iris-security-cli 0.1.0__py3-none-any.whl

iris_cli/main.py

@@ -0,0 +1,542 @@
+"""
+IRIS CLI — the developer's command-line interface for agent governance.
+
+Commands:
+  iris scan                    — scan governance directory for policy violations
+  iris policy generate         — generate Cedar policy from intent file
+  iris policy compile          — compile natural language to Cedar
+  iris policy diff             — preview Cedar changes offline (no API cost)
+  iris policy check            — validate policy against compliance framework
+  iris register                — register a new agent (creates passport.yaml)
+  iris compliance check        — run compliance check against a framework
+  iris compliance report       — generate a compliance report (PDF/markdown)
+
+This CLI is the traction instrument. Every 'iris scan' or 'iris policy check'
+is a weekly active developer event.
+"""
+
+import click
+import sys
+from pathlib import Path
+from rich.console import Console
+from rich.panel import Panel
+
+console = Console()
+
+
+@click.group()
+@click.version_option(version="0.1.0", prog_name="iris")
+def cli():
+    """
+    IRIS — AI Agent Governance Platform
+
+    Discover, register, and govern AI agents locally.
+    Colorado AI Act compliant out of the box.
+
+    Docs: https://docs.iris.ai
+    """
+    pass
+
+
+# ── iris scan ─────────────────────────────────────────────────────────────────
+
+@cli.command()
+@click.option("--dir", "scan_dir", type=Path, default=Path.cwd(), help="Directory to scan")
+@click.option("--framework", "-f", default=None, help="Compliance framework (e.g. colorado-ai-act)")
+@click.option("--format", "output_format", default="table", type=click.Choice(["table", "json", "markdown"]))
+@click.option("--fail-on", default="critical", type=click.Choice(["critical", "high", "any"]))
+@click.option(
+    "--discover",
+    is_flag=True,
+    help="Scan Python/TypeScript source files for ungoverned AI agent patterns",
+)
+@click.option(
+    "--auto-register",
+    is_flag=True,
+    help="Write passport.yaml drafts for each ungoverned finding (does not register)",
+)
+def scan(scan_dir: Path, framework: str, output_format: str, fail_on: str, discover: bool, auto_register: bool):
+    """
+    Scan governance directory for policy violations.
+
+    Finds all passport.yaml files and checks them against the
+    configured compliance frameworks. Exits with code 1 if violations
+    above the --fail-on threshold are found (for CI integration).
+
+    With --discover, also crawls Python and TypeScript files for ungoverned
+    LLM/agent patterns (LangChain, OpenAI, Anthropic, CrewAI, etc.).
+
+    Examples:
+      iris scan
+      iris scan --framework colorado-ai-act
+      iris scan --discover
+      iris scan --discover --auto-register
+      iris scan --format json | jq '.violations[]'
+    """
+    from iris import iris_scan
+    from iris_core.models.policy import Severity
+
+    if discover:
+        from iris_core.discovery.scanner import CodebaseScanner
+        from iris_core.models.passport import AgentPassport, ComplianceTag, DataClassification
+        from iris_cli.scan_report import render_discover_scan
+
+        scanner = CodebaseScanner()
+        discover_result = scanner.scan_directory(scan_dir)
+        drafts_written = []
+
+        if auto_register:
+            gov_root = scan_dir / "governance" / "agents"
+            for finding in discover_result.ungoverned_findings:
+                agent_dir = gov_root / finding.agent_name_hint
+                passport_path = agent_dir / "passport.yaml"
+                if passport_path.exists():
+                    continue
+                agent_dir.mkdir(parents=True, exist_ok=True)
+                draft = AgentPassport(
+                    name=finding.agent_name_hint,
+                    owner="CHANGE_ME@company.com",
+                    team="CHANGE_ME",
+                    compliance_tags=[ComplianceTag.COLORADO_AI_ACT],
+                    data_classification=DataClassification.INTERNAL,
+                    is_high_risk_ai="--high-risk" in finding.suggested_command,
+                    description=(
+                        f"Auto-drafted from ungoverned scan finding in "
+                        f"{finding.file_path}:{finding.line_number}"
+                    ),
+                )
+                passport_path.write_text(draft.to_yaml())
+                drafts_written.append(passport_path)
+
+        if output_format == "json":
+            import json
+
+            payload = {
+                "scan_timestamp": discover_result.scan_timestamp,
+                "files_scanned": discover_result.files_scanned,
+                "lines_scanned": discover_result.lines_scanned,
+                "governed_agents": [p.name for p in discover_result.governed_agents],
+                "ungoverned_findings": [
+                    {
+                        "file_path": f.file_path,
+                        "line_number": f.line_number,
+                        "pattern_matched": f.pattern_matched,
+                        "framework_detected": f.framework_detected,
+                        "agent_name_hint": f.agent_name_hint,
+                        "suggested_command": f.suggested_command,
+                        "risk_level": f.risk_level,
+                        "risk_reason": f.risk_reason,
+                    }
+                    for f in discover_result.ungoverned_findings
+                ],
+                "shadow_agents": [
+                    {
+                        "resource_path": s.resource_path,
+                        "resource_name": s.resource_name,
+                        "namespace": s.namespace,
+                        "reason": s.reason,
+                    }
+                    for s in discover_result.shadow_agents
+                ],
+            }
+            click.echo(json.dumps(payload, indent=2))
+        else:
+            render_discover_scan(
+                console,
+                discover_result,
+                scan_dir,
+                framework=framework,
+                auto_register=auto_register,
+                drafts_written=drafts_written,
+            )
+
+        if discover_result.ungoverned_findings:
+            sys.exit(1)
+        sys.exit(0)
+
+    console.print(Panel(
+        f"[bold]IRIS Governance Scan[/bold]\n"
+        f"Directory: {scan_dir}\n"
+        f"Framework: {framework or 'all active bundles'}",
+        style="blue"
+    ))
+
+    violations = iris_scan(directory=scan_dir, framework=framework)
+
+    if not violations:
+        console.print("\n[bold green]✓ All agents passed compliance check[/bold green]")
+        sys.exit(0)
+
+    if output_format == "table":
+        from iris_cli.scan_report import render_violations_table
+
+        render_violations_table(console, violations)
+
+    elif output_format == "json":
+        import json
+        output = [{"rule_id": v.rule_id, "severity": v.severity.value, "message": v.message, "remediation": v.remediation, "compliance_refs": v.compliance_refs} for v in violations]
+        click.echo(json.dumps(output, indent=2))
+
+    threshold_map = {"critical": Severity.CRITICAL, "high": Severity.HIGH, "any": Severity.LOW}
+    threshold = threshold_map[fail_on]
+    blocking = [v for v in violations if v.severity.value >= threshold.value]
+    if blocking:
+        sys.exit(1)
+
+
+# ── iris register ──────────────────────────────────────────────────────────────
+
+@cli.command()
+@click.option("--name", prompt="Agent name", help="Agent identifier (kebab-case)")
+@click.option("--owner", prompt="Owner email", help="Owner email address")
+@click.option("--team", prompt="Team name", help="Team or squad name")
+@click.option("--env", multiple=True, default=["dev"], help="Environments (repeatable)")
+@click.option("--high-risk", is_flag=True, default=False, help="Flag as high-risk AI (Colorado AI Act)")
+@click.option("--compliance", "-c", multiple=True, help="Compliance frameworks to tag")
+@click.option("--dir", "output_dir", type=Path, default=None)
+def register(name, owner, team, env, high_risk, compliance, output_dir):
+    """
+    Register a new agent — creates passport.yaml in the governance directory.
+
+    Creates the full GitOps governance structure for a new agent:
+      governance/agents/<name>/passport.yaml
+      governance/agents/<name>/policy-intent.md  (template)
+
+    Example:
+      iris register --name payment-agent --owner alice@co.com --team platform
+    """
+    from iris import IrisAgent, DataClassification, ComplianceTag
+
+    compliance_list = list(compliance) or ["colorado-ai-act"]
+    output = output_dir or (Path.cwd() / "governance" / "agents" / name)
+    output.mkdir(parents=True, exist_ok=True)
+
+    agent = IrisAgent(
+        name=name,
+        owner=owner,
+        team=team,
+        compliance=compliance_list,
+        environments=list(env),
+        is_high_risk_ai=high_risk,
+        policy_dir=output,
+    )
+
+    # Write passport
+    (output / "passport.yaml").write_text(agent.passport.to_yaml())
+
+    # Write intent template
+    intent_template = f"""# Policy Intent — {name}
+
+> Edit this file to describe what your agent is allowed to do.
+> Then run: iris policy compile --agent {name}
+
+## What this agent does
+[Describe the agent's purpose here]
+
+## What it is allowed to access
+[List the tools, APIs, and data sources this agent needs]
+
+## What it must never do
+[List explicit prohibitions]
+
+## Compliance notes
+[Any compliance-specific context]
+"""
+    (output / "policy-intent.md").write_text(intent_template)
+
+    console.print(Panel(
+        f"[bold green]✓ Agent registered[/bold green]\n\n"
+        f"Name: [cyan]{name}[/cyan]\n"
+        f"Passport: {output / 'passport.yaml'}\n"
+        f"Intent template: {output / 'policy-intent.md'}\n\n"
+        f"Next step: Edit [bold]{output / 'policy-intent.md'}[/bold]\n"
+        f"Then run:  [bold]iris policy compile --agent {name}[/bold]",
+        style="green"
+    ))
+
+
+# ── iris policy ────────────────────────────────────────────────────────────────
+
+@cli.group()
+def policy():
+    """Policy management commands."""
+    pass
+
+
+@policy.command("compile")
+@click.option("--agent", required=True, help="Agent name")
+@click.option("--intent", type=Path, default=None, help="Path to policy-intent.md")
+@click.option("--dir", "governance_dir", type=Path, default=None)
+@click.option("--dry-run", is_flag=True, help="Show generated Cedar without writing to disk")
+def policy_compile(agent, intent, governance_dir, dry_run):
+    """
+    Compile a natural language policy-intent.md to Cedar.
+
+    Reads the policy-intent.md for the agent, sends it to the IRIS
+    policy compiler (your LLM — see ~/.iris/config.yaml), validates
+    against compliance bundles, and writes the generated Cedar.
+
+    Always caches policy-draft.cedar for offline `iris policy diff`.
+
+    Requires your API key: ANTHROPIC_API_KEY or OPENAI_API_KEY.
+
+    Example:
+      iris policy compile --agent payment-agent
+      iris policy compile --agent payment-agent --dry-run
+    """
+    from pathlib import Path
+
+    from iris_core.models.passport import AgentPassport
+
+    from iris_cli.compiler_config import compiler_info, create_policy_compiler
+    from iris_cli.policy_cache import save_policy_draft
+
+    gov_dir = governance_dir or Path.cwd() / "governance" / "agents" / agent
+    passport_file = gov_dir / "passport.yaml"
+    intent_file = intent or gov_dir / "policy-intent.md"
+
+    if not passport_file.exists():
+        console.print(f"[red]Passport not found: {passport_file}[/red]")
+        console.print(f"Run: iris register --name {agent}")
+        sys.exit(1)
+
+    if not intent_file.exists():
+        console.print(f"[red]Intent file not found: {intent_file}[/red]")
+        sys.exit(1)
+
+    passport = AgentPassport.from_yaml(passport_file.read_text())
+    intent_text = intent_file.read_text()
+
+    with console.status(f"[bold blue]Compiling policy for {agent}...[/bold blue]"):
+        compiler = create_policy_compiler()
+        result = compiler.compile(intent_text, passport)
+
+    if result.has_blocking_violations():
+        console.print("\n[bold red]Policy compilation blocked[/bold red]")
+        for v in result.violations:
+            console.print(f"\n[red]✗ {v.rule_id}[/red]: {v.message}")
+            console.print(f"  [yellow]Remediation:[/yellow] {v.remediation}")
+        console.print("\n[yellow]Contact your security engineer to resolve these violations.[/yellow]")
+        sys.exit(1)
+
+    backend, model = compiler_info(compiler)
+    draft_path = save_policy_draft(
+        gov_dir, intent_text, result.cedar_policy, backend, model
+    )
+
+    if dry_run:
+        console.print("\n[bold]Generated Cedar policy (dry run):[/bold]")
+        console.print(result.cedar_policy)
+        console.print(f"\n[dim]Draft cached: {draft_path}[/dim]")
+        console.print(f"[dim]Run: iris policy diff --agent {agent}[/dim]")
+    else:
+        (gov_dir / "policy.cedar").write_text(result.cedar_policy)
+        console.print(f"[bold green]✓ Policy compiled: {gov_dir / 'policy.cedar'}[/bold green]")
+        console.print(f"[dim]Draft cached: {draft_path}[/dim]")
+
+    if result.warnings:
+        for w in result.warnings:
+            console.print(f"[yellow]Warning:[/yellow] {w}")
+
+
+from iris_cli.policy_diff import policy_diff
+policy.add_command(policy_diff)
+
+
+# ── iris license ───────────────────────────────────────────────────────────────
+
+@cli.group()
+def license():
+    """IRIS Pro license management."""
+    pass
+
+
+@license.command("activate")
+@click.argument("key")
+def license_activate(key: str):
+    """
+    Activate an IRIS Pro license key.
+
+    Validates the key format and saves it to ~/.iris/license.key.
+    You can also set IRIS_LICENSE_KEY in your environment.
+
+    Example:
+      iris license activate IRIS-XXXX-XXXX-XXXX-XXXX
+    """
+    from iris_core.compliance.license import (
+        IrisLicense,
+        validate_license_key_format,
+        write_license_key,
+    )
+
+    key = key.strip()
+    if not validate_license_key_format(key):
+        console.print(
+            "[red]Invalid license key format.[/red]\n"
+            "Expected: IRIS-XXXX-XXXX-XXXX-XXXX (uppercase letters and digits)\n"
+            "Get a license: https://iris.ai/pricing"
+        )
+        sys.exit(1)
+
+    path = write_license_key(key)
+    result = IrisLicense().check("gdpr")
+    expiry = result.expires_at or "—"
+    console.print(
+        Panel(
+            f"[bold green]✓ License activated[/bold green]\n\n"
+            f"Tier: [cyan]{result.tier}[/cyan]\n"
+            f"Expires: {expiry}\n"
+            f"Saved to: {path}\n\n"
+            f"Pro bundles unlocked: gdpr, hipaa, soc2",
+            style="green",
+        )
+    )
+
+
+@license.command("status")
+def license_status():
+    """
+    Show current license status and available compliance bundles.
+
+    Example:
+      iris license status
+    """
+    from iris_core.compliance.license import (
+        FREE_BUNDLES,
+        PAID_BUNDLES,
+        IrisLicense,
+        _read_license_key,
+    )
+
+    key = _read_license_key()
+    result = IrisLicense().check("gdpr")
+    if result.valid:
+        status_line = f"[bold green]Active[/bold green] — tier [cyan]{result.tier}[/cyan]"
+        if result.expires_at:
+            status_line += f", expires {result.expires_at}"
+        key_display = f"{key[:9]}…{key[-4:]}" if key and len(key) > 16 else (key or "—")
+    elif result.reason == "no_key":
+        status_line = "[yellow]No license key[/yellow] — free bundles only"
+        key_display = "—"
+    else:
+        status_line = f"[red]Invalid license[/red] ({result.reason})"
+        key_display = "—"
+
+    free_list = ", ".join(sorted(FREE_BUNDLES))
+    paid_list = ", ".join(sorted(PAID_BUNDLES))
+    paid_status = (
+        "[green]available[/green]"
+        if result.valid
+        else "[dim]requires Pro license[/dim]"
+    )
+
+    console.print(
+        Panel(
+            f"{status_line}\n"
+            f"Key: {key_display}\n\n"
+            f"[bold]Free bundles:[/bold] {free_list}\n"
+            f"[bold]Pro bundles:[/bold]  {paid_list} ({paid_status})",
+            title="IRIS License",
+            style="blue",
+        )
+    )
+
+
+# ── iris compliance ────────────────────────────────────────────────────────────
+
+@cli.group()
+def compliance():
+    """Compliance checking and reporting commands."""
+    pass
+
+# Wire in the assess command
+from iris_cli.assess import compliance_assess
+compliance.add_command(compliance_assess)
+
+# Wire in evidence commands
+from iris_cli.evidence import evidence
+cli.add_command(evidence)
+
+
+@compliance.command("check")
+@click.option("--agent", default=None, help="Specific agent to check (or all)")
+@click.option("--framework", "-f", default="colorado-ai-act")
+@click.option("--dir", "governance_dir", type=Path, default=None)
+def compliance_check(agent, framework, governance_dir):
+    """
+    Check an agent against a compliance framework.
+
+    Shows a detailed breakdown of which rules pass and fail,
+    with plain-English remediation guidance for each failure.
+
+    Example:
+      iris compliance check --framework colorado-ai-act
+      iris compliance check --agent payment-agent --framework hipaa
+    """
+    from iris_core.compliance.registry import ComplianceRegistry
+    from iris import AgentPassport
+
+    gov_dir = governance_dir or Path.cwd() / "governance" / "agents"
+    registry = ComplianceRegistry()
+
+    passports_to_check = []
+    if agent:
+        passport_file = gov_dir / agent / "passport.yaml"
+        if passport_file.exists():
+            passports_to_check.append(AgentPassport.from_yaml(passport_file.read_text()))
+    else:
+        for f in gov_dir.rglob("passport.yaml"):
+            try:
+                passports_to_check.append(AgentPassport.from_yaml(f.read_text()))
+            except Exception:
+                pass
+
+    if not passports_to_check:
+        console.print("[yellow]No agent passports found.[/yellow]")
+        sys.exit(0)
+
+    all_pass = True
+    for passport in passports_to_check:
+        violations = registry.check_passport(passport, framework)
+        status = "[bold green]PASS[/bold green]" if not violations else "[bold red]FAIL[/bold red]"
+        console.print(f"\nAgent: [cyan]{passport.name}[/cyan] — {status}")
+
+        if violations:
+            all_pass = False
+            for v in violations:
+                console.print(f"  [red]✗[/red] [{v.rule_id}] {v.message}")
+                console.print(f"     [yellow]→[/yellow] {v.remediation}")
+        else:
+            console.print(f"  [green]✓[/green] All {framework} rules satisfied")
+
+        for note in registry.last_check_notes:
+            console.print(f"  [dim]ℹ {note}[/dim]")
+
+    sys.exit(0 if all_pass else 1)
+
+
+if __name__ == "__main__":
+    cli()
+
+
+@cli.group()
+def mcp():
+    """MCP server commands for Cursor IDE integration."""
+    pass
+
+
+@mcp.command("start")
+def mcp_start():
+    """
+    Start the IRIS MCP server for Cursor IDE.
+
+    Cursor connects to this server to get real-time compliance
+    feedback as you write agent code.
+
+    Example:
+      iris mcp start
+    """
+    from iris_cli.mcp_server import start
+    console.print("[bold blue]IRIS MCP server starting on stdio...[/bold blue]")
+    console.print("[dim]Cursor is now connected to IRIS governance.[/dim]")
+    start()