iris-security-anthropic 0.1.0__tar.gz

iris_security_anthropic-0.1.0/PKG-INFO

@@ -0,0 +1,50 @@
+Metadata-Version: 2.4
+Name: iris-security-anthropic
+Version: 0.1.0
+Summary: IRIS governance for Anthropic Claude — Cedar policy on every API call
+Author-email: IRIS Platform <sdk@iris.ai>
+License: Apache-2.0
+Project-URL: Homepage, https://github.com/gimartinb/iris-sdk
+Project-URL: Repository, https://github.com/gimartinb/iris-sdk
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: iris-security-core>=0.1.0
+Requires-Dist: iris-security-sdk>=0.1.0
+Provides-Extra: anthropic
+Requires-Dist: anthropic>=0.25; extra == "anthropic"
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+Requires-Dist: pytest-asyncio>=0.23; extra == "dev"
+Requires-Dist: ruff>=0.4; extra == "dev"
+
+# iris-anthropic
+
+Drop-in IRIS governance for the [Anthropic Python SDK](https://github.com/anthropics/anthropic-sdk-python).
+
+Replace one line:
+
+```python
+# client = anthropic.Anthropic()
+client = IrisAnthropic(passport=passport)
+```
+
+Every `client.messages.create()` and `client.messages.stream()` call is evaluated against Cedar policy, recorded in the Evidence Vault, and enforced per `IRIS_ENV` (warn in dev, block in production).
+
+## Install
+
+```bash
+pip install iris-anthropic
+```
+
+## Quickstart
+
+See [examples/governed_claude.py](examples/governed_claude.py).
+
+## Environment
+
+| `IRIS_ENV`   | Behavior                                      |
+|-------------|-----------------------------------------------|
+| `dev`       | Fail open — warnings to stderr, never block   |
+| `production`| Fail closed — `IrisViolationError` on deny    |
+
+Defaults to `dev` when unset.

iris_security_anthropic-0.1.0/README.md

@@ -0,0 +1,31 @@
+# iris-anthropic
+
+Drop-in IRIS governance for the [Anthropic Python SDK](https://github.com/anthropics/anthropic-sdk-python).
+
+Replace one line:
+
+```python
+# client = anthropic.Anthropic()
+client = IrisAnthropic(passport=passport)
+```
+
+Every `client.messages.create()` and `client.messages.stream()` call is evaluated against Cedar policy, recorded in the Evidence Vault, and enforced per `IRIS_ENV` (warn in dev, block in production).
+
+## Install
+
+```bash
+pip install iris-anthropic
+```
+
+## Quickstart
+
+See [examples/governed_claude.py](examples/governed_claude.py).
+
+## Environment
+
+| `IRIS_ENV`   | Behavior                                      |
+|-------------|-----------------------------------------------|
+| `dev`       | Fail open — warnings to stderr, never block   |
+| `production`| Fail closed — `IrisViolationError` on deny    |
+
+Defaults to `dev` when unset.

iris_security_anthropic-0.1.0/examples/governed_claude.py

@@ -0,0 +1,31 @@
+"""
+Minimal IRIS + Anthropic integration — one line changes from the stock SDK.
+
+Replace:
+    client = anthropic.Anthropic()
+With:
+    client = IrisAnthropic(passport=passport)
+
+All other Anthropic usage stays the same.
+"""
+
+from iris import AgentPassport, ComplianceTag
+from iris_anthropic import IrisAnthropic
+
+passport = AgentPassport(
+    name="support-agent",
+    owner="team@company.com",
+    compliance_tags=[ComplianceTag.COLORADO_AI_ACT],
+    is_high_risk_ai=False,
+)
+
+client = IrisAnthropic(passport=passport)
+
+message = client.messages.create(
+    model="claude-sonnet-4-6",
+    max_tokens=1024,
+    messages=[{"role": "user", "content": "Help this customer."}],
+)
+
+# IRIS evaluated this call. Policy enforced. Evidence logged.
+print(message.content[0].text)

iris_security_anthropic-0.1.0/iris_anthropic/__init__.py

@@ -0,0 +1,43 @@
+"""
+IRIS Anthropic integration — one-line drop-in for anthropic.Anthropic().
+
+Quickstart:
+    from iris_anthropic import IrisAnthropic
+    from iris import AgentPassport, ComplianceTag
+
+    passport = AgentPassport(
+        name="support-agent",
+        owner="team@company.com",
+        compliance_tags=[ComplianceTag.COLORADO_AI_ACT],
+    )
+    client = IrisAnthropic(passport=passport)
+    message = client.messages.create(model="claude-sonnet-4-6", ...)
+"""
+
+from __future__ import annotations
+
+from iris import IrisViolationError
+from iris_core.models.passport import (
+    AgentPassport,
+    ComplianceTag,
+    DataClassification,
+    Environment,
+)
+from iris_core.models.policy import Violation
+
+from iris_anthropic.client import IrisAnthropic, IrisAnthropicAsync
+from iris_anthropic.guardrails import check_prompt_for_violations
+
+__version__ = "0.1.0"
+
+__all__ = [
+    "IrisAnthropic",
+    "IrisAnthropicAsync",
+    "IrisViolationError",
+    "AgentPassport",
+    "ComplianceTag",
+    "DataClassification",
+    "Environment",
+    "Violation",
+    "check_prompt_for_violations",
+]

iris_security_anthropic-0.1.0/iris_anthropic/_governance.py

@@ -0,0 +1,144 @@
+"""Shared IRIS evaluation helpers for Anthropic SDK integration."""
+
+from __future__ import annotations
+
+import logging
+import os
+import sys
+import threading
+from pathlib import Path
+from typing import List, Optional
+
+from iris import IrisViolationError
+from iris_core.engine.cedar import CedarEngine, EvaluationContext
+from iris_core.rbac.context import UserContext
+from iris_core.evidence.vault import EvidenceVault
+from iris_core.models.passport import AgentPassport, Environment
+from iris_core.models.policy import PolicyResult, Violation
+
+logger = logging.getLogger("iris.anthropic")
+
+_VAULT_LOCK = threading.Lock()
+
+
+def current_environment() -> Environment:
+    return Environment(os.environ.get("IRIS_ENV", "dev"))
+
+
+def has_policy_loaded(engine: CedarEngine, passport: AgentPassport) -> bool:
+    return bool(engine._policy_cache.get(passport.agent_id))
+
+
+def load_passport_policy(engine: CedarEngine, passport: AgentPassport) -> None:
+    if not passport.policy_ref:
+        return
+    policy_path = Path(passport.policy_ref)
+    if not policy_path.is_absolute():
+        policy_path = Path.cwd() / policy_path
+    if policy_path.exists():
+        engine.load_policy_file(passport.agent_id, policy_path)
+
+
+def apply_no_policy_gate(
+    engine: CedarEngine,
+    passport: AgentPassport,
+    env: Environment,
+    result: PolicyResult,
+) -> PolicyResult:
+    """Fail open in dev/test when no policy is loaded; fail closed in staging/prod."""
+    if has_policy_loaded(engine, passport):
+        return result
+    if env in (Environment.DEV, Environment.TEST):
+        if result.decision == "DENY":
+            return PolicyResult(
+                decision="PERMIT_WITH_WARNINGS",
+                violations=result.violations,
+                agent_id=result.agent_id,
+                action=result.action,
+                resource=result.resource,
+                environment=result.environment,
+            )
+    return result
+
+
+def merge_prompt_violations(result: PolicyResult, prompt_violations: List[Violation]) -> PolicyResult:
+    if not prompt_violations:
+        return result
+    from iris_core.models.policy import Severity
+
+    violations = list(result.violations) + list(prompt_violations)
+    critical = [v for v in violations if v.severity == Severity.CRITICAL]
+    if critical:
+        decision = "DENY"
+    elif violations and result.decision == "PERMIT":
+        env = Environment(result.environment) if result.environment else Environment.DEV
+        if env in (Environment.DEV, Environment.TEST):
+            decision = "PERMIT_WITH_WARNINGS"
+        else:
+            high = [v for v in violations if v.severity in (Severity.HIGH, Severity.CRITICAL)]
+            decision = "DENY" if high else "PERMIT_WITH_WARNINGS"
+    else:
+        decision = result.decision
+    return PolicyResult(
+        decision=decision,
+        violations=violations,
+        agent_id=result.agent_id,
+        action=result.action,
+        resource=result.resource,
+        environment=result.environment,
+    )
+
+
+def evaluate_api_call(
+    engine: CedarEngine,
+    vault: EvidenceVault,
+    passport: AgentPassport,
+    env: Environment,
+    *,
+    data_classification: Optional[str] = None,
+    prompt_violations: Optional[List[Violation]] = None,
+    additional: Optional[dict] = None,
+    dlp_prompt_findings: Optional[list] = None,
+    user_email: Optional[str] = None,
+    user_role: Optional[str] = None,
+) -> PolicyResult:
+    user_ctx = UserContext.from_params(user_email, user_role)
+    ctx = EvaluationContext(
+        agent_id=passport.agent_id,
+        action="call",
+        resource="anthropic-api",
+        resource_type="api",
+        environment=env,
+        data_classification=data_classification or passport.data_classification.value,
+        dlp_prompt_findings=dlp_prompt_findings,
+        additional=additional or {},
+        **user_ctx.evaluation_fields(),
+    )
+    result = engine.evaluate(passport, ctx)
+    result = apply_no_policy_gate(engine, passport, env, result)
+    result = merge_prompt_violations(result, prompt_violations or [])
+    with _VAULT_LOCK:
+        vault.record(ctx, result)
+    return result
+
+
+def enforce_result(result: PolicyResult, env: Environment) -> None:
+    if result.decision == "DENY":
+        if env in (Environment.DEV, Environment.TEST):
+            for violation in result.violations:
+                msg = (
+                    f"[IRIS WARNING] {violation.message} "
+                    f"Remediation: {violation.remediation}"
+                )
+                logger.warning(msg)
+                print(msg, file=sys.stderr)
+            return
+        raise IrisViolationError(result)
+    if result.decision == "PERMIT_WITH_WARNINGS":
+        for violation in result.violations:
+            msg = (
+                f"[IRIS WARNING] {violation.message} "
+                f"Remediation: {violation.remediation}"
+            )
+            logger.warning(msg)
+            print(msg, file=sys.stderr)

iris_security_anthropic-0.1.0/iris_anthropic/client.py

@@ -0,0 +1,224 @@
+"""Drop-in Anthropic client wrapper with IRIS governance on every messages call."""
+
+from __future__ import annotations
+
+from typing import Any, List, Optional
+
+from iris_core.dlp import DLPScanner
+from iris_core.dlp.enforcement import (
+    enforce_prompt_dlp,
+    extract_anthropic_response_text,
+    handle_response_dlp,
+)
+from iris_core.engine.cedar import CedarEngine
+from iris_core.evidence.vault import EvidenceVault
+from iris_core.models.passport import AgentPassport
+from iris_anthropic._governance import (
+    current_environment,
+    enforce_result,
+    evaluate_api_call,
+    load_passport_policy,
+)
+from iris_anthropic.guardrails import (
+    check_prompt_for_violations,
+    effective_data_classification,
+)
+
+
+def _lazy_anthropic():
+    import anthropic
+
+    return anthropic
+
+
+def _extract_prompt_text(kwargs: dict) -> str:
+    parts: List[str] = []
+    system = kwargs.get("system")
+    if system:
+        if isinstance(system, str):
+            parts.append(system)
+        elif isinstance(system, list):
+            for block in system:
+                if isinstance(block, dict):
+                    text = block.get("text") or block.get("content")
+                    if text:
+                        parts.append(str(text))
+    for msg in kwargs.get("messages") or []:
+        if not isinstance(msg, dict):
+            continue
+        content = msg.get("content")
+        if isinstance(content, str):
+            parts.append(content)
+        elif isinstance(content, list):
+            for block in content:
+                if isinstance(block, dict):
+                    text = block.get("text") or block.get("content")
+                    if text:
+                        parts.append(str(text))
+    return "\n".join(parts)
+
+
+class _IrisAnthropicClientBase:
+    _passport: AgentPassport
+    _engine: CedarEngine
+    _vault: EvidenceVault
+    _dlp: DLPScanner
+    _user_email: Optional[str] = None
+    _user_role: Optional[str] = None
+
+
+class _GovernedMessagesBase:
+    """Uses the parent client so engine/vault stay in sync when replaced in tests."""
+
+    def __init__(self, parent: _IrisAnthropicClientBase, messages_resource: Any):
+        self._parent = parent
+        self._messages = messages_resource
+
+    @property
+    def _passport(self) -> AgentPassport:
+        return self._parent._passport
+
+    @property
+    def _engine(self) -> CedarEngine:
+        return self._parent._engine
+
+    @property
+    def _vault(self) -> EvidenceVault:
+        return self._parent._vault
+
+    def _govern_kwargs(self, kwargs: dict) -> None:
+        env = current_environment()
+        prompt = _extract_prompt_text(kwargs)
+        dlp_result = enforce_prompt_dlp(
+            self._parent._dlp,
+            self._vault,
+            self._passport,
+            env,
+            prompt,
+            resource="anthropic-api",
+        )
+        prompt_violations = check_prompt_for_violations(prompt, self._passport)
+        data_classification = effective_data_classification(prompt, self._passport)
+        additional = {
+            "model": kwargs.get("model"),
+            "max_tokens": kwargs.get("max_tokens"),
+            "prompt_violation_count": len(prompt_violations),
+        }
+        if prompt_violations:
+            additional["prompt_violations"] = [v.rule_id for v in prompt_violations]
+
+        result = evaluate_api_call(
+            self._engine,
+            self._vault,
+            self._passport,
+            env,
+            data_classification=data_classification,
+            prompt_violations=prompt_violations,
+            additional=additional,
+            dlp_prompt_findings=dlp_result.findings,
+            user_email=self._parent._user_email,
+            user_role=self._parent._user_role,
+        )
+        enforce_result(result, env)
+
+    def _scan_response(self, response: Any) -> Any:
+        env = current_environment()
+        response_text = extract_anthropic_response_text(response)
+        blocked, _ = handle_response_dlp(
+            self._parent._dlp,
+            self._vault,
+            self._passport,
+            env,
+            response_text,
+            response,
+            resource="anthropic-api",
+        )
+        return blocked
+
+
+class IrisMessagesResource(_GovernedMessagesBase):
+    def create(self, **kwargs: Any) -> Any:
+        self._govern_kwargs(kwargs)
+        response = self._messages.create(**kwargs)
+        return self._scan_response(response)
+
+    def stream(self, **kwargs: Any) -> Any:
+        self._govern_kwargs(kwargs)
+        return self._messages.stream(**kwargs)
+
+
+class IrisMessagesResourceAsync(_GovernedMessagesBase):
+    async def create(self, **kwargs: Any) -> Any:
+        self._govern_kwargs(kwargs)
+        response = await self._messages.create(**kwargs)
+        return self._scan_response(response)
+
+    async def stream(self, **kwargs: Any) -> Any:
+        self._govern_kwargs(kwargs)
+        return await self._messages.stream(**kwargs)
+
+
+class IrisAnthropic(_IrisAnthropicClientBase):
+    """
+    Drop-in replacement for anthropic.Anthropic() with IRIS governance.
+
+    Pass an AgentPassport and the same kwargs you would give Anthropic().
+    All attributes not defined here are proxied to the underlying client.
+    """
+
+    def __init__(
+        self,
+        passport: AgentPassport,
+        user_email: Optional[str] = None,
+        user_role: Optional[str] = None,
+        **anthropic_kwargs: Any,
+    ):
+        from iris_core.dev_trust import print_dev_trust_message
+
+        print_dev_trust_message()
+        anthropic = _lazy_anthropic()
+        self._passport = passport
+        self._user_email = user_email
+        self._user_role = user_role
+        self._engine = CedarEngine()
+        self._vault = EvidenceVault(agent_id=passport.agent_id)
+        self._dlp = DLPScanner(passport)
+        load_passport_policy(self._engine, passport)
+        self._client = anthropic.Anthropic(**anthropic_kwargs)
+        self._messages_resource = IrisMessagesResource(self, self._client.messages)
+
+    @property
+    def messages(self) -> IrisMessagesResource:
+        return self._messages_resource
+
+    def __getattr__(self, name: str) -> Any:
+        return getattr(self._client, name)
+
+
+class IrisAnthropicAsync(_IrisAnthropicClientBase):
+    """Async drop-in replacement for anthropic.AsyncAnthropic()."""
+
+    def __init__(
+        self,
+        passport: AgentPassport,
+        user_email: Optional[str] = None,
+        user_role: Optional[str] = None,
+        **anthropic_kwargs: Any,
+    ):
+        anthropic = _lazy_anthropic()
+        self._passport = passport
+        self._user_email = user_email
+        self._user_role = user_role
+        self._engine = CedarEngine()
+        self._vault = EvidenceVault(agent_id=passport.agent_id)
+        self._dlp = DLPScanner(passport)
+        load_passport_policy(self._engine, passport)
+        self._client = anthropic.AsyncAnthropic(**anthropic_kwargs)
+        self._messages_resource = IrisMessagesResourceAsync(self, self._client.messages)
+
+    @property
+    def messages(self) -> IrisMessagesResourceAsync:
+        return self._messages_resource
+
+    def __getattr__(self, name: str) -> Any:
+        return getattr(self._client, name)

iris_security_anthropic-0.1.0/iris_anthropic/guardrails.py

@@ -0,0 +1,101 @@
+"""Prompt guardrails for Anthropic API calls — scan-only, non-blocking."""
+
+from __future__ import annotations
+
+import re
+from typing import List
+
+from iris_core.models.passport import AgentPassport, DataClassification
+from iris_core.models.policy import Severity, Violation
+
+_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
+_CREDIT_CARD = re.compile(r"\b(?:\d{4}[-\s]?){3}\d{4}\b")
+_DOB = re.compile(
+    r"\b(?:0[1-9]|1[0-2])[/-](?:0[1-9]|[12]\d|3[01])[/-](?:19|20)\d{2}\b"
+)
+_CROSS_REGION = re.compile(r"cn-north|china|beijing", re.IGNORECASE)
+_HIGH_RISK_DOMAIN = re.compile(r"\b(loan|diagnosis|hiring)\b", re.IGNORECASE)
+
+
+def check_prompt_for_violations(prompt: str, passport: AgentPassport) -> List[Violation]:
+    """
+    Scan prompt text for policy-relevant patterns.
+
+    Returns violations without blocking — the caller merges them into evaluation.
+    """
+    if not prompt:
+        return []
+
+    violations: List[Violation] = []
+
+    if _SSN.search(prompt) or _CREDIT_CARD.search(prompt) or _DOB.search(prompt):
+        violations.append(
+            Violation(
+                rule_id="IRIS-DATA-001",
+                severity=Severity.HIGH,
+                message=(
+                    f"Prompt for agent '{passport.name}' may contain PII "
+                    f"(SSN, payment card, or date-of-birth pattern). "
+                    f"Passport data classification is '{passport.data_classification.value}'."
+                ),
+                compliance_refs=[
+                    "colorado-ai-act:impact-assessment",
+                    "gdpr:data-minimization",
+                ],
+                remediation=(
+                    "Remove sensitive identifiers from the prompt or update the agent "
+                    "passport data_classification to match the data being processed."
+                ),
+            )
+        )
+
+    if _CROSS_REGION.search(prompt):
+        violations.append(
+            Violation(
+                rule_id="IRIS-XR-001",
+                severity=Severity.CRITICAL,
+                message=(
+                    f"Prompt for agent '{passport.name}' references restricted "
+                    f"cross-region geography (China / cn-north)."
+                ),
+                compliance_refs=["china-pipl:cross-border-transfer"],
+                remediation=(
+                    "Remove cross-region references from the prompt or document an "
+                    "approved exception with your security engineer."
+                ),
+            )
+        )
+
+    if _HIGH_RISK_DOMAIN.search(prompt):
+        violations.append(
+            Violation(
+                rule_id="CO-004",
+                severity=Severity.HIGH,
+                message=(
+                    f"Prompt for agent '{passport.name}' references a high-risk "
+                    f"consequential domain (loan, diagnosis, or hiring). "
+                    f"Consumer opt-out and consent may be required under SB 24-205."
+                ),
+                compliance_refs=["colorado-ai-act:sb-24-205:consumer-opt-out"],
+                remediation=(
+                    "Set user_consent_logged=True in policy context for consequential "
+                    "actions, or run 'iris compliance assess --agent "
+                    f"{passport.agent_id} --framework colorado-ai-act'."
+                ),
+            )
+        )
+
+    return violations
+
+
+def prompt_suggests_pii(prompt: str) -> bool:
+    """Whether guardrails detected PII patterns (used to elevate data_classification)."""
+    if not prompt:
+        return False
+    return bool(_SSN.search(prompt) or _CREDIT_CARD.search(prompt) or _DOB.search(prompt))
+
+
+def effective_data_classification(prompt: str, passport: AgentPassport) -> str:
+    if prompt_suggests_pii(prompt):
+        return DataClassification.PII.value
+    return passport.data_classification.value

iris_security_anthropic-0.1.0/iris_security_anthropic.egg-info/PKG-INFO

@@ -0,0 +1,50 @@
+Metadata-Version: 2.4
+Name: iris-security-anthropic
+Version: 0.1.0
+Summary: IRIS governance for Anthropic Claude — Cedar policy on every API call
+Author-email: IRIS Platform <sdk@iris.ai>
+License: Apache-2.0
+Project-URL: Homepage, https://github.com/gimartinb/iris-sdk
+Project-URL: Repository, https://github.com/gimartinb/iris-sdk
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: iris-security-core>=0.1.0
+Requires-Dist: iris-security-sdk>=0.1.0
+Provides-Extra: anthropic
+Requires-Dist: anthropic>=0.25; extra == "anthropic"
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+Requires-Dist: pytest-asyncio>=0.23; extra == "dev"
+Requires-Dist: ruff>=0.4; extra == "dev"
+
+# iris-anthropic
+
+Drop-in IRIS governance for the [Anthropic Python SDK](https://github.com/anthropics/anthropic-sdk-python).
+
+Replace one line:
+
+```python
+# client = anthropic.Anthropic()
+client = IrisAnthropic(passport=passport)
+```
+
+Every `client.messages.create()` and `client.messages.stream()` call is evaluated against Cedar policy, recorded in the Evidence Vault, and enforced per `IRIS_ENV` (warn in dev, block in production).
+
+## Install
+
+```bash
+pip install iris-anthropic
+```
+
+## Quickstart
+
+See [examples/governed_claude.py](examples/governed_claude.py).
+
+## Environment
+
+| `IRIS_ENV`   | Behavior                                      |
+|-------------|-----------------------------------------------|
+| `dev`       | Fail open — warnings to stderr, never block   |
+| `production`| Fail closed — `IrisViolationError` on deny    |
+
+Defaults to `dev` when unset.

iris_security_anthropic-0.1.0/iris_security_anthropic.egg-info/SOURCES.txt

@@ -0,0 +1,14 @@
+README.md
+pyproject.toml
+examples/governed_claude.py
+iris_anthropic/__init__.py
+iris_anthropic/_governance.py
+iris_anthropic/client.py
+iris_anthropic/guardrails.py
+iris_security_anthropic.egg-info/PKG-INFO
+iris_security_anthropic.egg-info/SOURCES.txt
+iris_security_anthropic.egg-info/dependency_links.txt
+iris_security_anthropic.egg-info/requires.txt
+iris_security_anthropic.egg-info/top_level.txt
+tests/conftest.py
+tests/test_anthropic_integration.py

iris_security_anthropic-0.1.0/iris_security_anthropic.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

iris_security_anthropic-0.1.0/iris_security_anthropic.egg-info/requires.txt

@@ -0,0 +1,10 @@
+iris-security-core>=0.1.0
+iris-security-sdk>=0.1.0
+
+[anthropic]
+anthropic>=0.25
+
+[dev]
+pytest>=8.0
+pytest-asyncio>=0.23
+ruff>=0.4

iris_security_anthropic-0.1.0/iris_security_anthropic.egg-info/top_level.txt

@@ -0,0 +1,4 @@
+dist
+examples
+iris_anthropic
+tests

iris_security_anthropic-0.1.0/pyproject.toml

@@ -0,0 +1,39 @@
+[build-system]
+requires = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "iris-security-anthropic"
+version = "0.1.0"
+description = "IRIS governance for Anthropic Claude — Cedar policy on every API call"
+readme = "README.md"
+license = { text = "Apache-2.0" }
+requires-python = ">=3.10"
+authors = [{ name = "IRIS Platform", email = "sdk@iris.ai" }]
+dependencies = [
+  "iris-security-core>=0.1.0",
+  "iris-security-sdk>=0.1.0",
+]
+
+[project.optional-dependencies]
+anthropic = ["anthropic>=0.25"]
+dev = [
+  "pytest>=8.0",
+  "pytest-asyncio>=0.23",
+  "ruff>=0.4",
+]
+
+[project.urls]
+Homepage = "https://github.com/gimartinb/iris-sdk"
+Repository = "https://github.com/gimartinb/iris-sdk"
+
+[tool.setuptools.packages.find]
+where = ["."]
+
+[tool.ruff]
+line-length = 100
+target-version = "py310"
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+asyncio_mode = "auto"

iris_security_anthropic-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

iris_security_anthropic-0.1.0/tests/conftest.py

@@ -0,0 +1,11 @@
+"""Test fixtures — isolate Evidence Vault from the developer home directory."""
+
+from __future__ import annotations
+
+import pytest
+
+
+@pytest.fixture(autouse=True)
+def iris_home_tmp(monkeypatch, tmp_path):
+    """Write ~/.iris evidence under pytest tmp_path."""
+    monkeypatch.setenv("HOME", str(tmp_path))

iris_security_anthropic-0.1.0/tests/test_anthropic_integration.py

@@ -0,0 +1,262 @@
+"""
+Integration tests for iris-anthropic — mocked Anthropic API, no network calls.
+"""
+
+from __future__ import annotations
+
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+from iris import IrisViolationError
+from iris_core.engine.cedar import CedarEngine
+from iris_core.evidence.vault import EvidenceVault
+from iris_core.models.passport import (
+    AgentPassport,
+    ComplianceTag,
+    DataClassification,
+    Environment,
+)
+from iris_anthropic import IrisAnthropic, check_prompt_for_violations
+from iris_anthropic.guardrails import prompt_suggests_pii
+
+
+@pytest.fixture
+def compliant_passport():
+    return AgentPassport(
+        name="support-agent",
+        owner="team@company.com",
+        data_classification=DataClassification.INTERNAL,
+        compliance_tags=[ComplianceTag.COLORADO_AI_ACT],
+        environments=[Environment.DEV, Environment.PRODUCTION],
+        is_high_risk_ai=True,
+        evidence_vault_id="vault-abc",
+        intent_ref="governance/agents/support-agent/policy-intent.md",
+    )
+
+
+@pytest.fixture
+def high_risk_incomplete_passport():
+    return AgentPassport(
+        name="loan-agent",
+        owner="gmoney@gmail.com",
+        compliance_tags=[ComplianceTag.COLORADO_AI_ACT],
+        environments=[Environment.DEV, Environment.PRODUCTION],
+        is_high_risk_ai=True,
+        evidence_vault_id=None,
+        intent_ref=None,
+    )
+
+
+def _mock_anthropic_module():
+    mock_module = MagicMock()
+    mock_response = MagicMock()
+    mock_response.content = [MagicMock(text="Hello from Claude")]
+    mock_client = MagicMock()
+    mock_client.messages.create.return_value = mock_response
+    mock_client.messages.stream.return_value = iter([mock_response])
+    mock_module.Anthropic.return_value = mock_client
+    return mock_module, mock_client
+
+
+class TestIrisAnthropicClient:
+    def test_client_permits_allowed_call(self, compliant_passport, tmp_path, monkeypatch):
+        monkeypatch.setenv("IRIS_ENV", "dev")
+        mock_module, mock_client = _mock_anthropic_module()
+        engine = CedarEngine()
+        engine.load_policy(compliant_passport.agent_id, "permit(principal, action, resource);")
+        vault = EvidenceVault(agent_id=compliant_passport.agent_id, vault_dir=tmp_path)
+
+        with patch.dict("sys.modules", {"anthropic": mock_module}):
+            client = IrisAnthropic(passport=compliant_passport)
+            client._engine = engine
+            client._vault = vault
+
+            result = client.messages.create(
+                model="claude-sonnet-4-6",
+                max_tokens=1024,
+                messages=[{"role": "user", "content": "Help this customer."}],
+            )
+
+        assert result.content[0].text == "Hello from Claude"
+        mock_client.messages.create.assert_called_once()
+        events = vault.get_events()
+        assert len(events) == 1
+        assert events[0]["decision"] in ("PERMIT", "PERMIT_WITH_WARNINGS")
+
+    def test_client_blocks_denied_call_in_production(
+        self, high_risk_incomplete_passport, tmp_path, monkeypatch
+    ):
+        monkeypatch.setenv("IRIS_ENV", "production")
+        mock_module, _ = _mock_anthropic_module()
+        engine = CedarEngine()
+        engine.load_policy(
+            high_risk_incomplete_passport.agent_id,
+            "permit(principal, action, resource);",
+        )
+        vault = EvidenceVault(
+            agent_id=high_risk_incomplete_passport.agent_id, vault_dir=tmp_path
+        )
+
+        with patch.dict("sys.modules", {"anthropic": mock_module}):
+            client = IrisAnthropic(passport=high_risk_incomplete_passport)
+            client._engine = engine
+            client._vault = vault
+
+            with pytest.raises(IrisViolationError) as exc_info:
+                client.messages.create(
+                    model="claude-sonnet-4-6",
+                    max_tokens=1024,
+                    messages=[{"role": "user", "content": "Help this customer."}],
+                )
+
+        assert exc_info.value.result.decision == "DENY"
+        assert any(v.rule_id == "CO-001" for v in exc_info.value.result.violations)
+        mock_module.Anthropic.return_value.messages.create.assert_not_called()
+
+    def test_client_warns_in_dev_environment(
+        self, high_risk_incomplete_passport, tmp_path, monkeypatch, capsys
+    ):
+        monkeypatch.setenv("IRIS_ENV", "dev")
+        mock_module, mock_client = _mock_anthropic_module()
+        engine = CedarEngine()
+        engine.load_policy(
+            high_risk_incomplete_passport.agent_id,
+            "permit(principal, action, resource);",
+        )
+        vault = EvidenceVault(
+            agent_id=high_risk_incomplete_passport.agent_id, vault_dir=tmp_path
+        )
+
+        with patch.dict("sys.modules", {"anthropic": mock_module}):
+            client = IrisAnthropic(passport=high_risk_incomplete_passport)
+            client._engine = engine
+            client._vault = vault
+
+            client.messages.create(
+                model="claude-sonnet-4-6",
+                max_tokens=1024,
+                messages=[{"role": "user", "content": "Help this customer."}],
+            )
+
+        mock_client.messages.create.assert_called_once()
+        captured = capsys.readouterr()
+        assert "[IRIS WARNING]" in captured.err
+        events = vault.get_events()
+        assert events[0]["decision"] == "DENY"
+
+    def test_streaming_intercept(self, compliant_passport, tmp_path, monkeypatch):
+        monkeypatch.setenv("IRIS_ENV", "dev")
+        mock_module, mock_client = _mock_anthropic_module()
+        engine = CedarEngine()
+        engine.load_policy(compliant_passport.agent_id, "permit(principal, action, resource);")
+        vault = EvidenceVault(agent_id=compliant_passport.agent_id, vault_dir=tmp_path)
+
+        with patch.dict("sys.modules", {"anthropic": mock_module}):
+            client = IrisAnthropic(passport=compliant_passport)
+            client._engine = engine
+            client._vault = vault
+
+            stream = client.messages.stream(
+                model="claude-sonnet-4-6",
+                max_tokens=256,
+                messages=[{"role": "user", "content": "Stream a short reply."}],
+            )
+            list(stream)
+
+        mock_client.messages.stream.assert_called_once()
+        assert len(vault.get_events()) == 1
+
+    def test_evidence_vault_records_every_call(self, compliant_passport, tmp_path, monkeypatch):
+        monkeypatch.setenv("IRIS_ENV", "dev")
+        mock_module, _ = _mock_anthropic_module()
+        engine = CedarEngine()
+        engine.load_policy(compliant_passport.agent_id, "permit(principal, action, resource);")
+        vault = EvidenceVault(agent_id=compliant_passport.agent_id, vault_dir=tmp_path)
+
+        with patch.dict("sys.modules", {"anthropic": mock_module}):
+            client = IrisAnthropic(passport=compliant_passport)
+            client._engine = engine
+            client._vault = vault
+
+            client.messages.create(
+                model="claude-sonnet-4-6",
+                max_tokens=100,
+                messages=[{"role": "user", "content": "First call"}],
+            )
+            client.messages.create(
+                model="claude-sonnet-4-6",
+                max_tokens=100,
+                messages=[{"role": "user", "content": "Second call"}],
+            )
+
+        events = vault.get_events()
+        assert len(events) == 2
+        assert all(e["action"] == "call" for e in events)
+        assert all(e["resource"] == "anthropic-api" for e in events)
+
+    def test_drop_in_replacement_api_compatibility(self, compliant_passport, monkeypatch):
+        monkeypatch.setenv("IRIS_ENV", "dev")
+        mock_module, mock_client = _mock_anthropic_module()
+        mock_client.api_key = "sk-test-key"
+        mock_client.base_url = "https://api.anthropic.com"
+
+        with patch.dict("sys.modules", {"anthropic": mock_module}):
+            client = IrisAnthropic(passport=compliant_passport, api_key="sk-test-key")
+
+        assert client.api_key == "sk-test-key"
+        assert client.base_url == "https://api.anthropic.com"
+        mock_module.Anthropic.assert_called_once_with(api_key="sk-test-key")
+
+
+class TestPromptGuardrails:
+    def test_pii_pattern_detection_in_prompt(self, compliant_passport):
+        violations = check_prompt_for_violations(
+            "Customer SSN is 123-45-6789 for verification.",
+            compliant_passport,
+        )
+        assert any(v.rule_id == "IRIS-DATA-001" for v in violations)
+        assert prompt_suggests_pii("123-45-6789")
+
+    def test_cross_region_pattern_in_prompt(self, compliant_passport):
+        violations = check_prompt_for_violations(
+            "Deploy model to cn-north-1 region.",
+            compliant_passport,
+        )
+        assert any(v.rule_id == "IRIS-XR-001" for v in violations)
+
+    def test_high_risk_domain_keyword(self, compliant_passport):
+        violations = check_prompt_for_violations(
+            "Review this loan application for approval.",
+            compliant_passport,
+        )
+        assert any(v.rule_id == "CO-004" for v in violations)
+
+    def test_production_blocks_cross_region_prompt(
+        self, compliant_passport, tmp_path, monkeypatch
+    ):
+        monkeypatch.setenv("IRIS_ENV", "production")
+        mock_module, mock_client = _mock_anthropic_module()
+        engine = CedarEngine()
+        engine.load_policy(compliant_passport.agent_id, "permit(principal, action, resource);")
+        vault = EvidenceVault(agent_id=compliant_passport.agent_id, vault_dir=tmp_path)
+
+        with patch.dict("sys.modules", {"anthropic": mock_module}):
+            client = IrisAnthropic(passport=compliant_passport)
+            client._engine = engine
+            client._vault = vault
+
+            with pytest.raises(IrisViolationError) as exc_info:
+                client.messages.create(
+                    model="claude-sonnet-4-6",
+                    max_tokens=100,
+                    messages=[
+                        {
+                            "role": "user",
+                            "content": "Send data to beijing data center.",
+                        }
+                    ],
+                )
+
+        assert any(v.rule_id == "IRIS-XR-001" for v in exc_info.value.result.violations)
+        mock_client.messages.create.assert_not_called()