 -0
tools/cloudforge/supply_chain/provider_trust_scorer.py +54 -0
tools/compat/__init__.py +21 -0
tools/compat/cli_harmonizer.py +251 -0
tools/compat/datetime_utils.py +18 -0
tools/compat/db_utils.py +190 -0
tools/compat/platform_utils.py +123 -0
tools/compliance/__init__.py +1 -0
tools/compliance/accountability_manager.py +391 -0
tools/compliance/ai_accountability_audit.py +287 -0
tools/compliance/ai_impact_assessor.py +267 -0
tools/compliance/ai_incident_response.py +295 -0
tools/compliance/ai_inventory_manager.py +233 -0
tools/compliance/ai_reassessment_scheduler.py +250 -0
tools/compliance/ai_transparency_audit.py +247 -0
tools/compliance/atlas_assessor.py +276 -0
tools/compliance/atlas_report_generator.py +1199 -0
tools/compliance/base_assessor.py +591 -0
tools/compliance/cato_live_engine.py +607 -0
tools/compliance/cato_monitor.py +1371 -0
tools/compliance/cato_scheduler.py +698 -0
tools/compliance/cjis_assessor.py +76 -0
tools/compliance/classification_manager.py +1340 -0
tools/compliance/cmmc_assessor.py +1478 -0
tools/compliance/cmmc_report_generator.py +1087 -0
tools/compliance/compliance_detector.py +452 -0
tools/compliance/compliance_exporter.py +418 -0
tools/compliance/compliance_status.py +810 -0
tools/compliance/control_mapper.py +488 -0
tools/compliance/crosswalk_engine.py +1208 -0
tools/compliance/cssp_assessor.py +1032 -0
tools/compliance/cssp_evidence_collector.py +716 -0
tools/compliance/cssp_report_generator.py +1103 -0
tools/compliance/cui_marker.py +387 -0
tools/compliance/diagram_validator.py +599 -0
tools/compliance/emass/__init__.py +2 -0
tools/compliance/emass/emass_client.py +822 -0
tools/compliance/emass/emass_export.py +758 -0
tools/compliance/emass/emass_sync.py +807 -0
tools/compliance/eu_ai_act_classifier.py +193 -0
tools/compliance/evidence_collector.py +459 -0
tools/compliance/fairness_assessor.py +310 -0
tools/compliance/fedramp_20x_ksi_emitter.py +692 -0
tools/compliance/fedramp_assessor.py +1795 -0
tools/compliance/fedramp_authorization_packager.py +137 -0
tools/compliance/fedramp_ksi_generator.py +349 -0
tools/compliance/fedramp_report_generator.py +1115 -0
tools/compliance/fips199_categorizer.py +869 -0
tools/compliance/fips200_validator.py +304 -0
tools/compliance/firmware_sbom.py +646 -0
tools/compliance/gao_ai_assessor.py +228 -0
tools/compliance/gao_evidence_builder.py +302 -0
tools/compliance/hipaa_assessor.py +78 -0
tools/compliance/hitrust_assessor.py +49 -0
tools/compliance/incident_response_plan.py +705 -0
tools/compliance/inheritance_engine.py +693 -0
tools/compliance/iso27001_assessor.py +92 -0
tools/compliance/iso42001_assessor.py +114 -0
tools/compliance/ivv_assessor.py +2314 -0
tools/compliance/ivv_report_generator.py +1649 -0
tools/compliance/model_card_generator.py +291 -0
tools/compliance/mosa_assessor.py +117 -0
tools/compliance/multi_regime_assessor.py +441 -0
tools/compliance/narrative_generator.py +1012 -0
tools/compliance/narrative_quality_gate.py +701 -0
tools/compliance/narrative_workflow.py +814 -0
tools/compliance/nist_800_207_assessor.py +191 -0
tools/compliance/nist_ai_600_1_assessor.py +185 -0
tools/compliance/nist_ai_rmf_assessor.py +110 -0
tools/compliance/nist_lookup.py +244 -0
tools/compliance/omb_m25_21_assessor.py +225 -0
tools/compliance/omb_m26_04_assessor.py +185 -0
tools/compliance/oscal_catalog_adapter.py +395 -0
tools/compliance/oscal_generator.py +2157 -0
tools/compliance/oscal_tools.py +1182 -0
tools/compliance/oscal_validator.py +692 -0
tools/compliance/owasp_agentic_assessor.py +227 -0
tools/compliance/owasp_asi_assessor.py +197 -0
tools/compliance/owasp_llm_assessor.py +245 -0
tools/compliance/pci_dss_assessor.py +80 -0
tools/compliance/pi_compliance_tracker.py +1447 -0
tools/compliance/poam_generator.py +388 -0
tools/compliance/resolve_marking.py +272 -0
tools/compliance/sbd_assessor.py +2070 -0
tools/compliance/sbd_report_generator.py +1223 -0
tools/compliance/sbom_generator.py +993 -0
tools/compliance/siem_config_generator.py +661 -0
tools/compliance/slsa_attestation_generator.py +479 -0
tools/compliance/soc2_assessor.py +77 -0
tools/compliance/ssp_generator.py +556 -0
tools/compliance/stig_checker.py +712 -0
tools/compliance/swft_evidence_bundler.py +326 -0
tools/compliance/system_card_generator.py +303 -0
tools/compliance/template_exchange.py +513 -0
tools/compliance/traceability_matrix.py +1268 -0
tools/compliance/universal_classification_manager.py +1159 -0
tools/compliance/xacta/__init__.py +2 -0
tools/compliance/xacta/xacta_client.py +438 -0
tools/compliance/xacta/xacta_export.py +546 -0
tools/compliance/xacta/xacta_sync.py +322 -0
tools/compliance/xai_assessor.py +231 -0
tools/core/__init__.py +2 -0
tools/core/circuit_breaker.py +353 -0
tools/core/compliance_sidecar.py +344 -0
tools/core/container.py +110 -0
tools/core/errors.py +256 -0
tools/core/feature_flags.py +311 -0
tools/core/task_dlq.py +350 -0
tools/dashboard/__init__.py +2 -0
tools/dashboard/app.py +6288 -0
tools/dashboard/templates/agent_evolution.html +287 -0
tools/dashboard/templates/agents/list.html +71 -0
tools/dashboard/templates/agents.html +132 -0
tools/dashboard/templates/architecture.html +289 -0
tools/dashboard/templates/ato_simulator.html +170 -0
tools/dashboard/templates/audit_engine.html +844 -0
tools/dashboard/templates/base.html +236 -0
tools/dashboard/templates/cato_live.html +116 -0
tools/dashboard/templates/cloudforge.html +195 -0
tools/dashboard/templates/cloudforge_finops.html +111 -0
tools/dashboard/templates/cloudforge_hybrid.html +122 -0
tools/dashboard/templates/cloudforge_metastore.html +234 -0
tools/dashboard/templates/cloudforge_migration.html +87 -0
tools/dashboard/templates/cloudforge_runbooks.html +201 -0
tools/dashboard/templates/cloudforge_siem.html +94 -0
tools/dashboard/templates/compliance_accel.html +292 -0
tools/dashboard/templates/crashes.html +122 -0
tools/dashboard/templates/databridge.html +305 -0
tools/dashboard/templates/databridge_analytics.html +195 -0
tools/dashboard/templates/databridge_mapping.html +345 -0
tools/dashboard/templates/databridge_messaging.html +321 -0
tools/dashboard/templates/decisions.html +258 -0
tools/dashboard/templates/devices.html +151 -0
tools/dashboard/templates/devsecops_maturity.html +278 -0
tools/dashboard/templates/edge_ai.html +128 -0
tools/dashboard/templates/firmware.html +120 -0
tools/dashboard/templates/firmware_sbom.html +193 -0
tools/dashboard/templates/forge_hub.html +196 -0
tools/dashboard/templates/forge_studio.html +379 -0
tools/dashboard/templates/forge_studio_analytics.html +360 -0
tools/dashboard/templates/forge_studio_builder.html +1637 -0
tools/dashboard/templates/forge_studio_compliance.html +310 -0
tools/dashboard/templates/forge_studio_deploy.html +573 -0
tools/dashboard/templates/forge_studio_enterprise.html +888 -0
tools/dashboard/templates/forge_studio_marketplace.html +502 -0
tools/dashboard/templates/forge_studio_workflow.html +696 -0
tools/dashboard/templates/golden_path.html +175 -0
tools/dashboard/templates/govcon.html +280 -0
tools/dashboard/templates/harness.html +148 -0
tools/dashboard/templates/index.html +207 -0
tools/dashboard/templates/intelligence.html +336 -0
tools/dashboard/templates/knowledge/index.html +190 -0
tools/dashboard/templates/knowledge_graph.html +739 -0
tools/dashboard/templates/login.html +51 -0
tools/dashboard/templates/marketplace.html +336 -0
tools/dashboard/templates/marketplace_admin.html +247 -0
tools/dashboard/templates/missions.html +403 -0
tools/dashboard/templates/narratives.html +154 -0
tools/dashboard/templates/pr_intelligence.html +151 -0
tools/dashboard/templates/proposals/detail.html +300 -0
tools/dashboard/templates/proposals/list.html +52 -0
tools/dashboard/templates/proposals/sam_detail.html +132 -0
tools/dashboard/templates/proposals/section_detail.html +375 -0
tools/dashboard/templates/research.html +222 -0
tools/dashboard/templates/resilience.html +300 -0
tools/dashboard/templates/scorecard.html +162 -0
tools/dashboard/templates/simulator.html +131 -0
tools/dashboard/templates/template_exchange.html +147 -0
tools/dashboard/templates/thread_heatmap.html +151 -0
tools/dashboard/templates/threat_model.html +195 -0
tools/dashboard/templates/vsm.html +141 -0
tools/dashboard/templates/writeguard.html +277 -0
tools/databridge/__init__.py +5 -0
tools/databridge/agent/__init__.py +2 -0
tools/databridge/agent/daemon.py +227 -0
tools/databridge/agent/tunnel.py +101 -0
tools/databridge/agent/ws_relay.py +91 -0
tools/databridge/analytics.py +167 -0
tools/databridge/arrow_pipeline.py +327 -0
tools/databridge/connection_manager.py +424 -0
tools/databridge/connector.py +331 -0
tools/databridge/connectors/__init__.py +2 -0
tools/databridge/connectors/argocd_connector.py +160 -0
tools/databridge/connectors/avro_connector.py +203 -0
tools/databridge/connectors/azure_blob.py +63 -0
tools/databridge/connectors/cdc_connector.py +205 -0
tools/databridge/connectors/csv_connector.py +172 -0
tools/databridge/connectors/datadog_connector.py +153 -0
tools/databridge/connectors/discord_messaging.py +215 -0
tools/databridge/connectors/dynamics365.py +151 -0
tools/databridge/connectors/elasticsearch_connector.py +145 -0
tools/databridge/connectors/email_base.py +114 -0
tools/databridge/connectors/excel_connector.py +175 -0
tools/databridge/connectors/fsspec_base.py +300 -0
tools/databridge/connectors/gcs.py +53 -0
tools/databridge/connectors/github_connector.py +138 -0
tools/databridge/connectors/gitlab_connector.py +132 -0
tools/databridge/connectors/gmail_connector.py +182 -0
tools/databridge/connectors/hdfs.py +57 -0
tools/databridge/connectors/health_base.py +401 -0
tools/databridge/connectors/hubspot.py +124 -0
tools/databridge/connectors/imap_connector.py +171 -0
tools/databridge/connectors/jenkins_connector.py +138 -0
tools/databridge/connectors/jira_connector.py +86 -0
tools/databridge/connectors/json_connector.py +184 -0
tools/databridge/connectors/kafka_connector.py +246 -0
tools/databridge/connectors/kinesis_connector.py +238 -0
tools/databridge/connectors/local_fs.py +30 -0
tools/databridge/connectors/matrix.py +197 -0
tools/databridge/connectors/mattermost_messaging.py +184 -0
tools/databridge/connectors/messaging_base.py +172 -0
tools/databridge/connectors/mssql.py +63 -0
tools/databridge/connectors/mysql.py +57 -0
tools/databridge/connectors/netsuite.py +170 -0
tools/databridge/connectors/o365_mail.py +196 -0
tools/databridge/connectors/oracle.py +65 -0
tools/databridge/connectors/pagerduty_connector.py +162 -0
tools/databridge/connectors/parquet_connector.py +131 -0
tools/databridge/connectors/postgresql.py +58 -0
tools/databridge/connectors/s3.py +65 -0
tools/databridge/connectors/saas_base.py +198 -0
tools/databridge/connectors/salesforce.py +126 -0
tools/databridge/connectors/sap.py +89 -0
tools/databridge/connectors/servicenow.py +60 -0
tools/databridge/connectors/signal_messaging.py +150 -0
tools/databridge/connectors/slack_messaging.py +203 -0
tools/databridge/connectors/smtp_connector.py +126 -0
tools/databridge/connectors/soap_base.py +258 -0
tools/databridge/connectors/splunk_connector.py +171 -0
tools/databridge/connectors/sql_base.py +310 -0
tools/databridge/connectors/sqlite_connector.py +76 -0
tools/databridge/connectors/teams.py +148 -0
tools/databridge/connectors/telegram.py +192 -0
tools/databridge/connectors/whatsapp.py +137 -0
tools/databridge/data_profiler.py +99 -0
tools/databridge/forge/__init__.py +6 -0
tools/databridge/forge/base_selector.py +150 -0
tools/databridge/forge/code_generator.py +206 -0
tools/databridge/forge/community_hub.py +539 -0
tools/databridge/forge/forge_agent.py +306 -0
tools/databridge/forge/import_handler.py +133 -0
tools/databridge/forge/integration_tester.py +127 -0
tools/databridge/forge/marketplace_publisher.py +164 -0
tools/databridge/forge/promoter.py +159 -0
tools/databridge/forge/sandbox_manager.py +257 -0
tools/databridge/forge/spec_parser.py +358 -0
tools/databridge/forge/static_validator.py +363 -0
tools/databridge/forge/templates/__init__.py +591 -0
tools/databridge/format_converter.py +188 -0
tools/databridge/mapping_engine.py +348 -0
tools/databridge/messaging/__init__.py +5 -0
tools/databridge/messaging/agent_bridge.py +254 -0
tools/databridge/messaging/message_envelope.py +111 -0
tools/databridge/messaging/message_logger.py +204 -0
tools/databridge/messaging/messaging_daemon.py +326 -0
tools/databridge/messaging/oauth2_manager.py +411 -0
tools/databridge/pii_detector.py +221 -0
tools/databridge/registry.py +352 -0
tools/databridge/relay_server.py +105 -0
tools/databridge/scale/__init__.py +16 -0
tools/databridge/scale/backpressure.py +134 -0
tools/databridge/scale/chunked_pipeline.py +169 -0
tools/databridge/scale/connection_pool.py +293 -0
tools/databridge/scale/engine.py +492 -0
tools/databridge/scale/worker_pool.py +140 -0
tools/databridge/scale/write_batcher.py +250 -0
tools/databridge/schema_engine.py +324 -0
tools/databridge/stream_manager.py +225 -0
tools/databridge/sync_engine.py +411 -0
tools/databridge/transforms.py +302 -0
tools/db/__init__.py +1 -0
tools/db/backup.py +312 -0
tools/db/backup_manager.py +832 -0
tools/db/init_icdev_db.py +7753 -0
tools/db/init_sparkpilot_db.py +431 -0
tools/db/migrate.py +177 -0
tools/db/migrate_innovation_audit.py +165 -0
tools/db/migration_runner.py +548 -0
tools/db/migrations/001_baseline/meta.json +9 -0
tools/db/migrations/001_baseline/up.py +67 -0
tools/db/migrations/002_memory_enhancements/down.sql +8 -0
tools/db/migrations/002_memory_enhancements/meta.json +9 -0
tools/db/migrations/002_memory_enhancements/up.py +119 -0
tools/db/migrations/003_dev_profiles/meta.json +8 -0
tools/db/migrations/003_dev_profiles/up.py +93 -0
tools/db/migrations/004_innovation_engine/down.py +19 -0
tools/db/migrations/004_innovation_engine/up.py +227 -0
tools/db/migrations/005_phase_37_ai_security/down.py +19 -0
tools/db/migrations/005_phase_37_ai_security/up.py +257 -0
tools/db/migrations/006_phase_36_evolution/down.py +21 -0
tools/db/migrations/006_phase_36_evolution/up.py +323 -0
tools/db/migrations/007_phase_38_cloud/down.py +14 -0
tools/db/migrations/007_phase_38_cloud/up.py +110 -0
tools/db/migrations/008_phase36_37_integration/up.py +55 -0
tools/db/migrations/__init__.py +2 -0
tools/db/pg_migrate.py +642 -0
tools/db/storage.py +1080 -0
tools/decisions/__init__.py +2 -0
tools/decisions/dmn_engine.py +695 -0
tools/devsecops/__init__.py +2 -0
tools/devsecops/attestation_manager.py +449 -0
tools/devsecops/network_segmentation_generator.py +604 -0
tools/devsecops/pdp_config_generator.py +1246 -0
tools/devsecops/pipeline_security_generator.py +475 -0
tools/devsecops/policy_generator.py +644 -0
tools/devsecops/profile_manager.py +374 -0
tools/devsecops/service_mesh_generator.py +1063 -0
tools/devsecops/zta_maturity_scorer.py +355 -0
tools/devsecops/zta_terraform_generator.py +1301 -0
tools/edge_ai/__init__.py +2 -0
tools/edge_ai/model_manager.py +200 -0
tools/embedded/__init__.py +2 -0
tools/embedded/cmake_generator.py +318 -0
tools/embedded/crash_analyzer.py +191 -0
tools/embedded/nl_to_firmware.py +277 -0
tools/events/__init__.py +1 -0
tools/events/event_bus.py +199 -0
tools/finetune/pair_generator.py +832 -0
tools/fleet/__init__.py +2 -0
tools/fleet/device_registry.py +148 -0
tools/fleet/ota_manager.py +153 -0
tools/forge_studio/__init__.py +13 -0
tools/forge_studio/analytics/__init__.py +0 -0
tools/forge_studio/analytics/process_miner.py +383 -0
tools/forge_studio/audit.py +183 -0
tools/forge_studio/blueprint/__init__.py +2 -0
tools/forge_studio/blueprint/build_tracker.py +317 -0
tools/forge_studio/blueprint/export_engine.py +441 -0
tools/forge_studio/blueprint/parent_client.py +335 -0
tools/forge_studio/catalog/__init__.py +2 -0
tools/forge_studio/catalog/component_registry.py +176 -0
tools/forge_studio/catalog/schema_validator.py +193 -0
tools/forge_studio/compliance/__init__.py +1 -0
tools/forge_studio/compliance/compliance_wiring.py +554 -0
tools/forge_studio/deploy/__init__.py +1 -0
tools/forge_studio/deploy/airgap_packager.py +466 -0
tools/forge_studio/deploy/deploy_engine.py +1792 -0
tools/forge_studio/deploy/env_manager.py +431 -0
tools/forge_studio/eject/__init__.py +2 -0
tools/forge_studio/eject/docker_compose_generator.py +237 -0
tools/forge_studio/eject/eject_engine.py +230 -0
tools/forge_studio/eject/expo_scaffolder.py +303 -0
tools/forge_studio/eject/nextjs_scaffolder.py +338 -0
tools/forge_studio/enterprise/__init__.py +0 -0
tools/forge_studio/enterprise/custom_frameworks.py +826 -0
tools/forge_studio/enterprise/hardening_engine.py +1530 -0
tools/forge_studio/enterprise/sso_manager.py +718 -0
tools/forge_studio/enterprise/whitelabel_engine.py +887 -0
tools/forge_studio/formula/__init__.py +0 -0
tools/forge_studio/formula/expression_engine.py +562 -0
tools/forge_studio/formula/formula_registry.py +265 -0
tools/forge_studio/generator/__init__.py +2 -0
tools/forge_studio/generator/app_generator.py +584 -0
tools/forge_studio/generator/complexity_detector.py +368 -0
tools/forge_studio/generator/prompt_templates.py +104 -0
tools/forge_studio/generator/spec_builder.py +192 -0
tools/forge_studio/intake_bridge.py +898 -0
tools/forge_studio/marketplace/__init__.py +0 -0
tools/forge_studio/marketplace/component_hub.py +428 -0
tools/forge_studio/models.py +369 -0
tools/forge_studio/renderer/__init__.py +2 -0
tools/forge_studio/renderer/json_render_engine.py +623 -0
tools/forge_studio/renderer/layout_engine.py +214 -0
tools/forge_studio/renderer/rn_component_map.py +182 -0
tools/forge_studio/supabase/__init__.py +2 -0
tools/forge_studio/supabase/auth_generator.py +283 -0
tools/forge_studio/supabase/migration_generator.py +93 -0
tools/forge_studio/supabase/schema_generator.py +281 -0
tools/forge_studio/tenant_manager.py +387 -0
tools/forge_studio/workflow/__init__.py +2 -0
tools/forge_studio/workflow/bpmn_adapter.py +489 -0
tools/govcon/draft_orchestrator.py +1151 -0
tools/govcon/engine_enrichment.py +373 -0
tools/govcon/knowledge_base.py +487 -0
tools/govcon/knowledge_ingestion.py +510 -0
tools/govcon/sam_scanner.py +754 -0
tools/harness/__init__.py +6 -0
tools/harness/exit_criteria_evaluator.py +231 -0
tools/harness/maturity_assessor.py +347 -0
tools/harness/scaffold_harness.py +416 -0
tools/harness/trace_analyzer.py +281 -0
tools/infra/__init__.py +1 -0
tools/infra/ansible_generator.py +867 -0
tools/infra/dockerfile_generator.py +359 -0
tools/infra/infra_status.py +384 -0
tools/infra/ironbank_metadata_generator.py +403 -0
tools/infra/k8s_generator.py +1000 -0
tools/infra/pipeline_generator.py +830 -0
tools/infra/rollback.py +389 -0
tools/infra/terraform_generator.py +1140 -0
tools/infra/terraform_generator_azure.py +1252 -0
tools/infra/terraform_generator_gcp.py +951 -0
tools/infra/terraform_generator_ibm.py +359 -0
tools/infra/terraform_generator_oci.py +918 -0
tools/infra/terraform_generator_onprem.py +318 -0
tools/knowledge/__init__.py +1 -0
tools/knowledge/knowledge_ingest.py +281 -0
tools/knowledge/pattern_detector.py +681 -0
tools/knowledge/recommendation_engine.py +449 -0
tools/knowledge/self_heal_analyzer.py +492 -0
tools/knowledge_graph/__init__.py +2 -0
tools/knowledge_graph/graph_rag.py +498 -0
tools/knowledge_graph/ingester.py +406 -0
tools/knowledge_graph/insight_generator.py +369 -0
tools/knowledge_graph/text_network.py +832 -0
tools/llm/__init__.py +72 -0
tools/llm/anthropic_provider.py +170 -0
tools/llm/azure_openai_provider.py +338 -0
tools/llm/bedrock_provider.py +315 -0
tools/llm/embedding_provider.py +438 -0
tools/llm/gemini_provider.py +381 -0
tools/llm/ibm_watsonx_provider.py +231 -0
tools/llm/oci_genai_provider.py +462 -0
tools/llm/ollama_provider.py +350 -0
tools/llm/openai_provider.py +225 -0
tools/llm/prompt_registry.py +447 -0
tools/llm/provider.py +355 -0
tools/llm/provider_sdk.py +175 -0
tools/llm/router.py +1124 -0
tools/llm/semantic_cache.py +394 -0
tools/llm/vertex_ai_provider.py +374 -0
tools/maintenance/__init__.py +2 -0
tools/maintenance/dependency_scanner.py +1016 -0
tools/maintenance/maintenance_auditor.py +804 -0
tools/maintenance/remediation_engine.py +957 -0
tools/maintenance/vulnerability_checker.py +978 -0
tools/manifest.md +1066 -0
tools/marketplace/asset_installer.py +639 -0
tools/marketplace/feedback_validator.py +359 -0
tools/marketplace/license_client.py +458 -0
tools/marketplace/module_crypto.py +544 -0
tools/marketplace/module_runtime.py +236 -0
tools/marketplace/token_store.py +264 -0
tools/mbse/__init__.py +3 -0
tools/mbse/des_assessor.py +1173 -0
tools/mbse/des_report_generator.py +787 -0
tools/mbse/diagram_extractor.py +792 -0
tools/mbse/digital_thread.py +1650 -0
tools/mbse/model_code_generator.py +1115 -0
tools/mbse/model_control_mapper.py +410 -0
tools/mbse/pi_model_tracker.py +1079 -0
tools/mbse/reqif_parser.py +1468 -0
tools/mbse/sync_engine.py +1789 -0
tools/mbse/thread_heatmap.py +445 -0
tools/mbse/xmi_parser.py +1558 -0
tools/mcp/builder_server.py +64 -0
tools/mcp/compliance_server.py +64 -0
tools/mcp/connector_forge_server.py +155 -0
tools/mcp/core_server.py +64 -0
tools/mcp/devsecops_server.py +11 -0
tools/mcp/devsecops_zta_server.py +64 -0
tools/mcp/knowledge_server.py +64 -0
tools/mcp/monitor_server.py +64 -0
tools/mcp/ops_server.py +300 -0
tools/mcp/requirements_analyst_server.py +64 -0
tools/mcp/requirements_server.py +11 -0
tools/mcp/security_server.py +64 -0
tools/mcp/simulation_server.py +64 -0
tools/mcp/supply_chain_server.py +64 -0
tools/mcp/tool_registry.py +299 -0
tools/memory/__init__.py +2 -0
tools/memory/auto_capture.py +346 -0
tools/memory/embed_memory.py +157 -0
tools/memory/history_compressor.py +334 -0
tools/memory/hybrid_search.py +235 -0
tools/memory/maintenance_cron.py +288 -0
tools/memory/memory_consolidation.py +439 -0
tools/memory/memory_db.py +132 -0
tools/memory/memory_read.py +101 -0
tools/memory/memory_write.py +221 -0
tools/memory/semantic_search.py +138 -0
tools/memory/time_decay.py +434 -0
tools/missions/__init__.py +2 -0
tools/missions/mission_engine.py +459 -0
tools/monitor/__init__.py +1 -0
tools/monitor/alert_correlator.py +486 -0
tools/monitor/auto_resolver.py +603 -0
tools/monitor/health_checker.py +507 -0
tools/monitor/heartbeat_daemon.py +779 -0
tools/monitor/log_analyzer.py +507 -0
tools/monitor/metric_collector.py +484 -0
tools/mosa/__init__.py +10 -0
tools/mosa/icd_generator.py +358 -0
tools/mosa/modular_design_analyzer.py +682 -0
tools/mosa/mosa_code_enforcer.py +348 -0
tools/mosa/tsp_generator.py +265 -0
tools/observability/__init__.py +100 -0
tools/observability/genai_attributes.py +88 -0
tools/observability/instrumentation.py +140 -0
tools/observability/mlflow_exporter.py +193 -0
tools/observability/otel_tracer.py +168 -0
tools/observability/provenance/__init__.py +3 -0
tools/observability/provenance/prov_recorder.py +322 -0
tools/observability/shap/__init__.py +3 -0
tools/observability/shap/agent_shap.py +274 -0
tools/observability/sqlite_tracer.py +360 -0
tools/observability/trace_context.py +205 -0
tools/observability/tracer.py +230 -0
tools/orchestration/__init__.py +1 -0
tools/orchestration/peer_channels.py +254 -0
tools/orchestration/saga_coordinator.py +390 -0
tools/project/__init__.py +1 -0
tools/project/manifest_loader.py +418 -0
tools/project/project_create.py +350 -0
tools/project/project_list.py +171 -0
tools/project/project_scaffold.py +1715 -0
tools/project/project_status.py +478 -0
tools/project/session_context_builder.py +752 -0
tools/project/validate_manifest.py +54 -0
tools/rag/corrective_rag.py +582 -0
tools/rag/source_registry.py +482 -0
tools/requirements/__init__.py +1 -0
tools/requirements/ai_governance_scorer.py +207 -0
tools/requirements/boundary_analyzer.py +1281 -0
tools/requirements/clarification_engine.py +605 -0
tools/requirements/complexity_scorer.py +369 -0
tools/requirements/consistency_analyzer.py +789 -0
tools/requirements/constitution_manager.py +592 -0
tools/requirements/decomposition_engine.py +764 -0
tools/requirements/document_extractor.py +1002 -0
tools/requirements/elicitation_techniques.py +508 -0
tools/requirements/gap_detector.py +260 -0
tools/requirements/intake_engine.py +2175 -0
tools/requirements/prd_generator.py +839 -0
tools/requirements/prd_validator.py +584 -0
tools/requirements/readiness_scorer.py +302 -0
tools/requirements/spec_organizer.py +1015 -0
tools/requirements/spec_quality_checker.py +1083 -0
tools/requirements/traceability_builder.py +566 -0
tools/research/__init__.py +3 -0
tools/research/academic_scanner.py +130 -0
tools/research/build_buy_analyzer.py +229 -0
tools/research/challenge_scorer.py +280 -0
tools/research/community_scanner.py +174 -0
tools/research/cross_engine_bridge.py +124 -0
tools/research/dossier_generator.py +305 -0
tools/research/landscape_scanner.py +315 -0
tools/research/regulatory_scanner.py +248 -0
tools/research/research_manager.py +469 -0
tools/research/source_scanner.py +150 -0
tools/research/vertical_loader.py +118 -0
tools/saas/__init__.py +0 -0
tools/saas/licensing/__init__.py +0 -0
tools/saas/licensing/license_validator.py +345 -0
tools/scaffold/__init__.py +2 -0
tools/scaffold/golden_path.py +504 -0
tools/security/__init__.py +1 -0
tools/security/agent_output_validator.py +330 -0
tools/security/agent_trust_scorer.py +652 -0
tools/security/ai_bom_generator.py +718 -0
tools/security/ai_telemetry_logger.py +469 -0
tools/security/atlas_red_team.py +541 -0
tools/security/code_pattern_scanner.py +382 -0
tools/security/confabulation_detector.py +265 -0
tools/security/container_scanner.py +489 -0
tools/security/dependency_auditor.py +942 -0
tools/security/endpoint_security_scanner.py +626 -0
tools/security/mcp_tool_authorizer.py +242 -0
tools/security/output_verifier.py +427 -0
tools/security/prompt_injection_detector.py +737 -0
tools/security/sast_runner.py +946 -0
tools/security/secret_detector.py +376 -0
tools/security/threat_modeler.py +678 -0
tools/security/tool_chain_validator.py +357 -0
tools/security/vuln_scanner.py +536 -0
tools/simulation/__init__.py +2 -0
tools/simulation/ato_simulator.py +517 -0
tools/simulation/coa_generator.py +1539 -0
tools/simulation/monte_carlo.py +745 -0
tools/simulation/scenario_manager.py +1060 -0
tools/simulation/simulation_engine.py +1091 -0
tools/simulator/__init__.py +2 -0
tools/simulator/sim_runner.py +272 -0
tools/supply_chain/__init__.py +2 -0
tools/supply_chain/cve_triager.py +690 -0
tools/supply_chain/dependency_graph.py +630 -0
tools/supply_chain/isa_manager.py +526 -0
tools/supply_chain/scrm_assessor.py +531 -0
tools/supply_chain/slsa_verifier.py +473 -0
tools/testing/__init__.py +2 -0
tools/testing/acceptance_validator.py +411 -0
tools/testing/api_surface_extractor.py +749 -0
tools/testing/claude_dir_validator.py +831 -0
tools/testing/data_types.py +199 -0
tools/testing/e2e_runner.py +715 -0
tools/testing/fuzz_cli.py +306 -0
tools/testing/health_check.py +483 -0
tools/testing/platform_check.py +143 -0
tools/testing/production_audit.py +1836 -0
tools/testing/production_remediate.py +803 -0
tools/testing/screenshot_validator.py +538 -0
tools/testing/smoke_test.py +283 -0
tools/testing/test_agent_models.py +117 -0
tools/testing/test_orchestrator.py +957 -0
tools/testing/utils.py +229 -0
tools/writeguard/__init__.py +1 -0
tools/writeguard/main.py +1 -0
tools/writing/__init__.py +7 -0
tools/writing/ai_content_detector.py +316 -0
tools/writing/analysis_engine.py +454 -0
tools/writing/batch_analyzer.py +276 -0
tools/writing/coherence_analyzer.py +221 -0
tools/writing/govcon_bridge.py +509 -0
tools/writing/grammar_checker.py +270 -0
tools/writing/plagiarism_detector.py +106 -0
tools/writing/readability_scorer.py +201 -0
tools/writing/rewriter.py +96 -0
tools/writing/signal_registrar.py +167 -0
tools/writing/snippet_manager.py +276 -0
tools/writing/style_enforcer.py +220 -0
tools/writing/style_guide_manager.py +438 -0
tools/writing/tone_profiler.py +168 -0

tools/devsecops/pdp_config_generator.py ADDED Viewed

@@ -0,0 +1,1246 @@
+#!/usr/bin/env python3
+# CUI // SP-CTI
+"""PDP/PEP Configuration Generator — Policy Decision Point and Policy Enforcement Point configs for ZTA.
+Generates PEP configurations (Istio AuthorizationPolicy, Linkerd ServerAuthorization) that point
+to external Policy Decision Points. SPARKPILOT does NOT implement PDP logic itself.
+ADR D124: PDP modeled as external reference (Zscaler, Palo Alto, DISA ICAM, CrowdStrike) —
+SPARKPILOT generates PEP configs (Istio AuthorizationPolicy) but does NOT implement PDP itself.
+Usage:
+    python tools/devsecops/pdp_config_generator.py --project-id "proj-123" --pdp-type disa_icam --json
+    python tools/devsecops/pdp_config_generator.py --project-id "proj-123" --pdp-type zscaler --json
+    python tools/devsecops/pdp_config_generator.py --project-id "proj-123" --mesh istio --pdp-type disa_icam --json
+    python tools/devsecops/pdp_config_generator.py --project-id "proj-123" --mesh linkerd --pdp-type crowdstrike --json
+    python tools/devsecops/pdp_config_generator.py --project-id "proj-123" --device-trust --mdm-type crowdstrike --json
+    python tools/devsecops/pdp_config_generator.py --project-id "proj-123" --device-trust --mdm-type microsoft_intune --json
+"""
+import argparse
+import json
+import os
+from datetime import datetime, timezone
+from pathlib import Path
+from tools.db.storage import get_connection
+BASE_DIR = Path(__file__).resolve().parent.parent.parent
+try:
+    import yaml
+    def _to_yaml(data: dict) -> str:
+        return yaml.dump(data, default_flow_style=False, sort_keys=False)
+except ImportError:
+    yaml = None
+    def _to_yaml(data: dict) -> str:
+        return json.dumps(data, indent=2)
+# ---------------------------------------------------------------------------
+# Config and DB helpers
+# ---------------------------------------------------------------------------
+def _load_config() -> dict:
+    """Load ZTA config from args/zta_config.yaml (reads pdp_references section)."""
+    config_path = BASE_DIR / "args" / "zta_config.yaml"
+    if yaml and config_path.exists():
+        with open(config_path) as f:
+            return yaml.safe_load(f) or {}
+    # Minimal fallback matching zta_config.yaml structure
+    return {
+        "pdp_references": [
+            {
+                "id": "disa_icam",
+                "name": "DISA ICAM/IDAM",
+                "type": "identity",
+                "description": "DoD Identity, Credential, and Access Management",
+                "integration": "SAML/OIDC federation to Istio/Linkerd",
+            },
+            {
+                "id": "zscaler",
+                "name": "Zscaler Private Access",
+                "type": "network",
+                "description": "Zero Trust Network Access (ZTNA)",
+                "integration": "Connector deployment in K8s, policy push via API",
+            },
+            {
+                "id": "palo_alto_prisma",
+                "name": "Palo Alto Prisma Access",
+                "type": "network",
+                "description": "Cloud-delivered security platform",
+                "integration": "GlobalProtect agent, Prisma Cloud Defender",
+            },
+            {
+                "id": "crowdstrike",
+                "name": "CrowdStrike Falcon",
+                "type": "device",
+                "description": "Endpoint detection and response (EDR)",
+                "integration": "Falcon sensor DaemonSet, device posture API",
+            },
+            {
+                "id": "microsoft_entra",
+                "name": "Microsoft Entra ID (Azure AD)",
+                "type": "identity",
+                "description": "Cloud identity and access management",
+                "integration": "OIDC/SAML federation, conditional access policies",
+            },
+            {
+                "id": "custom",
+                "name": "Customer-provided PDP",
+                "type": "custom",
+                "description": "Customer's existing policy decision point",
+                "integration": "Customer provides integration spec",
+            },
+        ]
+    }
+def _get_profile(project_id: str) -> dict:
+    """Retrieve DevSecOps profile for a project."""
+    conn = get_connection()
+    try:
+        row = conn.execute(
+            "SELECT * FROM devsecops_profiles WHERE project_id = ?",
+            (project_id,)
+        ).fetchone()
+        if not row:
+            return {}
+        return {
+            "maturity_level": row["maturity_level"],
+            "active_stages": json.loads(row["active_stages"] or "[]"),
+            "stage_configs": json.loads(row["stage_configs"] or "{}"),
+        }
+    finally:
+        conn.close()
+def _get_project_info(project_id: str) -> dict:
+    """Retrieve project metadata."""
+    conn = get_connection()
+    try:
+        row = conn.execute(
+            "SELECT name, classification, impact_level FROM projects WHERE id = ?",
+            (project_id,)
+        ).fetchone()
+        if row:
+            return dict(row)
+        return {"name": "unknown", "classification": "CUI", "impact_level": "IL4"}
+    finally:
+        conn.close()
+def _find_pdp_reference(config: dict, pdp_type: str) -> dict:
+    """Look up a PDP reference entry from config by id."""
+    for ref in config.get("pdp_references", []):
+        if ref.get("id") == pdp_type:
+            return ref
+    return {}
+# ---------------------------------------------------------------------------
+# PDP reference generation (D124: SPARKPILOT documents but does NOT implement PDP)
+# ---------------------------------------------------------------------------
+def generate_pdp_reference(project_id: str, pdp_type: str) -> dict:
+    """Document external PDP integration point for a project.
+    SPARKPILOT does not implement PDP logic. This function generates documentation
+    and integration configuration describing how the project's PEP will connect
+    to the specified external PDP. The customer is responsible for deploying
+    and operating the PDP.
+    ADR D124: PDP is an external reference. SPARKPILOT generates PEP configs only.
+    Args:
+        project_id: Project identifier.
+        pdp_type: One of disa_icam, zscaler, palo_alto_prisma, crowdstrike,
+                  microsoft_entra, custom.
+    Returns:
+        Dict with integration_config (connection details, endpoints),
+        documentation, deployment_notes.
+    """
+    valid_types = [
+        "disa_icam", "zscaler", "palo_alto_prisma",
+        "crowdstrike", "microsoft_entra", "custom",
+    ]
+    if pdp_type not in valid_types:
+        return {
+            "error": f"Invalid pdp_type: {pdp_type}",
+            "valid_types": valid_types,
+        }
+    config = _load_config()
+    ref = _find_pdp_reference(config, pdp_type)
+    project = _get_project_info(project_id)
+    now = datetime.now(timezone.utc).isoformat()
+    # Build type-specific integration config
+    integration_config = _build_integration_config(pdp_type, project)
+    # Build documentation
+    documentation = _build_pdp_documentation(pdp_type, ref, project)
+    # Build deployment notes
+    deployment_notes = _build_deployment_notes(pdp_type, ref, project)
+    return {
+        "project_id": project_id,
+        "pdp_type": pdp_type,
+        "pdp_name": ref.get("name", pdp_type),
+        "pdp_category": ref.get("type", "unknown"),
+        "description": ref.get("description", ""),
+        "integration_method": ref.get("integration", ""),
+        "integration_config": integration_config,
+        "documentation": documentation,
+        "deployment_notes": deployment_notes,
+        "adr_reference": "ADR D124: PDP is external — SPARKPILOT generates PEP configs only",
+        "generated_at": now,
+        "status": "reference_documented",
+    }
+def _build_integration_config(pdp_type: str, project: dict) -> dict:
+    """Build type-specific integration connection details."""
+    impact_level = project.get("impact_level", "IL4")
+    configs = {
+        "disa_icam": {
+            "protocol": "OIDC/SAML 2.0",
+            "endpoints": {
+                "authorization": "https://icam.mil/oauth2/authorize",
+                "token": "https://icam.mil/oauth2/token",
+                "jwks": "https://icam.mil/.well-known/jwks.json",
+                "userinfo": "https://icam.mil/oauth2/userinfo",
+            },
+            "connection_details": {
+                "auth_method": "CAC/PIV + OIDC federation",
+                "mfa_required": True,
+                "phishing_resistant_mfa": True,
+                "federation_type": "SAML 2.0 / OIDC",
+                "audience": f"sparkpilot-{project.get('name', 'app')}.mil",
+            },
+            "k8s_integration": {
+                "ext_authz_provider": "ext-authz-grpc",
+                "grpc_service": "disa-icam-ext-authz.icam-system.svc.cluster.local:9001",
+                "timeout_ms": 5000,
+                "failure_mode": "DENY",
+            },
+            "nist_controls": ["IA-2", "IA-8", "AC-2", "AC-3"],
+        },
+        "zscaler": {
+            "protocol": "ZTNA/HTTPS",
+            "endpoints": {
+                "cloud_portal": "https://admin.zscaler.net",
+                "api_base": "https://zsapi.zscaler.net/api/v1",
+                "connector_mgmt": "https://connector.zscaler.net",
+            },
+            "connection_details": {
+                "auth_method": "Zscaler App Connector (K8s DaemonSet)",
+                "tunnel_type": "Zscaler Tunnel 2.0 (ZT2)",
+                "policy_enforcement": "Zscaler cloud — policies defined in ZPA admin portal",
+                "app_segment": f"{project.get('name', 'app')}-{impact_level.lower()}",
+            },
+            "k8s_integration": {
+                "connector_image": "zscaler/zpa-connector:latest",
+                "deployment_type": "DaemonSet",
+                "namespace": "zscaler-system",
+                "secret_name": "zpa-connector-secret",
+                "required_secret_keys": ["CONNECTOR_NAME", "PROVISIONING_KEY", "ZPA_CLOUD"],
+            },
+            "nist_controls": ["AC-3", "AC-4", "SC-7", "SC-8"],
+        },
+        "palo_alto_prisma": {
+            "protocol": "ZTNA/IPSec/SSL-VPN",
+            "endpoints": {
+                "cloud_portal": "https://panorama.paloaltonetworks.com",
+                "api_base": "https://api.prismaaccess.com/api",
+                "cspm": "https://api2.prismacloud.io",
+            },
+            "connection_details": {
+                "auth_method": "GlobalProtect Agent + Prisma Cloud Defender",
+                "tunnel_type": "IPSec / SSL",
+                "policy_enforcement": "Prisma Access cloud — NGFW policies in Panorama",
+                "defender_mode": "DaemonSet (container runtime protection)",
+            },
+            "k8s_integration": {
+                "defender_image": "paloaltonetworks/prisma-cloud-compute-defender:latest",
+                "deployment_type": "DaemonSet",
+                "namespace": "prisma-system",
+                "secret_name": "prisma-defender-secret",
+                "required_secret_keys": ["PRISMA_CLOUD_URL", "PRISMA_ACCESS_KEY", "PRISMA_SECRET_KEY"],
+            },
+            "nist_controls": ["AC-3", "AC-4", "SC-7", "SI-4"],
+        },
+        "crowdstrike": {
+            "protocol": "REST API / Falcon Sensor",
+            "endpoints": {
+                "api_base": "https://api.crowdstrike.com",
+                "device_posture": "https://api.crowdstrike.com/zero-trust-assessment/v1",
+                "oauth2": "https://api.crowdstrike.com/oauth2/token",
+            },
+            "connection_details": {
+                "auth_method": "CrowdStrike Falcon Sensor (DaemonSet) + OAuth2 API",
+                "posture_endpoint": "/zero-trust-assessment/v1/assessments",
+                "check_frequency_seconds": 30,
+                "minimum_ztascore": 75,
+            },
+            "k8s_integration": {
+                "sensor_image": "falcon-sensor/falcon-sensor:latest",
+                "deployment_type": "DaemonSet",
+                "namespace": "crowdstrike-system",
+                "secret_name": "falcon-api-secret",
+                "required_secret_keys": ["FALCON_CLIENT_ID", "FALCON_CLIENT_SECRET", "FALCON_CID"],
+                "posture_sidecar": "falcon-sidecar-injector",
+            },
+            "nist_controls": ["CM-8", "IA-3", "SI-7", "SI-4"],
+        },
+        "microsoft_entra": {
+            "protocol": "OIDC/OAuth2 / SAML 2.0",
+            "endpoints": {
+                "authorization": "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize",
+                "token": "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
+                "jwks": "https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys",
+                "userinfo": "https://graph.microsoft.com/oidc/userinfo",
+            },
+            "connection_details": {
+                "auth_method": "OIDC/SAML federation with conditional access policies",
+                "mfa_required": True,
+                "phishing_resistant_mfa": True,
+                "conditional_access": "Require compliant device + MFA + risk-based",
+                "audience": f"api://{project.get('name', 'app')}-{impact_level.lower()}",
+            },
+            "k8s_integration": {
+                "ext_authz_provider": "ext-authz-grpc",
+                "grpc_service": "entra-ext-authz.entra-system.svc.cluster.local:9001",
+                "timeout_ms": 5000,
+                "failure_mode": "DENY",
+            },
+            "nist_controls": ["IA-2", "IA-8", "AC-2", "AC-3"],
+        },
+        "custom": {
+            "protocol": "Customer-defined",
+            "endpoints": {
+                "ext_authz_grpc": "PLACEHOLDER: customer-pdp.pdp-system.svc.cluster.local:9001",
+                "api_base": "PLACEHOLDER: https://pdp.customer.internal/api",
+            },
+            "connection_details": {
+                "auth_method": "Customer-defined — update before deployment",
+                "integration_spec": "Customer must provide gRPC ext_authz service implementation",
+                "protocol_reference": "Envoy ext_authz v3 API (envoy.service.auth.v3.Authorization)",
+            },
+            "k8s_integration": {
+                "ext_authz_provider": "ext-authz-grpc",
+                "grpc_service": "PLACEHOLDER: customer-pdp.pdp-system.svc.cluster.local:9001",
+                "timeout_ms": 5000,
+                "failure_mode": "DENY",
+            },
+            "nist_controls": ["AC-3", "IA-2"],
+        },
+    }
+    return configs.get(pdp_type, configs["custom"])
+def _build_pdp_documentation(pdp_type: str, ref: dict, project: dict) -> dict:
+    """Build human-readable documentation for the PDP integration."""
+    docs = {
+        "disa_icam": {
+            "summary": "DISA ICAM (Identity, Credential, and Access Management) provides DoD-wide identity services. "
+                       "SPARKPILOT generates Istio/Linkerd PEP configurations that delegate authorization decisions "
+                       "to the DISA ICAM ext_authz gRPC service. The DISA ICAM service evaluates OIDC tokens "
+                       "and CAC/PIV certificates to grant or deny access.",
+            "customer_responsibilities": [
+                "Deploy DISA ICAM ext_authz gRPC sidecar or service in the cluster",
+                "Configure OIDC relying party registration with DISA ICAM",
+                "Provide CAC/PIV certificate authority trust anchors",
+                "Define access policies in DISA ICAM admin console",
+                "Maintain ICAM service availability (SLA per DoD policy)",
+            ],
+            "icdev_responsibilities": [
+                "Generate Istio AuthorizationPolicy pointing to DISA ICAM ext_authz provider",
+                "Generate PeerAuthentication for mTLS enforcement",
+                "Configure service account bindings for PEP identity",
+            ],
+            "references": [
+                "DoD Identity, Credential, and Access Management (ICAM) Reference Design",
+                "NIST SP 800-63 (Digital Identity Guidelines)",
+                "DoDI 8520.02 (PKI and PKE for DoD)",
+            ],
+        },
+        "zscaler": {
+            "summary": "Zscaler Private Access (ZPA) provides Zero Trust Network Access. "
+                       "SPARKPILOT generates K8s Connector DaemonSet manifests and PEP network policies "
+                       "that route traffic through Zscaler's cloud enforcement points. "
+                       "Policy decisions occur in the Zscaler cloud — not within the cluster.",
+            "customer_responsibilities": [
+                "Provision Zscaler ZPA tenant and configure app segments",
+                "Generate provisioning key for App Connector",
+                "Define access policies in ZPA admin portal",
+                "Maintain Zscaler connector licensing",
+                "Configure user identity integration (IdP federation to Zscaler)",
+            ],
+            "icdev_responsibilities": [
+                "Generate App Connector DaemonSet K8s manifest",
+                "Generate K8s Secret template for provisioning key",
+                "Generate NetworkPolicy allowing Zscaler connector egress",
+            ],
+            "references": [
+                "Zscaler Private Access Deployment Guide",
+                "Zscaler Zero Trust Exchange Architecture",
+                "NIST SP 800-207 (Zero Trust Architecture)",
+            ],
+        },
+        "palo_alto_prisma": {
+            "summary": "Palo Alto Prisma Access combines ZTNA and cloud-delivered NGFW. "
+                       "Prisma Cloud Defender provides runtime container security. "
+                       "SPARKPILOT generates Defender DaemonSet manifests and PEP policies. "
+                       "Policy enforcement occurs in Prisma Access cloud.",
+            "customer_responsibilities": [
+                "Provision Palo Alto Prisma Access tenant",
+                "Configure application onboarding in Panorama",
+                "Deploy and license Prisma Cloud Compute (Defender)",
+                "Define security policies in Panorama/Prisma Cloud console",
+                "Configure user identity integration (GlobalProtect + IdP)",
+            ],
+            "icdev_responsibilities": [
+                "Generate Prisma Cloud Defender DaemonSet manifest",
+                "Generate K8s Secret template for Prisma API credentials",
+                "Generate Kyverno/OPA policies enforcing Prisma security baselines",
+            ],
+            "references": [
+                "Palo Alto Prisma Access Deployment Guide",
+                "Prisma Cloud Compute Administrator Guide",
+                "NIST SP 800-207 (Zero Trust Architecture)",
+            ],
+        },
+        "crowdstrike": {
+            "summary": "CrowdStrike Falcon provides device trust and endpoint detection. "
+                       "SPARKPILOT generates Falcon Sensor DaemonSet manifests and device posture "
+                       "check configurations. The Falcon API is called at admission time to "
+                       "verify device ZTA score before granting access.",
+            "customer_responsibilities": [
+                "Provision CrowdStrike Falcon subscription with Zero Trust Assessment module",
+                "Generate API credentials (Client ID + Secret) for posture checks",
+                "Deploy Falcon sensor to endpoint devices (BYOD/GFE)",
+                "Define device posture policies in Falcon console",
+                "Maintain Falcon CID configuration in K8s secrets",
+            ],
+            "icdev_responsibilities": [
+                "Generate Falcon Sensor DaemonSet manifest for K8s nodes",
+                "Generate device posture ext_authz integration config",
+                "Generate K8s Secret template for Falcon API credentials",
+            ],
+            "references": [
+                "CrowdStrike Falcon Sensor Deployment Guide for Kubernetes",
+                "CrowdStrike Zero Trust Assessment API Reference",
+                "NIST SP 800-207 (Zero Trust Architecture)",
+            ],
+        },
+        "microsoft_entra": {
+            "summary": "Microsoft Entra ID (formerly Azure AD) provides cloud identity and conditional access. "
+                       "SPARKPILOT generates Istio/Linkerd PEP configurations that validate Entra ID JWT tokens "
+                       "and enforce conditional access policies. Phishing-resistant MFA and device compliance "
+                       "checks are enforced through Entra conditional access — not by SPARKPILOT.",
+            "customer_responsibilities": [
+                "Register application in Microsoft Entra ID tenant",
+                "Configure conditional access policies (MFA, device compliance, risk-based)",
+                "Set up phishing-resistant authentication (FIDO2/Windows Hello)",
+                "Provide tenant ID and application client ID/secret",
+                "Configure Entra ext_authz gRPC adapter in the cluster",
+            ],
+            "icdev_responsibilities": [
+                "Generate Istio AuthorizationPolicy pointing to Entra ext_authz provider",
+                "Generate PeerAuthentication for mTLS enforcement",
+                "Generate K8s Secret template for Entra application credentials",
+            ],
+            "references": [
+                "Microsoft Entra ID Documentation",
+                "Microsoft Zero Trust Deployment Guide",
+                "NIST SP 800-63 (Digital Identity Guidelines)",
+            ],
+        },
+        "custom": {
+            "summary": "Customer-provided PDP integration. SPARKPILOT generates PEP configurations "
+                       "with placeholder endpoints that the customer must update. The PDP must "
+                       "implement the Envoy ext_authz v3 gRPC API to integrate with Istio/Linkerd.",
+            "customer_responsibilities": [
+                "Implement or deploy a PDP that exposes Envoy ext_authz v3 gRPC API",
+                "Update placeholder endpoint in generated Istio AuthorizationPolicy",
+                "Define and maintain authorization policies in the PDP",
+                "Ensure PDP high availability (SLA per organizational policy)",
+                "Document PDP integration for ATO artifacts (SSP)",
+            ],
+            "icdev_responsibilities": [
+                "Generate Istio AuthorizationPolicy template with placeholder PDP endpoint",
+                "Generate Linkerd ServerAuthorization template with placeholder reference",
+                "Provide integration checklist for customer PDP onboarding",
+            ],
+            "references": [
+                "Envoy ext_authz v3 API Reference (envoy.service.auth.v3.Authorization)",
+                "Istio External Authorization Documentation",
+                "NIST SP 800-207 (Zero Trust Architecture)",
+            ],
+        },
+    }
+    return docs.get(pdp_type, docs["custom"])
+def _build_deployment_notes(pdp_type: str, ref: dict, project: dict) -> list:
+    """Build ordered deployment notes for the PDP integration."""
+    impact_level = project.get("impact_level", "IL4")
+    common_notes = [
+        f"CLASSIFICATION: All PDP integration credentials must be stored in AWS Secrets Manager "
+        f"(not K8s ConfigMaps or plaintext files) — required for {impact_level}.",
+        "AUDIT: PDP authorization decisions must be forwarded to SIEM (Splunk/ELK) per NIST AU-2/AU-12.",
+        "FAILSAFE: Configure failure_mode=DENY on all ext_authz providers — never ALLOW on PDP unavailability.",
+        "mTLS: Ensure Istio/Linkerd mTLS is STRICT before enabling ext_authz — prevent bypass via non-mesh traffic.",
+    ]
+    type_notes = {
+        "disa_icam": [
+            "Step 1: Submit DoD ICAM relying party registration request (est. 2-4 weeks lead time).",
+            "Step 2: Obtain DISA ext_authz gRPC service endpoint and client certificate from DISA ICAM team.",
+            "Step 3: Deploy DISA ICAM ext_authz adapter into cluster (DISA-provided container image).",
+            "Step 4: Apply generated Istio AuthorizationPolicy — verify ext_authz provider name matches adapter.",
+            "Step 5: Test with CAC/PIV + OIDC token end-to-end before ATO submission.",
+        ],
+        "zscaler": [
+            "Step 1: Work with Zscaler account team to provision ZPA tenant and app segments.",
+            "Step 2: Generate App Connector provisioning key from ZPA admin portal.",
+            "Step 3: Store provisioning key in AWS Secrets Manager, reference in K8s ExternalSecret.",
+            "Step 4: Apply generated App Connector DaemonSet manifest to cluster.",
+            "Step 5: Verify connector registration in ZPA portal before enabling user access.",
+            "Step 6: Configure user access policies in ZPA — map to project app segment.",
+        ],
+        "palo_alto_prisma": [
+            "Step 1: Provision Prisma Access tenant and configure app onboarding in Panorama.",
+            "Step 2: Generate Prisma Cloud API access key from Prisma Cloud console.",
+            "Step 3: Store API credentials in AWS Secrets Manager, reference in K8s ExternalSecret.",
+            "Step 4: Apply generated Prisma Defender DaemonSet manifest to cluster.",
+            "Step 5: Verify Defender registration in Prisma Cloud console.",
+            "Step 6: Configure runtime defense policies in Prisma Cloud for this project.",
+        ],
+        "crowdstrike": [
+            "Step 1: Confirm Zero Trust Assessment (ZTA) module is included in Falcon subscription.",
+            "Step 2: Generate API client credentials (Client ID + Secret) with ZTA read scope.",
+            "Step 3: Store Falcon credentials in AWS Secrets Manager, reference in K8s ExternalSecret.",
+            "Step 4: Apply generated Falcon Sensor DaemonSet manifest to cluster nodes.",
+            "Step 5: Verify sensor enrollment in Falcon console — check ZTA score availability.",
+            "Step 6: Configure minimum ZTA score threshold (recommended: 75) in integration config.",
+        ],
+        "microsoft_entra": [
+            "Step 1: Register application in Microsoft Entra ID tenant (App Registration).",
+            "Step 2: Configure conditional access policy: require MFA + device compliance + risk-based.",
+            "Step 3: Generate client secret or certificate for ext_authz adapter.",
+            "Step 4: Store Entra credentials in AWS Secrets Manager, reference in K8s ExternalSecret.",
+            "Step 5: Deploy Entra ext_authz gRPC adapter into cluster.",
+            "Step 6: Apply generated Istio AuthorizationPolicy — update tenant_id placeholder.",
+        ],
+        "custom": [
+            "Step 1: Implement or procure a PDP that exposes Envoy ext_authz v3 gRPC API.",
+            "Step 2: Deploy PDP into cluster or as an external service reachable from the mesh.",
+            "Step 3: Update PLACEHOLDER endpoint in generated AuthorizationPolicy YAML.",
+            "Step 4: Test ext_authz integration — verify DENY on invalid credentials.",
+            "Step 5: Document PDP implementation in SSP AC-3 and IA-2 control responses.",
+        ],
+    }
+    return type_notes.get(pdp_type, type_notes["custom"]) + common_notes
+# ---------------------------------------------------------------------------
+# PEP config generation (Istio and Linkerd)
+# ---------------------------------------------------------------------------
+def generate_pep_config(project_id: str, mesh: str = "istio", pdp_type: str = "disa_icam") -> dict:
+    """Generate PEP (Policy Enforcement Point) configurations for the service mesh.
+    For Istio: generates AuthorizationPolicy YAML pointing to external authz provider.
+    For Linkerd: generates ServerAuthorization with external policy reference.
+    The PEP enforces decisions made by the external PDP — SPARKPILOT does not implement
+    the PDP itself (ADR D124).
+    Args:
+        project_id: Project identifier.
+        mesh: Service mesh type — 'istio' or 'linkerd'.
+        pdp_type: External PDP to reference.
+    Returns:
+        Dict with yaml_content, pep_type, integration_notes.
+    """
+    valid_meshes = ["istio", "linkerd"]
+    if mesh not in valid_meshes:
+        return {
+            "error": f"Invalid mesh: {mesh}",
+            "valid_meshes": valid_meshes,
+        }
+    valid_pdp_types = [
+        "disa_icam", "zscaler", "palo_alto_prisma",
+        "crowdstrike", "microsoft_entra", "custom",
+    ]
+    if pdp_type not in valid_pdp_types:
+        return {
+            "error": f"Invalid pdp_type: {pdp_type}",
+            "valid_types": valid_pdp_types,
+        }
+    project = _get_project_info(project_id)
+    now = datetime.now(timezone.utc).isoformat()
+    if mesh == "istio":
+        result = _generate_istio_pep(project_id, pdp_type, project)
+    else:
+        result = _generate_linkerd_pep(project_id, pdp_type, project)
+    result["project_id"] = project_id
+    result["mesh"] = mesh
+    result["pdp_type"] = pdp_type
+    result["generated_at"] = now
+    result["adr_reference"] = "ADR D124: PEP generated by SPARKPILOT; PDP is external"
+    return result
+def _generate_istio_pep(project_id: str, pdp_type: str, project: dict) -> dict:
+    """Generate Istio AuthorizationPolicy for external PDP."""
+    project.get("name", "app")
+    namespace = f"sparkpilot-{project_id[:8]}"
+    # Determine ext_authz provider name based on PDP type
+    provider_map = {
+        "disa_icam": "ext-authz-disa-icam",
+        "zscaler": "ext-authz-zscaler",
+        "palo_alto_prisma": "ext-authz-prisma",
+        "crowdstrike": "ext-authz-crowdstrike",
+        "microsoft_entra": "ext-authz-entra",
+        "custom": "ext-authz-grpc",
+    }
+    provider_name = provider_map.get(pdp_type, "ext-authz-grpc")
+    # AuthorizationPolicy (ext_authz CUSTOM action)
+    authz_policy = {
+        "apiVersion": "security.istio.io/v1beta1",
+        "kind": "AuthorizationPolicy",
+        "metadata": {
+            "name": f"ext-authz-pdp-{pdp_type.replace('_', '-')}",
+            "namespace": namespace,
+            "labels": {
+                "app.kubernetes.io/managed-by": "sparkpilot",
+                "sparkpilot.mil/project-id": project_id,
+                "sparkpilot.mil/classification": project.get("classification", "CUI"),
+                "sparkpilot.mil/pdp-type": pdp_type,
+            },
+            "annotations": {
+                "sparkpilot.mil/adr": "D124 — PDP is external; this policy is the PEP",
+                "sparkpilot.mil/generated-at": datetime.now(timezone.utc).isoformat(),
+            },
+        },
+        "spec": {
+            "action": "CUSTOM",
+            "provider": {
+                "name": provider_name,
+            },
+            "rules": [
+                {
+                    "to": [
+                        {
+                            "operation": {
+                                "paths": ["/*"],
+                            }
+                        }
+                    ]
+                }
+            ],
+        },
+    }
+    # PeerAuthentication (enforce mTLS STRICT — required before ext_authz)
+    peer_auth = {
+        "apiVersion": "security.istio.io/v1beta1",
+        "kind": "PeerAuthentication",
+        "metadata": {
+            "name": f"mtls-strict-{project_id[:8]}",
+            "namespace": namespace,
+            "labels": {
+                "app.kubernetes.io/managed-by": "sparkpilot",
+                "sparkpilot.mil/project-id": project_id,
+            },
+        },
+        "spec": {
+            "mtls": {
+                "mode": "STRICT",
+            }
+        },
+    }
+    # Mesh config extension (ext_authz provider registration in MeshConfig)
+    # This goes in istio-system ConfigMap — shown as a reference snippet
+    ext_authz_provider_snippet = {
+        "# Add to istio MeshConfig extensionProviders": None,
+        "extensionProviders": [
+            {
+                "name": provider_name,
+                "envoyExtAuthzGrpc": {
+                    "service": _get_grpc_service(pdp_type),
+                    "port": "9001",
+                    "timeout": "5s",
+                    "failOpen": False,
+                },
+            }
+        ],
+    }
+    yaml_docs = [
+        f"# CUI // SP-CTI\n# ADR D124: PEP config — delegates to external PDP: {pdp_type}\n---\n{_to_yaml(peer_auth)}",
+        f"# CUI // SP-CTI\n# Istio AuthorizationPolicy (CUSTOM ext_authz action)\n---\n{_to_yaml(authz_policy)}",
+        f"# CUI // SP-CTI\n# MeshConfig extensionProviders snippet (add to istio-system/istio ConfigMap)\n# ---\n# {json.dumps(ext_authz_provider_snippet, indent=2).replace(chr(10), chr(10) + '# ')}",
+    ]
+    integration_notes = [
+        f"Provider '{provider_name}' must be registered in Istio MeshConfig.extensionProviders before applying this policy.",
+        "PeerAuthentication STRICT mode must be applied before AuthorizationPolicy to prevent plaintext bypass.",
+        f"The ext_authz gRPC service endpoint is: {_get_grpc_service(pdp_type)}",
+        "failOpen is set to FALSE — traffic is denied if the PDP is unreachable (ZTA requirement).",
+        "Apply PeerAuthentication first, verify mTLS health, then apply AuthorizationPolicy.",
+    ]
+    return {
+        "pep_type": "istio_authorization_policy",
+        "yaml_content": "\n".join(yaml_docs),
+        "policies_generated": [
+            f"PeerAuthentication: mtls-strict-{project_id[:8]}",
+            f"AuthorizationPolicy: ext-authz-pdp-{pdp_type.replace('_', '-')}",
+        ],
+        "meshconfig_snippet_included": True,
+        "integration_notes": integration_notes,
+    }
+def _generate_linkerd_pep(project_id: str, pdp_type: str, project: dict) -> dict:
+    """Generate Linkerd ServerAuthorization with external policy reference."""
+    project_name = project.get("name", "app")
+    namespace = f"sparkpilot-{project_id[:8]}"
+    # Linkerd Server CRD — defines the protected server
+    server = {
+        "apiVersion": "policy.linkerd.io/v1beta1",
+        "kind": "Server",
+        "metadata": {
+            "name": f"{project_name}-server",
+            "namespace": namespace,
+            "labels": {
+                "app.kubernetes.io/managed-by": "sparkpilot",
+                "sparkpilot.mil/project-id": project_id,
+                "sparkpilot.mil/classification": project.get("classification", "CUI"),
+            },
+        },
+        "spec": {
+            "podSelector": {
+                "matchLabels": {
+                    "app.kubernetes.io/part-of": project_name,
+                }
+            },
+            "port": 8080,
+            "proxyProtocol": "HTTP/2",
+        },
+    }
+    # ServerAuthorization — allows traffic only from authorized clients
+    # In Linkerd, external authz requires a custom Auth Policy extension
+    server_authz = {
+        "apiVersion": "policy.linkerd.io/v1beta2",
+        "kind": "ServerAuthorization",
+        "metadata": {
+            "name": f"ext-policy-{pdp_type.replace('_', '-')}",
+            "namespace": namespace,
+            "labels": {
+                "app.kubernetes.io/managed-by": "sparkpilot",
+                "sparkpilot.mil/project-id": project_id,
+                "sparkpilot.mil/pdp-type": pdp_type,
+            },
+            "annotations": {
+                "sparkpilot.mil/adr": "D124 — PDP is external; this is the PEP config",
+                "sparkpilot.mil/pdp-reference": _get_grpc_service(pdp_type),
+                "sparkpilot.mil/generated-at": datetime.now(timezone.utc).isoformat(),
+            },
+        },
+        "spec": {
+            "server": {
+                "name": f"{project_name}-server",
+            },
+            "client": {
+                "meshTLS": {
+                    "serviceAccounts": [
+                        {
+                            "name": f"{project_name}-client-sa",
+                            "namespace": namespace,
+                        }
+                    ]
+                }
+            },
+        },
+    }
+    # Linkerd AuthPolicy (external policy — Linkerd 2.13+ AuthPolicy CRD)
+    auth_policy = {
+        "apiVersion": "policy.linkerd.io/v1alpha1",
+        "kind": "AuthorizationPolicy",
+        "metadata": {
+            "name": f"ext-authz-{pdp_type.replace('_', '-')}",
+            "namespace": namespace,
+            "labels": {
+                "app.kubernetes.io/managed-by": "sparkpilot",
+                "sparkpilot.mil/project-id": project_id,
+            },
+            "annotations": {
+                "sparkpilot.mil/adr": "D124 — external PDP reference",
+            },
+        },
+        "spec": {
+            "targetRef": {
+                "group": "policy.linkerd.io",
+                "kind": "Server",
+                "name": f"{project_name}-server",
+            },
+            "requiredAuthenticationRefs": [
+                {
+                    "group": "policy.linkerd.io",
+                    "kind": "MeshTLSAuthentication",
+                    "name": f"mesh-tls-auth-{project_id[:8]}",
+                }
+            ],
+        },
+    }
+    # MeshTLSAuthentication — require mesh identity
+    mesh_tls_auth = {
+        "apiVersion": "policy.linkerd.io/v1alpha1",
+        "kind": "MeshTLSAuthentication",
+        "metadata": {
+            "name": f"mesh-tls-auth-{project_id[:8]}",
+            "namespace": namespace,
+            "labels": {
+                "app.kubernetes.io/managed-by": "sparkpilot",
+            },
+        },
+        "spec": {
+            "identities": [f"*.{namespace}.serviceaccount.identity.linkerd.cluster.local"],
+        },
+    }
+    yaml_docs = [
+        f"# CUI // SP-CTI\n# ADR D124: Linkerd PEP config — external PDP reference: {pdp_type}\n---\n{_to_yaml(server)}",
+        f"# CUI // SP-CTI\n---\n{_to_yaml(mesh_tls_auth)}",
+        f"# CUI // SP-CTI\n---\n{_to_yaml(auth_policy)}",
+        f"# CUI // SP-CTI\n---\n{_to_yaml(server_authz)}",
+    ]
+    integration_notes = [
+        f"Linkerd's native policy enforces mTLS identity — external PDP ({pdp_type}) handles authorization decisions.",
+        f"External PDP gRPC endpoint: {_get_grpc_service(pdp_type)} — must be deployed before applying policies.",
+        "Linkerd AuthorizationPolicy (v1alpha1) requires Linkerd 2.13+ with policy extension enabled.",
+        "MeshTLSAuthentication enforces mutual TLS between all services — non-mesh traffic is denied by default.",
+        "For full ext_authz support in Linkerd, consider deploying an Envoy proxy as a policy sidecar.",
+    ]
+    return {
+        "pep_type": "linkerd_server_authorization",
+        "yaml_content": "\n".join(yaml_docs),
+        "policies_generated": [
+            f"Server: {project_name}-server",
+            f"MeshTLSAuthentication: mesh-tls-auth-{project_id[:8]}",
+            f"AuthorizationPolicy: ext-authz-{pdp_type.replace('_', '-')}",
+            f"ServerAuthorization: ext-policy-{pdp_type.replace('_', '-')}",
+        ],
+        "integration_notes": integration_notes,
+    }
+def _get_grpc_service(pdp_type: str) -> str:
+    """Return the expected gRPC service address for a PDP type."""
+    services = {
+        "disa_icam": "disa-icam-ext-authz.icam-system.svc.cluster.local:9001",
+        "zscaler": "zscaler-ext-authz.zscaler-system.svc.cluster.local:9001",
+        "palo_alto_prisma": "prisma-ext-authz.prisma-system.svc.cluster.local:9001",
+        "crowdstrike": "falcon-ext-authz.crowdstrike-system.svc.cluster.local:9001",
+        "microsoft_entra": "entra-ext-authz.entra-system.svc.cluster.local:9001",
+        "custom": "PLACEHOLDER: customer-pdp.pdp-system.svc.cluster.local:9001",
+    }
+    return services.get(pdp_type, services["custom"])
+# ---------------------------------------------------------------------------
+# Device trust config generation
+# ---------------------------------------------------------------------------
+def generate_device_trust_config(project_id: str, mdm_type: str = "crowdstrike") -> dict:
+    """Generate device posture checking integration config.
+    Documents how device trust is enforced via an external MDM/EDR solution.
+    SPARKPILOT generates the K8s manifests and configuration references — the
+    actual device posture decisions are made by the external MDM/EDR service.
+    Args:
+        project_id: Project identifier.
+        mdm_type: MDM/EDR solution — crowdstrike, microsoft_intune, jamf, custom.
+    Returns:
+        Dict with config describing device trust integration points.
+    """
+    valid_mdm_types = ["crowdstrike", "microsoft_intune", "jamf", "custom"]
+    if mdm_type not in valid_mdm_types:
+        return {
+            "error": f"Invalid mdm_type: {mdm_type}",
+            "valid_types": valid_mdm_types,
+        }
+    project = _get_project_info(project_id)
+    now = datetime.now(timezone.utc).isoformat()
+    # Build MDM-specific config
+    mdm_config = _build_mdm_config(mdm_type, project)
+    # Build K8s manifests for device trust enforcement
+    k8s_manifests = _build_device_trust_manifests(project_id, mdm_type, project)
+    # Build posture check policy
+    posture_policy = _build_posture_policy(mdm_type, project)
+    return {
+        "project_id": project_id,
+        "mdm_type": mdm_type,
+        "mdm_name": _get_mdm_name(mdm_type),
+        "device_trust_pillar": "ZTA Pillar: Device (weight 0.15)",
+        "nist_controls": ["CM-8", "IA-3", "SC-17", "SI-7"],
+        "mdm_config": mdm_config,
+        "k8s_manifests": k8s_manifests,
+        "posture_policy": posture_policy,
+        "enforcement_model": (
+            "Device posture decisions are made by the external MDM/EDR. "
+            "SPARKPILOT generates K8s admission webhook configs and PEP policies "
+            "that query the MDM API at admission time."
+        ),
+        "adr_reference": "ADR D124: device trust PDP is external — SPARKPILOT generates PEP integration configs",
+        "generated_at": now,
+    }
+def _get_mdm_name(mdm_type: str) -> str:
+    """Return display name for MDM type."""
+    names = {
+        "crowdstrike": "CrowdStrike Falcon Zero Trust Assessment",
+        "microsoft_intune": "Microsoft Intune (Endpoint Manager)",
+        "jamf": "JAMF Pro (macOS/iOS MDM)",
+        "custom": "Customer-provided MDM/EDR",
+    }
+    return names.get(mdm_type, mdm_type)
+def _build_mdm_config(mdm_type: str, project: dict) -> dict:
+    """Build MDM-specific configuration."""
+    impact_level = project.get("impact_level", "IL4")
+    configs = {
+        "crowdstrike": {
+            "product": "CrowdStrike Falcon",
+            "modules_required": ["Falcon Prevent (AV)", "Falcon Insight (EDR)", "Zero Trust Assessment (ZTA)"],
+            "api_integration": {
+                "base_url": "https://api.crowdstrike.com",
+                "zta_endpoint": "/zero-trust-assessment/v1/assessments",
+                "oauth2_token": "/oauth2/token",
+                "required_scopes": ["zero-trust-assessment:read"],
+            },
+            "posture_check": {
+                "field": "assessment.overall",
+                "minimum_score": 75,
+                "check_interval_seconds": 30,
+                "cache_ttl_seconds": 60,
+            },
+            "k8s_deployment": {
+                "sensor_daemonset": True,
+                "namespace": "crowdstrike-system",
+                "image": "falcon-sensor/falcon-sensor:latest",
+                "secret_name": "falcon-credentials",
+                "secret_keys": ["FALCON_CLIENT_ID", "FALCON_CLIENT_SECRET", "FALCON_CID"],
+            },
+            "node_coverage": f"All {impact_level} worker nodes must have Falcon sensor installed",
+        },
+        "microsoft_intune": {
+            "product": "Microsoft Intune (Endpoint Manager)",
+            "modules_required": ["Intune Device Compliance", "Conditional Access"],
+            "api_integration": {
+                "base_url": "https://graph.microsoft.com/v1.0",
+                "device_compliance_endpoint": "/deviceManagement/managedDevices",
+                "oauth2_token": "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
+                "required_scopes": ["DeviceManagementManagedDevices.Read.All"],
+            },
+            "posture_check": {
+                "field": "complianceState",
+                "required_value": "compliant",
+                "check_interval_seconds": 60,
+                "cache_ttl_seconds": 120,
+            },
+            "k8s_deployment": {
+                "sensor_daemonset": False,
+                "admission_webhook": True,
+                "namespace": "intune-system",
+                "secret_name": "intune-credentials",
+                "secret_keys": ["TENANT_ID", "CLIENT_ID", "CLIENT_SECRET"],
+            },
+            "node_coverage": f"All {impact_level} workloads require device compliance token in JWT",
+        },
+        "jamf": {
+            "product": "JAMF Pro",
+            "modules_required": ["JAMF Pro MDM", "JAMF Connect (optional, for OIDC)"],
+            "api_integration": {
+                "base_url": "https://{jamf_instance}.jamfcloud.com/api/v1",
+                "device_check_endpoint": "/computers/{device_id}",
+                "oauth2_token": "https://{jamf_instance}.jamfcloud.com/api/oauth/token",
+                "required_scopes": ["Read Computers"],
+            },
+            "posture_check": {
+                "field": "managementStatus.enrolled",
+                "required_value": True,
+                "additional_checks": ["extensionAttributes.patch_compliance", "extensionAttributes.disk_encrypted"],
+                "check_interval_seconds": 60,
+                "cache_ttl_seconds": 120,
+            },
+            "k8s_deployment": {
+                "sensor_daemonset": False,
+                "admission_webhook": True,
+                "namespace": "jamf-system",
+                "secret_name": "jamf-credentials",
+                "secret_keys": ["JAMF_INSTANCE_URL", "JAMF_CLIENT_ID", "JAMF_CLIENT_SECRET"],
+            },
+            "node_coverage": f"All {impact_level} macOS/iOS devices must be JAMF-enrolled",
+        },
+        "custom": {
+            "product": "Customer-provided MDM/EDR",
+            "modules_required": ["Customer-defined — document in SSP CM-8 control response"],
+            "api_integration": {
+                "base_url": "PLACEHOLDER: https://mdm.customer.internal/api",
+                "device_check_endpoint": "PLACEHOLDER: /v1/devices/{device_id}/posture",
+                "auth_method": "PLACEHOLDER: Bearer token / API key / mTLS client cert",
+            },
+            "posture_check": {
+                "field": "PLACEHOLDER: posture.compliant",
+                "required_value": True,
+                "check_interval_seconds": 60,
+                "cache_ttl_seconds": 120,
+            },
+            "k8s_deployment": {
+                "sensor_daemonset": False,
+                "admission_webhook": True,
+                "namespace": "mdm-system",
+                "secret_name": "mdm-credentials",
+                "secret_keys": ["MDM_API_URL", "MDM_API_KEY"],
+            },
+            "node_coverage": "PLACEHOLDER: Document MDM coverage requirements in SSP",
+        },
+    }
+    return configs.get(mdm_type, configs["custom"])
+def _build_device_trust_manifests(project_id: str, mdm_type: str, project: dict) -> dict:
+    """Build K8s manifests for device trust enforcement."""
+    namespace = f"sparkpilot-{project_id[:8]}"
+    # Kyverno policy: deny requests without device trust header/annotation
+    kyverno_device_policy = {
+        "apiVersion": "kyverno.io/v1",
+        "kind": "ClusterPolicy",
+        "metadata": {
+            "name": f"device-trust-{mdm_type.replace('_', '-')}",
+            "annotations": {
+                "policies.kyverno.io/title": "Device Trust Enforcement",
+                "policies.kyverno.io/category": "ZTA/Device",
+                "policies.kyverno.io/severity": "high",
+                "policies.kyverno.io/description": (
+                    f"Require device trust annotation from {mdm_type} before allowing pod scheduling"
+                ),
+                "sparkpilot.mil/adr": "D124 — device trust PDP is external",
+            },
+            "labels": {
+                "app.kubernetes.io/managed-by": "sparkpilot",
+                "sparkpilot.mil/project-id": project_id,
+            },
+        },
+        "spec": {
+            "validationFailureAction": "Enforce",
+            "background": False,
+            "rules": [
+                {
+                    "name": "require-device-trust-annotation",
+                    "match": {"any": [{"resources": {"kinds": ["Pod"], "namespaces": [namespace]}}]},
+                    "validate": {
+                        "message": (
+                            f"Pod must have device trust annotation from {mdm_type} "
+                            f"(sparkpilot.mil/device-trust-verified: 'true')"
+                        ),
+                        "pattern": {
+                            "metadata": {
+                                "annotations": {
+                                    "sparkpilot.mil/device-trust-verified": "true",
+                                    "sparkpilot.mil/device-trust-source": f"{mdm_type}",
+                                }
+                            }
+                        },
+                    },
+                }
+            ],
+        },
+    }
+    # Secret template (values must be populated from AWS Secrets Manager)
+    secret_template = {
+        "apiVersion": "v1",
+        "kind": "Secret",
+        "metadata": {
+            "name": _build_mdm_config(mdm_type, project).get("k8s_deployment", {}).get("secret_name", "mdm-secret"),
+            "namespace": _build_mdm_config(mdm_type, project).get("k8s_deployment", {}).get("namespace", "mdm-system"),
+            "annotations": {
+                "sparkpilot.mil/secret-source": "aws-secrets-manager",
+                "sparkpilot.mil/do-not-commit": "true — populate from AWS Secrets Manager ExternalSecret",
+            },
+        },
+        "type": "Opaque",
+        "stringData": {
+            k: "PLACEHOLDER — retrieve from AWS Secrets Manager"
+            for k in _build_mdm_config(mdm_type, project).get("k8s_deployment", {}).get("secret_keys", [])
+        },
+    }
+    yaml_docs = [
+        f"# CUI // SP-CTI\n# ADR D124: Device trust PEP policy — external MDM: {mdm_type}\n---\n{_to_yaml(kyverno_device_policy)}",
+        f"# CUI // SP-CTI\n# Secret template — populate from AWS Secrets Manager (do NOT commit values)\n---\n{_to_yaml(secret_template)}",
+    ]
+    return {
+        "yaml_content": "\n".join(yaml_docs),
+        "manifests_generated": [
+            f"ClusterPolicy: device-trust-{mdm_type.replace('_', '-')}",
+            f"Secret template: {secret_template['metadata']['name']}",
+        ],
+    }
+def _build_posture_policy(mdm_type: str, project: dict) -> dict:
+    """Build device posture evaluation policy."""
+    return {
+        "enforcement_point": "K8s admission webhook + Istio ext_authz",
+        "evaluation_trigger": "Every new pod admission + periodic re-evaluation (JWT expiry)",
+        "check_sequence": [
+            "1. Extract device identifier from client certificate CN or JWT claim",
+            f"2. Query {_get_mdm_name(mdm_type)} API for device posture",
+            "3. Evaluate posture against minimum compliance threshold",
+            "4. Annotate pod with device trust result (sparkpilot.mil/device-trust-verified)",
+            "5. Allow or deny based on Kyverno policy",
+        ],
+        "failure_behavior": "DENY — device posture failures result in access denial (ZTA: deny by default)",
+        "audit_logging": "All device posture decisions logged to SIEM per NIST AU-2/AU-12",
+        "cache_policy": (
+            "Device posture results cached per device ID with TTL — "
+            "balance between security (short TTL) and PDP load (longer TTL)"
+        ),
+        "nist_800_53_evidence": {
+            "CM-8": "Device inventory maintained in MDM",
+            "IA-3": "Device authentication via certificate/sensor enrollment",
+            "SC-17": "PKI certificates used for device identity",
+            "SI-7": "Software integrity verified by EDR sensor",
+        },
+    }
+# ---------------------------------------------------------------------------
+# CLI
+# ---------------------------------------------------------------------------
+def main():
+    parser = argparse.ArgumentParser(
+        description="PDP/PEP Configuration Generator for ZTA (ADR D124)"
+    )
+    parser.add_argument("--project-id", required=True, help="Project identifier")
+    parser.add_argument(
+        "--pdp-type",
+        choices=["disa_icam", "zscaler", "palo_alto_prisma", "crowdstrike", "microsoft_entra", "custom"],
+        default="disa_icam",
+        help="External PDP type",
+    )
+    parser.add_argument(
+        "--mesh",
+        choices=["istio", "linkerd"],
+        default="istio",
+        help="Service mesh for PEP config generation",
+    )
+    parser.add_argument(
+        "--device-trust",
+        action="store_true",
+        help="Generate device trust config instead of PDP/PEP config",
+    )
+    parser.add_argument(
+        "--mdm-type",
+        choices=["crowdstrike", "microsoft_intune", "jamf", "custom"],
+        default="crowdstrike",
+        help="MDM/EDR type for device trust config",
+    )
+    parser.add_argument("--json", action="store_true", help="JSON output")
+    parser.add_argument("--human", action="store_true", help="Human-readable output")
+    args = parser.parse_args()
+    if args.device_trust:
+        result = generate_device_trust_config(args.project_id, mdm_type=args.mdm_type)
+    elif hasattr(args, "pdp_type") and not hasattr(args, "mesh"):
+        result = generate_pdp_reference(args.project_id, pdp_type=args.pdp_type)
+    else:
+        # Default: generate both PDP reference doc and PEP config
+        pdp_ref = generate_pdp_reference(args.project_id, pdp_type=args.pdp_type)
+        pep_cfg = generate_pep_config(args.project_id, mesh=args.mesh, pdp_type=args.pdp_type)
+        result = {
+            "project_id": args.project_id,
+            "pdp_reference": pdp_ref,
+            "pep_config": pep_cfg,
+        }
+    if args.json or not args.human:
+        print(json.dumps(result, indent=2))
+    else:
+        if "error" in result:
+            print(f"ERROR: {result['error']}")
+            return
+        if args.device_trust:
+            print(f"Project:    {result['project_id']}")
+            print(f"MDM Type:   {result['mdm_name']}")
+            print(f"Pillar:     {result['device_trust_pillar']}")
+            print(f"Controls:   {', '.join(result['nist_controls'])}")
+            print(f"Manifests:  {', '.join(result['k8s_manifests'].get('manifests_generated', []))}")
+            print(f"ADR:        {result['adr_reference']}")
+        else:
+            pdp = result.get("pdp_reference", result)
+            pep = result.get("pep_config", {})
+            print(f"Project:    {result.get('project_id', args.project_id)}")
+            if pdp:
+                print(f"PDP Type:   {pdp.get('pdp_name', args.pdp_type)}")
+                print(f"Category:   {pdp.get('pdp_category', 'N/A')}")
+                print(f"Status:     {pdp.get('status', 'N/A')}")
+            if pep:
+                print(f"PEP Type:   {pep.get('pep_type', 'N/A')}")
+                print(f"Mesh:       {pep.get('mesh', args.mesh)}")
+                for policy in pep.get("policies_generated", []):
+                    print(f"  Policy:   {policy}")
+                for note in pep.get("integration_notes", [])[:3]:
+                    print(f"  Note:     {note}")
+            print("ADR:        ADR D124 — PDP is external; SPARKPILOT generates PEP configs only")
+if __name__ == "__main__":
+    main()