icdev 0.0.3__py3-none-any.whl

tools/security/mcp_tool_authorizer.py

@@ -0,0 +1,242 @@
+#!/usr/bin/env python3
+# CUI // SP-CTI
+"""MCP Tool Authorizer — per-tool RBAC for MCP servers (D261).
+
+Stateless authorization engine that evaluates tool access based on
+role-tool matrix defined in owasp_agentic_config.yaml. Uses
+deny-first evaluation with fnmatch wildcard support.
+
+Pattern: stateless config-driven authorization (no DB)
+ADRs: D261 (MCP per-tool RBAC in YAML)
+
+Roles:
+    admin     — Full access to all tools
+    pm        — Project/task management, compliance views
+    developer — Build, test, lint, format, knowledge
+    isso      — Compliance, security, assessment tools
+    co        — Read-only project/agent status
+
+CLI:
+    python tools/security/mcp_tool_authorizer.py --check --role developer --tool scaffold --json
+    python tools/security/mcp_tool_authorizer.py --list --role pm --json
+    python tools/security/mcp_tool_authorizer.py --validate --json
+"""
+
+import argparse
+import json
+from fnmatch import fnmatch
+from pathlib import Path
+from typing import Dict, List, Optional
+
+import yaml
+
+BASE_DIR = Path(__file__).resolve().parent.parent.parent
+CONFIG_PATH = BASE_DIR / "args" / "owasp_agentic_config.yaml"
+
+
+def _load_config() -> Dict:
+    """Load MCP authorization config from YAML."""
+    if CONFIG_PATH.exists():
+        with open(CONFIG_PATH) as f:
+            cfg = yaml.safe_load(f) or {}
+        return cfg.get("mcp_authorization", {})
+    return {}
+
+
+class MCPToolAuthorizer:
+    """Per-tool RBAC for MCP servers (D261).
+
+    Stateless authorizer — no DB required. Evaluates access by:
+    1. Check deny list first (explicit deny always wins)
+    2. Check allow list (fnmatch wildcards supported)
+    3. Fall back to default_policy (deny)
+    """
+
+    def __init__(self, config: Optional[Dict] = None):
+        self._config = config or _load_config()
+        self._default_policy = self._config.get("default_policy", "deny")
+        self._matrix = self._config.get("role_tool_matrix", {})
+
+    def authorize(self, role: str, tool_name: str) -> Dict:
+        """Authorize a tool call for a given role.
+
+        Returns:
+            Dict with allowed bool, role, tool, reason.
+        """
+        if role not in self._matrix:
+            return {
+                "allowed": self._default_policy == "allow",
+                "role": role,
+                "tool": tool_name,
+                "reason": f"Unknown role '{role}' — default policy: {self._default_policy}",
+            }
+
+        role_config = self._matrix[role]
+        deny_list = role_config.get("deny", [])
+        allow_list = role_config.get("allow", [])
+
+        # Step 1: Check deny list first (explicit deny wins)
+        for pattern in deny_list:
+            if fnmatch(tool_name.lower(), pattern.lower()):
+                return {
+                    "allowed": False,
+                    "role": role,
+                    "tool": tool_name,
+                    "reason": f"Denied by explicit deny rule: {pattern}",
+                }
+
+        # Step 2: Check allow list
+        for pattern in allow_list:
+            if fnmatch(tool_name.lower(), pattern.lower()):
+                return {
+                    "allowed": True,
+                    "role": role,
+                    "tool": tool_name,
+                    "reason": f"Allowed by rule: {pattern}",
+                }
+
+        # Step 3: Default policy
+        return {
+            "allowed": self._default_policy == "allow",
+            "role": role,
+            "tool": tool_name,
+            "reason": f"No matching rule — default policy: {self._default_policy}",
+        }
+
+    def list_allowed_tools(self, role: str) -> Dict:
+        """List all explicitly allowed and denied tools for a role.
+
+        Returns:
+            Dict with role, allow patterns, deny patterns, default_policy.
+        """
+        if role not in self._matrix:
+            return {
+                "role": role,
+                "error": f"Unknown role '{role}'",
+                "known_roles": list(self._matrix.keys()),
+            }
+
+        role_config = self._matrix[role]
+        return {
+            "role": role,
+            "allow": role_config.get("allow", []),
+            "deny": role_config.get("deny", []),
+            "default_policy": self._default_policy,
+        }
+
+    def get_roles(self) -> List[str]:
+        """Return list of configured roles."""
+        return list(self._matrix.keys())
+
+    def validate_config(self) -> Dict:
+        """Validate the authorization configuration.
+
+        Checks:
+            - All roles have at least one allow or deny rule
+            - No role has conflicting allow and deny patterns
+            - Known MCP tool names are covered
+
+        Returns:
+            Dict with valid bool, warnings, errors.
+        """
+        errors = []
+        warnings = []
+
+        if not self._matrix:
+            errors.append("No role_tool_matrix configured")
+            return {"valid": False, "errors": errors, "warnings": warnings}
+
+        expected_roles = {"admin", "pm", "developer", "isso", "co"}
+        configured_roles = set(self._matrix.keys())
+
+        missing = expected_roles - configured_roles
+        if missing:
+            warnings.append(f"Missing expected roles: {', '.join(sorted(missing))}")
+
+        extra = configured_roles - expected_roles
+        if extra:
+            warnings.append(f"Extra roles configured: {', '.join(sorted(extra))}")
+
+        for role, config in self._matrix.items():
+            allow_list = config.get("allow", [])
+            deny_list = config.get("deny", [])
+
+            if not allow_list and not deny_list:
+                warnings.append(f"Role '{role}' has no allow or deny rules")
+
+            # Check for conflicts (same pattern in both allow and deny)
+            for allow_pat in allow_list:
+                for deny_pat in deny_list:
+                    if allow_pat == deny_pat:
+                        errors.append(
+                            f"Role '{role}': pattern '{allow_pat}' in both allow and deny"
+                        )
+
+        return {
+            "valid": len(errors) == 0,
+            "roles": sorted(configured_roles),
+            "role_count": len(configured_roles),
+            "default_policy": self._default_policy,
+            "errors": errors,
+            "warnings": warnings,
+        }
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="MCP Tool Authorizer — per-tool RBAC (D261)"
+    )
+    parser.add_argument("--check", action="store_true", help="Check tool authorization")
+    parser.add_argument("--list", action="store_true", help="List allowed tools for role")
+    parser.add_argument("--validate", action="store_true", help="Validate configuration")
+    parser.add_argument("--role", help="Role to check/list")
+    parser.add_argument("--tool", help="Tool name to check")
+    parser.add_argument("--json", action="store_true", help="Output as JSON")
+    args = parser.parse_args()
+
+    authorizer = MCPToolAuthorizer()
+
+    if args.check:
+        if not args.role or not args.tool:
+            print("Error: --check requires --role and --tool",
+                  file=__import__("sys").stderr)
+            __import__("sys").exit(1)
+        result = authorizer.authorize(args.role, args.tool)
+    elif args.list:
+        if not args.role:
+            print("Error: --list requires --role",
+                  file=__import__("sys").stderr)
+            __import__("sys").exit(1)
+        result = authorizer.list_allowed_tools(args.role)
+    elif args.validate:
+        result = authorizer.validate_config()
+    else:
+        parser.print_help()
+        return
+
+    if args.json:
+        print(json.dumps(result, indent=2))
+    else:
+        if args.check:
+            status = "ALLOWED" if result["allowed"] else "DENIED"
+            print(f"Authorization: {status}")
+            print(f"  Role: {result['role']}")
+            print(f"  Tool: {result['tool']}")
+            print(f"  Reason: {result['reason']}")
+        elif args.list:
+            print(f"Role: {result['role']}")
+            print(f"  Allow: {', '.join(result.get('allow', []))}")
+            print(f"  Deny: {', '.join(result.get('deny', []))}")
+            print(f"  Default: {result.get('default_policy', 'deny')}")
+        elif args.validate:
+            status = "VALID" if result["valid"] else "INVALID"
+            print(f"Config Validation: {status}")
+            print(f"  Roles: {', '.join(result.get('roles', []))}")
+            for e in result.get("errors", []):
+                print(f"  [ERROR] {e}")
+            for w in result.get("warnings", []):
+                print(f"  [WARN] {w}")
+
+
+if __name__ == "__main__":
+    main()

tools/security/output_verifier.py

@@ -0,0 +1,427 @@
+# CUI // SP-CTI
+"""Post-generation output verification gate (D-ARCH-12).
+
+Checks LLM responses for leaked sensitive content before returning to users.
+All detection is regex-based and deterministic -- no LLM calls.
+
+Detection categories:
+    1. System prompt leaks (instruction fragments, persona definitions)
+    2. Credential patterns (API keys, tokens, connection strings)
+    3. Classification overflow (SECRET, TS//SCI above CUI ceiling)
+    4. PII patterns (SSN, credit cards, unexpected email addresses)
+    5. Internal path leaks (absolute paths, internal URLs, DB table names)
+
+Usage:
+    python tools/security/output_verifier.py --verify --text "some output"
+    python tools/security/output_verifier.py --verify --file /path/to/output.txt
+    python tools/security/output_verifier.py --check-credentials --text "AKIA..."
+    python tools/security/output_verifier.py --stats --json
+"""
+
+import argparse
+import json
+import re
+import sys
+from typing import Any, Dict, List, Optional
+
+
+# Optional ICDEV imports
+_HAS_SESSION_PURPOSE = False
+try:
+    from tools.agent.session_purpose import get_current_purpose  # type: ignore
+    _HAS_SESSION_PURPOSE = True
+except ImportError:
+    pass
+
+
+class SecurityGateError(Exception):
+    """Raised when gate_output encounters a critical or blocking violation."""
+
+    def __init__(self, message: str, violations: List[Dict[str, Any]]):
+        super().__init__(message)
+        self.violations = violations
+
+
+# ---------------------------------------------------------------------------
+# Detection pattern tuples: (compiled_regex, description, severity)
+# For prompt leaks severity is always "high".
+# ---------------------------------------------------------------------------
+
+_PROMPT_LEAK_PATTERNS: List[tuple] = [
+    (re.compile(r"You are a[n]?\s+(?:AI|assistant|helpful|language model)", re.I),
+     "System persona definition detected"),
+    (re.compile(r"Your instructions are", re.I),
+     "Instruction leak detected"),
+    (re.compile(r"(?:^|\n)\s*System:\s*", re.M),
+     "System role marker detected"),
+    (re.compile(r"<<SYS>>", re.I), "Llama-style system tag detected"),
+    (re.compile(r"\[INST\]|\[/INST\]", re.I), "Instruction tag detected"),
+    (re.compile(r"<\|system\|>|<\|user\|>|<\|assistant\|>", re.I),
+     "Chat template tag leaked"),
+    (re.compile(r"(?:^|\n)\s*###\s*(?:System|Instructions?|Prompt)\s*:", re.I | re.M),
+     "Markdown instruction header leaked"),
+    (re.compile(r"As an AI (?:language )?model,?\s+I", re.I),
+     "AI self-reference detected"),
+    (re.compile(r"my programming (?:tells|instructs|requires) me", re.I),
+     "Programming instruction reference"),
+    (re.compile(r"I (?:was|am) (?:programmed|trained|instructed) to", re.I),
+     "Training instruction reference"),
+]
+
+_CREDENTIAL_PATTERNS: List[tuple] = [
+    (re.compile(r"AKIA[0-9A-Z]{16}"), "AWS Access Key ID", "critical"),
+    (re.compile(r"(?:aws_secret_access_key|secret_key)\s*[=:]\s*\S{20,}"),
+     "AWS Secret Access Key assignment", "critical"),
+    (re.compile(r"\bsk-[a-zA-Z0-9]{20,}"), "OpenAI-style API key", "critical"),
+    (re.compile(r"\bpk_(?:live|test)_[a-zA-Z0-9]{20,}"),
+     "Stripe-style publishable key", "high"),
+    (re.compile(r"\bsk_(?:live|test)_[a-zA-Z0-9]{20,}"),
+     "Stripe-style secret key", "critical"),
+    (re.compile(r"(?:Bearer|bearer)\s+[a-zA-Z0-9_\-\.]{20,}"),
+     "Bearer token", "high"),
+    (re.compile(r"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}"),
+     "GitHub personal access token", "critical"),
+    (re.compile(r"(?:password|passwd|pwd)\s*[=:]\s*['\"]?[^\s'\"]{8,}", re.I),
+     "Password assignment", "high"),
+    (re.compile(r"(?:postgresql|postgres|mysql|mongodb|redis)://[^\s]{10,}", re.I),
+     "Database connection string", "critical"),
+    (re.compile(r"(?:api[_-]?key|apikey)\s*[=:]\s*['\"]?[a-zA-Z0-9_\-]{16,}", re.I),
+     "Generic API key assignment", "high"),
+    (re.compile(r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"),
+     "Private key block", "critical"),
+    (re.compile(r"(?:eyJ[a-zA-Z0-9_-]{10,}\.){2}[a-zA-Z0-9_-]{10,}"),
+     "JWT token", "high"),
+    (re.compile(r"xox[bporas]-[a-zA-Z0-9\-]{10,}"), "Slack token", "critical"),
+]
+
+_CLASSIFICATION_OVERFLOW_PATTERNS: List[tuple] = [
+    (re.compile(r"\bSECRET\b(?!\s*(?:key|token|password|access|detective|"
+                r"agent|santa|garden|menu|ingredient|recipe|sauce))", re.I),
+     "SECRET classification marking", "critical"),
+    (re.compile(r"\bTOP\s+SECRET\b", re.I),
+     "TOP SECRET classification marking", "critical"),
+    (re.compile(r"\bTS\s*//\s*SCI\b", re.I),
+     "TS//SCI classification marking", "critical"),
+    (re.compile(r"\bNOFORN\b", re.I), "NOFORN dissemination control", "critical"),
+    (re.compile(r"\bREL\s+TO\b", re.I), "REL TO dissemination control", "high"),
+    (re.compile(r"\bORCON\b", re.I), "ORCON dissemination control", "critical"),
+    (re.compile(r"\bPROPIN\b", re.I), "PROPIN dissemination control", "high"),
+    (re.compile(r"\bFISA\b", re.I), "FISA marking", "critical"),
+]
+
+_PII_PATTERNS: List[tuple] = [
+    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "Social Security Number", "critical"),
+    (re.compile(r"\b(?:4\d{3}|5[1-5]\d{2}|6(?:011|5\d{2}))[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b"),
+     "Credit card number", "critical"),
+    (re.compile(r"\b(?:3[47]\d{2})[- ]?\d{6}[- ]?\d{5}\b"),
+     "American Express card", "critical"),
+    (re.compile(r"\b[A-Za-z0-9._%+-]+@(?!example\.com\b|test\.com\b|localhost\b)"
+                r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
+     "Email address in output", "medium"),
+    (re.compile(r"\b\d{3}[- ]?\d{3}[- ]?\d{4}\b"), "Phone number", "low"),
+]
+
+_INTERNAL_PATH_PATTERNS: List[tuple] = [
+    (re.compile(r"(?:[A-Z]:\\|/(?:home|Users|var|opt|etc|usr)/)[^\s\"'<>]{5,}"),
+     "Absolute filesystem path", "medium"),
+    (re.compile(r"https?://(?:localhost|127\.0\.0\.1|10\.\d+\.\d+\.\d+|"
+                r"192\.168\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+)[:/][^\s]*"),
+     "Internal/private network URL", "high"),
+    (re.compile(r"(?:sqlite|data)://[^\s]{5,}", re.I),
+     "Database URI in output", "medium"),
+    (re.compile(r"(?:FROM|JOIN|INTO|UPDATE|CREATE TABLE)\s+[a-z_]{3,}\s", re.I),
+     "SQL table reference", "low"),
+]
+
+# Internal stats
+_stats: Dict[str, Any] = {
+    "total_checks": 0,
+    "violations_by_type": {
+        "prompt_leak": 0, "credential_leak": 0, "classification_overflow": 0,
+        "pii_leak": 0, "internal_path": 0, "goal_deviation": 0,
+    },
+    "block_count": 0,
+}
+
+_SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
+
+
+def _violation(vtype: str, severity: str, pattern: str,
+               location: int, description: str) -> Dict[str, Any]:
+    """Create a standardised violation dict."""
+    return {"type": vtype, "severity": severity, "pattern": pattern,
+            "location": location, "description": description}
+
+
+def _mask(text: str, keep_start: int = 6, keep_end: int = 4) -> str:
+    """Mask sensitive text for safe reporting."""
+    if len(text) > keep_start + keep_end + 3:
+        return text[:keep_start] + "***" + text[-keep_end:]
+    return text[:3] + "***"
+
+
+def check_leaked_prompts(text: str) -> List[Dict[str, Any]]:
+    """Detect system prompt fragments and instruction leakage."""
+    violations = []
+    for pat, desc in _PROMPT_LEAK_PATTERNS:
+        for m in pat.finditer(text):
+            violations.append(_violation(
+                "prompt_leak", "high", desc, m.start(),
+                f"Potential system prompt leak: '{m.group()[:80]}'"))
+    return violations
+
+
+def check_credential_leaks(text: str) -> List[Dict[str, Any]]:
+    """Detect API keys, passwords, connection strings, and tokens."""
+    violations = []
+    for pat, desc, sev in _CREDENTIAL_PATTERNS:
+        for m in pat.finditer(text):
+            violations.append(_violation(
+                "credential_leak", sev, desc, m.start(),
+                f"Credential detected: {_mask(m.group())}"))
+    return violations
+
+
+def check_classification_overflow(text: str,
+                                  max_level: str = "CUI // SP-CTI") -> List[Dict[str, Any]]:
+    """Ensure output does not contain classification markings above the ceiling."""
+    violations = []
+    for pat, desc, sev in _CLASSIFICATION_OVERFLOW_PATTERNS:
+        for m in pat.finditer(text):
+            violations.append(_violation(
+                "classification_overflow", sev, desc, m.start(),
+                f"Marking '{m.group()}' exceeds max level '{max_level}'"))
+    return violations
+
+
+def _check_pii(text: str) -> List[Dict[str, Any]]:
+    """Detect PII patterns (SSN, credit cards, emails, phone numbers)."""
+    violations = []
+    for pat, desc, sev in _PII_PATTERNS:
+        for m in pat.finditer(text):
+            violations.append(_violation(
+                "pii_leak", sev, desc, m.start(),
+                f"PII detected: {_mask(m.group(), 4, 2)}"))
+    return violations
+
+
+def _check_internal_paths(text: str) -> List[Dict[str, Any]]:
+    """Detect internal filesystem paths, private URLs, and DB references."""
+    violations = []
+    for pat, desc, sev in _INTERNAL_PATH_PATTERNS:
+        for m in pat.finditer(text):
+            violations.append(_violation(
+                "internal_path", sev, desc, m.start(),
+                f"Internal reference: '{m.group()[:100]}'"))
+    return violations
+
+
+def check_goal_deviation(text: str, session_purpose: Optional[str]) -> List[Dict[str, Any]]:
+    """Check whether output is relevant to the declared session purpose.
+
+    Uses keyword overlap as a lightweight relevance proxy.
+    """
+    if not session_purpose:
+        return []
+    stop = frozenset("a an and are as at be but by for from has have i if in is it "
+                     "its my not of on or our the them then there this to we".split())
+
+    def tok(s: str) -> set:
+        return {t for t in re.findall(r"[a-zA-Z0-9][\w-]*", s.lower()) if t not in stop}
+
+    p_tok = tok(session_purpose)
+    if not p_tok:
+        return []
+    ratio = len(p_tok & tok(text[:2000])) / len(p_tok)
+    if ratio < 0.1 and len(text) > 200:
+        return [_violation(
+            "goal_deviation", "medium", "Low relevance to session purpose", 0,
+            f"Output has {ratio:.0%} overlap with purpose '{session_purpose[:80]}'. "
+            f"Potential goal deviation.")]
+    return []
+
+
+def _sanitize_text(text: str, violations: List[Dict[str, Any]]) -> str:
+    """Redact detected violations from the text."""
+    if not violations:
+        return text
+    ranges = []
+    for v in violations:
+        loc = v["location"]
+        qm = re.search(r"'([^']{1,120})'", v.get("description", ""))
+        if qm:
+            mt = qm.group(1)
+            pos = text.find(mt, max(0, loc - 5))
+            if pos >= 0:
+                ranges.append((pos, pos + len(mt), v["type"]))
+                continue
+        ranges.append((loc, min(loc + 20, len(text)), v["type"]))
+
+    ranges.sort(key=lambda r: r[0], reverse=True)
+    result = text
+    used = []
+    for s, e, vt in ranges:
+        if any(s < ue and e > us for us, ue, _ in used):
+            continue
+        s, e = max(0, s), min(len(result), e)
+        repl = f"[REDACTED:{vt}]"
+        result = result[:s] + repl + result[e:]
+        used.append((s, s + len(repl), vt))
+    return result
+
+
+def _risk_level(violations: List[Dict[str, Any]]) -> str:
+    """Determine overall risk level from highest severity violation."""
+    if not violations:
+        return "none"
+    mx = max(_SEVERITY_RANK.get(v["severity"], 0) for v in violations)
+    for lev, rank in _SEVERITY_RANK.items():
+        if rank == mx:
+            return lev
+    return "none"
+
+
+def verify_output(text: str,
+                  session_purpose: Optional[str] = None) -> Dict[str, Any]:
+    """Verify LLM output for leaked sensitive content.
+
+    Runs all detection categories and returns a comprehensive result dict
+    with: passed, violations, risk_level, sanitized_text, violation_count.
+    """
+    _stats["total_checks"] += 1
+    checks = [
+        ("prompt_leak", check_leaked_prompts(text)),
+        ("credential_leak", check_credential_leaks(text)),
+        ("classification_overflow", check_classification_overflow(text)),
+        ("pii_leak", _check_pii(text)),
+        ("internal_path", _check_internal_paths(text)),
+        ("goal_deviation", check_goal_deviation(text, session_purpose)),
+    ]
+    all_v: List[Dict[str, Any]] = []
+    for cat, viols in checks:
+        _stats["violations_by_type"][cat] += len(viols)
+        all_v.extend(viols)
+
+    rl = _risk_level(all_v)
+    return {"passed": len(all_v) == 0, "violations": all_v,
+            "risk_level": rl,
+            "sanitized_text": _sanitize_text(text, all_v) if all_v else text,
+            "violation_count": len(all_v),
+            "checks_run": [c for c, _ in checks]}
+
+
+def gate_output(text: str, session_purpose: Optional[str] = None,
+                block_on_high: bool = True) -> Dict[str, Any]:
+    """Verify output and raise SecurityGateError on critical/high violations.
+
+    Like verify_output but enforces blocking behaviour.  Critical violations
+    always block; high violations block when block_on_high is True.
+
+    Raises:
+        SecurityGateError: If blocking violations found.
+    """
+    result = verify_output(text, session_purpose)
+    blocking = [v for v in result["violations"]
+                if v["severity"] == "critical"
+                or (v["severity"] == "high" and block_on_high)]
+    if blocking:
+        _stats["block_count"] += 1
+        sc: Dict[str, int] = {}
+        for v in blocking:
+            sc[v["severity"]] = sc.get(v["severity"], 0) + 1
+        raise SecurityGateError(
+            f"Output blocked: {len(blocking)} violation(s) "
+            f"({', '.join(f'{c} {s}' for s, c in sc.items())})", blocking)
+    return result
+
+
+def get_stats() -> Dict[str, Any]:
+    """Return verification statistics."""
+    return {"total_checks": _stats["total_checks"],
+            "violations_by_type": dict(_stats["violations_by_type"]),
+            "block_count": _stats["block_count"]}
+
+
+def _read_input(args: argparse.Namespace) -> Optional[str]:
+    """Read text from --text or --file argument."""
+    if args.text:
+        return args.text
+    if getattr(args, "file", None):
+        try:
+            with open(args.file, "r", encoding="utf-8") as f:
+                return f.read()
+        except OSError as exc:
+            print(f"Error reading file: {exc}", file=sys.stderr)
+            sys.exit(1)
+    return None
+
+
+def main() -> None:
+    """CLI entry point."""
+    p = argparse.ArgumentParser(
+        description="Post-generation output verification gate (D-ARCH-12)")
+    p.add_argument("--verify", action="store_true", help="Run full verification")
+    p.add_argument("--check-credentials", action="store_true",
+                   help="Run only credential leak check")
+    p.add_argument("--text", type=str, help="Text to verify")
+    p.add_argument("--file", type=str, help="File path to read and verify")
+    p.add_argument("--session-purpose", type=str, default=None)
+    p.add_argument("--stats", action="store_true", help="Show statistics")
+    p.add_argument("--json", action="store_true", help="Output as JSON")
+    args = p.parse_args()
+
+    if args.stats:
+        s = get_stats()
+        if args.json:
+            print(json.dumps(s, indent=2))
+        else:
+            print("Output Verifier Statistics\n" + "=" * 40)
+            for k, v in s.items():
+                if isinstance(v, dict):
+                    print(f"  {k}:")
+                    for sk, sv in v.items():
+                        print(f"    {sk}: {sv}")
+                else:
+                    print(f"  {k}: {v}")
+        return
+
+    if args.check_credentials:
+        text = _read_input(args)
+        if text is None:
+            p.error("--check-credentials requires --text or --file")
+        viols = check_credential_leaks(text)
+        r = {"credential_violations": viols, "count": len(viols)}
+        if args.json:
+            print(json.dumps(r, indent=2))
+        else:
+            if viols:
+                print(f"Found {len(viols)} credential leak(s):")
+                for v in viols:
+                    print(f"  [{v['severity'].upper()}] {v['description']}")
+            else:
+                print("No credential leaks detected.")
+        return
+
+    if args.verify:
+        text = _read_input(args)
+        if text is None:
+            p.error("--verify requires --text or --file")
+        r = verify_output(text, session_purpose=args.session_purpose)
+        if args.json:
+            print(json.dumps(r, indent=2))
+        else:
+            status = "PASSED" if r["passed"] else "FAILED"
+            print(f"Verification: {status}  Risk: {r['risk_level']}  "
+                  f"Violations: {r['violation_count']}")
+            for v in r["violations"]:
+                print(f"  [{v['severity'].upper()}] {v['type']}: {v['description']}")
+            if r["violations"]:
+                print(f"\nSanitized preview:\n{r['sanitized_text'][:500]}")
+        return
+
+    p.print_help()
+    sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()