icdev 0.0.3__py3-none-any.whl

tools/forge_studio/enterprise/hardening_engine.py

@@ -0,0 +1,1530 @@
+# CUI // SP-CTI
+"""Hardening engine — IL4+ deployment hardening presets and FedRAMP package assembly
+for Forge Studio apps.
+
+Provides:
+- Hardening presets (IL4, IL5, FedRAMP Moderate/High, DoD STIG) with per-control
+  Terraform HCL and Kubernetes manifest generation
+- Multi-cloud support (AWS, Azure, GCP) with provider-specific security configs
+- FedRAMP authorization package assembly (SSP, CIS, CMP, IRP, POA&M)
+- All generation is deterministic — no LLM in deployment path
+
+Architecture decisions:
+- D-FS-P6-4: Hardening presets generate additional Terraform/K8s configs
+- D-FS-P6-5: FedRAMP package is deterministic document assembly
+- D-FS-DEPLOY-2: All IaC is deterministic template generation
+
+CLI: python tools/forge_studio/enterprise/hardening_engine.py --apply --app-id "..." --preset il4_standard --provider aws --json
+"""
+from __future__ import annotations
+
+import json
+import logging
+import os
+import uuid
+from datetime import datetime, timezone
+from typing import Any, Dict, List, Optional
+
+from tools.forge_studio.audit import log_forge_event
+
+logger = logging.getLogger("forge_studio.enterprise.hardening")
+
+# ---------------------------------------------------------------------------
+# Hardening presets
+# ---------------------------------------------------------------------------
+
+HARDENING_PRESETS: Dict[str, Dict[str, Any]] = {
+    "il4_standard": {
+        "name": "IL4 Standard",
+        "description": "DoD Impact Level 4 — CUI protection with encryption, logging, and access control",
+        "controls": [
+            "encryption_at_rest", "encryption_in_transit", "network_segmentation",
+            "logging_monitoring", "access_control", "container_hardening",
+            "secret_management", "backup_recovery",
+        ],
+    },
+    "il5_high": {
+        "name": "IL5 High",
+        "description": "DoD Impact Level 5 — higher-impact CUI with full hardening stack",
+        "controls": [
+            "encryption_at_rest", "encryption_in_transit", "network_segmentation",
+            "logging_monitoring", "access_control", "container_hardening",
+            "secret_management", "backup_recovery", "vulnerability_scanning",
+            "incident_response",
+        ],
+    },
+    "fedramp_moderate": {
+        "name": "FedRAMP Moderate",
+        "description": "FedRAMP Moderate baseline — 325 controls for cloud services authorization",
+        "controls": [
+            "encryption_at_rest", "encryption_in_transit", "network_segmentation",
+            "logging_monitoring", "access_control", "secret_management",
+            "backup_recovery", "vulnerability_scanning",
+        ],
+    },
+    "fedramp_high": {
+        "name": "FedRAMP High",
+        "description": "FedRAMP High baseline — 421 controls for high-impact cloud systems",
+        "controls": [
+            "encryption_at_rest", "encryption_in_transit", "network_segmentation",
+            "logging_monitoring", "access_control", "container_hardening",
+            "secret_management", "backup_recovery", "vulnerability_scanning",
+            "incident_response",
+        ],
+    },
+    "dod_stig": {
+        "name": "DoD STIG",
+        "description": "DoD Security Technical Implementation Guide — comprehensive hardening checklist",
+        "controls": [
+            "encryption_at_rest", "encryption_in_transit", "network_segmentation",
+            "logging_monitoring", "access_control", "container_hardening",
+            "secret_management", "backup_recovery", "vulnerability_scanning",
+            "incident_response",
+        ],
+    },
+}
+
+SUPPORTED_PROVIDERS = ["aws", "azure", "gcp"]
+
+# ---------------------------------------------------------------------------
+# DB schema
+# ---------------------------------------------------------------------------
+
+HARDENING_SCHEMA = """
+CREATE TABLE IF NOT EXISTS forge_studio_hardening_configs (
+    id TEXT PRIMARY KEY,
+    app_id TEXT NOT NULL,
+    preset TEXT NOT NULL,
+    provider TEXT NOT NULL,
+    controls_applied_json TEXT,
+    terraform_additions_json TEXT,
+    k8s_additions_json TEXT,
+    status TEXT DEFAULT 'applied' CHECK(status IN ('applied','superseded','reverted')),
+    classification TEXT DEFAULT 'CUI // SP-CTI',
+    created_at TEXT NOT NULL
+);
+"""
+
+
+def ensure_hardening_tables():
+    """Create hardening tables if they don't exist."""
+    from tools.db.storage import get_connection
+
+    with get_connection() as conn:
+        for stmt in HARDENING_SCHEMA.split(";"):
+            s = stmt.strip()
+            if s and not s.startswith("--"):
+                conn.execute(s)
+
+    logger.info("Forge Studio hardening tables ensured")
+
+
+# ---------------------------------------------------------------------------
+# Preset listing
+# ---------------------------------------------------------------------------
+
+def get_hardening_presets() -> List[Dict[str, Any]]:
+    """List available hardening presets.
+
+    Returns:
+        List of preset dicts with id, name, description, controls.
+    """
+    return [
+        {"id": pid, "name": p["name"], "description": p["description"],
+         "controls": p["controls"], "controls_count": len(p["controls"])}
+        for pid, p in HARDENING_PRESETS.items()
+    ]
+
+
+# ---------------------------------------------------------------------------
+# Provider-specific Terraform generators
+# ---------------------------------------------------------------------------
+
+def _generate_aws_hardening(preset: str, app_name: str) -> Dict[str, str]:
+    """Generate AWS-specific hardening Terraform HCL.
+
+    Args:
+        preset: Preset ID from HARDENING_PRESETS.
+        app_name: Application name for resource naming.
+
+    Returns:
+        Dict of filename -> HCL content.
+    """
+    controls = HARDENING_PRESETS.get(preset, {}).get("controls", [])
+    safe_name = app_name.replace("-", "_").replace(" ", "_").lower()[:32]
+    files: Dict[str, str] = {}
+
+    if "encryption_at_rest" in controls:
+        files["hardening_kms.tf"] = f"""# CUI // SP-CTI — KMS encryption at rest
+resource "aws_kms_key" "{safe_name}_key" {{
+  description             = "Encryption key for {app_name}"
+  deletion_window_in_days = 30
+  enable_key_rotation     = true
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+    Preset         = "{preset}"
+  }}
+}}
+
+resource "aws_kms_alias" "{safe_name}_alias" {{
+  name          = "alias/{safe_name}-key"
+  target_key_id = aws_kms_key.{safe_name}_key.key_id
+}}
+"""
+
+    if "encryption_in_transit" in controls:
+        files["hardening_tls.tf"] = f"""# CUI // SP-CTI — TLS 1.2+ enforcement and HSTS
+resource "aws_lb_listener" "{safe_name}_https" {{
+  load_balancer_arn = aws_lb.{safe_name}.arn
+  port              = 443
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
+  certificate_arn   = var.acm_certificate_arn
+
+  default_action {{
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.{safe_name}.arn
+  }}
+}}
+
+resource "aws_lb_listener" "{safe_name}_http_redirect" {{
+  load_balancer_arn = aws_lb.{safe_name}.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {{
+    type = "redirect"
+    redirect {{
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }}
+  }}
+}}
+"""
+
+    if "network_segmentation" in controls:
+        files["hardening_network.tf"] = f"""# CUI // SP-CTI — VPC segmentation, security groups, NACLs
+resource "aws_security_group" "{safe_name}_app_sg" {{
+  name_prefix = "{safe_name}-app-"
+  vpc_id      = var.vpc_id
+
+  ingress {{
+    from_port       = 443
+    to_port         = 443
+    protocol        = "tcp"
+    security_groups = [aws_security_group.{safe_name}_alb_sg.id]
+    description     = "HTTPS from ALB only"
+  }}
+
+  egress {{
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow outbound"
+  }}
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+
+resource "aws_security_group" "{safe_name}_alb_sg" {{
+  name_prefix = "{safe_name}-alb-"
+  vpc_id      = var.vpc_id
+
+  ingress {{
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "HTTPS inbound"
+  }}
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+
+resource "aws_network_acl" "{safe_name}_nacl" {{
+  vpc_id     = var.vpc_id
+  subnet_ids = var.private_subnet_ids
+
+  ingress {{
+    protocol   = "tcp"
+    rule_no    = 100
+    action     = "allow"
+    cidr_block = var.vpc_cidr
+    from_port  = 443
+    to_port    = 443
+  }}
+
+  ingress {{
+    protocol   = "tcp"
+    rule_no    = 200
+    action     = "allow"
+    cidr_block = var.vpc_cidr
+    from_port  = 5432
+    to_port    = 5432
+  }}
+
+  egress {{
+    protocol   = "tcp"
+    rule_no    = 100
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 443
+    to_port    = 443
+  }}
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+"""
+
+    if "logging_monitoring" in controls:
+        files["hardening_logging.tf"] = f"""# CUI // SP-CTI — CloudTrail, CloudWatch, audit log shipping
+resource "aws_cloudtrail" "{safe_name}_trail" {{
+  name                          = "{safe_name}-trail"
+  s3_bucket_name                = aws_s3_bucket.{safe_name}_audit.id
+  include_global_service_events = true
+  is_multi_region_trail         = true
+  enable_log_file_validation    = true
+  kms_key_id                    = aws_kms_key.{safe_name}_key.arn
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+
+resource "aws_s3_bucket" "{safe_name}_audit" {{
+  bucket_prefix = "{safe_name}-audit-"
+  force_destroy = false
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+
+resource "aws_s3_bucket_versioning" "{safe_name}_audit_versioning" {{
+  bucket = aws_s3_bucket.{safe_name}_audit.id
+  versioning_configuration {{
+    status = "Enabled"
+  }}
+}}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "{safe_name}_audit_enc" {{
+  bucket = aws_s3_bucket.{safe_name}_audit.id
+  rule {{
+    apply_server_side_encryption_by_default {{
+      sse_algorithm     = "aws:kms"
+      kms_master_key_id = aws_kms_key.{safe_name}_key.arn
+    }}
+  }}
+}}
+
+resource "aws_cloudwatch_log_group" "{safe_name}_logs" {{
+  name              = "/app/{safe_name}"
+  retention_in_days = 365
+  kms_key_id        = aws_kms_key.{safe_name}_key.arn
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+"""
+
+    if "access_control" in controls:
+        files["hardening_iam.tf"] = f"""# CUI // SP-CTI — IAM roles, least privilege, MFA enforcement
+resource "aws_iam_role" "{safe_name}_task_role" {{
+  name_prefix = "{safe_name}-task-"
+
+  assume_role_policy = jsonencode({{
+    Version = "2012-10-17"
+    Statement = [{{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {{
+        Service = "ecs-tasks.amazonaws.com"
+      }}
+    }}]
+  }})
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+
+resource "aws_iam_role_policy" "{safe_name}_task_policy" {{
+  name_prefix = "{safe_name}-task-"
+  role        = aws_iam_role.{safe_name}_task_role.id
+
+  policy = jsonencode({{
+    Version = "2012-10-17"
+    Statement = [
+      {{
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = "${{aws_cloudwatch_log_group.{safe_name}_logs.arn}}:*"
+      }},
+      {{
+        Effect = "Allow"
+        Action = [
+          "kms:Decrypt",
+          "kms:GenerateDataKey"
+        ]
+        Resource = aws_kms_key.{safe_name}_key.arn
+      }},
+      {{
+        Effect = "Allow"
+        Action = [
+          "secretsmanager:GetSecretValue"
+        ]
+        Resource = "arn:aws:secretsmanager:*:*:secret:{safe_name}-*"
+      }}
+    ]
+  }})
+}}
+"""
+
+    if "container_hardening" in controls:
+        files["hardening_container.tf"] = f"""# CUI // SP-CTI — Container hardening (ECS task definition)
+# Note: Non-root, read-only rootfs, resource limits enforced at task level
+# See also: k8s_hardening/ for Kubernetes PodSecurityPolicy
+
+variable "{safe_name}_container_cpu" {{
+  description = "CPU units for container"
+  type        = number
+  default     = 512
+}}
+
+variable "{safe_name}_container_memory" {{
+  description = "Memory (MiB) for container"
+  type        = number
+  default     = 1024
+}}
+"""
+
+    if "secret_management" in controls:
+        files["hardening_secrets.tf"] = f"""# CUI // SP-CTI — AWS Secrets Manager (no plaintext secrets)
+resource "aws_secretsmanager_secret" "{safe_name}_db_creds" {{
+  name_prefix = "{safe_name}-db-"
+  kms_key_id  = aws_kms_key.{safe_name}_key.arn
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+
+resource "aws_secretsmanager_secret" "{safe_name}_app_secrets" {{
+  name_prefix = "{safe_name}-app-"
+  kms_key_id  = aws_kms_key.{safe_name}_key.arn
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+"""
+
+    if "backup_recovery" in controls:
+        files["hardening_backup.tf"] = f"""# CUI // SP-CTI — RDS snapshots, S3 versioning, cross-region backup
+resource "aws_db_instance" "{safe_name}_rds_backup_config" {{
+  # Applied as override to existing RDS instance
+  backup_retention_period    = 35
+  backup_window              = "03:00-04:00"
+  copy_tags_to_snapshot      = true
+  deletion_protection        = true
+  storage_encrypted          = true
+  kms_key_id                 = aws_kms_key.{safe_name}_key.arn
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+
+  lifecycle {{
+    prevent_destroy = true
+  }}
+}}
+
+resource "aws_s3_bucket_versioning" "{safe_name}_data_versioning" {{
+  bucket = aws_s3_bucket.{safe_name}_data.id
+  versioning_configuration {{
+    status = "Enabled"
+  }}
+}}
+"""
+
+    if "vulnerability_scanning" in controls:
+        files["hardening_scanning.tf"] = f"""# CUI // SP-CTI — ECR scan, SecurityHub, GuardDuty
+resource "aws_ecr_repository" "{safe_name}_repo" {{
+  name                 = "{safe_name}"
+  image_tag_mutability = "IMMUTABLE"
+
+  image_scanning_configuration {{
+    scan_on_push = true
+  }}
+
+  encryption_configuration {{
+    encryption_type = "KMS"
+    kms_key         = aws_kms_key.{safe_name}_key.arn
+  }}
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+
+resource "aws_securityhub_account" "{safe_name}_sechub" {{}}
+
+resource "aws_guardduty_detector" "{safe_name}_guardduty" {{
+  enable = true
+
+  datasources {{
+    s3_logs {{
+      enable = true
+    }}
+  }}
+}}
+"""
+
+    if "incident_response" in controls:
+        files["hardening_incident.tf"] = f"""# CUI // SP-CTI — SNS alerts, CloudWatch alarms, auto-scaling triggers
+resource "aws_sns_topic" "{safe_name}_alerts" {{
+  name              = "{safe_name}-security-alerts"
+  kms_master_key_id = aws_kms_key.{safe_name}_key.id
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+
+resource "aws_cloudwatch_metric_alarm" "{safe_name}_high_error_rate" {{
+  alarm_name          = "{safe_name}-high-error-rate"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 2
+  metric_name         = "5XXError"
+  namespace           = "AWS/ApplicationELB"
+  period              = 300
+  statistic           = "Sum"
+  threshold           = 10
+  alarm_description   = "High 5XX error rate for {app_name}"
+  alarm_actions       = [aws_sns_topic.{safe_name}_alerts.arn]
+
+  dimensions = {{
+    LoadBalancer = aws_lb.{safe_name}.arn_suffix
+  }}
+}}
+
+resource "aws_cloudwatch_metric_alarm" "{safe_name}_cpu_high" {{
+  alarm_name          = "{safe_name}-cpu-high"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 3
+  metric_name         = "CPUUtilization"
+  namespace           = "AWS/ECS"
+  period              = 300
+  statistic           = "Average"
+  threshold           = 80
+  alarm_description   = "High CPU for {app_name}"
+  alarm_actions       = [aws_sns_topic.{safe_name}_alerts.arn]
+}}
+"""
+
+    return files
+
+
+def _generate_azure_hardening(preset: str, app_name: str) -> Dict[str, str]:
+    """Generate Azure-specific hardening Terraform HCL.
+
+    Args:
+        preset: Preset ID from HARDENING_PRESETS.
+        app_name: Application name for resource naming.
+
+    Returns:
+        Dict of filename -> HCL content.
+    """
+    controls = HARDENING_PRESETS.get(preset, {}).get("controls", [])
+    safe_name = app_name.replace("-", "_").replace(" ", "_").lower()[:32]
+    files: Dict[str, str] = {}
+
+    if "encryption_at_rest" in controls:
+        files["hardening_keyvault.tf"] = f"""# CUI // SP-CTI — Azure Key Vault encryption at rest
+resource "azurerm_key_vault" "{safe_name}_kv" {{
+  name                        = "{safe_name[:20]}kv"
+  location                    = var.location
+  resource_group_name         = var.resource_group_name
+  tenant_id                   = var.tenant_id
+  sku_name                    = "premium"
+  purge_protection_enabled    = true
+  soft_delete_retention_days  = 90
+  enable_rbac_authorization   = true
+
+  network_acls {{
+    default_action = "Deny"
+    bypass         = "AzureServices"
+  }}
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+"""
+
+    if "encryption_in_transit" in controls:
+        files["hardening_tls.tf"] = f"""# CUI // SP-CTI — TLS 1.2+ enforcement
+resource "azurerm_application_gateway" "{safe_name}_appgw_ssl" {{
+  # SSL policy overlay for existing app gateway
+  ssl_policy {{
+    policy_type          = "Custom"
+    min_protocol_version = "TLSv1_2"
+    cipher_suites = [
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+    ]
+  }}
+}}
+"""
+
+    if "network_segmentation" in controls:
+        files["hardening_network.tf"] = f"""# CUI // SP-CTI — NSG rules, VNet segmentation
+resource "azurerm_network_security_group" "{safe_name}_nsg" {{
+  name                = "{safe_name}-nsg"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  security_rule {{
+    name                       = "AllowHTTPS"
+    priority                   = 100
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "443"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }}
+
+  security_rule {{
+    name                       = "DenyAll"
+    priority                   = 4096
+    direction                  = "Inbound"
+    access                     = "Deny"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "*"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }}
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+"""
+
+    if "logging_monitoring" in controls:
+        files["hardening_logging.tf"] = f"""# CUI // SP-CTI — Azure Monitor, Sentinel, diagnostic settings
+resource "azurerm_log_analytics_workspace" "{safe_name}_logs" {{
+  name                = "{safe_name}-logs"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  sku                 = "PerGB2018"
+  retention_in_days   = 365
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+
+resource "azurerm_sentinel_log_analytics_workspace_onboarding" "{safe_name}_sentinel" {{
+  workspace_id = azurerm_log_analytics_workspace.{safe_name}_logs.id
+}}
+"""
+
+    if "access_control" in controls:
+        files["hardening_rbac.tf"] = f"""# CUI // SP-CTI — Azure RBAC, managed identity
+resource "azurerm_user_assigned_identity" "{safe_name}_identity" {{
+  name                = "{safe_name}-identity"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+"""
+
+    if "vulnerability_scanning" in controls:
+        files["hardening_defender.tf"] = f"""# CUI // SP-CTI — Microsoft Defender for Cloud
+resource "azurerm_security_center_subscription_pricing" "{safe_name}_defender" {{
+  tier          = "Standard"
+  resource_type = "ContainerRegistry"
+}}
+"""
+
+    if "secret_management" in controls:
+        files["hardening_secrets.tf"] = f"""# CUI // SP-CTI — Azure Key Vault secrets references
+resource "azurerm_key_vault_secret" "{safe_name}_db_url" {{
+  name         = "{safe_name}-db-url"
+  value        = "placeholder-rotate-after-deploy"
+  key_vault_id = azurerm_key_vault.{safe_name}_kv.id
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+"""
+
+    if "incident_response" in controls:
+        files["hardening_alerts.tf"] = f"""# CUI // SP-CTI — Azure Monitor alerts
+resource "azurerm_monitor_action_group" "{safe_name}_alerts" {{
+  name                = "{safe_name}-security-alerts"
+  resource_group_name = var.resource_group_name
+  short_name          = "{safe_name[:12]}"
+
+  tags = {{
+    Application    = "{app_name}"
+    Classification = "CUI // SP-CTI"
+  }}
+}}
+"""
+
+    return files
+
+
+def _generate_gcp_hardening(preset: str, app_name: str) -> Dict[str, str]:
+    """Generate GCP-specific hardening Terraform HCL.
+
+    Args:
+        preset: Preset ID from HARDENING_PRESETS.
+        app_name: Application name for resource naming.
+
+    Returns:
+        Dict of filename -> HCL content.
+    """
+    controls = HARDENING_PRESETS.get(preset, {}).get("controls", [])
+    safe_name = app_name.replace("-", "_").replace(" ", "_").lower()[:32]
+    files: Dict[str, str] = {}
+
+    if "encryption_at_rest" in controls:
+        files["hardening_kms.tf"] = f"""# CUI // SP-CTI — GCP KMS encryption at rest
+resource "google_kms_key_ring" "{safe_name}_ring" {{
+  name     = "{safe_name}-ring"
+  location = var.region
+}}
+
+resource "google_kms_crypto_key" "{safe_name}_key" {{
+  name            = "{safe_name}-key"
+  key_ring        = google_kms_key_ring.{safe_name}_ring.id
+  rotation_period = "7776000s"  # 90 days
+
+  labels = {{
+    application    = "{safe_name}"
+    classification = "cui"
+  }}
+}}
+"""
+
+    if "network_segmentation" in controls:
+        files["hardening_network.tf"] = f"""# CUI // SP-CTI — VPC Service Controls, firewall rules
+resource "google_compute_firewall" "{safe_name}_allow_https" {{
+  name    = "{safe_name}-allow-https"
+  network = var.vpc_network
+
+  allow {{
+    protocol = "tcp"
+    ports    = ["443"]
+  }}
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["{safe_name}"]
+}}
+
+resource "google_compute_firewall" "{safe_name}_deny_all" {{
+  name     = "{safe_name}-deny-all"
+  network  = var.vpc_network
+  priority = 65534
+
+  deny {{
+    protocol = "all"
+  }}
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["{safe_name}"]
+}}
+"""
+
+    if "logging_monitoring" in controls:
+        files["hardening_logging.tf"] = f"""# CUI // SP-CTI — Cloud Audit Logs, SCC
+resource "google_project_iam_audit_config" "{safe_name}_audit" {{
+  project = var.project_id
+  service = "allServices"
+
+  audit_log_config {{
+    log_type = "ADMIN_READ"
+  }}
+  audit_log_config {{
+    log_type = "DATA_READ"
+  }}
+  audit_log_config {{
+    log_type = "DATA_WRITE"
+  }}
+}}
+"""
+
+    if "vulnerability_scanning" in controls:
+        files["hardening_scc.tf"] = f"""# CUI // SP-CTI — Security Command Center
+resource "google_scc_organization_custom_module" "{safe_name}_scc" {{
+  organization     = var.org_id
+  display_name     = "{app_name} Security Module"
+  enablement_state = "ENABLED"
+
+  custom_config {{
+    predicate {{
+      expression = "resource.type == \\"gce_instance\\""
+    }}
+    resource_selector {{
+      resource_types = ["compute.googleapis.com/Instance"]
+    }}
+    severity    = "HIGH"
+    description = "Custom security module for {app_name}"
+    recommendation = "Review instance configuration"
+  }}
+}}
+"""
+
+    if "secret_management" in controls:
+        files["hardening_secrets.tf"] = f"""# CUI // SP-CTI — GCP Secret Manager
+resource "google_secret_manager_secret" "{safe_name}_db_creds" {{
+  secret_id = "{safe_name}-db-credentials"
+
+  replication {{
+    auto {{}}
+  }}
+
+  labels = {{
+    application    = "{safe_name}"
+    classification = "cui"
+  }}
+}}
+"""
+
+    if "incident_response" in controls:
+        files["hardening_alerts.tf"] = f"""# CUI // SP-CTI — GCP Monitoring alerts
+resource "google_monitoring_notification_channel" "{safe_name}_alerts" {{
+  display_name = "{app_name} Security Alerts"
+  type         = "email"
+
+  labels = {{
+    email_address = "security@example.com"
+  }}
+}}
+
+resource "google_monitoring_alert_policy" "{safe_name}_error_rate" {{
+  display_name = "{app_name} High Error Rate"
+  combiner     = "OR"
+
+  conditions {{
+    display_name = "High 5xx error rate"
+    condition_threshold {{
+      filter          = "resource.type = \\"cloud_run_revision\\" AND metric.type = \\"run.googleapis.com/request_count\\" AND metric.labels.response_code_class = \\"5xx\\""
+      duration        = "300s"
+      comparison      = "COMPARISON_GT"
+      threshold_value = 10
+    }}
+  }}
+
+  notification_channels = [google_monitoring_notification_channel.{safe_name}_alerts.name]
+}}
+"""
+
+    return files
+
+
+def _generate_k8s_hardening(preset: str, app_name: str) -> Dict[str, str]:
+    """Generate Kubernetes hardening manifests.
+
+    Includes: NetworkPolicy (default-deny), Pod security standards,
+    ResourceQuota, LimitRange, and ExternalSecret.
+
+    Args:
+        preset: Preset ID from HARDENING_PRESETS.
+        app_name: Application name for resource naming.
+
+    Returns:
+        Dict of filename -> YAML content.
+    """
+    controls = HARDENING_PRESETS.get(preset, {}).get("controls", [])
+    safe_name = app_name.replace("_", "-").replace(" ", "-").lower()[:50]
+    files: Dict[str, str] = {}
+
+    if "network_segmentation" in controls:
+        files["network-policy.yaml"] = f"""# CUI // SP-CTI — Default-deny NetworkPolicy
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {safe_name}-default-deny
+  labels:
+    app: {safe_name}
+    classification: cui-sp-cti
+spec:
+  podSelector:
+    matchLabels:
+      app: {safe_name}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: {safe_name}
+      ports:
+        - protocol: TCP
+          port: 8080
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: {safe_name}-db
+      ports:
+        - protocol: TCP
+          port: 5432
+    - to: []
+      ports:
+        - protocol: TCP
+          port: 443
+"""
+
+    if "container_hardening" in controls:
+        files["pod-security.yaml"] = f"""# CUI // SP-CTI — Pod security standards (restricted)
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {safe_name}
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit: restricted
+    classification: cui-sp-cti
+---
+# SecurityContext template for deployments
+# Apply to each container in the pod spec:
+#   securityContext:
+#     runAsNonRoot: true
+#     runAsUser: 1000
+#     readOnlyRootFilesystem: true
+#     allowPrivilegeEscalation: false
+#     capabilities:
+#       drop: ["ALL"]
+#     seccompProfile:
+#       type: RuntimeDefault
+"""
+
+        files["resource-quota.yaml"] = f"""# CUI // SP-CTI — ResourceQuota and LimitRange
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {safe_name}-quota
+  namespace: {safe_name}
+  labels:
+    classification: cui-sp-cti
+spec:
+  hard:
+    requests.cpu: "4"
+    requests.memory: 8Gi
+    limits.cpu: "8"
+    limits.memory: 16Gi
+    pods: "20"
+    services: "10"
+    persistentvolumeclaims: "5"
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: {safe_name}-limits
+  namespace: {safe_name}
+  labels:
+    classification: cui-sp-cti
+spec:
+  limits:
+    - default:
+        cpu: "500m"
+        memory: 512Mi
+      defaultRequest:
+        cpu: "100m"
+        memory: 128Mi
+      type: Container
+"""
+
+    if "secret_management" in controls:
+        files["external-secrets.yaml"] = f"""# CUI // SP-CTI — ExternalSecret for secrets manager integration
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: {safe_name}-secret-store
+  namespace: {safe_name}
+  labels:
+    classification: cui-sp-cti
+spec:
+  provider:
+    aws:
+      service: SecretsManager
+      region: us-gov-west-1
+      auth:
+        jwt:
+          serviceAccountRef:
+            name: {safe_name}-sa
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {safe_name}-db-creds
+  namespace: {safe_name}
+  labels:
+    classification: cui-sp-cti
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: {safe_name}-secret-store
+    kind: SecretStore
+  target:
+    name: {safe_name}-db-credentials
+  data:
+    - secretKey: DATABASE_URL
+      remoteRef:
+        key: {safe_name}-db-credentials
+        property: url
+"""
+
+    return files
+
+
+# ---------------------------------------------------------------------------
+# Apply hardening
+# ---------------------------------------------------------------------------
+
+def apply_hardening(
+    app_id: str,
+    preset: str,
+    provider: str,
+    output_dir: str = "",
+    project_id: str = "",
+) -> Dict[str, Any]:
+    """Apply a hardening preset to an app for a specific cloud provider.
+
+    Generates additional Terraform HCL and Kubernetes manifests based on the
+    selected preset and provider. Optionally writes files to output_dir.
+
+    Args:
+        app_id: Forge Studio app ID.
+        preset: Preset ID (il4_standard, il5_high, fedramp_moderate, fedramp_high, dod_stig).
+        provider: Cloud provider (aws, azure, gcp).
+        output_dir: Directory to write generated files (optional).
+        project_id: Project context for audit trail.
+
+    Returns:
+        {status, config_id, controls_applied, terraform_files, k8s_files}
+    """
+    from tools.db.storage import get_connection
+
+    if preset not in HARDENING_PRESETS:
+        return {"status": "error", "error": f"Unknown preset: {preset}. Valid: {list(HARDENING_PRESETS.keys())}"}
+    if provider not in SUPPORTED_PROVIDERS:
+        return {"status": "error", "error": f"Unknown provider: {provider}. Valid: {SUPPORTED_PROVIDERS}"}
+
+    # Look up app name
+    app_name = app_id
+    with get_connection() as conn:
+        row = conn.execute(
+            "SELECT name FROM forge_studio_apps WHERE id = ?", (app_id,),
+        ).fetchone()
+        if row:
+            app_name = row[0]
+
+    # Generate provider-specific Terraform
+    tf_generators = {
+        "aws": _generate_aws_hardening,
+        "azure": _generate_azure_hardening,
+        "gcp": _generate_gcp_hardening,
+    }
+    terraform_files = tf_generators[provider](preset, app_name)
+
+    # Generate K8s manifests (provider-agnostic)
+    k8s_files = _generate_k8s_hardening(preset, app_name)
+
+    controls = HARDENING_PRESETS[preset]["controls"]
+
+    # Store config
+    config_id = f"harden-{uuid.uuid4().hex[:12]}"
+    now = datetime.now(timezone.utc).isoformat()
+
+    with get_connection() as conn:
+        # Mark any existing configs as superseded
+        conn.execute(
+            "UPDATE forge_studio_hardening_configs SET status = 'superseded' "
+            "WHERE app_id = ? AND status = 'applied'",
+            (app_id,),
+        )
+        conn.execute(
+            "INSERT INTO forge_studio_hardening_configs "
+            "(id, app_id, preset, provider, controls_applied_json, "
+            "terraform_additions_json, k8s_additions_json, status, "
+            "classification, created_at) "
+            "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
+            (
+                config_id, app_id, preset, provider,
+                json.dumps(controls),
+                json.dumps(terraform_files),
+                json.dumps(k8s_files),
+                "applied",
+                "CUI // SP-CTI",
+                now,
+            ),
+        )
+
+    # Write files if output_dir specified
+    files_written = []
+    if output_dir:
+        tf_dir = os.path.join(output_dir, "terraform", "hardening")
+        k8s_dir = os.path.join(output_dir, "k8s", "hardening")
+        os.makedirs(tf_dir, exist_ok=True)
+        os.makedirs(k8s_dir, exist_ok=True)
+
+        for fname, content in terraform_files.items():
+            fpath = os.path.join(tf_dir, fname)
+            with open(fpath, "w", encoding="utf-8") as f:
+                f.write(content)
+            files_written.append(fpath)
+
+        for fname, content in k8s_files.items():
+            fpath = os.path.join(k8s_dir, fname)
+            with open(fpath, "w", encoding="utf-8") as f:
+                f.write(content)
+            files_written.append(fpath)
+
+    log_forge_event("forge_studio_hardening_applied", {
+        "config_id": config_id,
+        "app_id": app_id,
+        "preset": preset,
+        "provider": provider,
+        "controls_count": len(controls),
+        "terraform_file_count": len(terraform_files),
+        "k8s_file_count": len(k8s_files),
+    }, project_id=project_id)
+
+    logger.info("Applied hardening %s (preset=%s, provider=%s) to app %s",
+                config_id, preset, provider, app_id)
+
+    return {
+        "status": "success",
+        "config_id": config_id,
+        "preset": preset,
+        "provider": provider,
+        "controls_applied": controls,
+        "terraform_files": list(terraform_files.keys()),
+        "k8s_files": list(k8s_files.keys()),
+        "files_written": files_written,
+    }
+
+
+# ---------------------------------------------------------------------------
+# FedRAMP package assembly
+# ---------------------------------------------------------------------------
+
+def generate_fedramp_package(
+    app_id: str,
+    baseline: str = "moderate",
+    project_id: str = "",
+) -> Dict[str, Any]:
+    """Assemble a FedRAMP authorization package for an app.
+
+    Generates deterministic documents (no LLM):
+    1. System Security Plan (SSP) summary
+    2. Control Implementation Summary (CIS)
+    3. Continuous Monitoring Plan (CMP)
+    4. Incident Response Plan (IRP)
+    5. POA&M summary
+
+    Args:
+        app_id: Forge Studio app ID.
+        baseline: FedRAMP baseline (moderate or high).
+        project_id: Project context for audit trail.
+
+    Returns:
+        {status, package_id, documents: [{name, content, format}]}
+    """
+    from tools.db.storage import get_connection
+
+    if baseline not in ("moderate", "high"):
+        return {"status": "error", "error": f"Unknown baseline: {baseline}. Valid: moderate, high"}
+
+    # Look up app details
+    app_name = app_id
+    app_desc = ""
+    with get_connection() as conn:
+        row = conn.execute(
+            "SELECT name, description FROM forge_studio_apps WHERE id = ?", (app_id,),
+        ).fetchone()
+        if row:
+            app_name = row[0] or app_id
+            app_desc = row[1] or ""
+
+    now = datetime.now(timezone.utc).isoformat()
+    now_date = now[:10]
+    package_id = f"fedramp-{uuid.uuid4().hex[:12]}"
+    baseline_upper = baseline.upper()
+    controls_count = 325 if baseline == "moderate" else 421
+
+    documents = []
+
+    # 1. System Security Plan summary
+    ssp_content = f"""# System Security Plan (SSP) — {app_name}
+# Classification: CUI // SP-CTI
+# FedRAMP Baseline: {baseline_upper}
+# Generated: {now_date}
+
+## 1. System Identification
+- **System Name:** {app_name}
+- **Description:** {app_desc or 'Forge Studio generated application'}
+- **FedRAMP Baseline:** {baseline_upper}
+- **Impact Level:** {'Moderate' if baseline == 'moderate' else 'High'}
+- **Package ID:** {package_id}
+
+## 2. System Boundary
+- **Deployment Model:** Cloud (IaaS/PaaS)
+- **Data Classification:** CUI // SP-CTI
+- **Authorization Boundary:** Application tier, database tier, load balancer, object storage
+- **Interconnections:** Cloud provider APIs, external identity provider (SAML/OIDC)
+
+## 3. Security Controls
+- **Baseline Controls:** {controls_count}
+- **Control Families:** AC, AU, AT, CM, CP, IA, IR, MA, MP, PE, PL, PM, PS, RA, SA, SC, SI, SR
+- **Inherited Controls:** Cloud provider infrastructure controls (FedRAMP authorized CSP)
+- **Hybrid Controls:** Application-level implementation with CSP infrastructure support
+- **Application-Specific:** Access control, audit logging, encryption, input validation
+
+## 4. Data Flow
+1. User -> HTTPS (TLS 1.2+) -> Load Balancer -> Application Container
+2. Application Container -> Encrypted Connection -> Database (encrypted at rest)
+3. Application Container -> HTTPS -> Object Storage (encrypted, versioned)
+4. All actions -> Append-only Audit Trail -> Log Aggregation (365-day retention)
+
+## 5. Authorization Status
+- **Status:** In Progress
+- **Target Authorization Date:** TBD
+- **Continuous Monitoring:** Automated evidence collection, monthly vulnerability scans
+"""
+    documents.append({"name": "SSP_Summary.md", "content": ssp_content, "format": "markdown"})
+
+    # 2. Control Implementation Summary
+    cis_content = f"""# Control Implementation Summary — {app_name}
+# Classification: CUI // SP-CTI
+# FedRAMP Baseline: {baseline_upper}
+# Generated: {now_date}
+
+## Control Implementation Status
+
+| Family | Description | Total | Implemented | Inherited | Planned |
+|--------|------------|-------|-------------|-----------|---------|
+| AC | Access Control | {'47' if baseline == 'high' else '32'} | Auto-generated | CSP | — |
+| AU | Audit and Accountability | {'16' if baseline == 'high' else '12'} | Auto-generated | CSP | — |
+| AT | Awareness and Training | 5 | Organizational | — | — |
+| CM | Configuration Management | {'14' if baseline == 'high' else '11'} | Auto-generated | CSP | — |
+| CP | Contingency Planning | {'13' if baseline == 'high' else '10'} | Partial | CSP | Org |
+| IA | Identification and Authentication | {'13' if baseline == 'high' else '11'} | Auto-generated | CSP | — |
+| IR | Incident Response | {'10' if baseline == 'high' else '8'} | Template | — | Org |
+| SC | System and Communications Protection | {'44' if baseline == 'high' else '27'} | Auto-generated | CSP | — |
+| SI | System and Information Integrity | {'17' if baseline == 'high' else '13'} | Auto-generated | CSP | — |
+
+## Implementation Methods
+- **Auto-generated:** Controls implemented by Forge Studio hardening engine (IaC, K8s manifests)
+- **Inherited:** Controls satisfied by FedRAMP-authorized Cloud Service Provider
+- **Organizational:** Controls requiring organizational policy and procedures
+- **Template:** Controls with generated templates requiring organizational customization
+"""
+    documents.append({"name": "Control_Implementation_Summary.md", "content": cis_content, "format": "markdown"})
+
+    # 3. Continuous Monitoring Plan
+    cmp_content = f"""# Continuous Monitoring Plan — {app_name}
+# Classification: CUI // SP-CTI
+# FedRAMP Baseline: {baseline_upper}
+# Generated: {now_date}
+
+## 1. Monitoring Strategy
+
+### Evidence Freshness Thresholds
+| Evidence Type | Current (Green) | Stale (Yellow) | Expired (Red) |
+|--------------|----------------|----------------|----------------|
+| Vulnerability Scans | <= 30 days | <= 90 days | > 90 days |
+| Configuration Audits | <= 30 days | <= 90 days | > 90 days |
+| Access Reviews | <= 30 days | <= 90 days | > 90 days |
+| Penetration Tests | <= 365 days | <= 450 days | > 450 days |
+| Incident Response Tests | <= 365 days | <= 450 days | > 450 days |
+
+### Automated Scanning Schedule
+| Scan Type | Frequency | Tool | Gate Behavior |
+|-----------|-----------|------|---------------|
+| Vulnerability scan | Weekly | Trivy + ECR | Block on Critical/High |
+| Dependency audit | Daily | pip-audit, npm audit | Block on Critical |
+| Secret detection | Per commit | secret_detector.py | Block on any finding |
+| SAST | Per commit | Bandit, ruff | Block on High severity |
+| Container scan | Per build | ECR, Trivy | Block on Critical |
+| Compliance check | Daily | cato_live_engine.py | Alert on drift |
+
+## 2. Reporting
+- **Monthly:** Vulnerability summary, POA&M updates, control assessment delta
+- **Quarterly:** Full control reassessment, risk posture report
+- **Annual:** Comprehensive security assessment, penetration test
+- **Ad-hoc:** Significant change trigger, incident trigger
+
+## 3. Deviation Handling
+1. Finding detected -> Auto-create POA&M entry
+2. Severity classification -> SLA assignment (Critical: 72h, High: 30d, Moderate: 90d, Low: 180d)
+3. Remediation tracking -> Evidence collection -> Closure verification
+"""
+    documents.append({"name": "Continuous_Monitoring_Plan.md", "content": cmp_content, "format": "markdown"})
+
+    # 4. Incident Response Plan
+    irp_content = f"""# Incident Response Plan — {app_name}
+# Classification: CUI // SP-CTI
+# FedRAMP Baseline: {baseline_upper}
+# Generated: {now_date}
+
+## 1. Incident Categories
+
+| Category | Severity | Response SLA | Notification |
+|----------|----------|-------------|--------------|
+| Data breach (CUI) | Critical | 1 hour | FedRAMP PMO, US-CERT within 1h |
+| Unauthorized access | High | 4 hours | Security team, management |
+| Malware/ransomware | High | 4 hours | Security team, CSP |
+| Service disruption | Medium | 8 hours | Operations team |
+| Policy violation | Low | 24 hours | Security team |
+
+## 2. Response Phases
+
+### Phase 1: Detection & Analysis
+- Automated alerting via CloudWatch/Sentinel alarms
+- SNS notification to on-call security personnel
+- Initial triage and severity classification
+- Evidence preservation (audit logs, snapshots)
+
+### Phase 2: Containment
+- Network isolation (security group modification)
+- Credential rotation (Secrets Manager)
+- Service quarantine (container stop, DNS redirect)
+- Communication to stakeholders
+
+### Phase 3: Eradication & Recovery
+- Root cause identification
+- Vulnerability remediation
+- System restoration from verified backups
+- Verification testing
+
+### Phase 4: Post-Incident
+- Lessons learned documentation
+- POA&M updates
+- Control enhancement recommendations
+- FedRAMP notification (if applicable)
+
+## 3. Contact Information
+| Role | Responsibility | Contact |
+|------|---------------|---------|
+| Incident Commander | Overall response coordination | [TBD] |
+| Security Analyst | Technical investigation | [TBD] |
+| System Administrator | System remediation | [TBD] |
+| Communications Lead | Stakeholder notification | [TBD] |
+| FedRAMP Liaison | Regulatory notification | [TBD] |
+"""
+    documents.append({"name": "Incident_Response_Plan.md", "content": irp_content, "format": "markdown"})
+
+    # 5. POA&M summary
+    poam_content = f"""# Plan of Action and Milestones (POA&M) — {app_name}
+# Classification: CUI // SP-CTI
+# FedRAMP Baseline: {baseline_upper}
+# Generated: {now_date}
+
+## Summary
+- **System:** {app_name}
+- **Baseline:** FedRAMP {baseline_upper}
+- **Assessment Date:** {now_date}
+- **Open Items:** To be populated after initial assessment
+
+## POA&M Template
+
+| ID | Weakness | Control | Severity | Status | Scheduled Completion | Milestone |
+|----|----------|---------|----------|--------|---------------------|-----------|
+| POAM-001 | [Finding description] | [Control ID] | [Cat I/II/III] | Open | [Date] | [Description] |
+
+## Remediation SLAs
+| Severity | FedRAMP SLA | Internal SLA |
+|----------|-------------|-------------|
+| Critical (Cat I) | 30 days | 72 hours |
+| High (Cat II) | 90 days | 30 days |
+| Moderate (Cat III) | 180 days | 90 days |
+| Low | 365 days | 180 days |
+
+## Notes
+- POA&M entries are auto-generated from vulnerability scans and compliance assessments
+- All entries tracked in append-only audit trail (NIST AU compliance)
+- Overdue items trigger automated alerts and management escalation
+"""
+    documents.append({"name": "POAM_Summary.md", "content": poam_content, "format": "markdown"})
+
+    log_forge_event("forge_studio_fedramp_package_generated", {
+        "package_id": package_id,
+        "app_id": app_id,
+        "baseline": baseline,
+        "document_count": len(documents),
+        "documents": [d["name"] for d in documents],
+    }, project_id=project_id)
+
+    logger.info("Generated FedRAMP package for app %s (%d documents)", app_id, len(documents))
+
+    return {
+        "status": "success",
+        "package_id": package_id,
+        "app_id": app_id,
+        "baseline": baseline,
+        "documents": documents,
+    }
+
+
+# ---------------------------------------------------------------------------
+# Status query
+# ---------------------------------------------------------------------------
+
+def get_hardening_status(app_id: str) -> Dict[str, Any]:
+    """Get the latest hardening config and FedRAMP package status for an app.
+
+    Args:
+        app_id: Forge Studio app ID.
+
+    Returns:
+        {app_id, hardening: {...} or None, has_fedramp_package: bool}
+    """
+    from tools.db.storage import get_connection
+
+    with get_connection() as conn:
+        row = conn.execute(
+            "SELECT id, preset, provider, controls_applied_json, status, created_at "
+            "FROM forge_studio_hardening_configs "
+            "WHERE app_id = ? AND status = 'applied' "
+            "ORDER BY created_at DESC LIMIT 1",
+            (app_id,),
+        ).fetchone()
+
+    hardening = None
+    if row:
+        hardening = {
+            "id": row[0],
+            "preset": row[1],
+            "provider": row[2],
+            "controls_applied": json.loads(row[3]) if row[3] else [],
+            "status": row[4],
+            "created_at": row[5],
+        }
+
+    # Check for FedRAMP package in audit trail
+    has_fedramp = False
+    with get_connection() as conn:
+        pkg_row = conn.execute(
+            "SELECT COUNT(*) FROM audit_trail "
+            "WHERE event_type = 'forge_studio_fedramp_package_generated' "
+            "AND details LIKE ?",
+            (f'%"app_id": "{app_id}"%',),
+        ).fetchone()
+        if pkg_row and pkg_row[0] > 0:
+            has_fedramp = True
+
+    return {
+        "app_id": app_id,
+        "hardening": hardening,
+        "has_fedramp_package": has_fedramp,
+    }
+
+
+# ---------------------------------------------------------------------------
+# CLI
+# ---------------------------------------------------------------------------
+
+def main():
+    import argparse
+    import sys
+
+    parser = argparse.ArgumentParser(description="Forge Studio Hardening Engine")
+    parser.add_argument("--presets", action="store_true", help="List available hardening presets")
+    parser.add_argument("--apply", action="store_true", help="Apply a hardening preset")
+    parser.add_argument("--fedramp", action="store_true", help="Generate FedRAMP package")
+    parser.add_argument("--status", action="store_true", help="Get hardening status for an app")
+    parser.add_argument("--app-id", type=str, default="", help="Forge Studio app ID")
+    parser.add_argument("--preset", type=str, default="il4_standard", help="Hardening preset")
+    parser.add_argument("--provider", type=str, default="aws", help="Cloud provider (aws, azure, gcp)")
+    parser.add_argument("--baseline", type=str, default="moderate", help="FedRAMP baseline (moderate, high)")
+    parser.add_argument("--output-dir", type=str, default="", help="Output directory for generated files")
+    parser.add_argument("--project-id", type=str, default="", help="Project ID for audit")
+    parser.add_argument("--json", action="store_true", help="JSON output")
+    args = parser.parse_args()
+
+    ensure_hardening_tables()
+
+    if args.presets:
+        result = get_hardening_presets()
+    elif args.apply:
+        if not args.app_id:
+            print(json.dumps({"status": "error", "error": "--app-id required"}))
+            sys.exit(1)
+        result = apply_hardening(
+            app_id=args.app_id,
+            preset=args.preset,
+            provider=args.provider,
+            output_dir=args.output_dir,
+            project_id=args.project_id,
+        )
+    elif args.fedramp:
+        if not args.app_id:
+            print(json.dumps({"status": "error", "error": "--app-id required"}))
+            sys.exit(1)
+        result = generate_fedramp_package(
+            app_id=args.app_id,
+            baseline=args.baseline,
+            project_id=args.project_id,
+        )
+    elif args.status:
+        if not args.app_id:
+            print(json.dumps({"status": "error", "error": "--app-id required"}))
+            sys.exit(1)
+        result = get_hardening_status(args.app_id)
+    else:
+        parser.print_help()
+        sys.exit(0)
+
+    print(json.dumps(result, indent=2, default=str))
+
+
+if __name__ == "__main__":
+    main()