icdev 0.0.3__py3-none-any.whl

tools/forge_studio/enterprise/custom_frameworks.py

@@ -0,0 +1,826 @@
+# CUI // SP-CTI
+"""Custom compliance frameworks for Forge Studio enterprise tenants.
+
+Allows tenants to define custom compliance frameworks beyond the built-in 9,
+with crosswalk mappings to NIST 800-53 controls for automated assessment.
+
+Architecture decision: D-FS-P6-2 — Custom frameworks stored as JSON definitions,
+mapped to controls via crosswalk pattern.  Deterministic, no LLM, air-gap safe.
+
+CLI: python tools/forge_studio/enterprise/custom_frameworks.py --list --json
+"""
+from __future__ import annotations
+
+import json
+import logging
+import re
+import uuid
+from datetime import datetime, timezone
+from typing import Any, Dict, List, Optional
+
+from tools.forge_studio.audit import log_forge_event
+
+logger = logging.getLogger("forge_studio.custom_frameworks")
+
+# ---------------------------------------------------------------------------
+# DB schema
+# ---------------------------------------------------------------------------
+
+CUSTOM_FRAMEWORK_SCHEMA = """
+CREATE TABLE IF NOT EXISTS forge_studio_custom_frameworks (
+    id TEXT PRIMARY KEY,
+    tenant_id TEXT NOT NULL,
+    name TEXT NOT NULL,
+    short_key TEXT NOT NULL,
+    description TEXT,
+    version TEXT DEFAULT '1.0',
+    controls_json TEXT NOT NULL,
+    crosswalk_json TEXT,
+    assessment_criteria_json TEXT,
+    status TEXT DEFAULT 'active' CHECK(status IN ('active','draft','deprecated')),
+    classification TEXT DEFAULT 'CUI // SP-CTI',
+    created_at TEXT NOT NULL,
+    updated_at TEXT,
+    UNIQUE(tenant_id, short_key)
+);
+
+CREATE TABLE IF NOT EXISTS forge_studio_custom_framework_results (
+    id TEXT PRIMARY KEY,
+    app_id TEXT NOT NULL,
+    framework_id TEXT NOT NULL,
+    score REAL,
+    controls_passed INTEGER,
+    controls_total INTEGER,
+    details_json TEXT,
+    classification TEXT DEFAULT 'CUI // SP-CTI',
+    created_at TEXT NOT NULL
+);
+"""
+
+
+def ensure_framework_tables():
+    """Create custom framework tables if they don't exist."""
+    from tools.db.storage import get_connection
+
+    with get_connection() as conn:
+        for stmt in CUSTOM_FRAMEWORK_SCHEMA.split(";"):
+            s = stmt.strip()
+            if s and not s.startswith("--"):
+                conn.execute(s)
+
+    logger.info("Forge Studio custom framework tables ensured")
+
+
+# ---------------------------------------------------------------------------
+# Validation helpers
+# ---------------------------------------------------------------------------
+
+_SLUG_RE = re.compile(r"^[a-z][a-z0-9_]{1,63}$")
+
+
+def _validate_short_key(short_key: str) -> bool:
+    """Check that short_key is a valid slug (lowercase alphanumeric + underscores)."""
+    return bool(_SLUG_RE.match(short_key))
+
+
+def _validate_controls(controls: List[Dict[str, Any]]) -> Optional[str]:
+    """Validate controls array.  Returns error message or None."""
+    if not controls or not isinstance(controls, list):
+        return "controls must be a non-empty array"
+    for i, ctrl in enumerate(controls):
+        if not isinstance(ctrl, dict):
+            return f"controls[{i}] must be a dict"
+        if not ctrl.get("control_id"):
+            return f"controls[{i}] missing required field 'control_id'"
+        if not ctrl.get("title"):
+            return f"controls[{i}] missing required field 'title'"
+    return None
+
+
+def _auto_crosswalk(controls: List[Dict[str, Any]]) -> Dict[str, List[str]]:
+    """Build crosswalk mapping from nist_mappings in each control.
+
+    Returns: {control_id: [nist_control_id, ...]}
+    """
+    crosswalk: Dict[str, List[str]] = {}
+    for ctrl in controls:
+        mappings = ctrl.get("nist_mappings", [])
+        if mappings:
+            crosswalk[ctrl["control_id"]] = list(mappings)
+    return crosswalk
+
+
+# ---------------------------------------------------------------------------
+# CRUD
+# ---------------------------------------------------------------------------
+
+def create_framework(
+    tenant_id: str,
+    name: str,
+    short_key: str,
+    controls: List[Dict[str, Any]],
+    description: str = "",
+    crosswalk: Optional[Dict[str, List[str]]] = None,
+    assessment_criteria: Optional[Dict[str, Any]] = None,
+    project_id: str = "",
+) -> Dict[str, Any]:
+    """Create a custom compliance framework.
+
+    Args:
+        tenant_id: Owning tenant ID.
+        name: Display name (e.g. "HIPAA Privacy Rule").
+        short_key: Slug identifier (e.g. "hipaa_privacy").
+        controls: Array of control definitions (control_id + title required).
+        description: Optional long description.
+        crosswalk: Optional explicit NIST 800-53 crosswalk.  Auto-generated
+                   from nist_mappings in controls if not provided.
+        assessment_criteria: Optional pass/fail criteria per control.
+        project_id: Project context for audit trail.
+
+    Returns: {status, framework_id, framework}
+    """
+    from tools.db.storage import get_connection
+
+    # --- validation ---
+    if not name or not name.strip():
+        return {"status": "error", "error": "name is required"}
+    if not _validate_short_key(short_key):
+        return {
+            "status": "error",
+            "error": "short_key must be lowercase alphanumeric/underscores, "
+                     "2-64 chars, starting with a letter",
+        }
+    ctrl_err = _validate_controls(controls)
+    if ctrl_err:
+        return {"status": "error", "error": ctrl_err}
+
+    # Auto-generate crosswalk if not provided
+    if crosswalk is None:
+        crosswalk = _auto_crosswalk(controls)
+
+    framework_id = f"cf-{uuid.uuid4().hex[:12]}"
+    now = datetime.now(timezone.utc).isoformat()
+
+    with get_connection() as conn:
+        conn.execute(
+            "INSERT INTO forge_studio_custom_frameworks "
+            "(id, tenant_id, name, short_key, description, version, "
+            "controls_json, crosswalk_json, assessment_criteria_json, "
+            "status, classification, created_at, updated_at) "
+            "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
+            (
+                framework_id, tenant_id, name.strip(), short_key,
+                description, "1.0",
+                json.dumps(controls),
+                json.dumps(crosswalk),
+                json.dumps(assessment_criteria) if assessment_criteria else None,
+                "active", "CUI // SP-CTI", now, now,
+            ),
+        )
+
+    framework = {
+        "id": framework_id,
+        "tenant_id": tenant_id,
+        "name": name.strip(),
+        "short_key": short_key,
+        "description": description,
+        "version": "1.0",
+        "controls": controls,
+        "crosswalk": crosswalk,
+        "assessment_criteria": assessment_criteria,
+        "status": "active",
+        "created_at": now,
+    }
+
+    log_forge_event("forge_studio_custom_framework_created", {
+        "framework_id": framework_id,
+        "tenant_id": tenant_id,
+        "name": name.strip(),
+        "short_key": short_key,
+        "controls_count": len(controls),
+    }, project_id=project_id)
+
+    return {"status": "success", "framework_id": framework_id, "framework": framework}
+
+
+def get_framework(framework_id: str) -> Optional[Dict[str, Any]]:
+    """Get framework by ID with full detail including controls and crosswalk."""
+    from tools.db.storage import get_connection
+
+    with get_connection() as conn:
+        row = conn.execute(
+            "SELECT id, tenant_id, name, short_key, description, version, "
+            "controls_json, crosswalk_json, assessment_criteria_json, "
+            "status, classification, created_at, updated_at "
+            "FROM forge_studio_custom_frameworks WHERE id = ?",
+            (framework_id,),
+        ).fetchone()
+
+    if not row:
+        return None
+
+    return {
+        "id": row[0],
+        "tenant_id": row[1],
+        "name": row[2],
+        "short_key": row[3],
+        "description": row[4],
+        "version": row[5],
+        "controls": json.loads(row[6]) if row[6] else [],
+        "crosswalk": json.loads(row[7]) if row[7] else {},
+        "assessment_criteria": json.loads(row[8]) if row[8] else None,
+        "status": row[9],
+        "classification": row[10],
+        "created_at": row[11],
+        "updated_at": row[12],
+    }
+
+
+def list_frameworks(tenant_id: Optional[str] = None) -> List[Dict[str, Any]]:
+    """List frameworks, optionally filtered by tenant.
+
+    Excludes controls_json for performance.
+    """
+    from tools.db.storage import get_connection
+
+    if tenant_id:
+        sql = (
+            "SELECT id, tenant_id, name, short_key, description, version, "
+            "status, created_at, updated_at "
+            "FROM forge_studio_custom_frameworks "
+            "WHERE tenant_id = ? AND status != 'deprecated' "
+            "ORDER BY created_at DESC"
+        )
+        params = (tenant_id,)
+    else:
+        sql = (
+            "SELECT id, tenant_id, name, short_key, description, version, "
+            "status, created_at, updated_at "
+            "FROM forge_studio_custom_frameworks "
+            "WHERE status != 'deprecated' "
+            "ORDER BY created_at DESC"
+        )
+        params = ()
+
+    with get_connection() as conn:
+        rows = conn.execute(sql, params).fetchall()
+
+    return [
+        {
+            "id": r[0], "tenant_id": r[1], "name": r[2], "short_key": r[3],
+            "description": r[4], "version": r[5], "status": r[6],
+            "created_at": r[7], "updated_at": r[8],
+        }
+        for r in rows
+    ]
+
+
+def update_framework(
+    framework_id: str,
+    updates: Dict[str, Any],
+    project_id: str = "",
+) -> Dict[str, Any]:
+    """Update framework fields.
+
+    Allowed keys: name, description, version, controls, crosswalk,
+    assessment_criteria, status.
+
+    Returns: {status, framework_id}
+    """
+    from tools.db.storage import get_connection
+
+    existing = get_framework(framework_id)
+    if not existing:
+        return {"status": "error", "error": f"Framework not found: {framework_id}"}
+
+    allowed = {
+        "name", "description", "version", "controls", "crosswalk",
+        "assessment_criteria", "status",
+    }
+    field_map = []
+    params: List[Any] = []
+
+    for key, val in updates.items():
+        if key not in allowed:
+            continue
+
+        if key == "controls":
+            ctrl_err = _validate_controls(val)
+            if ctrl_err:
+                return {"status": "error", "error": ctrl_err}
+            field_map.append("controls_json = ?")
+            params.append(json.dumps(val))
+        elif key == "crosswalk":
+            field_map.append("crosswalk_json = ?")
+            params.append(json.dumps(val))
+        elif key == "assessment_criteria":
+            field_map.append("assessment_criteria_json = ?")
+            params.append(json.dumps(val) if val else None)
+        elif key == "status":
+            if val not in ("active", "draft", "deprecated"):
+                return {"status": "error", "error": f"Invalid status: {val}"}
+            field_map.append("status = ?")
+            params.append(val)
+        else:
+            field_map.append(f"{key} = ?")
+            params.append(val)
+
+    if not field_map:
+        return {"status": "success", "message": "No changes"}
+
+    now = datetime.now(timezone.utc).isoformat()
+    field_map.append("updated_at = ?")
+    params.append(now)
+    params.append(framework_id)
+
+    with get_connection() as conn:
+        conn.execute(
+            f"UPDATE forge_studio_custom_frameworks SET {', '.join(field_map)} WHERE id = ?",
+            params,
+        )
+
+    log_forge_event("forge_studio_custom_framework_updated", {
+        "framework_id": framework_id,
+        "fields_updated": [f.split(" =")[0] for f in field_map[:-1]],
+    }, project_id=project_id)
+
+    return {"status": "success", "framework_id": framework_id}
+
+
+def delete_framework(framework_id: str, project_id: str = "") -> Dict[str, Any]:
+    """Soft-delete a framework by setting status to 'deprecated'.
+
+    Never hard-deletes (D6: append-only audit trail).
+    """
+    from tools.db.storage import get_connection
+
+    existing = get_framework(framework_id)
+    if not existing:
+        return {"status": "error", "error": f"Framework not found: {framework_id}"}
+
+    now = datetime.now(timezone.utc).isoformat()
+
+    with get_connection() as conn:
+        conn.execute(
+            "UPDATE forge_studio_custom_frameworks "
+            "SET status = 'deprecated', updated_at = ? WHERE id = ?",
+            (now, framework_id),
+        )
+
+    log_forge_event("forge_studio_custom_framework_deprecated", {
+        "framework_id": framework_id,
+        "name": existing.get("name", ""),
+    }, project_id=project_id)
+
+    return {"status": "success", "framework_id": framework_id, "new_status": "deprecated"}
+
+
+# ---------------------------------------------------------------------------
+# Assessment
+# ---------------------------------------------------------------------------
+
+def assess_app_against_framework(
+    app_id: str,
+    framework_id: str,
+    project_id: str = "",
+) -> Dict[str, Any]:
+    """Assess an app against a custom framework via NIST crosswalk.
+
+    For each framework control that has nist_mappings, checks whether
+    the mapped NIST 800-53 controls have evidence in the compliance
+    system.  Produces a coverage score and stores the result.
+
+    Returns: {status, result_id, score, controls_passed, controls_total, details}
+    """
+    from tools.db.storage import get_connection
+
+    framework = get_framework(framework_id)
+    if not framework:
+        return {"status": "error", "error": f"Framework not found: {framework_id}"}
+
+    controls = framework.get("controls", [])
+    crosswalk = framework.get("crosswalk", {})
+
+    if not controls:
+        return {"status": "error", "error": "Framework has no controls defined"}
+
+    # Gather satisfied NIST controls from compliance_controls table
+    satisfied_nist: set = set()
+    with get_connection() as conn:
+        try:
+            rows = conn.execute(
+                "SELECT control_id, status FROM compliance_controls "
+                "WHERE project_id = ? AND status IN ('implemented', 'partially_implemented')",
+                (project_id,),
+            ).fetchall()
+            for r in rows:
+                satisfied_nist.add(r[0])
+        except Exception:
+            # Table may not exist; proceed with empty set
+            pass
+
+    # Assess each control
+    details: List[Dict[str, Any]] = []
+    controls_passed = 0
+    controls_total = len(controls)
+
+    for ctrl in controls:
+        ctrl_id = ctrl["control_id"]
+        nist_maps = crosswalk.get(ctrl_id, ctrl.get("nist_mappings", []))
+
+        if not nist_maps:
+            # No NIST mapping — cannot assess, mark as not_assessed
+            details.append({
+                "control_id": ctrl_id,
+                "title": ctrl.get("title", ""),
+                "result": "not_assessed",
+                "reason": "no NIST mapping defined",
+                "nist_mappings": [],
+                "satisfied_mappings": [],
+            })
+            continue
+
+        satisfied = [n for n in nist_maps if n in satisfied_nist]
+        passed = len(satisfied) == len(nist_maps) and len(nist_maps) > 0
+
+        if passed:
+            controls_passed += 1
+
+        details.append({
+            "control_id": ctrl_id,
+            "title": ctrl.get("title", ""),
+            "result": "pass" if passed else "fail",
+            "nist_mappings": nist_maps,
+            "satisfied_mappings": satisfied,
+            "coverage": len(satisfied) / len(nist_maps) if nist_maps else 0.0,
+        })
+
+    score = controls_passed / controls_total if controls_total > 0 else 0.0
+
+    # Store result
+    result_id = f"cfr-{uuid.uuid4().hex[:12]}"
+    now = datetime.now(timezone.utc).isoformat()
+
+    with get_connection() as conn:
+        conn.execute(
+            "INSERT INTO forge_studio_custom_framework_results "
+            "(id, app_id, framework_id, score, controls_passed, controls_total, "
+            "details_json, classification, created_at) "
+            "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
+            (
+                result_id, app_id, framework_id, score,
+                controls_passed, controls_total,
+                json.dumps(details), "CUI // SP-CTI", now,
+            ),
+        )
+
+    log_forge_event("forge_studio_custom_framework_assessed", {
+        "result_id": result_id,
+        "app_id": app_id,
+        "framework_id": framework_id,
+        "framework_name": framework.get("name", ""),
+        "score": round(score, 4),
+        "controls_passed": controls_passed,
+        "controls_total": controls_total,
+    }, project_id=project_id)
+
+    return {
+        "status": "success",
+        "result_id": result_id,
+        "score": round(score, 4),
+        "controls_passed": controls_passed,
+        "controls_total": controls_total,
+        "details": details,
+    }
+
+
+def get_framework_results(
+    app_id: str,
+    framework_id: Optional[str] = None,
+) -> List[Dict[str, Any]]:
+    """Get assessment results for an app, optionally filtered by framework."""
+    from tools.db.storage import get_connection
+
+    if framework_id:
+        sql = (
+            "SELECT id, app_id, framework_id, score, controls_passed, "
+            "controls_total, details_json, created_at "
+            "FROM forge_studio_custom_framework_results "
+            "WHERE app_id = ? AND framework_id = ? ORDER BY created_at DESC"
+        )
+        params = (app_id, framework_id)
+    else:
+        sql = (
+            "SELECT id, app_id, framework_id, score, controls_passed, "
+            "controls_total, details_json, created_at "
+            "FROM forge_studio_custom_framework_results "
+            "WHERE app_id = ? ORDER BY created_at DESC"
+        )
+        params = (app_id,)
+
+    with get_connection() as conn:
+        rows = conn.execute(sql, params).fetchall()
+
+    return [
+        {
+            "id": r[0], "app_id": r[1], "framework_id": r[2],
+            "score": r[3], "controls_passed": r[4], "controls_total": r[5],
+            "details": json.loads(r[6]) if r[6] else [],
+            "created_at": r[7],
+        }
+        for r in rows
+    ]
+
+
+# ---------------------------------------------------------------------------
+# Seed example frameworks
+# ---------------------------------------------------------------------------
+
+def seed_example_frameworks() -> Dict[str, Any]:
+    """Seed 3 example custom frameworks if the table is empty.
+
+    Frameworks:
+      a. HIPAA Privacy Rule (10 controls)
+      b. SOC 2 Type II (8 controls: CC1-CC8)
+      c. PCI DSS v4.0 (12 controls)
+
+    Returns: {status, seeded_count, framework_ids}
+    """
+    from tools.db.storage import get_connection
+
+    with get_connection() as conn:
+        row = conn.execute(
+            "SELECT COUNT(*) FROM forge_studio_custom_frameworks"
+        ).fetchone()
+        if row and row[0] > 0:
+            return {"status": "skipped", "message": "Table already has frameworks", "seeded_count": 0}
+
+    # --- HIPAA Privacy Rule ---
+    hipaa_controls = [
+        {"control_id": "HIPAA-164.312(a)(1)", "title": "Access Control",
+         "description": "Implement technical policies and procedures for access to ePHI",
+         "family": "Technical Safeguards", "priority": "P1",
+         "nist_mappings": ["AC-2", "AC-3", "AC-6"]},
+        {"control_id": "HIPAA-164.312(a)(2)(i)", "title": "Unique User Identification",
+         "description": "Assign a unique name or number for identifying and tracking user identity",
+         "family": "Technical Safeguards", "priority": "P1",
+         "nist_mappings": ["IA-2", "IA-5"]},
+        {"control_id": "HIPAA-164.312(a)(2)(iii)", "title": "Automatic Logoff",
+         "description": "Implement electronic procedures that terminate a session after inactivity",
+         "family": "Technical Safeguards", "priority": "P2",
+         "nist_mappings": ["AC-11", "AC-12"]},
+        {"control_id": "HIPAA-164.312(a)(2)(iv)", "title": "Encryption and Decryption",
+         "description": "Implement a mechanism to encrypt and decrypt ePHI",
+         "family": "Technical Safeguards", "priority": "P1",
+         "nist_mappings": ["SC-13", "SC-28"]},
+        {"control_id": "HIPAA-164.312(b)", "title": "Audit Controls",
+         "description": "Implement hardware, software, and/or procedural mechanisms to record and examine activity",
+         "family": "Technical Safeguards", "priority": "P1",
+         "nist_mappings": ["AU-2", "AU-3", "AU-6"]},
+        {"control_id": "HIPAA-164.312(c)(1)", "title": "Integrity Controls",
+         "description": "Implement policies and procedures to protect ePHI from improper alteration or destruction",
+         "family": "Technical Safeguards", "priority": "P1",
+         "nist_mappings": ["SI-7", "SI-10"]},
+        {"control_id": "HIPAA-164.312(d)", "title": "Person or Entity Authentication",
+         "description": "Implement procedures to verify that a person or entity seeking access is the one claimed",
+         "family": "Technical Safeguards", "priority": "P1",
+         "nist_mappings": ["IA-2", "IA-8"]},
+        {"control_id": "HIPAA-164.312(e)(1)", "title": "Transmission Security",
+         "description": "Implement technical security measures to guard against unauthorized access to ePHI in transit",
+         "family": "Technical Safeguards", "priority": "P1",
+         "nist_mappings": ["SC-8", "SC-23"]},
+        {"control_id": "HIPAA-164.308(a)(1)(ii)(A)", "title": "Risk Analysis",
+         "description": "Conduct an accurate and thorough assessment of potential risks and vulnerabilities",
+         "family": "Administrative Safeguards", "priority": "P1",
+         "nist_mappings": ["RA-3", "RA-5"]},
+        {"control_id": "HIPAA-164.308(a)(5)(ii)(B)", "title": "Protection from Malicious Software",
+         "description": "Procedures for guarding against, detecting, and reporting malicious software",
+         "family": "Administrative Safeguards", "priority": "P2",
+         "nist_mappings": ["SI-3", "SI-8"]},
+    ]
+
+    # --- SOC 2 Type II ---
+    soc2_controls = [
+        {"control_id": "SOC2-CC1", "title": "Control Environment",
+         "description": "The entity demonstrates a commitment to integrity and ethical values",
+         "family": "Common Criteria", "priority": "P1",
+         "nist_mappings": ["PL-1", "PM-1"]},
+        {"control_id": "SOC2-CC2", "title": "Communication and Information",
+         "description": "The entity internally communicates information necessary to support the functioning of internal control",
+         "family": "Common Criteria", "priority": "P1",
+         "nist_mappings": ["AT-1", "AT-2", "AT-3"]},
+        {"control_id": "SOC2-CC3", "title": "Risk Assessment",
+         "description": "The entity specifies objectives and identifies and assesses risks",
+         "family": "Common Criteria", "priority": "P1",
+         "nist_mappings": ["RA-1", "RA-3", "RA-5"]},
+        {"control_id": "SOC2-CC4", "title": "Monitoring Activities",
+         "description": "The entity selects, develops, and performs ongoing evaluations",
+         "family": "Common Criteria", "priority": "P1",
+         "nist_mappings": ["CA-7", "SI-4"]},
+        {"control_id": "SOC2-CC5", "title": "Control Activities",
+         "description": "The entity selects and develops control activities that mitigate risks",
+         "family": "Common Criteria", "priority": "P1",
+         "nist_mappings": ["AC-1", "AC-2", "AC-3"]},
+        {"control_id": "SOC2-CC6", "title": "Logical and Physical Access Controls",
+         "description": "The entity implements logical and physical access controls to protect against threats",
+         "family": "Common Criteria", "priority": "P1",
+         "nist_mappings": ["AC-2", "AC-3", "AC-6", "PE-2", "PE-3"]},
+        {"control_id": "SOC2-CC7", "title": "System Operations",
+         "description": "The entity detects and monitors anomalies and evaluates security events",
+         "family": "Common Criteria", "priority": "P1",
+         "nist_mappings": ["SI-4", "IR-4", "IR-6"]},
+        {"control_id": "SOC2-CC8", "title": "Change Management",
+         "description": "The entity authorizes, designs, develops, configures, documents, tests, approves, and implements changes",
+         "family": "Common Criteria", "priority": "P1",
+         "nist_mappings": ["CM-1", "CM-3", "CM-5"]},
+    ]
+
+    # --- PCI DSS v4.0 ---
+    pci_controls = [
+        {"control_id": "PCI-1", "title": "Install and Maintain Network Security Controls",
+         "description": "Network security controls are installed and maintained",
+         "family": "Build and Maintain a Secure Network", "priority": "P1",
+         "nist_mappings": ["SC-7", "AC-4"]},
+        {"control_id": "PCI-2", "title": "Apply Secure Configurations",
+         "description": "Secure configurations are applied to all system components",
+         "family": "Build and Maintain a Secure Network", "priority": "P1",
+         "nist_mappings": ["CM-2", "CM-6", "CM-7"]},
+        {"control_id": "PCI-3", "title": "Protect Stored Account Data",
+         "description": "Stored account data is protected",
+         "family": "Protect Account Data", "priority": "P1",
+         "nist_mappings": ["SC-28", "SC-13"]},
+        {"control_id": "PCI-4", "title": "Protect Data in Transit",
+         "description": "Cardholder data is protected with strong cryptography during transmission",
+         "family": "Protect Account Data", "priority": "P1",
+         "nist_mappings": ["SC-8", "SC-13"]},
+        {"control_id": "PCI-5", "title": "Protect from Malicious Software",
+         "description": "All systems are protected from malware",
+         "family": "Maintain a Vulnerability Management Program", "priority": "P1",
+         "nist_mappings": ["SI-3", "SI-8"]},
+        {"control_id": "PCI-6", "title": "Develop and Maintain Secure Systems",
+         "description": "Bespoke and custom software are developed securely",
+         "family": "Maintain a Vulnerability Management Program", "priority": "P1",
+         "nist_mappings": ["SA-11", "SI-10"]},
+        {"control_id": "PCI-7", "title": "Restrict Access by Business Need",
+         "description": "Access to system components and cardholder data is restricted",
+         "family": "Implement Strong Access Control", "priority": "P1",
+         "nist_mappings": ["AC-3", "AC-6"]},
+        {"control_id": "PCI-8", "title": "Identify Users and Authenticate Access",
+         "description": "Users are identified and access is authenticated",
+         "family": "Implement Strong Access Control", "priority": "P1",
+         "nist_mappings": ["IA-2", "IA-5"]},
+        {"control_id": "PCI-9", "title": "Restrict Physical Access",
+         "description": "Physical access to cardholder data is restricted",
+         "family": "Implement Strong Access Control", "priority": "P1",
+         "nist_mappings": ["PE-2", "PE-3"]},
+        {"control_id": "PCI-10", "title": "Log and Monitor All Access",
+         "description": "All access to system components and cardholder data is logged and monitored",
+         "family": "Regularly Monitor and Test Networks", "priority": "P1",
+         "nist_mappings": ["AU-2", "AU-3", "AU-6"]},
+        {"control_id": "PCI-11", "title": "Test Security Regularly",
+         "description": "Security of systems and networks is tested regularly",
+         "family": "Regularly Monitor and Test Networks", "priority": "P1",
+         "nist_mappings": ["CA-8", "RA-5"]},
+        {"control_id": "PCI-12", "title": "Support Information Security with Policy",
+         "description": "A policy that supports information security is maintained",
+         "family": "Maintain an Information Security Policy", "priority": "P1",
+         "nist_mappings": ["PL-1", "PM-1"]},
+    ]
+
+    seeded = []
+    tenant_id = "default"
+
+    for name, short_key, controls, desc in [
+        ("HIPAA Privacy Rule", "hipaa_privacy", hipaa_controls,
+         "Health Insurance Portability and Accountability Act — Technical and Administrative Safeguards for ePHI"),
+        ("SOC 2 Type II", "soc2_type2", soc2_controls,
+         "AICPA Service Organization Control 2 Type II — Trust Services Criteria (Common Criteria CC1-CC8)"),
+        ("PCI DSS v4.0", "pci_dss_v4", pci_controls,
+         "Payment Card Industry Data Security Standard v4.0 — 12 principal requirements"),
+    ]:
+        result = create_framework(
+            tenant_id=tenant_id,
+            name=name,
+            short_key=short_key,
+            controls=controls,
+            description=desc,
+        )
+        if result.get("status") == "success":
+            seeded.append(result["framework_id"])
+
+    return {
+        "status": "success",
+        "seeded_count": len(seeded),
+        "framework_ids": seeded,
+    }
+
+
+# ---------------------------------------------------------------------------
+# CLI
+# ---------------------------------------------------------------------------
+
+def main():
+    import argparse
+    import sys
+
+    parser = argparse.ArgumentParser(
+        description="Forge Studio Custom Compliance Frameworks (CUI // SP-CTI)"
+    )
+    parser.add_argument("--create", action="store_true", help="Create a custom framework")
+    parser.add_argument("--get", type=str, help="Get framework by ID")
+    parser.add_argument("--list", action="store_true", help="List frameworks")
+    parser.add_argument("--update", type=str, help="Update framework by ID")
+    parser.add_argument("--delete", type=str, help="Soft-delete (deprecate) framework by ID")
+    parser.add_argument("--assess", action="store_true", help="Assess app against framework")
+    parser.add_argument("--results", action="store_true", help="Get assessment results")
+    parser.add_argument("--seed", action="store_true", help="Seed 3 example frameworks")
+    parser.add_argument("--tenant-id", type=str, default="default", help="Tenant ID")
+    parser.add_argument("--name", type=str, default="", help="Framework name")
+    parser.add_argument("--short-key", type=str, default="", help="Framework slug key")
+    parser.add_argument("--description", type=str, default="", help="Description")
+    parser.add_argument("--controls-file", type=str, help="Path to JSON file with controls array")
+    parser.add_argument("--framework-id", type=str, default="", help="Framework ID (for assess/results)")
+    parser.add_argument("--app-id", type=str, default="", help="App ID (for assess/results)")
+    parser.add_argument("--project-id", type=str, default="", help="Project ID for audit")
+    parser.add_argument("--json", action="store_true", help="JSON output")
+    args = parser.parse_args()
+
+    ensure_framework_tables()
+
+    result: Any = None
+
+    if args.create:
+        if not args.name:
+            print(json.dumps({"status": "error", "error": "--name is required"}))
+            sys.exit(1)
+        if not args.short_key:
+            print(json.dumps({"status": "error", "error": "--short-key is required"}))
+            sys.exit(1)
+        controls: List[Dict[str, Any]] = []
+        if args.controls_file:
+            with open(args.controls_file, "r") as f:
+                controls = json.load(f)
+        if not controls:
+            print(json.dumps({"status": "error", "error": "--controls-file with valid JSON array is required"}))
+            sys.exit(1)
+        result = create_framework(
+            tenant_id=args.tenant_id,
+            name=args.name,
+            short_key=args.short_key,
+            controls=controls,
+            description=args.description,
+            project_id=args.project_id,
+        )
+
+    elif args.get:
+        result = get_framework(args.get) or {"status": "not_found"}
+
+    elif args.list:
+        tid = args.tenant_id if args.tenant_id != "default" else None
+        result = list_frameworks(tenant_id=tid)
+
+    elif args.update:
+        updates: Dict[str, Any] = {}
+        if args.name:
+            updates["name"] = args.name
+        if args.description:
+            updates["description"] = args.description
+        if args.controls_file:
+            with open(args.controls_file, "r") as f:
+                updates["controls"] = json.load(f)
+        result = update_framework(args.update, updates, project_id=args.project_id)
+
+    elif args.delete:
+        result = delete_framework(args.delete, project_id=args.project_id)
+
+    elif args.assess:
+        if not args.app_id or not args.framework_id:
+            print(json.dumps({"status": "error", "error": "--app-id and --framework-id required"}))
+            sys.exit(1)
+        result = assess_app_against_framework(
+            app_id=args.app_id,
+            framework_id=args.framework_id,
+            project_id=args.project_id,
+        )
+
+    elif args.results:
+        if not args.app_id:
+            print(json.dumps({"status": "error", "error": "--app-id required"}))
+            sys.exit(1)
+        result = get_framework_results(
+            app_id=args.app_id,
+            framework_id=args.framework_id or None,
+        )
+
+    elif args.seed:
+        result = seed_example_frameworks()
+
+    else:
+        parser.print_help()
+        sys.exit(0)
+
+    print(json.dumps(result, indent=2, default=str))
+
+
+if __name__ == "__main__":
+    main()