iris-security-cli 0.1.0__tar.gz → 0.1.1__tar.gz

{iris_security_cli-0.1.0 → iris_security_cli-0.1.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iris-security-cli
-Version: 0.1.0
+Version: 0.1.1
 Summary: IRIS CLI — iris scan, iris register, iris policy, iris compliance
 License: Apache-2.0
 Project-URL: Homepage, https://github.com/gimartinb/iris-sdk
@@ -16,10 +16,12 @@ Classifier: Programming Language :: Python :: 3.12
 Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 Requires-Dist: iris-security-core>=0.1.0
-Requires-Dist: iris-security-sdk>=0.1.0
+Requires-Dist: iris-security-sdk>=0.1.1
 Requires-Dist: click>=8.1
 Requires-Dist: rich>=13.0
 Requires-Dist: pyyaml>=6.0
+Provides-Extra: scm
+Requires-Dist: iris-security-scm[all]>=0.1.0; extra == "scm"
 
 # iris-security-cli
 

iris_security_cli-0.1.1/iris_cli/action_plan.py

@@ -0,0 +1,305 @@
+"""Opinionated compliance action plan and score calculation."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Any
+
+from iris_core.models.passport import AgentPassport
+
+
+@dataclass
+class Action:
+    priority: int
+    command: str
+    why: str
+    time_estimate: str
+    rule_id: str
+    urgency: str  # "before deployment" | "this month"
+
+
+@dataclass
+class ActionPlan:
+    immediate_actions: list[Action] = field(default_factory=list)
+    next_30_days: list[Action] = field(default_factory=list)
+    current_scores: dict[str, float] = field(default_factory=dict)
+    estimated_time_to_compliant: str = "about 2 weeks"
+    one_liner: str = ""
+
+
+def progress_bar(score: float, width: int = 10) -> str:
+    filled = int(round(score * width))
+    filled = max(0, min(width, filled))
+    return "█" * filled + "░" * (width - filled)
+
+
+def _gov_dir(agent_name: str, base: Path | None = None) -> Path:
+    root = base or Path.cwd() / "governance" / "agents"
+    return root / agent_name
+
+
+def colorado_controls_passed(passport: AgentPassport, agent_dir: Path) -> tuple[int, int]:
+    """Return (satisfied, total) for Colorado AI Act controls."""
+    checks = [
+        bool(passport.is_high_risk_ai and passport.agent_id),
+        bool(passport.evidence_vault_id),
+        bool(passport.intent_ref),
+        (agent_dir / "policy.cedar").exists(),
+        bool(passport.last_reviewed_at),
+        (agent_dir / "impact-assessment.md").exists(),
+    ]
+    return sum(1 for c in checks if c), 6
+
+
+def nist_controls_passed(passport: AgentPassport, agent_dir: Path) -> tuple[int, int]:
+    """NIST AI RMF — 0 until iris test is run; stub for advisor display."""
+    test_file = agent_dir / "nist-ai-rmf-results.json"
+    if test_file.exists():
+        return 24, 24
+    return 0, 24
+
+
+def compliance_score(passport: AgentPassport, agent_dir: Path, framework: str) -> float:
+    if framework == "colorado-ai-act":
+        satisfied, total = colorado_controls_passed(passport, agent_dir)
+        return satisfied / total if total else 0.0
+    if framework == "nist-ai-rmf":
+        satisfied, total = nist_controls_passed(passport, agent_dir)
+        return satisfied / total if total else 0.0
+    return 0.0
+
+
+def detect_one_liner(answers: dict[str, Any]) -> str:
+    q4 = answers.get("q4", "")
+    if "health" in str(q4).lower() or "medical" in str(q4).lower():
+        return (
+            "from iris_anthropic import IrisAnthropic\n"
+            "client = IrisAnthropic(passport=your_passport)"
+        )
+    return (
+        "from iris_openai import IrisOpenAI\n"
+        "client = IrisOpenAI(passport=your_passport)"
+    )
+
+
+def build_action_plan(
+    agent_name: str | None,
+    answers: dict[str, Any],
+    recommendations: list[Any],
+    passport: dict[str, Any] | None = None,
+    governance_base: Path | None = None,
+) -> ActionPlan:
+    plan = ActionPlan()
+    name = agent_name or "my-agent"
+    spec = (passport or {}).get("spec", {})
+    agent_dir = _gov_dir(name, governance_base)
+    passport_exists = (agent_dir / "passport.yaml").exists()
+    has_assessment = bool(spec.get("evidence_vault_id")) or (agent_dir / "impact-assessment.md").exists()
+    has_policy = (agent_dir / "policy.cedar").exists()
+    is_high_risk = spec.get("is_high_risk_ai", False)
+    q2 = answers.get("q2", "")
+    q4 = answers.get("q4", "")
+    q6 = bool(answers.get("q6"))
+    q7 = set(answers.get("q7", []))
+
+    plan.one_liner = detect_one_liner(answers)
+    priority = 1
+
+    if not passport_exists:
+        risk_flag = " --high-risk" if answers.get("q5") or is_high_risk else ""
+        plan.immediate_actions.append(
+            Action(
+                priority=priority,
+                command=f"iris register --name {name} --compliance colorado-ai-act{risk_flag}",
+                why=(
+                    "Your agent needs an identity contract before production. "
+                    "The Colorado AI Act requires high-risk systems to be inventoried."
+                ),
+                time_estimate="2 minutes",
+                rule_id="CO-001",
+                urgency="before deployment",
+            )
+        )
+        priority += 1
+
+    if is_high_risk or answers.get("q5"):
+        if not has_assessment:
+            plan.immediate_actions.append(
+                Action(
+                    priority=priority,
+                    command=f"iris compliance assess --agent {name}",
+                    why=(
+                        "This generates the CO-002 impact assessment document. "
+                        "Without it, production deployment is blocked."
+                    ),
+                    time_estimate="5 minutes",
+                    rule_id="CO-002",
+                    urgency="before deployment",
+                )
+            )
+            priority += 1
+
+    plan.immediate_actions.append(
+        Action(
+            priority=priority,
+            command=plan.one_liner.split("\n")[0] + "\n     " + plan.one_liner.split("\n")[1],
+            why=(
+                "Runtime enforcement. IRIS blocks unapproved tool calls "
+                "and logs every decision to your local Evidence Vault."
+            ),
+            time_estimate="1 minute",
+            rule_id="CO-004",
+            urgency="before deployment",
+        )
+    )
+    priority += 1
+
+    if not has_policy:
+        plan.immediate_actions.append(
+            Action(
+                priority=priority,
+                command=f"iris policy compile --agent {name}",
+                why=(
+                    "Compiles your policy-intent.md to Cedar. "
+                    "Required for transparency (CO-003) and runtime gates."
+                ),
+                time_estimate="3 minutes",
+                rule_id="CO-003",
+                urgency="before deployment",
+            )
+        )
+
+    if q6 or "FedRAMP" in q7:
+        plan.next_30_days.append(
+            Action(
+                priority=1,
+                command="iris test --framework nist-ai-rmf",
+                why=(
+                    "Your federal deployment requires NIST AI RMF alignment. "
+                    "You are currently at 0 of 24 controls."
+                ),
+                time_estimate="ongoing — ~3 controls/week",
+                rule_id="NIST-001",
+                urgency="this month",
+            )
+        )
+
+    if "health" in str(q4).lower() or "HIPAA" in q7:
+        plan.next_30_days.append(
+            Action(
+                priority=2,
+                command="iris test --framework hipaa",
+                why="Health data handling requires HIPAA safeguards and audit controls.",
+                time_estimate="1-2 weeks",
+                rule_id="HIPAA-001",
+                urgency="this month",
+            )
+        )
+
+    if "financial" in str(q2).lower() or "financial" in str(q4).lower():
+        plan.next_30_days.append(
+            Action(
+                priority=3,
+                command="# Review CFPB fair lending controls with your compliance team",
+                why=(
+                    "Financial agents must document fair lending practices "
+                    "and non-discrimination review (CO-005)."
+                ),
+                time_estimate="this month",
+                rule_id="CO-005",
+                urgency="this month",
+            )
+        )
+
+    if "Outside the US" in set(answers.get("q8", [])):
+        plan.next_30_days.append(
+            Action(
+                priority=4,
+                command="iris test --framework gdpr",
+                why="EU users require GDPR data processing documentation and controls.",
+                time_estimate="2-3 weeks",
+                rule_id="GDPR-001",
+                urgency="this month",
+            )
+        )
+
+    if passport_exists:
+        from iris import AgentPassport
+
+        p = AgentPassport.from_yaml((agent_dir / "passport.yaml").read_text())
+        plan.current_scores["colorado-ai-act"] = compliance_score(p, agent_dir, "colorado-ai-act")
+    else:
+        plan.current_scores["colorado-ai-act"] = 0.0
+
+    plan.current_scores["nist-ai-rmf"] = 0.0
+    if agent_dir.exists() and (agent_dir / "passport.yaml").exists():
+        from iris import AgentPassport
+
+        p = AgentPassport.from_yaml((agent_dir / "passport.yaml").read_text())
+        plan.current_scores["nist-ai-rmf"] = compliance_score(p, agent_dir, "nist-ai-rmf")
+
+    remaining = sum(1 for a in plan.immediate_actions if a.command.startswith("iris"))
+    if remaining <= 1:
+        plan.estimated_time_to_compliant = "under 1 day"
+    elif remaining <= 3:
+        plan.estimated_time_to_compliant = "about 1 week"
+    else:
+        plan.estimated_time_to_compliant = "about 2 weeks"
+
+    return plan
+
+
+def render_action_plan(plan: ActionPlan, agent_name: str | None, console) -> None:
+    from rich.panel import Panel
+
+    lines = [
+        "Based on your answers, here is what to do, in order.",
+        "",
+        "[bold]THIS WEEK (before you deploy this agent):[/bold]",
+        "",
+    ]
+    for action in plan.immediate_actions:
+        lines.append(f"  [cyan]{action.priority}.[/cyan] Run: [bold]{action.command}[/bold]")
+        lines.append(f"     Why: {action.why}")
+        lines.append(f"     Time: {action.time_estimate}")
+        lines.append("")
+
+    if plan.next_30_days:
+        lines.append("[bold]NEXT 30 DAYS:[/bold]")
+        lines.append("")
+        for action in plan.next_30_days:
+            lines.append(f"  [cyan]{action.priority}.[/cyan] Run: [bold]{action.command}[/bold]")
+            lines.append(f"     Why: {action.why}")
+            lines.append(f"     Time: {action.time_estimate}")
+            lines.append("")
+
+    lines.append("[bold]CURRENT SCORE:[/bold]")
+    agent_dir = _gov_dir(agent_name) if agent_name else Path.cwd() / "governance" / "agents" / "my-agent"
+    passport_obj = None
+    if agent_name and (agent_dir / "passport.yaml").exists():
+        from iris import AgentPassport
+
+        passport_obj = AgentPassport.from_yaml((agent_dir / "passport.yaml").read_text())
+
+    for framework, score in plan.current_scores.items():
+        pct = int(score * 100)
+        bar = progress_bar(score)
+        if passport_obj is not None:
+            if framework == "colorado-ai-act":
+                satisfied, total = colorado_controls_passed(passport_obj, agent_dir)
+            else:
+                satisfied, total = nist_controls_passed(passport_obj, agent_dir)
+        else:
+            satisfied, total = (0, 6 if framework == "colorado-ai-act" else 24)
+        label = "Colorado AI Act" if framework == "colorado-ai-act" else "NIST AI RMF"
+        lines.append(f"  {label}: {satisfied} of {total} controls  {bar}  {pct}%")
+    lines.append("  [dim](Scores update automatically as you complete each step)[/dim]")
+    lines.append("")
+    lines.append(
+        f"Estimated time to compliant: [bold]{plan.estimated_time_to_compliant}[/bold]"
+    )
+    lines.append("")
+    lines.append("Run these commands now and your score changes in minutes.")
+
+    console.print(Panel("\n".join(lines), title="Your Compliance Action Plan", style="green"))

{iris_security_cli-0.1.0 → iris_security_cli-0.1.1}/iris_cli/assess.py

@@ -12,6 +12,7 @@ Outputs:
 """
 
 import click
+import json
 import uuid
 import yaml
 from datetime import datetime
@@ -379,12 +380,29 @@ the agent's capabilities, data access, or decision scope changes.*
 """
 
 
+def _load_answers(answers_path: Path | None) -> dict | None:
+    if answers_path is None:
+        return None
+    if not answers_path.exists():
+        raise click.ClickException(f"Answers file not found: {answers_path}")
+    data = json.loads(answers_path.read_text())
+    if not isinstance(data, dict):
+        raise click.ClickException(f"Answers file must be a JSON object: {answers_path}")
+    return data
+
+
 @click.command("assess")
 @click.option("--agent", required=True, help="Agent name to assess")
 @click.option("--assessor", default=None, help="Your name or email (recorded in audit trail)")
 @click.option("--dir", "governance_dir", type=Path, default=None)
 @click.option("--yes", "-y", is_flag=True, help="Skip confirmation prompt")
-def compliance_assess(agent, assessor, governance_dir, yes):
+@click.option(
+    "--answers",
+    type=click.Path(path_type=Path, exists=True),
+    default=None,
+    help="JSON file with pre-filled questionnaire answers (for automated demos)",
+)
+def compliance_assess(agent, assessor, governance_dir, yes, answers):
     """
     Run a Colorado AI Act impact assessment for an agent.
 
@@ -422,11 +440,12 @@ def compliance_assess(agent, assessor, governance_dir, yes):
         ):
             raise SystemExit(0)
 
-    # Run questionnaire
-    answers = run_questionnaire()
+    # Run questionnaire (or load pre-filled answers for demos)
+    preset_answers = _load_answers(answers)
+    questionnaire_answers = preset_answers if preset_answers is not None else run_questionnaire()
 
     # Calculate risk
-    risk_level, findings, recommendations = calculate_risk_level(answers)
+    risk_level, findings, recommendations = calculate_risk_level(questionnaire_answers)
 
     # Generate assessment ID and document
     assessment_id = f"IA-{agent}-{uuid.uuid4().hex[:8].upper()}"
@@ -439,7 +458,7 @@ def compliance_assess(agent, assessor, governance_dir, yes):
     assessment_md = generate_assessment_markdown(
         agent_name=agent,
         owner=owner,
-        answers=answers,
+        answers=questionnaire_answers,
         risk_level=risk_level,
         findings=findings,
         recommendations=recommendations,
@@ -460,7 +479,6 @@ def compliance_assess(agent, assessor, governance_dir, yes):
     # Write to local evidence vault
     vault_dir = Path.home() / ".iris" / "evidence" / agent
     vault_dir.mkdir(parents=True, exist_ok=True)
-    import json
     with open(vault_dir / "assessments.jsonl", "a") as f:
         f.write(json.dumps({
             "assessment_id": assessment_id,

{iris_security_cli-0.1.0 → iris_security_cli-0.1.1}/iris_cli/compiler_config.py

@@ -20,12 +20,15 @@ EXAMPLE_CONFIG = """\
 # Copy to ~/.iris/config.yaml and add your API key via environment variable.
 
 compiler:
-  backend: anthropic   # anthropic | openai
+  backend: anthropic   # anthropic | openai | google | mistral | groq | ollama | together
   model: claude-sonnet-4-6
 
 # API keys are read from environment variables (never stored here):
 #   export ANTHROPIC_API_KEY=sk-ant-...
 #   export OPENAI_API_KEY=sk-...
+#   export MISTRAL_API_KEY=...
+#   export GROQ_API_KEY=...
+# Or use LiteLLM: iris policy compile --litellm-model ollama/llama3.2
 """
 
 
@@ -41,14 +44,24 @@ def load_iris_config(config_path: Path | None = None) -> dict[str, Any]:
         return {}
 
 
-def create_policy_compiler(config_path: Path | None = None) -> PolicyCompiler:
-    """Build a PolicyCompiler using the developer's ~/.iris/config.yaml settings."""
+def create_policy_compiler(
+    config_path: Path | None = None,
+    llm_backend: str | None = None,
+    model: str | None = None,
+    litellm_model: str | None = None,
+) -> PolicyCompiler:
+    """Build a PolicyCompiler using CLI flags and ~/.iris/config.yaml settings."""
     cfg = load_iris_config(config_path).get("compiler", {})
     return PolicyCompiler(
-        llm_backend=cfg.get("backend", "anthropic"),
-        model=cfg.get("model", "claude-sonnet-4-6"),
+        llm_backend=llm_backend or cfg.get("backend"),
+        model=model or cfg.get("model"),
+        litellm_model=litellm_model,
     )
 
 
 def compiler_info(compiler: PolicyCompiler) -> tuple[str, str]:
+    if compiler._mode == "litellm":
+        return "litellm", compiler._litellm_model
+    if compiler._mode == "custom":
+        return "custom", compiler._model
     return compiler._llm_backend, compiler._model

iris_security_cli-0.1.1/iris_cli/dlp_cmd.py

@@ -0,0 +1,160 @@
+"""iris dlp — scan files and test prompts against DLP rules."""
+
+from __future__ import annotations
+
+import os
+import sys
+from pathlib import Path
+
+import click
+from rich.console import Console
+from rich.panel import Panel
+from rich.table import Table
+
+console = Console()
+
+
+def _line_number_for_offset(text: str, offset: int) -> int:
+    return text.count("\n", 0, offset) + 1
+
+
+def _load_passport_for_agent(agent_name: str, governance_dir: Path):
+    from iris_core.models.passport import AgentPassport
+
+    passport_path = governance_dir / agent_name / "passport.yaml"
+    if not passport_path.exists():
+        for candidate in governance_dir.rglob("passport.yaml"):
+            passport = AgentPassport.from_yaml(candidate.read_text())
+            if passport.name == agent_name or candidate.parent.name == agent_name:
+                return passport
+        console.print(f"[red]Agent passport not found for '{agent_name}'.[/red]")
+        console.print(f"Expected: {governance_dir / agent_name / 'passport.yaml'}")
+        sys.exit(1)
+    return AgentPassport.from_yaml(passport_path.read_text())
+
+
+@click.group()
+def dlp():
+    """Data Loss Prevention scanning commands."""
+    pass
+
+
+@dlp.command("scan")
+@click.option("--file", "file_path", type=click.Path(exists=True, dir_okay=False), required=True)
+def dlp_scan(file_path: str):
+    """
+    Scan a file for sensitive data patterns.
+
+    Shows findings with line numbers and severity — useful for checking test fixtures.
+
+    Example:
+      iris dlp scan --file tests/fixtures/patient_record.txt
+    """
+    from iris_core.dlp import DLPScanner
+    from iris_core.models.passport import AgentPassport, DataClassification
+
+    text = Path(file_path).read_text()
+    passport = AgentPassport(
+        name="dlp-scan",
+        data_classification=DataClassification.PHI,
+    )
+    scanner = DLPScanner(passport)
+    result = scanner.scan(text, direction="prompt")
+
+    if not result.findings:
+        console.print(Panel("[bold green]✓ No sensitive data patterns detected[/bold green]", style="green"))
+        sys.exit(0)
+
+    table = Table(title=f"DLP findings — {file_path}")
+    table.add_column("Line", style="cyan")
+    table.add_column("Pattern", style="magenta")
+    table.add_column("Severity", style="yellow")
+    table.add_column("Rule", style="dim")
+    table.add_column("Message")
+
+    for finding in result.findings:
+        line = _line_number_for_offset(text, finding.match_start)
+        table.add_row(
+            str(line),
+            finding.pattern_id,
+            finding.severity.value,
+            finding.rule_id,
+            finding.message,
+        )
+
+    console.print(table)
+    console.print(
+        f"\n[dim]Scan completed in {result.scan_duration_ms:.2f}ms "
+        f"({len(result.findings)} finding(s))[/dim]"
+    )
+    sys.exit(1 if result.should_block else 0)
+
+
+@dlp.command("test")
+@click.option("--agent", required=True, help="Agent name from governance/agents/")
+@click.option("--prompt", required=True, help="Prompt text to test against the agent's DLP rules")
+@click.option("--dir", "governance_dir", type=click.Path(file_okay=False), default=None)
+def dlp_test(agent: str, prompt: str, governance_dir: str | None):
+    """
+    Test a prompt against an agent's DLP rules.
+
+    Shows what IRIS would do with that prompt in the current environment.
+
+    Example:
+      iris dlp test --agent payment-agent --prompt "Process SSN 123-45-6789"
+    """
+    from iris_core.dlp import DLPScanner
+    from iris_core.dlp.enforcement import dlp_policy_result
+    from iris_core.models.passport import Environment
+
+    gov_dir = Path(governance_dir) if governance_dir else Path.cwd() / "governance" / "agents"
+    passport = _load_passport_for_agent(agent, gov_dir)
+    env = Environment(os.environ.get("IRIS_ENV", "dev"))
+    scanner = DLPScanner(passport)
+    result = scanner.scan_prompt(prompt)
+
+    console.print(
+        Panel(
+            f"[bold]Agent:[/bold] {passport.name}\n"
+            f"[bold]Classification:[/bold] {passport.data_classification.value}\n"
+            f"[bold]Environment:[/bold] {env.value}",
+            title="IRIS DLP Test",
+            style="blue",
+        )
+    )
+
+    if not result.findings:
+        console.print("\n[bold green]✓ No DLP findings — prompt would be allowed[/bold green]")
+        sys.exit(0)
+
+    for finding in result.findings:
+        console.print(
+            f"\n[yellow]• {finding.pattern_id}[/yellow] "
+            f"({finding.severity.value}) — {finding.message}"
+        )
+        console.print(f"  Rule: {finding.rule_id}")
+        console.print(f"  Position: {finding.match_start}-{finding.match_end}")
+
+    if result.should_block:
+        action = "BLOCK (raise IrisViolationError)"
+    elif result.has_high:
+        action = (
+            "BLOCK in production"
+            if env in (Environment.PRODUCTION, Environment.STAGING)
+            else "WARN and continue in dev/test"
+        )
+    else:
+        action = "ALLOW with informational findings"
+
+    console.print(f"\n[bold]IRIS action:[/bold] {action}")
+    if result.redacted_text and result.redacted_text != prompt:
+        console.print("\n[bold]Redacted preview:[/bold]")
+        console.print(result.redacted_text)
+
+    policy = dlp_policy_result(result, passport, env, direction="prompt")
+    if policy.violations:
+        console.print(f"\n[dim]Primary violation: {policy.violations[0].rule_id}[/dim]")
+
+    sys.exit(1 if result.should_block or (
+        result.has_high and env in (Environment.PRODUCTION, Environment.STAGING)
+    ) else 0)