PyPI - icdev - Versions diffs - 0.0.3__py3-none-any.whl - Mend

icdev 0.0.3__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1214) hide show

args/agent_config.yaml +113 -0
args/audit_regimes/cisa_sbd.json +381 -0
args/audit_regimes/cmmc_l2.json +906 -0
args/audit_regimes/dod_cssp.json +393 -0
args/audit_regimes/dodi_5000_87.json +297 -0
args/audit_regimes/fedramp_moderate.json +650 -0
args/audit_regimes/ieee_1012.json +373 -0
args/audit_regimes/nist_800_171.json +624 -0
args/audit_regimes/nist_800_53.json +907 -0
args/cloudforge_blueprints/aws_commercial.yaml +29 -0
args/cloudforge_blueprints/aws_govcloud_il4.yaml +34 -0
args/cloudforge_blueprints/aws_govcloud_il5.yaml +38 -0
args/cloudforge_blueprints/azure_commercial.yaml +28 -0
args/cloudforge_blueprints/azure_gov_il4.yaml +32 -0
args/cloudforge_blueprints/azure_gov_il5.yaml +36 -0
args/cloudforge_blueprints/gcp_commercial.yaml +28 -0
args/cloudforge_blueprints/oci_commercial.yaml +28 -0
args/cloudforge_config.yaml +231 -0
args/cloudforge_runbook_templates/backup_verify.yaml +98 -0
args/cloudforge_runbook_templates/dr_failover.yaml +107 -0
args/cloudforge_runbook_templates/health_check.yaml +97 -0
args/cloudforge_runbook_templates/incident_response.yaml +101 -0
args/cloudforge_runbook_templates/migration_cutover.yaml +105 -0
args/cloudforge_runbook_templates/patch_rollout.yaml +92 -0
args/cloudforge_runbook_templates/zone_provision.yaml +93 -0
args/code_pattern_config.yaml +151 -0
args/code_quality_config.yaml +47 -0
args/compliance_config.yaml +17 -0
args/control_inheritance.yaml +177 -0
args/csp_mcp_config.yaml +41 -0
args/cui_markings.yaml +35 -0
args/databridge_config.yaml +232 -0
args/db_config.yaml +116 -0
args/decision_tables/agent_trust_decision.yaml +143 -0
args/decision_tables/ato_boundary_impact.yaml +132 -0
args/decision_tables/deployment_approval.yaml +152 -0
args/degradation_matrix.yaml +163 -0
args/devsecops_config.yaml +286 -0
args/endpoint_security_config.yaml +207 -0
args/exit_criteria.yaml +102 -0
args/feature_flags.yaml +235 -0
args/file_access_tiers.yaml +88 -0
args/forge_studio/blueprint_config.yaml +27 -0
args/forge_studio/component_catalog.json +411 -0
args/forge_studio/workflow_templates.yaml +103 -0
args/govcon_config.yaml +41 -0
args/harness_config.yaml +67 -0
args/innovation_config.yaml +321 -0
args/knowledge_graph_config.yaml +113 -0
args/llm_config.yaml +222 -0
args/marketplace_config.yaml +260 -0
args/monitoring_config.yaml +127 -0
args/mosa_config.yaml +190 -0
args/observability_tracing_config.yaml +170 -0
args/owasp_agentic_config.yaml +171 -0
args/pipeline_gates.yaml +197 -0
args/project_defaults.yaml +235 -0
args/prompt_chains.yaml +163 -0
args/rag_config.yaml +167 -0
args/research_config.yaml +89 -0
args/resilience_config.yaml +197 -0
args/ricoas_config.yaml +191 -0
args/security_gates.yaml +763 -0
args/storage_config.yaml +63 -0
args/writeguard_config.yaml +131 -0
args/zta_config.yaml +247 -0
context/__init__.py +6 -0
context/agent/__init__.py +6 -0
context/agent/response_schemas/__init__.py +6 -0
context/agent/response_schemas/debate_position.json +46 -0
context/agent/response_schemas/fitness_scorecard.json +74 -0
context/agent/response_schemas/review_decision.json +39 -0
context/agent/response_schemas/task_decomposition.json +82 -0
context/agent/response_schemas/veto_decision.json +40 -0
context/agentic/__init__.py +6 -0
context/agentic/architecture_patterns.md +269 -0
context/agentic/capability_registry.yaml +223 -0
context/agentic/csp_integration.md +30 -0
context/agentic/csp_mcp_registry.yaml +280 -0
context/agentic/fitness_rubric.md +56 -0
context/agentic/governance_baseline.md +205 -0
context/ci/__init__.py +6 -0
context/ci/worktree_templates.json +44 -0
context/cloud/__init__.py +6 -0
context/cloud/csp_service_registry.json +739 -0
context/compliance/__init__.py +6 -0
context/compliance/ai_rmf_crosswalk.yaml +226 -0
context/compliance/atlas_mitigations.json +293 -0
context/compliance/atlas_techniques.json +833 -0
context/compliance/cisa_sbd_requirements.json +477 -0
context/compliance/cjis_security_policy.json +522 -0
context/compliance/cmmc_practices.json +2494 -0
context/compliance/cmmc_report_template.md +142 -0
context/compliance/cnssi_1253_overlay.json +109 -0
context/compliance/control_crosswalk.json +1914 -0
context/compliance/control_families/__init__.py +6 -0
context/compliance/csp_certifications.json +251 -0
context/compliance/cssp_report_template.md +193 -0
context/compliance/cui_templates/__init__.py +6 -0
context/compliance/cui_templates/banner_block.txt +4 -0
context/compliance/cui_templates/code_header.txt +8 -0
context/compliance/cui_templates/document_template.md +35 -0
context/compliance/data_type_framework_map.json +321 -0
context/compliance/data_type_registry.json +147 -0
context/compliance/dod_cssp_8530.json +463 -0
context/compliance/eu_ai_act_annex_iii.json +108 -0
context/compliance/export_templates/__init__.py +6 -0
context/compliance/export_templates/emass_controls.csv.j2 +4 -0
context/compliance/export_templates/evidence_package.md.j2 +39 -0
context/compliance/export_templates/executive_summary.md.j2 +55 -0
context/compliance/export_templates/poam_tracking.csv.j2 +4 -0
context/compliance/fedramp_20x_ksi_schemas.json +133 -0
context/compliance/fedramp_high_baseline.json +4370 -0
context/compliance/fedramp_moderate_baseline.json +2183 -0
context/compliance/fedramp_report_template.md +181 -0
context/compliance/fips_200_areas.json +362 -0
context/compliance/gao_ai_accountability.json +262 -0
context/compliance/hipaa_security_rule.json +720 -0
context/compliance/hitrust_csf_v11.json +930 -0
context/compliance/impact_level_profiles.json +251 -0
context/compliance/incident_response_template.md +1110 -0
context/compliance/iso27001_2022_controls.json +750 -0
context/compliance/iso27001_nist_bridge.json +382 -0
context/compliance/iso42001_controls.json +254 -0
context/compliance/ivv_checklist_template.md +80 -0
context/compliance/ivv_report_template.md +116 -0
context/compliance/ivv_requirements.json +372 -0
context/compliance/mosa_crosswalk.json +327 -0
context/compliance/mosa_framework.json +250 -0
context/compliance/narrative_templates/AC.md.j2 +101 -0
context/compliance/narrative_templates/AU.md.j2 +106 -0
context/compliance/narrative_templates/IA.md.j2 +104 -0
context/compliance/narrative_templates/SC.md.j2 +102 -0
context/compliance/narrative_templates/SI.md.j2 +111 -0
context/compliance/narrative_templates/__init__.py +6 -0
context/compliance/narrative_templates/default.md.j2 +50 -0
context/compliance/narrative_templates/executive_summary.j2 +27 -0
context/compliance/narrative_templates/poam_milestone.j2 +19 -0
context/compliance/narrative_templates/ssp_section.j2 +11 -0
context/compliance/nist_800_171_controls.json +1552 -0
context/compliance/nist_800_207_crosswalk.json +399 -0
context/compliance/nist_800_207_zta.json +258 -0
context/compliance/nist_800_53.json +324 -0
context/compliance/nist_ai_600_1_genai.json +326 -0
context/compliance/nist_ai_rmf.json +206 -0
context/compliance/nist_sp_800_60_types.json +1667 -0
context/compliance/omb_m25_21_high_impact_ai.json +248 -0
context/compliance/omb_m26_04_unbiased_ai.json +262 -0
context/compliance/owasp_agentic_asi.json +133 -0
context/compliance/owasp_agentic_threats.json +285 -0
context/compliance/owasp_llm_top10.json +274 -0
context/compliance/pci_dss_v4.json +510 -0
context/compliance/poam_template.md +117 -0
context/compliance/safeai_controls.json +512 -0
context/compliance/sbd_report_template.md +77 -0
context/compliance/siem_config_templates/__init__.py +6 -0
context/compliance/siem_config_templates/filebeat.yml +213 -0
context/compliance/siem_config_templates/log_sources.json +208 -0
context/compliance/soc2_trust_criteria.json +661 -0
context/compliance/ssp_template.md +432 -0
context/compliance/stig_templates/__init__.py +6 -0
context/compliance/stig_templates/webapp_stig.json +139 -0
context/compliance/xai_requirements.json +108 -0
context/dashboard/__init__.py +6 -0
context/dashboard/nlq_examples.json +50 -0
context/dashboard/schema_descriptions.json +23 -0
context/icdev_methodology.md +100 -0
context/integration/__init__.py +6 -0
context/integration/approval_workflows.json +32 -0
context/integration/gitlab_field_mappings.json +33 -0
context/integration/jira_field_mappings.json +32 -0
context/integration/reqif_export_schema.json +23 -0
context/integration/servicenow_field_mappings.json +22 -0
context/languages/__init__.py +6 -0
context/languages/framework_patterns.json +205 -0
context/languages/language_registry.json +279 -0
context/llm/__init__.py +6 -0
context/llm/example_provider.py +89 -0
context/marketplace/assets/writeguard-core.yaml +100 -0
context/marketplace/assets/writeguard-govcon.yaml +45 -0
context/marketplace/assets/writeguard-style-guides.yaml +44 -0
context/mbse/__init__.py +6 -0
context/mbse/des_report_template.md +162 -0
context/mbse/des_requirements.json +411 -0
context/mbse/digital_thread_patterns.json +403 -0
context/mbse/reqif_schema.json +280 -0
context/mbse/sysml_element_types.json +432 -0
context/oscal/NIST_SP-800-53_rev5_catalog.json +254987 -0
context/oscal/README.md +43 -0
context/patterns/__init__.py +6 -0
context/profiles/__init__.py +6 -0
context/profiles/dod_baseline_v1.yaml +145 -0
context/profiles/fedramp_baseline_v1.yaml +143 -0
context/profiles/financial_baseline_v1.yaml +142 -0
context/profiles/healthcare_baseline_v1.yaml +135 -0
context/profiles/law_enforcement_v1.yaml +129 -0
context/profiles/startup_v1.yaml +134 -0
context/rag/source_mappings.json +42 -0
context/requirements/__init__.py +6 -0
context/requirements/ambiguity_patterns.json +97 -0
context/requirements/boundary_impact_rules.json +123 -0
context/requirements/default_constitutions.json +67 -0
context/requirements/document_extraction_rules.json +58 -0
context/requirements/gap_patterns.json +108 -0
context/requirements/readiness_rubric.json +78 -0
context/requirements/red_alternative_patterns.json +210 -0
context/requirements/safe_templates.json +72 -0
context/requirements/spec_quality_checklist.json +122 -0
context/research/regulatory_registry.json +114 -0
context/research/verticals/cybersecurity.json +127 -0
context/research/verticals/defense.json +104 -0
context/research/verticals/fintech.json +125 -0
context/research/verticals/healthcare.json +118 -0
context/research/verticals/logistics.json +117 -0
context/research/verticals/trading.json +145 -0
context/simulation/__init__.py +6 -0
context/simulation/architecture_patterns.json +36 -0
context/simulation/coa_templates.json +38 -0
context/simulation/cost_models.json +23 -0
context/simulation/risk_categories.json +46 -0
context/supply_chain/__init__.py +6 -0
context/supply_chain/isa_templates.json +129 -0
context/supply_chain/nist_800_161_controls.json +247 -0
context/supply_chain/scrm_risk_matrix.json +147 -0
context/templates/__init__.py +6 -0
context/templates/ansible/__init__.py +6 -0
context/templates/ansible/playbooks/__init__.py +6 -0
context/templates/ansible/roles/__init__.py +6 -0
context/templates/gitlab_ci/__init__.py +6 -0
context/templates/grafana/__init__.py +6 -0
context/templates/kubernetes/__init__.py +6 -0
context/templates/project/__init__.py +6 -0
context/templates/project/api/__init__.py +6 -0
context/templates/project/cli/__init__.py +6 -0
context/templates/project/data_pipeline/__init__.py +6 -0
context/templates/project/iac/__init__.py +6 -0
context/templates/project/javascript_frontend/__init__.py +6 -0
context/templates/project/javascript_frontend/src/__init__.py +6 -0
context/templates/project/javascript_frontend/tests/__init__.py +6 -0
context/templates/project/microservice/__init__.py +6 -0
context/templates/project/python_backend/__init__.py +6 -0
context/templates/project/python_backend/src/__init__.py +6 -0
context/templates/project/python_backend/tests/__init__.py +6 -0
context/templates/project/python_backend/tests/features/__init__.py +6 -0
context/templates/project/python_backend/tests/steps/__init__.py +6 -0
context/templates/terraform/__init__.py +6 -0
context/templates/terraform/govcloud_base/__init__.py +6 -0
context/templates/terraform/modules/__init__.py +6 -0
context/tone/__init__.py +6 -0
context/writing/grammar_rules/common_errors.json +306 -0
context/writing/grammar_rules/govcon_vocabulary.json +113 -0
context/writing/style_guides/academic.yaml +43 -0
context/writing/style_guides/business.yaml +42 -0
context/writing/style_guides/government.yaml +59 -0
context/writing/style_guides/proposal.yaml +58 -0
context/writing/style_guides/technical.yaml +43 -0
docs/adr/README.md +66 -0
docs/adr/connector-forge-decisions.md +318 -0
docs/adr/core-decisions.md +289 -0
docs/adr/db-decisions.md +94 -0
docs/adr/harness-decisions.md +122 -0
docs/adr/innovation-decisions.md +262 -0
docs/adr/marketplace-decisions.md +109 -0
docs/adr/sbd-decisions.md +109 -0
docs/adr/scale-engine-decisions.md +108 -0
docs/adr/writeguard-decisions.md +136 -0
docs/architecture/bounded-contexts.md +1032 -0
docs/features/phase-65-writeguard.md +139 -0
docs/features/phase-66-marketplace-commerce.md +79 -0
docs/features/phase-67-knowledge-ingestion-rag-autodraft.md +97 -0
docs/features/phase-68-enhanced-autodraft-pipeline.md +109 -0
docs/features/phase-69-proposalai-marketplace-module.md +131 -0
docs/features/phase-70-databridge.md +214 -0
docs/features/phase-71-databridge-messaging.md +102 -0
docs/implementation-plan-architecture-evolution.md +614 -0
docs/marketplace/CONTRIBUTING.md +124 -0
docs/marketplace/module_manifest_schema.yaml +83 -0
docs/research/ai-architecture-patterns-2024-2026.md +1236 -0
docs/research/app-builder-platform-analysis.md +582 -0
docs/research/architecture-patterns-c4-ddd-agentic.md +871 -0
docs/research/flowable-boat-competitive-analysis.md +426 -0
docs/research/modern-dev-practices-2024-2026.md +1615 -0
docs/research/secure-by-design-cloudyrion-adaptation.md +270 -0
goals/agent_management.md +144 -0
goals/ai_accountability.md +90 -0
goals/ai_narratives.md +79 -0
goals/ai_transparency.md +76 -0
goals/ato_simulator.md +78 -0
goals/audit_engine.md +177 -0
goals/bite_sized_plans.md +225 -0
goals/boundary_supply_chain.md +206 -0
goals/brainstorming_gate.md +186 -0
goals/build_app.md +604 -0
goals/cato_live_evidence.md +77 -0
goals/cloudforge.md +106 -0
goals/code_intelligence.md +197 -0
goals/compliance_workflow.md +858 -0
goals/connector_forge.md +133 -0
goals/databridge.md +128 -0
goals/deploy_workflow.md +390 -0
goals/developer_scorecard.md +78 -0
goals/devsecops_workflow.md +408 -0
goals/firmware_sbom.md +79 -0
goals/forge_hub.md +78 -0
goals/golden_path.md +77 -0
goals/harness_engineering.md +91 -0
goals/integration_testing.md +189 -0
goals/knowledge_graph.md +128 -0
goals/maintenance_audit.md +196 -0
goals/manifest.md +50 -0
goals/monitoring.md +126 -0
goals/mosa_workflow.md +463 -0
goals/multi_agent_orchestration.md +68 -0
goals/observability_traceability_xai.md +154 -0
goals/owasp_agentic_security.md +395 -0
goals/pr_intelligence.md +78 -0
goals/requirements_intake.md +213 -0
goals/secure_by_design.md +135 -0
goals/security_scan.md +381 -0
goals/self_healing.md +120 -0
goals/simulation_engine.md +111 -0
goals/subagent_review.md +205 -0
goals/systematic_debugging.md +257 -0
goals/tdd_workflow.md +403 -0
goals/template_exchange.md +77 -0
goals/thread_heatmap.md +77 -0
goals/threat_modeler.md +77 -0
goals/verification_iron_law.md +192 -0
goals/vsm_dashboard.md +76 -0
goals/writeguard.md +89 -0
goals/zero_trust_architecture.md +403 -0
hardprompts/__init__.py +6 -0
hardprompts/agent/__init__.py +6 -0
hardprompts/agent/agentic_architect.md +100 -0
hardprompts/agent/debate_prompt.md +32 -0
hardprompts/agent/fitness_evaluation.md +48 -0
hardprompts/agent/governance_review.md +214 -0
hardprompts/agent/reviewer_prompt.md +34 -0
hardprompts/agent/skill_design.md +172 -0
hardprompts/agent/task_decomposition.md +275 -0
hardprompts/agent/veto_check_prompt.md +33 -0
hardprompts/architect/__init__.py +6 -0
hardprompts/architect/api_design.md +283 -0
hardprompts/architect/data_model.md +277 -0
hardprompts/architect/system_design.md +180 -0
hardprompts/builder/__init__.py +6 -0
hardprompts/builder/code_generation.md +59 -0
hardprompts/builder/refactor.md +58 -0
hardprompts/builder/scaffold_project.md +69 -0
hardprompts/builder/test_generation.md +87 -0
hardprompts/ci/__init__.py +6 -0
hardprompts/ci/worktree_setup.md +35 -0
hardprompts/compliance/__init__.py +6 -0
hardprompts/compliance/cmmc_assessment.md +63 -0
hardprompts/compliance/cssp_assessment.md +75 -0
hardprompts/compliance/cui_marking.md +86 -0
hardprompts/compliance/fedramp_assessment.md +55 -0
hardprompts/compliance/ivv_assessment.md +96 -0
hardprompts/compliance/poam_generation.md +57 -0
hardprompts/compliance/sbd_assessment.md +101 -0
hardprompts/compliance/security_categorization.md +74 -0
hardprompts/compliance/ssp_generation.md +56 -0
hardprompts/compliance/stig_evaluation.md +63 -0
hardprompts/dashboard/__init__.py +6 -0
hardprompts/dashboard/nlq_system_prompt.md +26 -0
hardprompts/infra/__init__.py +6 -0
hardprompts/infra/k8s_manifests.md +118 -0
hardprompts/infra/pipeline_generation.md +160 -0
hardprompts/infra/terraform_generation.md +92 -0
hardprompts/integration/__init__.py +6 -0
hardprompts/integration/approval_review.md +17 -0
hardprompts/integration/jira_mapping.md +25 -0
hardprompts/integration/servicenow_mapping.md +14 -0
hardprompts/knowledge/__init__.py +6 -0
hardprompts/knowledge/pattern_detection.md +73 -0
hardprompts/knowledge/recommendation_engine.md +90 -0
hardprompts/knowledge/root_cause_analysis.md +91 -0
hardprompts/maintenance/__init__.py +6 -0
hardprompts/maintenance/maintenance_assessment.md +82 -0
hardprompts/mbse/__init__.py +6 -0
hardprompts/mbse/digital_thread.md +67 -0
hardprompts/mbse/model_import.md +62 -0
hardprompts/mbse/model_to_code.md +65 -0
hardprompts/modernization/__init__.py +6 -0
hardprompts/modernization/legacy_analysis.md +93 -0
hardprompts/modernization/migration_planning.md +150 -0
hardprompts/modernization/seven_r_assessment.md +107 -0
hardprompts/proposal_draft.md +53 -0
hardprompts/rag_citation.md +12 -0
hardprompts/rag_rerank.md +31 -0
hardprompts/requirements/__init__.py +6 -0
hardprompts/requirements/bdd_generation.md +35 -0
hardprompts/requirements/clarification_prioritization.md +29 -0
hardprompts/requirements/decomposition.md +60 -0
hardprompts/requirements/document_extraction.md +45 -0
hardprompts/requirements/gap_detection.md +70 -0
hardprompts/requirements/intake_conversation.md +101 -0
hardprompts/requirements/readiness_assessment.md +39 -0
hardprompts/requirements/spec_quality.md +33 -0
hardprompts/requirements/traceability_analysis.md +23 -0
hardprompts/security/__init__.py +6 -0
hardprompts/security/endpoint_security.md +78 -0
hardprompts/security/threat_model.md +70 -0
hardprompts/security/vulnerability_assessment.md +81 -0
hardprompts/simulation/__init__.py +6 -0
hardprompts/simulation/architecture_impact.md +27 -0
hardprompts/simulation/coa_alternative.md +27 -0
hardprompts/simulation/coa_generation.md +25 -0
hardprompts/simulation/compliance_impact.md +28 -0
hardprompts/simulation/cost_estimation.md +33 -0
hardprompts/simulation/risk_assessment.md +28 -0
hardprompts/translation/code_translation.md +68 -0
hardprompts/translation/dependency_suggestion.md +44 -0
hardprompts/translation/test_translation.md +64 -0
hardprompts/translation/translation_repair.md +59 -0
icdev-0.0.3.dist-info/METADATA +909 -0
icdev-0.0.3.dist-info/RECORD +1214 -0
icdev-0.0.3.dist-info/WHEEL +5 -0
icdev-0.0.3.dist-info/entry_points.txt +9 -0
icdev-0.0.3.dist-info/licenses/LICENSE +201 -0
icdev-0.0.3.dist-info/licenses/NOTICE +11 -0
icdev-0.0.3.dist-info/top_level.txt +7 -0
memory/MEMORY.md +52 -0
memory/logs/2026-02-14.md +17 -0
memory/logs/2026-03-03.md +2 -0
memory/logs/__init__.py +1 -0
tools/a2a/icdev_callback_client.py +210 -0
tools/agent/cards/architect_card.json +29 -0
tools/agent/cards/builder_card.json +34 -0
tools/agent/cards/compliance_card.json +29 -0
tools/agent/cards/connector_forge_card.json +49 -0
tools/agent/cards/devsecops_zta_card.json +24 -0
tools/agent/cards/knowledge_card.json +29 -0
tools/agent/cards/monitor_card.json +29 -0
tools/agent/cards/orchestrator_card.json +29 -0
tools/agent/cards/requirements_analyst_card.json +24 -0
tools/agent/cards/security_card.json +29 -0
tools/agent/cards/simulation_card.json +24 -0
tools/agent/cards/supply_chain_card.json +24 -0
tools/analysis/__init__.py +1 -0
tools/analysis/code_analyzer.py +770 -0
tools/analysis/runtime_feedback.py +379 -0
tools/analytics/__init__.py +2 -0
tools/analytics/scorecard.py +538 -0
tools/analytics/vsm_engine.py +612 -0
tools/architecture/__init__.py +2 -0
tools/architecture/adr_extractor.py +393 -0
tools/audit/__init__.py +1 -0
tools/audit/audit_logger.py +199 -0
tools/audit/audit_query.py +153 -0
tools/audit/decision_recorder.py +73 -0
tools/audit_engine/__init__.py +12 -0
tools/audit_engine/ai_advisor.py +906 -0
tools/audit_engine/cli.py +286 -0
tools/audit_engine/comparator.py +305 -0
tools/audit_engine/eject_scaffolder.py +399 -0
tools/audit_engine/engine.py +614 -0
tools/audit_engine/git_fetcher.py +341 -0
tools/audit_engine/regime_loader.py +200 -0
tools/audit_engine/regime_updater.py +325 -0
tools/audit_engine/report_card.py +289 -0
tools/audit_engine/scanner.py +684 -0
tools/audit_engine/self_heal.py +1042 -0
tools/ci/__init__.py +2 -0
tools/ci/connectors/__init__.py +2 -0
tools/ci/connectors/base_connector.py +80 -0
tools/ci/connectors/connector_registry.py +188 -0
tools/ci/connectors/mattermost_connector.py +159 -0
tools/ci/connectors/slack_connector.py +197 -0
tools/ci/core/__init__.py +2 -0
tools/ci/core/air_gap_detector.py +115 -0
tools/ci/core/comment_handler.py +192 -0
tools/ci/core/conversation_manager.py +480 -0
tools/ci/core/event_envelope.py +500 -0
tools/ci/core/event_router.py +444 -0
tools/ci/core/failure_parser.py +397 -0
tools/ci/core/recovery_engine.py +527 -0
tools/ci/gate_enforcer.py +361 -0
tools/ci/modules/__init__.py +2 -0
tools/ci/modules/agent.py +271 -0
tools/ci/modules/git_ops.py +175 -0
tools/ci/modules/state.py +117 -0
tools/ci/modules/vcs.py +303 -0
tools/ci/modules/workflow_ops.py +295 -0
tools/ci/modules/worktree.py +337 -0
tools/ci/pipeline_config_generator.py +558 -0
tools/ci/pr_intelligence.py +485 -0
tools/ci/triggers/__init__.py +2 -0
tools/ci/triggers/gitlab_task_monitor.py +327 -0
tools/ci/triggers/poll_trigger.py +237 -0
tools/ci/triggers/webhook_server.py +356 -0
tools/ci/workflows/__init__.py +2 -0
tools/ci/workflows/icdev_build.py +140 -0
tools/ci/workflows/icdev_comply.py +284 -0
tools/ci/workflows/icdev_document.py +152 -0
tools/ci/workflows/icdev_e2e.py +188 -0
tools/ci/workflows/icdev_patch.py +186 -0
tools/ci/workflows/icdev_plan.py +202 -0
tools/ci/workflows/icdev_plan_build.py +41 -0
tools/ci/workflows/icdev_plan_build_test.py +46 -0
tools/ci/workflows/icdev_plan_build_test_review.py +47 -0
tools/ci/workflows/icdev_review.py +126 -0
tools/ci/workflows/icdev_sdlc.py +261 -0
tools/ci/workflows/icdev_test.py +240 -0
tools/cli/__init__.py +1 -0
tools/cli/output_formatter.py +756 -0
tools/cloudforge/__init__.py +12 -0
tools/cloudforge/airgap/__init__.py +2 -0
tools/cloudforge/airgap/il_classifier.py +70 -0
tools/cloudforge/airgap/offline_validator.py +42 -0
tools/cloudforge/airgap/shift_emulator.py +155 -0
tools/cloudforge/airgap/sneakernet.py +91 -0
tools/cloudforge/cd_hub/__init__.py +2 -0
tools/cloudforge/cd_hub/canary_deployer.py +88 -0
tools/cloudforge/cd_hub/gitops_renderer.py +123 -0
tools/cloudforge/cd_hub/hub_controller.py +143 -0
tools/cloudforge/cd_hub/pipeline_bridge.py +30 -0
tools/cloudforge/cd_hub/rollback_engine.py +29 -0
tools/cloudforge/cd_hub/spoke_agent.py +51 -0
tools/cloudforge/compliance/__init__.py +2 -0
tools/cloudforge/compliance/ato_accelerator.py +272 -0
tools/cloudforge/compliance/control_inheritor.py +127 -0
tools/cloudforge/compliance/evidence_generator.py +129 -0
tools/cloudforge/compliance/poam_bridge.py +41 -0
tools/cloudforge/compliance/ssp_bridge.py +52 -0
tools/cloudforge/compliance/stig_bridge.py +41 -0
tools/cloudforge/container_forge/__init__.py +2 -0
tools/cloudforge/container_forge/bigbang_renderer.py +85 -0
tools/cloudforge/container_forge/hardener.py +169 -0
tools/cloudforge/container_forge/image_scanner_bridge.py +33 -0
tools/cloudforge/container_forge/runtime_policy.py +87 -0
tools/cloudforge/container_forge/sbom_bridge.py +42 -0
tools/cloudforge/finops/__init__.py +2 -0
tools/cloudforge/finops/anomaly_detector.py +78 -0
tools/cloudforge/finops/budget_tracker.py +96 -0
tools/cloudforge/finops/chargeback.py +69 -0
tools/cloudforge/finops/cost_collector.py +141 -0
tools/cloudforge/finops/optimizer.py +55 -0
tools/cloudforge/hybrid/__init__.py +2 -0
tools/cloudforge/hybrid/connection_manager.py +141 -0
tools/cloudforge/hybrid/dns_federator.py +56 -0
tools/cloudforge/hybrid/health_monitor.py +108 -0
tools/cloudforge/hybrid/identity_federator.py +53 -0
tools/cloudforge/hybrid/network_bridge.py +68 -0
tools/cloudforge/hybrid/topology_manager.py +147 -0
tools/cloudforge/hybrid/workload_abstractor.py +92 -0
tools/cloudforge/iac/__init__.py +2 -0
tools/cloudforge/iac/drift_detector.py +154 -0
tools/cloudforge/iac/module_library.py +265 -0
tools/cloudforge/iac/opentofu_adapter.py +89 -0
tools/cloudforge/iac/pulumi_renderer.py +292 -0
tools/cloudforge/iac/state_backend.py +146 -0
tools/cloudforge/iac/terraform_renderer.py +626 -0
tools/cloudforge/landing_zone/__init__.py +2 -0
tools/cloudforge/landing_zone/blueprint_loader.py +98 -0
tools/cloudforge/landing_zone/blueprint_validator.py +113 -0
tools/cloudforge/landing_zone/zone_provisioner.py +306 -0
tools/cloudforge/landing_zone/zone_state.py +143 -0
tools/cloudforge/mbse_thread/__init__.py +2 -0
tools/cloudforge/mbse_thread/ato_thread_weaver.py +111 -0
tools/cloudforge/mbse_thread/control_tracer.py +68 -0
tools/cloudforge/mbse_thread/system_boundary.py +83 -0
tools/cloudforge/metastore/__init__.py +2 -0
tools/cloudforge/metastore/dependency_graph.py +202 -0
tools/cloudforge/metastore/discovery.py +192 -0
tools/cloudforge/metastore/registry.py +185 -0
tools/cloudforge/metastore/rto_tracker.py +92 -0
tools/cloudforge/metastore/runbook_linker.py +82 -0
tools/cloudforge/migration/__init__.py +2 -0
tools/cloudforge/migration/assessor.py +187 -0
tools/cloudforge/migration/cutover_orchestrator.py +117 -0
tools/cloudforge/migration/databridge_bridge.py +92 -0
tools/cloudforge/migration/planner.py +98 -0
tools/cloudforge/migration/risk_scorer.py +97 -0
tools/cloudforge/migration/validation_runner.py +45 -0
tools/cloudforge/migration/workload_inventory.py +107 -0
tools/cloudforge/provider.py +319 -0
tools/cloudforge/providers/__init__.py +2 -0
tools/cloudforge/providers/aws_commercial.py +92 -0
tools/cloudforge/providers/aws_govcloud.py +229 -0
tools/cloudforge/providers/aws_secret.py +83 -0
tools/cloudforge/providers/azure_commercial.py +80 -0
tools/cloudforge/providers/azure_gov.py +91 -0
tools/cloudforge/providers/azure_secret.py +71 -0
tools/cloudforge/providers/gcp.py +102 -0
tools/cloudforge/providers/oci.py +102 -0
tools/cloudforge/registry.py +140 -0
tools/cloudforge/runbooks/__init__.py +2 -0
tools/cloudforge/runbooks/ai_generator.py +119 -0
tools/cloudforge/runbooks/dag_validator.py +219 -0
tools/cloudforge/runbooks/engine.py +470 -0
tools/cloudforge/runbooks/models.py +99 -0
tools/cloudforge/runbooks/snippet_library.py +158 -0
tools/cloudforge/runbooks/template_loader.py +122 -0
tools/cloudforge/runbooks/visualization.py +108 -0
tools/cloudforge/siem/__init__.py +2 -0
tools/cloudforge/siem/alert_rules.py +86 -0
tools/cloudforge/siem/correlation_engine.py +61 -0
tools/cloudforge/siem/log_aggregator.py +113 -0
tools/cloudforge/siem/siem_dashboard_data.py +28 -0
tools/cloudforge/supply_chain/__init__.py +2 -0
tools/cloudforge/supply_chain/bridge.py +33 -0
tools/cloudforge/supply_chain/iac_dependency_scanner.py +36 -0
tools/cloudforge/supply_chain/provider_trust_scorer.py +54 -0
tools/compat/__init__.py +21 -0
tools/compat/cli_harmonizer.py +251 -0
tools/compat/datetime_utils.py +18 -0
tools/compat/db_utils.py +190 -0
tools/compat/platform_utils.py +123 -0
tools/compliance/__init__.py +1 -0
tools/compliance/accountability_manager.py +391 -0
tools/compliance/ai_accountability_audit.py +287 -0
tools/compliance/ai_impact_assessor.py +267 -0
tools/compliance/ai_incident_response.py +295 -0
tools/compliance/ai_inventory_manager.py +233 -0
tools/compliance/ai_reassessment_scheduler.py +250 -0
tools/compliance/ai_transparency_audit.py +247 -0
tools/compliance/atlas_assessor.py +276 -0
tools/compliance/atlas_report_generator.py +1199 -0
tools/compliance/base_assessor.py +591 -0
tools/compliance/cato_live_engine.py +607 -0
tools/compliance/cato_monitor.py +1371 -0
tools/compliance/cato_scheduler.py +698 -0
tools/compliance/cjis_assessor.py +76 -0
tools/compliance/classification_manager.py +1340 -0
tools/compliance/cmmc_assessor.py +1478 -0
tools/compliance/cmmc_report_generator.py +1087 -0
tools/compliance/compliance_detector.py +452 -0
tools/compliance/compliance_exporter.py +418 -0
tools/compliance/compliance_status.py +810 -0
tools/compliance/control_mapper.py +488 -0
tools/compliance/crosswalk_engine.py +1208 -0
tools/compliance/cssp_assessor.py +1032 -0
tools/compliance/cssp_evidence_collector.py +716 -0
tools/compliance/cssp_report_generator.py +1103 -0
tools/compliance/cui_marker.py +387 -0
tools/compliance/diagram_validator.py +599 -0
tools/compliance/emass/__init__.py +2 -0
tools/compliance/emass/emass_client.py +822 -0
tools/compliance/emass/emass_export.py +758 -0
tools/compliance/emass/emass_sync.py +807 -0
tools/compliance/eu_ai_act_classifier.py +193 -0
tools/compliance/evidence_collector.py +459 -0
tools/compliance/fairness_assessor.py +310 -0
tools/compliance/fedramp_20x_ksi_emitter.py +692 -0
tools/compliance/fedramp_assessor.py +1795 -0
tools/compliance/fedramp_authorization_packager.py +137 -0
tools/compliance/fedramp_ksi_generator.py +349 -0
tools/compliance/fedramp_report_generator.py +1115 -0
tools/compliance/fips199_categorizer.py +869 -0
tools/compliance/fips200_validator.py +304 -0
tools/compliance/firmware_sbom.py +646 -0
tools/compliance/gao_ai_assessor.py +228 -0
tools/compliance/gao_evidence_builder.py +302 -0
tools/compliance/hipaa_assessor.py +78 -0
tools/compliance/hitrust_assessor.py +49 -0
tools/compliance/incident_response_plan.py +705 -0
tools/compliance/inheritance_engine.py +693 -0
tools/compliance/iso27001_assessor.py +92 -0
tools/compliance/iso42001_assessor.py +114 -0
tools/compliance/ivv_assessor.py +2314 -0
tools/compliance/ivv_report_generator.py +1649 -0
tools/compliance/model_card_generator.py +291 -0
tools/compliance/mosa_assessor.py +117 -0
tools/compliance/multi_regime_assessor.py +441 -0
tools/compliance/narrative_generator.py +1012 -0
tools/compliance/narrative_quality_gate.py +701 -0
tools/compliance/narrative_workflow.py +814 -0
tools/compliance/nist_800_207_assessor.py +191 -0
tools/compliance/nist_ai_600_1_assessor.py +185 -0
tools/compliance/nist_ai_rmf_assessor.py +110 -0
tools/compliance/nist_lookup.py +244 -0
tools/compliance/omb_m25_21_assessor.py +225 -0
tools/compliance/omb_m26_04_assessor.py +185 -0
tools/compliance/oscal_catalog_adapter.py +395 -0
tools/compliance/oscal_generator.py +2157 -0
tools/compliance/oscal_tools.py +1182 -0
tools/compliance/oscal_validator.py +692 -0
tools/compliance/owasp_agentic_assessor.py +227 -0
tools/compliance/owasp_asi_assessor.py +197 -0
tools/compliance/owasp_llm_assessor.py +245 -0
tools/compliance/pci_dss_assessor.py +80 -0
tools/compliance/pi_compliance_tracker.py +1447 -0
tools/compliance/poam_generator.py +388 -0
tools/compliance/resolve_marking.py +272 -0
tools/compliance/sbd_assessor.py +2070 -0
tools/compliance/sbd_report_generator.py +1223 -0
tools/compliance/sbom_generator.py +993 -0
tools/compliance/siem_config_generator.py +661 -0
tools/compliance/slsa_attestation_generator.py +479 -0
tools/compliance/soc2_assessor.py +77 -0
tools/compliance/ssp_generator.py +556 -0
tools/compliance/stig_checker.py +712 -0
tools/compliance/swft_evidence_bundler.py +326 -0
tools/compliance/system_card_generator.py +303 -0
tools/compliance/template_exchange.py +513 -0
tools/compliance/traceability_matrix.py +1268 -0
tools/compliance/universal_classification_manager.py +1159 -0
tools/compliance/xacta/__init__.py +2 -0
tools/compliance/xacta/xacta_client.py +438 -0
tools/compliance/xacta/xacta_export.py +546 -0
tools/compliance/xacta/xacta_sync.py +322 -0
tools/compliance/xai_assessor.py +231 -0
tools/core/__init__.py +2 -0
tools/core/circuit_breaker.py +353 -0
tools/core/compliance_sidecar.py +344 -0
tools/core/container.py +110 -0
tools/core/errors.py +256 -0
tools/core/feature_flags.py +311 -0
tools/core/task_dlq.py +350 -0
tools/dashboard/__init__.py +2 -0
tools/dashboard/app.py +6288 -0
tools/dashboard/templates/agent_evolution.html +287 -0
tools/dashboard/templates/agents/list.html +71 -0
tools/dashboard/templates/agents.html +132 -0
tools/dashboard/templates/architecture.html +289 -0
tools/dashboard/templates/ato_simulator.html +170 -0
tools/dashboard/templates/audit_engine.html +844 -0
tools/dashboard/templates/base.html +236 -0
tools/dashboard/templates/cato_live.html +116 -0
tools/dashboard/templates/cloudforge.html +195 -0
tools/dashboard/templates/cloudforge_finops.html +111 -0
tools/dashboard/templates/cloudforge_hybrid.html +122 -0
tools/dashboard/templates/cloudforge_metastore.html +234 -0
tools/dashboard/templates/cloudforge_migration.html +87 -0
tools/dashboard/templates/cloudforge_runbooks.html +201 -0
tools/dashboard/templates/cloudforge_siem.html +94 -0
tools/dashboard/templates/compliance_accel.html +292 -0
tools/dashboard/templates/crashes.html +122 -0
tools/dashboard/templates/databridge.html +305 -0
tools/dashboard/templates/databridge_analytics.html +195 -0
tools/dashboard/templates/databridge_mapping.html +345 -0
tools/dashboard/templates/databridge_messaging.html +321 -0
tools/dashboard/templates/decisions.html +258 -0
tools/dashboard/templates/devices.html +151 -0
tools/dashboard/templates/devsecops_maturity.html +278 -0
tools/dashboard/templates/edge_ai.html +128 -0
tools/dashboard/templates/firmware.html +120 -0
tools/dashboard/templates/firmware_sbom.html +193 -0
tools/dashboard/templates/forge_hub.html +196 -0
tools/dashboard/templates/forge_studio.html +379 -0
tools/dashboard/templates/forge_studio_analytics.html +360 -0
tools/dashboard/templates/forge_studio_builder.html +1637 -0
tools/dashboard/templates/forge_studio_compliance.html +310 -0
tools/dashboard/templates/forge_studio_deploy.html +573 -0
tools/dashboard/templates/forge_studio_enterprise.html +888 -0
tools/dashboard/templates/forge_studio_marketplace.html +502 -0
tools/dashboard/templates/forge_studio_workflow.html +696 -0
tools/dashboard/templates/golden_path.html +175 -0
tools/dashboard/templates/govcon.html +280 -0
tools/dashboard/templates/harness.html +148 -0
tools/dashboard/templates/index.html +207 -0
tools/dashboard/templates/intelligence.html +336 -0
tools/dashboard/templates/knowledge/index.html +190 -0
tools/dashboard/templates/knowledge_graph.html +739 -0
tools/dashboard/templates/login.html +51 -0
tools/dashboard/templates/marketplace.html +336 -0
tools/dashboard/templates/marketplace_admin.html +247 -0
tools/dashboard/templates/missions.html +403 -0
tools/dashboard/templates/narratives.html +154 -0
tools/dashboard/templates/pr_intelligence.html +151 -0
tools/dashboard/templates/proposals/detail.html +300 -0
tools/dashboard/templates/proposals/list.html +52 -0
tools/dashboard/templates/proposals/sam_detail.html +132 -0
tools/dashboard/templates/proposals/section_detail.html +375 -0
tools/dashboard/templates/research.html +222 -0
tools/dashboard/templates/resilience.html +300 -0
tools/dashboard/templates/scorecard.html +162 -0
tools/dashboard/templates/simulator.html +131 -0
tools/dashboard/templates/template_exchange.html +147 -0
tools/dashboard/templates/thread_heatmap.html +151 -0
tools/dashboard/templates/threat_model.html +195 -0
tools/dashboard/templates/vsm.html +141 -0
tools/dashboard/templates/writeguard.html +277 -0
tools/databridge/__init__.py +5 -0
tools/databridge/agent/__init__.py +2 -0
tools/databridge/agent/daemon.py +227 -0
tools/databridge/agent/tunnel.py +101 -0
tools/databridge/agent/ws_relay.py +91 -0
tools/databridge/analytics.py +167 -0
tools/databridge/arrow_pipeline.py +327 -0
tools/databridge/connection_manager.py +424 -0
tools/databridge/connector.py +331 -0
tools/databridge/connectors/__init__.py +2 -0
tools/databridge/connectors/argocd_connector.py +160 -0
tools/databridge/connectors/avro_connector.py +203 -0
tools/databridge/connectors/azure_blob.py +63 -0
tools/databridge/connectors/cdc_connector.py +205 -0
tools/databridge/connectors/csv_connector.py +172 -0
tools/databridge/connectors/datadog_connector.py +153 -0
tools/databridge/connectors/discord_messaging.py +215 -0
tools/databridge/connectors/dynamics365.py +151 -0
tools/databridge/connectors/elasticsearch_connector.py +145 -0
tools/databridge/connectors/email_base.py +114 -0
tools/databridge/connectors/excel_connector.py +175 -0
tools/databridge/connectors/fsspec_base.py +300 -0
tools/databridge/connectors/gcs.py +53 -0
tools/databridge/connectors/github_connector.py +138 -0
tools/databridge/connectors/gitlab_connector.py +132 -0
tools/databridge/connectors/gmail_connector.py +182 -0
tools/databridge/connectors/hdfs.py +57 -0
tools/databridge/connectors/health_base.py +401 -0
tools/databridge/connectors/hubspot.py +124 -0
tools/databridge/connectors/imap_connector.py +171 -0
tools/databridge/connectors/jenkins_connector.py +138 -0
tools/databridge/connectors/jira_connector.py +86 -0
tools/databridge/connectors/json_connector.py +184 -0
tools/databridge/connectors/kafka_connector.py +246 -0
tools/databridge/connectors/kinesis_connector.py +238 -0
tools/databridge/connectors/local_fs.py +30 -0
tools/databridge/connectors/matrix.py +197 -0
tools/databridge/connectors/mattermost_messaging.py +184 -0
tools/databridge/connectors/messaging_base.py +172 -0
tools/databridge/connectors/mssql.py +63 -0
tools/databridge/connectors/mysql.py +57 -0
tools/databridge/connectors/netsuite.py +170 -0
tools/databridge/connectors/o365_mail.py +196 -0
tools/databridge/connectors/oracle.py +65 -0
tools/databridge/connectors/pagerduty_connector.py +162 -0
tools/databridge/connectors/parquet_connector.py +131 -0
tools/databridge/connectors/postgresql.py +58 -0
tools/databridge/connectors/s3.py +65 -0
tools/databridge/connectors/saas_base.py +198 -0
tools/databridge/connectors/salesforce.py +126 -0
tools/databridge/connectors/sap.py +89 -0
tools/databridge/connectors/servicenow.py +60 -0
tools/databridge/connectors/signal_messaging.py +150 -0
tools/databridge/connectors/slack_messaging.py +203 -0
tools/databridge/connectors/smtp_connector.py +126 -0
tools/databridge/connectors/soap_base.py +258 -0
tools/databridge/connectors/splunk_connector.py +171 -0
tools/databridge/connectors/sql_base.py +310 -0
tools/databridge/connectors/sqlite_connector.py +76 -0
tools/databridge/connectors/teams.py +148 -0
tools/databridge/connectors/telegram.py +192 -0
tools/databridge/connectors/whatsapp.py +137 -0
tools/databridge/data_profiler.py +99 -0
tools/databridge/forge/__init__.py +6 -0
tools/databridge/forge/base_selector.py +150 -0
tools/databridge/forge/code_generator.py +206 -0
tools/databridge/forge/community_hub.py +539 -0
tools/databridge/forge/forge_agent.py +306 -0
tools/databridge/forge/import_handler.py +133 -0
tools/databridge/forge/integration_tester.py +127 -0
tools/databridge/forge/marketplace_publisher.py +164 -0
tools/databridge/forge/promoter.py +159 -0
tools/databridge/forge/sandbox_manager.py +257 -0
tools/databridge/forge/spec_parser.py +358 -0
tools/databridge/forge/static_validator.py +363 -0
tools/databridge/forge/templates/__init__.py +591 -0
tools/databridge/format_converter.py +188 -0
tools/databridge/mapping_engine.py +348 -0
tools/databridge/messaging/__init__.py +5 -0
tools/databridge/messaging/agent_bridge.py +254 -0
tools/databridge/messaging/message_envelope.py +111 -0
tools/databridge/messaging/message_logger.py +204 -0
tools/databridge/messaging/messaging_daemon.py +326 -0
tools/databridge/messaging/oauth2_manager.py +411 -0
tools/databridge/pii_detector.py +221 -0
tools/databridge/registry.py +352 -0
tools/databridge/relay_server.py +105 -0
tools/databridge/scale/__init__.py +16 -0
tools/databridge/scale/backpressure.py +134 -0
tools/databridge/scale/chunked_pipeline.py +169 -0
tools/databridge/scale/connection_pool.py +293 -0
tools/databridge/scale/engine.py +492 -0
tools/databridge/scale/worker_pool.py +140 -0
tools/databridge/scale/write_batcher.py +250 -0
tools/databridge/schema_engine.py +324 -0
tools/databridge/stream_manager.py +225 -0
tools/databridge/sync_engine.py +411 -0
tools/databridge/transforms.py +302 -0
tools/db/__init__.py +1 -0
tools/db/backup.py +312 -0
tools/db/backup_manager.py +832 -0
tools/db/init_icdev_db.py +7753 -0
tools/db/init_sparkpilot_db.py +431 -0
tools/db/migrate.py +177 -0
tools/db/migrate_innovation_audit.py +165 -0
tools/db/migration_runner.py +548 -0
tools/db/migrations/001_baseline/meta.json +9 -0
tools/db/migrations/001_baseline/up.py +67 -0
tools/db/migrations/002_memory_enhancements/down.sql +8 -0
tools/db/migrations/002_memory_enhancements/meta.json +9 -0
tools/db/migrations/002_memory_enhancements/up.py +119 -0
tools/db/migrations/003_dev_profiles/meta.json +8 -0
tools/db/migrations/003_dev_profiles/up.py +93 -0
tools/db/migrations/004_innovation_engine/down.py +19 -0
tools/db/migrations/004_innovation_engine/up.py +227 -0
tools/db/migrations/005_phase_37_ai_security/down.py +19 -0
tools/db/migrations/005_phase_37_ai_security/up.py +257 -0
tools/db/migrations/006_phase_36_evolution/down.py +21 -0
tools/db/migrations/006_phase_36_evolution/up.py +323 -0
tools/db/migrations/007_phase_38_cloud/down.py +14 -0
tools/db/migrations/007_phase_38_cloud/up.py +110 -0
tools/db/migrations/008_phase36_37_integration/up.py +55 -0
tools/db/migrations/__init__.py +2 -0
tools/db/pg_migrate.py +642 -0
tools/db/storage.py +1080 -0
tools/decisions/__init__.py +2 -0
tools/decisions/dmn_engine.py +695 -0
tools/devsecops/__init__.py +2 -0
tools/devsecops/attestation_manager.py +449 -0
tools/devsecops/network_segmentation_generator.py +604 -0
tools/devsecops/pdp_config_generator.py +1246 -0
tools/devsecops/pipeline_security_generator.py +475 -0
tools/devsecops/policy_generator.py +644 -0
tools/devsecops/profile_manager.py +374 -0
tools/devsecops/service_mesh_generator.py +1063 -0
tools/devsecops/zta_maturity_scorer.py +355 -0
tools/devsecops/zta_terraform_generator.py +1301 -0
tools/edge_ai/__init__.py +2 -0
tools/edge_ai/model_manager.py +200 -0
tools/embedded/__init__.py +2 -0
tools/embedded/cmake_generator.py +318 -0
tools/embedded/crash_analyzer.py +191 -0
tools/embedded/nl_to_firmware.py +277 -0
tools/events/__init__.py +1 -0
tools/events/event_bus.py +199 -0
tools/finetune/pair_generator.py +832 -0
tools/fleet/__init__.py +2 -0
tools/fleet/device_registry.py +148 -0
tools/fleet/ota_manager.py +153 -0
tools/forge_studio/__init__.py +13 -0
tools/forge_studio/analytics/__init__.py +0 -0
tools/forge_studio/analytics/process_miner.py +383 -0
tools/forge_studio/audit.py +183 -0
tools/forge_studio/blueprint/__init__.py +2 -0
tools/forge_studio/blueprint/build_tracker.py +317 -0
tools/forge_studio/blueprint/export_engine.py +441 -0
tools/forge_studio/blueprint/parent_client.py +335 -0
tools/forge_studio/catalog/__init__.py +2 -0
tools/forge_studio/catalog/component_registry.py +176 -0
tools/forge_studio/catalog/schema_validator.py +193 -0
tools/forge_studio/compliance/__init__.py +1 -0
tools/forge_studio/compliance/compliance_wiring.py +554 -0
tools/forge_studio/deploy/__init__.py +1 -0
tools/forge_studio/deploy/airgap_packager.py +466 -0
tools/forge_studio/deploy/deploy_engine.py +1792 -0
tools/forge_studio/deploy/env_manager.py +431 -0
tools/forge_studio/eject/__init__.py +2 -0
tools/forge_studio/eject/docker_compose_generator.py +237 -0
tools/forge_studio/eject/eject_engine.py +230 -0
tools/forge_studio/eject/expo_scaffolder.py +303 -0
tools/forge_studio/eject/nextjs_scaffolder.py +338 -0
tools/forge_studio/enterprise/__init__.py +0 -0
tools/forge_studio/enterprise/custom_frameworks.py +826 -0
tools/forge_studio/enterprise/hardening_engine.py +1530 -0
tools/forge_studio/enterprise/sso_manager.py +718 -0
tools/forge_studio/enterprise/whitelabel_engine.py +887 -0
tools/forge_studio/formula/__init__.py +0 -0
tools/forge_studio/formula/expression_engine.py +562 -0
tools/forge_studio/formula/formula_registry.py +265 -0
tools/forge_studio/generator/__init__.py +2 -0
tools/forge_studio/generator/app_generator.py +584 -0
tools/forge_studio/generator/complexity_detector.py +368 -0
tools/forge_studio/generator/prompt_templates.py +104 -0
tools/forge_studio/generator/spec_builder.py +192 -0
tools/forge_studio/intake_bridge.py +898 -0
tools/forge_studio/marketplace/__init__.py +0 -0
tools/forge_studio/marketplace/component_hub.py +428 -0
tools/forge_studio/models.py +369 -0
tools/forge_studio/renderer/__init__.py +2 -0
tools/forge_studio/renderer/json_render_engine.py +623 -0
tools/forge_studio/renderer/layout_engine.py +214 -0
tools/forge_studio/renderer/rn_component_map.py +182 -0
tools/forge_studio/supabase/__init__.py +2 -0
tools/forge_studio/supabase/auth_generator.py +283 -0
tools/forge_studio/supabase/migration_generator.py +93 -0
tools/forge_studio/supabase/schema_generator.py +281 -0
tools/forge_studio/tenant_manager.py +387 -0
tools/forge_studio/workflow/__init__.py +2 -0
tools/forge_studio/workflow/bpmn_adapter.py +489 -0
tools/govcon/draft_orchestrator.py +1151 -0
tools/govcon/engine_enrichment.py +373 -0
tools/govcon/knowledge_base.py +487 -0
tools/govcon/knowledge_ingestion.py +510 -0
tools/govcon/sam_scanner.py +754 -0
tools/harness/__init__.py +6 -0
tools/harness/exit_criteria_evaluator.py +231 -0
tools/harness/maturity_assessor.py +347 -0
tools/harness/scaffold_harness.py +416 -0
tools/harness/trace_analyzer.py +281 -0
tools/infra/__init__.py +1 -0
tools/infra/ansible_generator.py +867 -0
tools/infra/dockerfile_generator.py +359 -0
tools/infra/infra_status.py +384 -0
tools/infra/ironbank_metadata_generator.py +403 -0
tools/infra/k8s_generator.py +1000 -0
tools/infra/pipeline_generator.py +830 -0
tools/infra/rollback.py +389 -0
tools/infra/terraform_generator.py +1140 -0
tools/infra/terraform_generator_azure.py +1252 -0
tools/infra/terraform_generator_gcp.py +951 -0
tools/infra/terraform_generator_ibm.py +359 -0
tools/infra/terraform_generator_oci.py +918 -0
tools/infra/terraform_generator_onprem.py +318 -0
tools/knowledge/__init__.py +1 -0
tools/knowledge/knowledge_ingest.py +281 -0
tools/knowledge/pattern_detector.py +681 -0
tools/knowledge/recommendation_engine.py +449 -0
tools/knowledge/self_heal_analyzer.py +492 -0
tools/knowledge_graph/__init__.py +2 -0
tools/knowledge_graph/graph_rag.py +498 -0
tools/knowledge_graph/ingester.py +406 -0
tools/knowledge_graph/insight_generator.py +369 -0
tools/knowledge_graph/text_network.py +832 -0
tools/llm/__init__.py +72 -0
tools/llm/anthropic_provider.py +170 -0
tools/llm/azure_openai_provider.py +338 -0
tools/llm/bedrock_provider.py +315 -0
tools/llm/embedding_provider.py +438 -0
tools/llm/gemini_provider.py +381 -0
tools/llm/ibm_watsonx_provider.py +231 -0
tools/llm/oci_genai_provider.py +462 -0
tools/llm/ollama_provider.py +350 -0
tools/llm/openai_provider.py +225 -0
tools/llm/prompt_registry.py +447 -0
tools/llm/provider.py +355 -0
tools/llm/provider_sdk.py +175 -0
tools/llm/router.py +1124 -0
tools/llm/semantic_cache.py +394 -0
tools/llm/vertex_ai_provider.py +374 -0
tools/maintenance/__init__.py +2 -0
tools/maintenance/dependency_scanner.py +1016 -0
tools/maintenance/maintenance_auditor.py +804 -0
tools/maintenance/remediation_engine.py +957 -0
tools/maintenance/vulnerability_checker.py +978 -0
tools/manifest.md +1066 -0
tools/marketplace/asset_installer.py +639 -0
tools/marketplace/feedback_validator.py +359 -0
tools/marketplace/license_client.py +458 -0
tools/marketplace/module_crypto.py +544 -0
tools/marketplace/module_runtime.py +236 -0
tools/marketplace/token_store.py +264 -0
tools/mbse/__init__.py +3 -0
tools/mbse/des_assessor.py +1173 -0
tools/mbse/des_report_generator.py +787 -0
tools/mbse/diagram_extractor.py +792 -0
tools/mbse/digital_thread.py +1650 -0
tools/mbse/model_code_generator.py +1115 -0
tools/mbse/model_control_mapper.py +410 -0
tools/mbse/pi_model_tracker.py +1079 -0
tools/mbse/reqif_parser.py +1468 -0
tools/mbse/sync_engine.py +1789 -0
tools/mbse/thread_heatmap.py +445 -0
tools/mbse/xmi_parser.py +1558 -0
tools/mcp/builder_server.py +64 -0
tools/mcp/compliance_server.py +64 -0
tools/mcp/connector_forge_server.py +155 -0
tools/mcp/core_server.py +64 -0
tools/mcp/devsecops_server.py +11 -0
tools/mcp/devsecops_zta_server.py +64 -0
tools/mcp/knowledge_server.py +64 -0
tools/mcp/monitor_server.py +64 -0
tools/mcp/ops_server.py +300 -0
tools/mcp/requirements_analyst_server.py +64 -0
tools/mcp/requirements_server.py +11 -0
tools/mcp/security_server.py +64 -0
tools/mcp/simulation_server.py +64 -0
tools/mcp/supply_chain_server.py +64 -0
tools/mcp/tool_registry.py +299 -0
tools/memory/__init__.py +2 -0
tools/memory/auto_capture.py +346 -0
tools/memory/embed_memory.py +157 -0
tools/memory/history_compressor.py +334 -0
tools/memory/hybrid_search.py +235 -0
tools/memory/maintenance_cron.py +288 -0
tools/memory/memory_consolidation.py +439 -0
tools/memory/memory_db.py +132 -0
tools/memory/memory_read.py +101 -0
tools/memory/memory_write.py +221 -0
tools/memory/semantic_search.py +138 -0
tools/memory/time_decay.py +434 -0
tools/missions/__init__.py +2 -0
tools/missions/mission_engine.py +459 -0
tools/monitor/__init__.py +1 -0
tools/monitor/alert_correlator.py +486 -0
tools/monitor/auto_resolver.py +603 -0
tools/monitor/health_checker.py +507 -0
tools/monitor/heartbeat_daemon.py +779 -0
tools/monitor/log_analyzer.py +507 -0
tools/monitor/metric_collector.py +484 -0
tools/mosa/__init__.py +10 -0
tools/mosa/icd_generator.py +358 -0
tools/mosa/modular_design_analyzer.py +682 -0
tools/mosa/mosa_code_enforcer.py +348 -0
tools/mosa/tsp_generator.py +265 -0
tools/observability/__init__.py +100 -0
tools/observability/genai_attributes.py +88 -0
tools/observability/instrumentation.py +140 -0
tools/observability/mlflow_exporter.py +193 -0
tools/observability/otel_tracer.py +168 -0
tools/observability/provenance/__init__.py +3 -0
tools/observability/provenance/prov_recorder.py +322 -0
tools/observability/shap/__init__.py +3 -0
tools/observability/shap/agent_shap.py +274 -0
tools/observability/sqlite_tracer.py +360 -0
tools/observability/trace_context.py +205 -0
tools/observability/tracer.py +230 -0
tools/orchestration/__init__.py +1 -0
tools/orchestration/peer_channels.py +254 -0
tools/orchestration/saga_coordinator.py +390 -0
tools/project/__init__.py +1 -0
tools/project/manifest_loader.py +418 -0
tools/project/project_create.py +350 -0
tools/project/project_list.py +171 -0
tools/project/project_scaffold.py +1715 -0
tools/project/project_status.py +478 -0
tools/project/session_context_builder.py +752 -0
tools/project/validate_manifest.py +54 -0
tools/rag/corrective_rag.py +582 -0
tools/rag/source_registry.py +482 -0
tools/requirements/__init__.py +1 -0
tools/requirements/ai_governance_scorer.py +207 -0
tools/requirements/boundary_analyzer.py +1281 -0
tools/requirements/clarification_engine.py +605 -0
tools/requirements/complexity_scorer.py +369 -0
tools/requirements/consistency_analyzer.py +789 -0
tools/requirements/constitution_manager.py +592 -0
tools/requirements/decomposition_engine.py +764 -0
tools/requirements/document_extractor.py +1002 -0
tools/requirements/elicitation_techniques.py +508 -0
tools/requirements/gap_detector.py +260 -0
tools/requirements/intake_engine.py +2175 -0
tools/requirements/prd_generator.py +839 -0
tools/requirements/prd_validator.py +584 -0
tools/requirements/readiness_scorer.py +302 -0
tools/requirements/spec_organizer.py +1015 -0
tools/requirements/spec_quality_checker.py +1083 -0
tools/requirements/traceability_builder.py +566 -0
tools/research/__init__.py +3 -0
tools/research/academic_scanner.py +130 -0
tools/research/build_buy_analyzer.py +229 -0
tools/research/challenge_scorer.py +280 -0
tools/research/community_scanner.py +174 -0
tools/research/cross_engine_bridge.py +124 -0
tools/research/dossier_generator.py +305 -0
tools/research/landscape_scanner.py +315 -0
tools/research/regulatory_scanner.py +248 -0
tools/research/research_manager.py +469 -0
tools/research/source_scanner.py +150 -0
tools/research/vertical_loader.py +118 -0
tools/saas/__init__.py +0 -0
tools/saas/licensing/__init__.py +0 -0
tools/saas/licensing/license_validator.py +345 -0
tools/scaffold/__init__.py +2 -0
tools/scaffold/golden_path.py +504 -0
tools/security/__init__.py +1 -0
tools/security/agent_output_validator.py +330 -0
tools/security/agent_trust_scorer.py +652 -0
tools/security/ai_bom_generator.py +718 -0
tools/security/ai_telemetry_logger.py +469 -0
tools/security/atlas_red_team.py +541 -0
tools/security/code_pattern_scanner.py +382 -0
tools/security/confabulation_detector.py +265 -0
tools/security/container_scanner.py +489 -0
tools/security/dependency_auditor.py +942 -0
tools/security/endpoint_security_scanner.py +626 -0
tools/security/mcp_tool_authorizer.py +242 -0
tools/security/output_verifier.py +427 -0
tools/security/prompt_injection_detector.py +737 -0
tools/security/sast_runner.py +946 -0
tools/security/secret_detector.py +376 -0
tools/security/threat_modeler.py +678 -0
tools/security/tool_chain_validator.py +357 -0
tools/security/vuln_scanner.py +536 -0
tools/simulation/__init__.py +2 -0
tools/simulation/ato_simulator.py +517 -0
tools/simulation/coa_generator.py +1539 -0
tools/simulation/monte_carlo.py +745 -0
tools/simulation/scenario_manager.py +1060 -0
tools/simulation/simulation_engine.py +1091 -0
tools/simulator/__init__.py +2 -0
tools/simulator/sim_runner.py +272 -0
tools/supply_chain/__init__.py +2 -0
tools/supply_chain/cve_triager.py +690 -0
tools/supply_chain/dependency_graph.py +630 -0
tools/supply_chain/isa_manager.py +526 -0
tools/supply_chain/scrm_assessor.py +531 -0
tools/supply_chain/slsa_verifier.py +473 -0
tools/testing/__init__.py +2 -0
tools/testing/acceptance_validator.py +411 -0
tools/testing/api_surface_extractor.py +749 -0
tools/testing/claude_dir_validator.py +831 -0
tools/testing/data_types.py +199 -0
tools/testing/e2e_runner.py +715 -0
tools/testing/fuzz_cli.py +306 -0
tools/testing/health_check.py +483 -0
tools/testing/platform_check.py +143 -0
tools/testing/production_audit.py +1836 -0
tools/testing/production_remediate.py +803 -0
tools/testing/screenshot_validator.py +538 -0
tools/testing/smoke_test.py +283 -0
tools/testing/test_agent_models.py +117 -0
tools/testing/test_orchestrator.py +957 -0
tools/testing/utils.py +229 -0
tools/writeguard/__init__.py +1 -0
tools/writeguard/main.py +1 -0
tools/writing/__init__.py +7 -0
tools/writing/ai_content_detector.py +316 -0
tools/writing/analysis_engine.py +454 -0
tools/writing/batch_analyzer.py +276 -0
tools/writing/coherence_analyzer.py +221 -0
tools/writing/govcon_bridge.py +509 -0
tools/writing/grammar_checker.py +270 -0
tools/writing/plagiarism_detector.py +106 -0
tools/writing/readability_scorer.py +201 -0
tools/writing/rewriter.py +96 -0
tools/writing/signal_registrar.py +167 -0
tools/writing/snippet_manager.py +276 -0
tools/writing/style_enforcer.py +220 -0
tools/writing/style_guide_manager.py +438 -0
tools/writing/tone_profiler.py +168 -0

context/compliance/safeai_controls.json ADDED Viewed

@@ -0,0 +1,512 @@
+{
+  "metadata": {
+    "title": "SAFE-AI: AI-Affected NIST 800-53 Rev 5 Controls",
+    "source": "Synthesis of NIST AI RMF (AI 100-1), MITRE ATLAS, OWASP LLM Top 10 v2025, EO 14110, DoD Responsible AI Strategy",
+    "classification": "CUI // SP-CTI",
+    "version": "1.0",
+    "last_updated": "2026-02-21",
+    "description": "NIST 800-53 Rev 5 controls that have AI-specific concerns, enhanced guidance, or modified implementation requirements when LLMs or autonomous AI agents are deployed. Each control includes the standard NIST requirement augmented with AI-specific risk narrative, implementation guidance for AI systems, and cross-references to OWASP LLM Top 10 and MITRE ATLAS. This catalog enables dual-use assessment: traditional IT security plus AI-specific security posture in a single unified control set."
+  },
+  "controls": [
+    {
+      "control_id": "AC-2",
+      "title": "Account Management",
+      "family": "Access Control",
+      "ai_concern": "AI agents require service accounts with specific permissions to execute tools, call APIs, and access databases. Autonomous agents may create, modify, or escalate accounts without human oversight. Multi-agent architectures require per-agent identity with individually scoped permissions.",
+      "ai_guidance": "Implement least-privilege for all AI agent service accounts. Monitor automated account actions with anomaly detection. Require human-in-the-loop for privilege escalation. Each agent in a multi-agent system must have a unique service account with individually auditable permissions.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM06"],
+      "related_atlas": ["AML.T0086"]
+    },
+    {
+      "control_id": "AC-3",
+      "title": "Access Enforcement",
+      "family": "Access Control",
+      "ai_concern": "LLMs may bypass access controls through prompt injection, tool misuse, or by generating code/commands that circumvent authorization checks. AI agents with function-calling capabilities can access resources beyond their intended scope if tool permissions are not enforced at the platform level.",
+      "ai_guidance": "Enforce access controls at the tool/function level, not just the user level. AI agent tool calls must be authorized against an allowlist. Apply mandatory access control (MAC) on all AI-accessible resources. Validate that LLM-generated commands respect authorization boundaries before execution.",
+      "risk_level": "critical",
+      "related_owasp_llm": ["LLM01", "LLM06"],
+      "related_atlas": ["AML.T0040", "AML.T0051"]
+    },
+    {
+      "control_id": "AC-4",
+      "title": "Information Flow Enforcement",
+      "family": "Access Control",
+      "ai_concern": "LLMs can inadvertently transfer information across security domains through their responses, context windows, or shared embedding stores. RAG systems may retrieve documents from higher classification levels and include them in responses to lower-classified users. Cross-domain LLM deployments require strict information flow enforcement.",
+      "ai_guidance": "Implement cross-domain guards for LLM responses in multi-level security environments. Enforce data classification on all RAG sources and filter retrieval results by user clearance. Apply output DLP scanning for classification spillage. Separate embedding stores by classification level.",
+      "risk_level": "critical",
+      "related_owasp_llm": ["LLM02", "LLM08"],
+      "related_atlas": ["AML.T0024", "AML.T0025"]
+    },
+    {
+      "control_id": "AC-6",
+      "title": "Least Privilege",
+      "family": "Access Control",
+      "ai_concern": "AI agents often receive overly broad permissions for convenience, especially when using function-calling or tool-use capabilities. Default configurations may grant agents access to all available tools. Agents may request elevated privileges dynamically through conversational manipulation.",
+      "ai_guidance": "Apply per-agent tool allowlists restricting callable functions. Block destructive operations (deploy, delete, modify infrastructure) from AI agents by default. Require explicit human approval for any privilege escalation requested by an AI agent. Implement agent permission boundaries per environment (dev/staging/prod).",
+      "risk_level": "critical",
+      "related_owasp_llm": ["LLM06"],
+      "related_atlas": ["AML.T0086", "AML.T0040"]
+    },
+    {
+      "control_id": "AC-6(1)",
+      "title": "Least Privilege | Authorize Access to Security Functions",
+      "family": "Access Control",
+      "ai_concern": "AI agents should never have direct access to security functions such as modifying access control policies, changing audit configurations, or managing encryption keys unless explicitly authorized with human oversight.",
+      "ai_guidance": "Prohibit AI agent access to security administration functions by default. Any AI-initiated security configuration change must require human-in-the-loop approval. Implement domain authority veto for security-critical operations.",
+      "risk_level": "critical",
+      "related_owasp_llm": ["LLM06"],
+      "related_atlas": ["AML.T0086"]
+    },
+    {
+      "control_id": "AC-17",
+      "title": "Remote Access",
+      "family": "Access Control",
+      "ai_concern": "AI agents may be accessed or controlled remotely through messaging channels (Slack, Teams, Telegram), API endpoints, or remote command gateways. Remote AI agent access introduces additional attack surface for prompt injection, unauthorized command execution, and classification spillage across channels with different security levels.",
+      "ai_guidance": "Enforce user binding ceremonies before allowing remote AI agent commands. Apply per-channel classification ceilings (IL-aware response filtering). Implement rate limiting and command allowlists for all remote AI agent interfaces. Block destructive commands on all remote channels.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM06", "LLM01"],
+      "related_atlas": ["AML.T0051"]
+    },
+    {
+      "control_id": "AC-19",
+      "title": "Access Control for Mobile Devices",
+      "family": "Access Control",
+      "ai_concern": "Mobile AI assistants and LLM-powered apps on mobile devices may cache sensitive context, conversation history, or model weights locally. AI voice interfaces on mobile devices introduce additional eavesdropping and social engineering risks.",
+      "ai_guidance": "Enforce encryption at rest for all AI conversation caches on mobile devices. Implement automatic conversation purging after session timeout. Disable AI voice interfaces in physically insecure locations. Apply mobile device management (MDM) policies to AI-enabled applications.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM02"],
+      "related_atlas": ["AML.T0024"]
+    },
+    {
+      "control_id": "AC-20",
+      "title": "Use of External Systems",
+      "family": "Access Control",
+      "ai_concern": "AI agents that call external APIs, search the web, or interact with third-party services introduce external system dependencies. LLM tool-use capabilities may connect to untrusted external systems, enabling indirect prompt injection through external content or data exfiltration through outbound API calls.",
+      "ai_guidance": "Maintain an allowlist of approved external systems for AI agent access. Monitor all outbound AI agent API calls. Apply content sanitization on data received from external systems before feeding to LLMs. Block AI agent access to external systems in air-gapped environments.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM01", "LLM03"],
+      "related_atlas": ["AML.T0043", "AML.T0042"]
+    },
+    {
+      "control_id": "AT-2",
+      "title": "Literacy Training and Awareness",
+      "family": "Awareness and Training",
+      "ai_concern": "Personnel interacting with AI systems may not understand AI-specific risks including hallucinations, prompt injection, overreliance on AI-generated content, and the limitations of LLM reasoning. Without AI literacy training, users may trust AI outputs without verification, share sensitive data in prompts, or fail to recognize adversarial manipulation.",
+      "ai_guidance": "Include AI-specific security awareness in mandatory training: prompt injection risks, hallucination recognition, sensitive data handling in AI prompts, AI content verification requirements, and reporting procedures for suspicious AI behavior. Train users to label and verify AI-generated content.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM09"],
+      "related_atlas": ["AML.T0047"]
+    },
+    {
+      "control_id": "AT-3",
+      "title": "Role-Based Training",
+      "family": "Awareness and Training",
+      "ai_concern": "Developers building AI systems, security analysts reviewing AI outputs, and administrators managing AI infrastructure require specialized role-based training on AI-specific threats (MITRE ATLAS), secure AI development practices, prompt engineering security, and AI incident response procedures.",
+      "ai_guidance": "Provide role-based AI security training: developers receive secure AI coding practices (OWASP LLM Top 10), security analysts receive MITRE ATLAS and AI threat hunting, administrators receive AI infrastructure security (model serving, embedding stores, RAG pipelines). Track completion in training management system.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM09"],
+      "related_atlas": ["AML.T0047"]
+    },
+    {
+      "control_id": "AT-6",
+      "title": "Training Feedback",
+      "family": "Awareness and Training",
+      "ai_concern": "AI systems used for training content generation may produce inaccurate, biased, or fabricated training materials if not subject to human review. AI-generated training assessments may not accurately measure comprehension of AI-specific security risks.",
+      "ai_guidance": "Require human expert review of all AI-generated training content before deployment. Implement feedback mechanisms for users to report AI training material inaccuracies. Track AI-generated vs human-authored training content separately.",
+      "risk_level": "low",
+      "related_owasp_llm": ["LLM09"],
+      "related_atlas": ["AML.T0048"]
+    },
+    {
+      "control_id": "AU-2",
+      "title": "Event Logging",
+      "family": "Audit and Accountability",
+      "ai_concern": "AI systems generate novel event types that traditional audit logging may not capture: prompt injection attempts, model inference requests, tool/function calls, agent-to-agent communications, token consumption, confidence scores, and hallucination detection events. Without AI-specific audit events, security monitoring is blind to AI-specific attacks.",
+      "ai_guidance": "Configure audit logging for all AI-specific events: prompt submissions, model responses, tool/function calls, agent communications, token usage, prompt injection detection alerts, confidence score thresholds, and human-in-the-loop decisions. Include AI telemetry in SIEM forwarding.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM06", "LLM10"],
+      "related_atlas": ["AML.T0086"]
+    },
+    {
+      "control_id": "AU-3",
+      "title": "Content of Audit Records",
+      "family": "Audit and Accountability",
+      "ai_concern": "AI audit records must capture context beyond traditional IT events: the full prompt (or hash for classified), model ID and version, agent identity, tool/function called, response confidence score, token count, and any prompt injection detection flags. Standard audit record formats may not accommodate these AI-specific fields.",
+      "ai_guidance": "Extend audit record schema to include AI-specific fields: model_id, agent_id, prompt_hash, tool_calls, token_count, confidence_score, injection_flags, response_classification. Store AI audit records in append-only tables. Ensure audit records are sufficient for AI incident forensics.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM06", "LLM10"],
+      "related_atlas": ["AML.T0086"]
+    },
+    {
+      "control_id": "AU-6",
+      "title": "Audit Record Review, Analysis, and Reporting",
+      "family": "Audit and Accountability",
+      "ai_concern": "AI audit logs contain high-volume, high-velocity data that may overwhelm traditional manual review processes. AI-specific attack patterns (prompt injection, data exfiltration through responses, excessive agency) require specialized analysis rules and detection logic.",
+      "ai_guidance": "Implement automated analysis rules for AI-specific audit patterns: repeated prompt injection attempts, unusual tool call sequences, anomalous token consumption, information leakage patterns in responses, and agent communication anomalies. Integrate AI telemetry with SIEM for correlation with traditional security events.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM01", "LLM10"],
+      "related_atlas": ["AML.T0051", "AML.T0029"]
+    },
+    {
+      "control_id": "AU-12",
+      "title": "Audit Record Generation",
+      "family": "Audit and Accountability",
+      "ai_concern": "AI components (model inference engines, agent orchestrators, RAG pipelines, embedding services) must generate audit records at the component level. Multi-agent systems require correlation of audit records across agents to reconstruct decision chains.",
+      "ai_guidance": "Ensure all AI infrastructure components generate audit records: model serving endpoints, agent orchestrators, tool execution layers, RAG retrieval pipelines, and embedding services. Use correlation IDs to link related AI audit events across multi-agent workflows. Implement tamper-evident logging (HMAC signing) for AI audit trails.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM06"],
+      "related_atlas": ["AML.T0086"]
+    },
+    {
+      "control_id": "AU-16",
+      "title": "Cross-Organizational Audit Logging",
+      "family": "Audit and Accountability",
+      "ai_concern": "Federated AI systems, marketplace-shared AI components, and cross-tenant AI services require audit correlation across organizational boundaries. AI audit data may contain sensitive prompt content that must be filtered before cross-organizational sharing.",
+      "ai_guidance": "Implement audit record sanitization for cross-organizational sharing (redact prompt content, retain metadata). Establish AI-specific audit sharing agreements for federated AI deployments. Correlate AI audit events across tenant boundaries for marketplace-installed components.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM03"],
+      "related_atlas": ["AML.T0042"]
+    },
+    {
+      "control_id": "CA-2",
+      "title": "Control Assessments",
+      "family": "Assessment, Authorization, and Monitoring",
+      "ai_concern": "Traditional control assessments may not cover AI-specific risks. Assessment methodologies must include AI red-teaming (prompt injection, jailbreaking, data extraction), model robustness testing, AI supply chain review, and evaluation of human-in-the-loop effectiveness.",
+      "ai_guidance": "Include AI-specific assessment activities: prompt injection red-teaming, model robustness evaluation, AI supply chain audit (AI-BOM review), human-in-the-loop gate effectiveness testing, and MITRE ATLAS technique coverage assessment. Document AI-specific findings separately for specialized remediation.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM01", "LLM03"],
+      "related_atlas": ["AML.T0051", "AML.T0042"]
+    },
+    {
+      "control_id": "CA-7",
+      "title": "Continuous Monitoring",
+      "family": "Assessment, Authorization, and Monitoring",
+      "ai_concern": "AI systems exhibit emergent behaviors that may not be detected by traditional continuous monitoring. Model drift, prompt injection patterns, hallucination rates, and anomalous agent behavior require AI-specific continuous monitoring capabilities. cATO programs must include AI-specific evidence freshness tracking.",
+      "ai_guidance": "Implement AI-specific continuous monitoring: model performance drift detection, prompt injection attempt tracking, hallucination rate monitoring, agent behavior anomaly detection, token consumption trends, and AI-BOM currency checks. Feed AI telemetry into cATO evidence pipeline.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM04", "LLM09"],
+      "related_atlas": ["AML.T0020", "AML.T0047"]
+    },
+    {
+      "control_id": "CA-8",
+      "title": "Penetration Testing",
+      "family": "Assessment, Authorization, and Monitoring",
+      "ai_concern": "Standard penetration testing does not cover AI-specific attack vectors. AI systems require specialized red-team testing covering prompt injection (direct and indirect), jailbreak techniques, data extraction through model responses, agent manipulation, embedding poisoning, and model inversion attacks.",
+      "ai_guidance": "Include AI-specific scenarios in penetration testing: prompt injection (OWASP LLM01), system prompt extraction (LLM07), data exfiltration through responses (LLM02), agent privilege escalation (LLM06), RAG poisoning (LLM08), and model denial of service (LLM10). Use MITRE ATLAS as the adversarial framework for AI penetration testing.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM01", "LLM02", "LLM06"],
+      "related_atlas": ["AML.T0051", "AML.T0024", "AML.T0086"]
+    },
+    {
+      "control_id": "CM-2",
+      "title": "Baseline Configuration",
+      "family": "Configuration Management",
+      "ai_concern": "AI systems require baselines for model versions, hyperparameters, system prompt configurations, tool/function registrations, embedding model versions, and RAG pipeline configurations. These AI-specific configuration elements change independently of traditional infrastructure baselines.",
+      "ai_guidance": "Maintain AI-specific baseline configurations: model ID and version, system prompt content (hashed for classified), tool/function registration list, embedding model and dimension, RAG pipeline configuration, and agent permission boundaries. Version-control all AI configurations alongside infrastructure baselines.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM03", "LLM04"],
+      "related_atlas": ["AML.T0042", "AML.T0020"]
+    },
+    {
+      "control_id": "CM-3",
+      "title": "Configuration Change Control",
+      "family": "Configuration Management",
+      "ai_concern": "Changes to AI system configurations (model updates, prompt modifications, tool additions, embedding re-indexing) can have unpredictable effects on system behavior. Model updates may introduce new vulnerabilities or alter safety properties. Prompt changes can inadvertently weaken security controls.",
+      "ai_guidance": "Apply change control to all AI configuration changes: model version updates, system prompt modifications, tool/function additions or removals, embedding model changes, and RAG data source changes. Require security review for prompt changes that affect safety or access control logic. Test AI behavior regression after configuration changes.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM03", "LLM04"],
+      "related_atlas": ["AML.T0042", "AML.T0020"]
+    },
+    {
+      "control_id": "CM-7",
+      "title": "Least Functionality",
+      "family": "Configuration Management",
+      "ai_concern": "AI systems should expose only the minimum necessary tools, functions, and capabilities. Default LLM deployments often include broad tool-use capabilities that exceed operational requirements. Unused model capabilities (code execution, web browsing, file system access) increase attack surface.",
+      "ai_guidance": "Disable all AI capabilities not required for the specific use case. Implement tool allowlists rather than denylists. Remove code execution capabilities from LLMs that only need text generation. Disable web browsing for air-gapped deployments. Restrict file system access to specific approved directories.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM06"],
+      "related_atlas": ["AML.T0086", "AML.T0040"]
+    },
+    {
+      "control_id": "CM-8",
+      "title": "System Component Inventory",
+      "family": "Configuration Management",
+      "ai_concern": "Traditional component inventories do not capture AI-specific components: models, datasets, embedding stores, RAG corpora, plugins, and AI-specific middleware. An AI Bill of Materials (AI-BOM) is needed to supplement the SBOM for full supply chain visibility.",
+      "ai_guidance": "Maintain an AI Bill of Materials (AI-BOM) alongside the SBOM, documenting: model provenance (source, training data lineage, license), embedding models and stores, RAG data sources and their classification, plugins and extensions with versions, and AI middleware components. Update AI-BOM on every model or component change.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM03"],
+      "related_atlas": ["AML.T0042", "AML.T0010"]
+    },
+    {
+      "control_id": "IA-2",
+      "title": "Identification and Authentication (Organizational Users)",
+      "family": "Identification and Authentication",
+      "ai_concern": "AI agents acting on behalf of users create identity delegation challenges. The system must distinguish between actions taken directly by a human user versus actions delegated to an AI agent acting under that user's authority. AI-generated requests must carry both the delegating user's identity and the agent's service identity.",
+      "ai_guidance": "Implement dual-identity tracking for AI agent actions: the human principal who initiated the workflow and the AI agent identity executing it. Require re-authentication for AI agents requesting elevated privileges. Log the full identity chain (human -> agent -> tool) in all audit records.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM06"],
+      "related_atlas": ["AML.T0086"]
+    },
+    {
+      "control_id": "IA-8",
+      "title": "Identification and Authentication (Non-Organizational Users)",
+      "family": "Identification and Authentication",
+      "ai_concern": "External AI services (cloud LLM APIs, third-party model endpoints) and federated AI agents from partner organizations require authentication and authorization. AI-to-AI authentication (A2A protocol) must use mutual TLS or equivalent strong authentication to prevent impersonation.",
+      "ai_guidance": "Authenticate all external AI service connections with strong credentials (API keys with rotation, OAuth tokens, mTLS). Implement agent-to-agent authentication using mutual TLS within Kubernetes clusters. Validate agent identity cards (/.well-known/agent.json) before accepting inter-agent communications.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM03"],
+      "related_atlas": ["AML.T0042"]
+    },
+    {
+      "control_id": "IA-9",
+      "title": "Service Identification and Authentication",
+      "family": "Identification and Authentication",
+      "ai_concern": "AI model serving endpoints, embedding services, and RAG retrieval APIs must be authenticated to prevent model substitution attacks, embedding poisoning through unauthorized write access, and unauthorized inference requests. In multi-model architectures, each model endpoint must be individually authenticated.",
+      "ai_guidance": "Implement service-level authentication for all AI infrastructure: model serving endpoints require API key or mTLS, embedding write operations require elevated service credentials, RAG retrieval APIs enforce caller authentication, and model registry access requires signed requests.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM03", "LLM08"],
+      "related_atlas": ["AML.T0042", "AML.T0010"]
+    },
+    {
+      "control_id": "IR-4",
+      "title": "Incident Handling",
+      "family": "Incident Response",
+      "ai_concern": "AI-specific incidents (prompt injection attacks, model compromise, training data poisoning, AI-enabled social engineering, hallucination-caused mission impact) require specialized incident response procedures. Traditional IR playbooks do not cover AI-specific containment (model quarantine, prompt rollback, embedding store isolation) or evidence preservation (conversation logs, model snapshots, RAG state).",
+      "ai_guidance": "Develop AI-specific incident response procedures covering: model quarantine and rollback, system prompt emergency override, embedding store isolation, conversation log preservation with classification markings, model snapshot capture for forensics, and AI vendor notification. Include AI-specific scenarios in tabletop exercises.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM01", "LLM04"],
+      "related_atlas": ["AML.T0051", "AML.T0020"]
+    },
+    {
+      "control_id": "IR-6",
+      "title": "Incident Reporting",
+      "family": "Incident Response",
+      "ai_concern": "AI incidents may require reporting to specialized bodies beyond traditional CISO channels: AI ethics boards, MITRE ATLAS for technique cataloging, model vendors for vulnerability coordination, and government AI oversight bodies per EO 14110 requirements.",
+      "ai_guidance": "Establish AI-specific incident reporting channels: internal AI safety team, AI vendor security team, MITRE ATLAS contribution (for novel attack techniques), and government AI oversight per EO 14110. Include AI-specific incident classification criteria in the reporting taxonomy.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM01", "LLM04"],
+      "related_atlas": ["AML.T0051", "AML.T0020"]
+    },
+    {
+      "control_id": "MA-3",
+      "title": "Maintenance Tools",
+      "family": "Maintenance",
+      "ai_concern": "AI system maintenance tools (model fine-tuning utilities, embedding re-indexing scripts, RAG pipeline management, AI debugging and prompt engineering tools) have elevated access to model weights, training data, and system prompts. Compromised maintenance tools can introduce backdoors or extract sensitive model artifacts.",
+      "ai_guidance": "Control access to AI maintenance tools with the same rigor as security administration tools. Require multi-factor authentication for model fine-tuning and re-training operations. Log all maintenance tool usage. Verify integrity of maintenance tools before use. Restrict AI debugging tools to non-production environments.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM04", "LLM03"],
+      "related_atlas": ["AML.T0020", "AML.T0042"]
+    },
+    {
+      "control_id": "PM-11",
+      "title": "Mission and Business Process Definition",
+      "family": "Program Management",
+      "ai_concern": "Organizations must define acceptable AI use cases, prohibited AI applications, and risk tolerance for AI-assisted decision-making aligned with DoD Responsible AI principles (reliable, equitable, traceable, robust, governable). Mission-critical processes enhanced by AI require explicit risk acceptance for AI failure modes.",
+      "ai_guidance": "Document approved AI use cases with explicit risk acceptance for each. Define prohibited AI applications (autonomous lethal decision-making, unsupervised classification decisions, unmonitored PII processing). Establish AI risk tolerance thresholds aligned with DoD Responsible AI principles and organizational risk appetite.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM09"],
+      "related_atlas": ["AML.T0047"]
+    },
+    {
+      "control_id": "PM-32",
+      "title": "Purposing",
+      "family": "Program Management",
+      "ai_concern": "AI systems must have clearly defined purposes and boundaries. Purpose drift (using an AI system for tasks beyond its original design) introduces unassessed risks. Models trained for one task may behave unpredictably when repurposed for another.",
+      "ai_guidance": "Document the intended purpose, scope, and boundaries for each AI system deployment. Require re-assessment when AI systems are repurposed beyond original scope. Implement technical controls to enforce purpose boundaries (tool allowlists, prompt restrictions, output format constraints).",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM06", "LLM09"],
+      "related_atlas": ["AML.T0086"]
+    },
+    {
+      "control_id": "RA-3",
+      "title": "Risk Assessment",
+      "family": "Risk Assessment",
+      "ai_concern": "Traditional risk assessments do not cover AI-specific threats cataloged in MITRE ATLAS. AI systems introduce novel risk categories: model manipulation, training data poisoning, adversarial machine learning, emergent behavior, hallucination impact, and AI supply chain compromise. Risk assessment must incorporate AI-specific threat intelligence.",
+      "ai_guidance": "Include MITRE ATLAS techniques in threat modeling for AI systems. Assess risks specific to LLM deployment: prompt injection likelihood, hallucination impact severity, data leakage exposure, agent autonomy risk, and supply chain compromise probability. Use OWASP LLM Top 10 as supplementary risk framework.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM01", "LLM02", "LLM03", "LLM04"],
+      "related_atlas": ["AML.T0051", "AML.T0024", "AML.T0042", "AML.T0020"]
+    },
+    {
+      "control_id": "RA-5",
+      "title": "Vulnerability Monitoring and Scanning",
+      "family": "Risk Assessment",
+      "ai_concern": "AI systems have vulnerability categories beyond traditional CVEs: adversarial robustness weaknesses, prompt injection susceptibilities, model inversion vulnerabilities, and embedding store exposure. Standard vulnerability scanners do not detect AI-specific vulnerabilities.",
+      "ai_guidance": "Implement AI-specific vulnerability scanning: prompt injection testing (automated red-team), adversarial robustness evaluation, model inversion resistance testing, and AI dependency vulnerability scanning (model supply chain). Integrate AI vulnerability findings into the standard vulnerability management workflow.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM01", "LLM03"],
+      "related_atlas": ["AML.T0051", "AML.T0042"]
+    },
+    {
+      "control_id": "RA-10",
+      "title": "Threat Hunting",
+      "family": "Risk Assessment",
+      "ai_concern": "AI-specific threat hunting requires specialized detection of adversarial ML techniques: prompt injection campaigns, model exfiltration attempts, training data poisoning indicators, embedding store manipulation, and coordinated AI abuse patterns. Traditional threat hunting playbooks do not cover MITRE ATLAS techniques.",
+      "ai_guidance": "Develop AI-specific threat hunting hypotheses based on MITRE ATLAS: detect prompt injection patterns across user sessions, identify model output anomalies indicating compromise, hunt for embedding store tampering, analyze token consumption patterns for abuse, and correlate AI telemetry with network-level indicators.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM01", "LLM04"],
+      "related_atlas": ["AML.T0051", "AML.T0020"]
+    },
+    {
+      "control_id": "SA-3",
+      "title": "System Development Life Cycle",
+      "family": "System and Services Acquisition",
+      "ai_concern": "AI system development introduces additional lifecycle phases not covered by traditional SDLC: data collection and curation, model training and validation, prompt engineering and testing, AI-specific security testing (red-teaming), and ongoing model monitoring and retraining. AI development must integrate responsible AI principles throughout the lifecycle.",
+      "ai_guidance": "Extend SDLC to include AI-specific phases: data governance and curation, model development with bias testing, prompt security review, AI red-team testing, AI-specific acceptance criteria, and post-deployment model monitoring. Apply TDD practices to AI components (test prompts, expected outputs, boundary conditions).",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM04", "LLM09"],
+      "related_atlas": ["AML.T0020", "AML.T0047"]
+    },
+    {
+      "control_id": "SA-9",
+      "title": "External System Services",
+      "family": "System and Services Acquisition",
+      "ai_concern": "Cloud LLM APIs (Bedrock, Azure OpenAI, Anthropic API) are external services requiring supply chain risk assessment. Model providers may update models without notice, changing behavior. External AI services may log prompts containing sensitive data. Service availability affects AI-dependent mission systems.",
+      "ai_guidance": "Assess cloud LLM providers as critical external services. Negotiate data handling agreements that prohibit prompt logging or training on customer data. Implement model version pinning to prevent unannounced behavior changes. Maintain fallback chains across providers for operational resilience. Monitor provider SLAs and model deprecation notices.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM03"],
+      "related_atlas": ["AML.T0042"]
+    },
+    {
+      "control_id": "SA-11",
+      "title": "Developer Testing and Evaluation",
+      "family": "System and Services Acquisition",
+      "ai_concern": "AI-generated code must undergo the same security testing as human-written code (SAST, dependency audit, secret detection). Additionally, AI systems require prompt injection testing, output validation testing, and adversarial robustness evaluation that traditional testing frameworks do not provide.",
+      "ai_guidance": "Apply full security testing pipeline to AI-generated code: SAST, dependency audit, secret detection, and CUI marking verification. Add AI-specific test categories: prompt injection resistance, output sanitization validation, hallucination detection, tool call authorization testing, and agent boundary enforcement.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM05", "LLM01"],
+      "related_atlas": ["AML.T0048", "AML.T0051"]
+    },
+    {
+      "control_id": "SA-15",
+      "title": "Development Process, Standards, and Tools",
+      "family": "System and Services Acquisition",
+      "ai_concern": "AI development tools (training frameworks, prompt engineering IDEs, model serving infrastructure) must meet the same security standards as other development tools. AI-assisted development tools (Copilot, Claude Code, Codex) introduce AI-specific risks into the development process itself.",
+      "ai_guidance": "Apply security standards to AI development tools and infrastructure. Vet AI-assisted coding tools for data handling (prompt logging, code telemetry). Enforce code review on AI-generated code regardless of source. Maintain approved tool lists for AI development and AI-assisted development.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM03", "LLM05"],
+      "related_atlas": ["AML.T0042"]
+    },
+    {
+      "control_id": "SC-4",
+      "title": "Information in Shared Resources",
+      "family": "System and Communications Protection",
+      "ai_concern": "LLM context windows, shared embedding stores, and multi-tenant model serving infrastructure may leak information across users, sessions, or tenants. Shared GPU memory in model serving may retain residual data from previous inference requests. RAG systems with shared vector stores may expose cross-tenant documents.",
+      "ai_guidance": "Implement context isolation between user sessions and tenants in LLM deployments. Clear GPU memory between inference requests for sensitive workloads. Enforce tenant isolation in shared embedding stores. Apply per-tenant RAG retrieval filtering. Verify context window isolation in multi-tenant model serving.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM02", "LLM08"],
+      "related_atlas": ["AML.T0024", "AML.T0025"]
+    },
+    {
+      "control_id": "SC-5",
+      "title": "Denial-of-Service Protection",
+      "family": "System and Communications Protection",
+      "ai_concern": "AI systems are vulnerable to denial-of-service through resource exhaustion: excessively long prompts, recursive agent loops, compute-intensive queries, denial-of-wallet attacks through API abuse, and adversarial inputs designed to maximize inference latency. AI-specific DoS attacks target expensive inference resources rather than network bandwidth.",
+      "ai_guidance": "Implement AI-specific DoS protections: maximum token limits per request and session, prompt length validation, agent loop detection with circuit breakers, per-user and per-tenant rate limiting on inference endpoints, cost-based throttling at budget thresholds, and query complexity analysis before inference.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM10"],
+      "related_atlas": ["AML.T0029", "AML.T0034"]
+    },
+    {
+      "control_id": "SC-7",
+      "title": "Boundary Protection",
+      "family": "System and Communications Protection",
+      "ai_concern": "AI systems that interact with external content (web search, document retrieval, API calls) create boundary crossings that traditional network perimeter controls may not govern. LLM tool-use capabilities can initiate outbound connections that bypass application-layer firewalls. Indirect prompt injection exploits boundary crossings to inject malicious instructions.",
+      "ai_guidance": "Apply boundary protection to AI system data flows: control outbound connections from AI agents, filter external content before LLM ingestion (sanitize for indirect prompt injection), enforce egress rules on AI inference endpoints, and monitor AI-initiated network connections. In air-gapped environments, disable all external data retrieval capabilities.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM01", "LLM03"],
+      "related_atlas": ["AML.T0043", "AML.T0042"]
+    },
+    {
+      "control_id": "SC-8",
+      "title": "Transmission Confidentiality and Integrity",
+      "family": "System and Communications Protection",
+      "ai_concern": "AI inference traffic (prompts and responses) may contain sensitive data and must be encrypted in transit. Agent-to-agent communications in multi-agent architectures must use mutual TLS. Telemetry and audit data from AI systems must be transmitted securely to monitoring endpoints.",
+      "ai_guidance": "Encrypt all AI inference traffic (prompts and responses) with TLS 1.2+ or mTLS. Enforce mutual TLS for agent-to-agent communications within Kubernetes clusters. Encrypt AI telemetry and audit log transmission. Apply FIPS 140-2 validated encryption for AI traffic in Gov/DoD environments.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM02"],
+      "related_atlas": ["AML.T0024"]
+    },
+    {
+      "control_id": "SC-13",
+      "title": "Cryptographic Protection",
+      "family": "System and Communications Protection",
+      "ai_concern": "AI model weights, embeddings, and training data represent high-value intellectual property and may contain memorized sensitive data. Cryptographic protection must extend to model artifacts at rest and in transit. Model signing ensures integrity and provenance verification.",
+      "ai_guidance": "Apply FIPS 140-2 validated cryptographic protection to: model weights at rest and in transit, embedding stores containing classified or CUI document representations, training data archives, and AI configuration artifacts. Implement model signing for provenance verification. Use encrypted model registries.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM03"],
+      "related_atlas": ["AML.T0010"]
+    },
+    {
+      "control_id": "SC-28",
+      "title": "Protection of Information at Rest",
+      "family": "System and Communications Protection",
+      "ai_concern": "AI systems store sensitive data at rest in novel formats: model weights (which may memorize training data), vector embeddings (which encode document content), conversation logs (which contain user prompts), and fine-tuning datasets. These AI-specific data stores require encryption at rest with classification-appropriate key management.",
+      "ai_guidance": "Encrypt all AI data at rest: model weight files, vector embedding databases, conversation log stores, fine-tuning datasets, and RAG document corpora. Apply classification-appropriate encryption (FIPS 140-2 for CUI, NSA Type 1 for classified). Implement key management that separates encryption keys from AI data stores.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM02", "LLM07"],
+      "related_atlas": ["AML.T0024"]
+    },
+    {
+      "control_id": "SI-3",
+      "title": "Malicious Code Protection",
+      "family": "System and Information Integrity",
+      "ai_concern": "AI-generated code may contain malicious patterns (backdoors, logic bombs, data exfiltration) either through model compromise, training data poisoning, or adversarial prompt manipulation. Traditional malware signatures do not detect AI-introduced malicious logic. LLM tool outputs may contain executable payloads.",
+      "ai_guidance": "Run SAST and behavioral analysis on all AI-generated code before integration. Scan LLM tool outputs for executable content. Apply sandboxing for AI-generated code execution. Monitor for known AI-introduced vulnerability patterns (insecure defaults, backdoor patterns, obfuscated logic).",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM05", "LLM04"],
+      "related_atlas": ["AML.T0048", "AML.T0020"]
+    },
+    {
+      "control_id": "SI-4",
+      "title": "System Monitoring",
+      "family": "System and Information Integrity",
+      "ai_concern": "AI systems require specialized monitoring beyond traditional system metrics: model performance drift, hallucination rates, prompt injection attempt frequency, agent behavior anomalies, token consumption trends, and AI-specific security events. Without AI-specific monitoring, attacks against AI components go undetected.",
+      "ai_guidance": "Implement AI-specific monitoring dashboards tracking: model inference latency and error rates, prompt injection detection alerts, hallucination rate trends, agent tool call patterns, token consumption by user and project, embedding store access patterns, and AI security event correlation. Set alert thresholds for anomalous AI behavior.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM10", "LLM01"],
+      "related_atlas": ["AML.T0029", "AML.T0051"]
+    },
+    {
+      "control_id": "SI-7",
+      "title": "Software, Firmware, and Information Integrity",
+      "family": "System and Information Integrity",
+      "ai_concern": "AI model integrity must be verified at deployment and runtime. Model weight tampering, embedding store corruption, and system prompt modification can compromise AI system behavior without triggering traditional integrity checks. Integrity verification must cover all AI artifacts: model files, embedding indices, system prompts, and tool configurations.",
+      "ai_guidance": "Implement integrity verification for all AI artifacts: cryptographic checksums on model weight files, hash verification on embedding store contents, version-controlled system prompts with change detection, and signed tool/function configurations. Alert on any unauthorized modification of AI artifacts.",
+      "risk_level": "high",
+      "related_owasp_llm": ["LLM04", "LLM03"],
+      "related_atlas": ["AML.T0020", "AML.T0010"]
+    },
+    {
+      "control_id": "SI-10",
+      "title": "Information Input Validation",
+      "family": "System and Information Integrity",
+      "ai_concern": "LLM inputs (prompts) are the primary attack vector for prompt injection, the most critical AI-specific vulnerability. Traditional input validation (SQL injection, XSS prevention) does not address natural language prompt injection. AI systems require AI-specific input validation: prompt injection detection, input length limits, encoding checks, and content policy enforcement.",
+      "ai_guidance": "Implement multi-layered input validation for LLM prompts: pattern-based prompt injection detection, ML-based injection classifiers, input length and token limits, base64/encoding attack detection, content policy enforcement, and structural validation for tool-calling inputs. Deploy prompt injection detection as a pre-processing stage before model inference.",
+      "risk_level": "critical",
+      "related_owasp_llm": ["LLM01"],
+      "related_atlas": ["AML.T0051", "AML.T0054"]
+    },
+    {
+      "control_id": "SI-12",
+      "title": "Information Management and Retention",
+      "family": "System and Information Integrity",
+      "ai_concern": "AI conversation logs, prompt histories, model training data, and inference metadata contain sensitive data that must be managed according to retention policies. LLM providers may retain prompts for model improvement unless explicitly opted out. Conversation logs containing classified or CUI data require retention and disposal aligned with records management policies.",
+      "ai_guidance": "Establish retention policies for AI-specific data: conversation logs, prompt histories, model training data, inference metadata, and AI audit records. Ensure LLM provider agreements prohibit prompt retention for training. Implement automated purging of AI conversation data per retention schedule. Apply classification-appropriate disposal to AI data stores.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM02"],
+      "related_atlas": ["AML.T0024"]
+    },
+    {
+      "control_id": "SI-18",
+      "title": "Personally Identifiable Information Quality",
+      "family": "System and Information Integrity",
+      "ai_concern": "AI systems processing PII may generate inaccurate personal information through hallucination, combine PII from multiple sources inappropriately, or create synthetic PII that is mistaken for real data. AI-generated PII assessments, recommendations, or decisions must be verified for accuracy before action.",
+      "ai_guidance": "Implement PII quality checks on AI-generated outputs: verify any AI-generated personal information against authoritative sources, flag AI-generated PII for human review, prohibit AI systems from creating or modifying PII records without human confirmation, and monitor for PII hallucination in AI responses.",
+      "risk_level": "moderate",
+      "related_owasp_llm": ["LLM09"],
+      "related_atlas": ["AML.T0048"]
+    }
+  ]
+}

context/compliance/sbd_report_template.md ADDED Viewed

@@ -0,0 +1,77 @@
+{{cui_banner_top}}
+# Secure by Design Assessment Report
+**Project:** {{project_name}}
+**Project ID:** {{project_id}}
+**Classification:** {{classification}}
+**Assessment Date:** {{assessment_date}}
+**Report Version:** {{version}}
+**Assessor:** {{assessor}}
+**Framework:** CISA Secure by Design + DoDI 5000.87 + NIST SP 800-218 SSDF
+---
+## 1. Executive Summary
+**Overall SbD Score:** {{overall_score}}%
+**Gate Result:** {{gate_result}}
+**Domains Assessed:** {{domains_assessed}} / 14
+**Critical Requirements Not Satisfied:** {{critical_not_satisfied}}
+{{executive_summary}}
+## 2. CISA Secure by Design Commitment Status
+The following table shows compliance with the 7 CISA Secure by Design commitments:
+{{cisa_commitment_table}}
+## 3. Domain Assessment Summary
+{{domain_scores_table}}
+## 4. Detailed Domain Assessments
+{{domain_details}}
+## 5. Auto-Check Results
+{{auto_check_results}}
+## 6. Manual Review Items
+The following requirements require manual verification:
+{{manual_review_items}}
+## 7. Findings and Remediation
+### Critical Findings
+{{critical_findings}}
+### Remediation Recommendations
+{{remediation_table}}
+## 8. Evidence Artifacts
+{{evidence_summary}}
+## 9. NIST 800-53 Control Mapping
+{{nist_control_mapping}}
+## 10. Assessment Methodology
+This assessment was conducted using the ICDEV SbD Assessor tool against the CISA Secure by Design requirements catalog (35 requirements across 14 domains). Automated checks were performed where possible; requirements marked as "semi" or "manual" are flagged for human review.
+**Scoring Formula:** Score = 100 x (satisfied + partially_satisfied x 0.5 + risk_accepted x 0.75) / assessable_count
+**Gate Logic:** PASS if 0 critical-priority requirements have status "not_satisfied"
+---
+**Prepared by:** {{assessor}}
+**Date:** {{assessment_date}}
+{{cui_banner_bottom}}

context/compliance/siem_config_templates/__init__.py ADDED Viewed

@@ -0,0 +1,6 @@
+# CUI // SP-CTI
+# Controlled by: Department of Defense
+# CUI Category: CTI
+# Distribution: D
+# POC: ICDEV System Administrator
+# Package marker for PyPI distribution