iris-security-cli 0.2.16__tar.gz → 0.2.17__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (72) hide show
  1. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/PKG-INFO +16 -3
  2. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/README.md +13 -0
  3. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/compliance_scan_cmd.py +26 -0
  4. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/main.py +14 -6
  5. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_security_cli.egg-info/PKG-INFO +16 -3
  6. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_security_cli.egg-info/SOURCES.txt +1 -0
  7. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_security_cli.egg-info/requires.txt +2 -2
  8. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/pyproject.toml +3 -3
  9. iris_security_cli-0.2.17/tests/test_compliance_scan_fail_on.py +56 -0
  10. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/__init__.py +0 -0
  11. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/action_plan.py +0 -0
  12. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/assess.py +0 -0
  13. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/audit_log.py +0 -0
  14. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/cedar_parser.py +0 -0
  15. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/certify.py +0 -0
  16. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/compiler_config.py +0 -0
  17. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/compliance_check_cmd.py +0 -0
  18. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/compliance_fix.py +0 -0
  19. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/cost.py +0 -0
  20. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/declare.py +0 -0
  21. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/delegation.py +0 -0
  22. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/discover.py +0 -0
  23. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/dlp_cmd.py +0 -0
  24. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/drift.py +0 -0
  25. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/enforce.py +0 -0
  26. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/entitlements_cmd.py +0 -0
  27. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/evidence.py +0 -0
  28. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/explain.py +0 -0
  29. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/framework_suggest.py +0 -0
  30. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/framework_test.py +0 -0
  31. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/hitl.py +0 -0
  32. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/license_cmd.py +0 -0
  33. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/list_cmd.py +0 -0
  34. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/mcp_server.py +0 -0
  35. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/models_cmd.py +0 -0
  36. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/onboarding_report.py +0 -0
  37. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/org_policy.py +0 -0
  38. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/policy_cache.py +0 -0
  39. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/policy_commit.py +0 -0
  40. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/policy_diff.py +0 -0
  41. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/policy_status.py +0 -0
  42. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/preview.py +0 -0
  43. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/quickstart.py +0 -0
  44. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/redteam.py +0 -0
  45. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/regulatory.py +0 -0
  46. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/scan_govern.py +0 -0
  47. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/scan_report.py +0 -0
  48. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/scm.py +0 -0
  49. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/sentinel.py +0 -0
  50. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/status_cmd.py +0 -0
  51. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/users.py +0 -0
  52. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/vault.py +0 -0
  53. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/watch.py +0 -0
  54. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_cli/witness.py +0 -0
  55. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_security_cli.egg-info/dependency_links.txt +0 -0
  56. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_security_cli.egg-info/entry_points.txt +0 -0
  57. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/iris_security_cli.egg-info/top_level.txt +0 -0
  58. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/setup.cfg +0 -0
  59. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/tests/test_audit_log.py +0 -0
  60. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/tests/test_docs_pages_check.py +0 -0
  61. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/tests/test_entitlements_display.py +0 -0
  62. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/tests/test_evidence.py +0 -0
  63. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/tests/test_evidence_export.py +0 -0
  64. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/tests/test_evidence_query.py +0 -0
  65. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/tests/test_framework_suggest.py +0 -0
  66. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/tests/test_framework_test.py +0 -0
  67. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/tests/test_hitl_cli.py +0 -0
  68. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/tests/test_list_cmd.py +0 -0
  69. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/tests/test_mcp_model_governance.py +0 -0
  70. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/tests/test_policy_diff.py +0 -0
  71. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/tests/test_quickstart.py +0 -0
  72. {iris_security_cli-0.2.16 → iris_security_cli-0.2.17}/tests/test_vocabulary.py +0 -0
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: iris-security-cli
3
- Version: 0.2.16
3
+ Version: 0.2.17
4
4
  Summary: IRIS CLI — declare, compile, preview, enforce, witness, certify, sentinel
5
5
  License: Apache-2.0
6
6
  Project-URL: Homepage, https://github.com/gimartinb/iris-sdk
@@ -15,8 +15,8 @@ Classifier: Programming Language :: Python :: 3.11
15
15
  Classifier: Programming Language :: Python :: 3.12
16
16
  Requires-Python: >=3.10
17
17
  Description-Content-Type: text/markdown
18
- Requires-Dist: iris-security-core>=0.1.16
19
- Requires-Dist: iris-security-sdk>=0.2.16
18
+ Requires-Dist: iris-security-core>=0.1.17
19
+ Requires-Dist: iris-security-sdk>=0.2.17
20
20
  Requires-Dist: click>=8.1
21
21
  Requires-Dist: rich>=13.0
22
22
  Requires-Dist: pyyaml>=6.0
@@ -45,3 +45,16 @@ iris register --name my-agent --owner you@company.com --team my-team --complianc
45
45
  iris scan
46
46
  iris compliance check --framework colorado-ai-act
47
47
  ```
48
+
49
+ ## GitHub Action
50
+
51
+ Add AI governance to CI with the composite Action in this repo (offline by default):
52
+
53
+ ```yaml
54
+ - uses: IRIS-Security/iris-cli@v1
55
+ with:
56
+ command: compliance scan
57
+ fail-on: blocker
58
+ ```
59
+
60
+ Optional `--push` to IRIS Cloud when `api-key` is set. See [GitHub Action docs](https://iris-security.github.io/iris-sdk/github-action.html).
@@ -20,3 +20,16 @@ iris register --name my-agent --owner you@company.com --team my-team --complianc
20
20
  iris scan
21
21
  iris compliance check --framework colorado-ai-act
22
22
  ```
23
+
24
+ ## GitHub Action
25
+
26
+ Add AI governance to CI with the composite Action in this repo (offline by default):
27
+
28
+ ```yaml
29
+ - uses: IRIS-Security/iris-cli@v1
30
+ with:
31
+ command: compliance scan
32
+ fail-on: blocker
33
+ ```
34
+
35
+ Optional `--push` to IRIS Cloud when `api-key` is set. See [GitHub Action docs](https://iris-security.github.io/iris-sdk/github-action.html).
@@ -7,6 +7,7 @@
7
7
  from __future__ import annotations
8
8
 
9
9
  import os
10
+ import sys
10
11
  from pathlib import Path
11
12
 
12
13
  import click
@@ -23,6 +24,21 @@ from iris_core.compliance.workload_eval import (
23
24
 
24
25
  console = Console()
25
26
 
27
+ _SEVERITY_RANK = {"blocker": 0, "required": 1, "recommended": 2}
28
+
29
+
30
+ def _exit_on_fail_threshold(obligations: list[dict], fail_on: str) -> None:
31
+ if fail_on == "none":
32
+ return
33
+ threshold = _SEVERITY_RANK[fail_on]
34
+ blocking = [
35
+ obligation
36
+ for obligation in obligations
37
+ if _SEVERITY_RANK.get(obligation.get("severity", "recommended"), 9) <= threshold
38
+ ]
39
+ if blocking:
40
+ sys.exit(1)
41
+
26
42
 
27
43
  def _resolve_profile(
28
44
  *,
@@ -166,6 +182,13 @@ def _push_profile(profile: dict) -> None:
166
182
  @click.option("--proxy", "litellm_proxy", help="LiteLLM proxy base URL")
167
183
  @click.option("--lookback-days", default=30, show_default=True, help="Langfuse lookback window")
168
184
  @click.option("--push", is_flag=True, help="POST profile to cloud when IRIS_API_KEY is set")
185
+ @click.option(
186
+ "--fail-on",
187
+ default="none",
188
+ type=click.Choice(["blocker", "required", "none"]),
189
+ show_default=True,
190
+ help="Exit 1 when obligations meet or exceed this severity (CI integration)",
191
+ )
169
192
  @click.option("--json", "as_json", is_flag=True, help="Output raw JSON")
170
193
  def compliance_scan_cmd(
171
194
  path: str,
@@ -174,6 +197,7 @@ def compliance_scan_cmd(
174
197
  litellm_proxy: str | None,
175
198
  lookback_days: int,
176
199
  push: bool,
200
+ fail_on: str,
177
201
  as_json: bool,
178
202
  ) -> None:
179
203
  """Detect workload attributes and evaluate local regulatory obligations (offline)."""
@@ -196,6 +220,7 @@ def compliance_scan_cmd(
196
220
  click.echo(json.dumps({"profile": profile, "obligations": obligations}, indent=2))
197
221
  if push:
198
222
  _push_profile(profile)
223
+ _exit_on_fail_threshold(obligations, fail_on)
199
224
  return
200
225
 
201
226
  console.print(
@@ -214,3 +239,4 @@ def compliance_scan_cmd(
214
239
  )
215
240
  if push:
216
241
  _push_profile(profile)
242
+ _exit_on_fail_threshold(obligations, fail_on)
@@ -50,7 +50,7 @@ class IrisCLI(click.Group):
50
50
 
51
51
  @click.group(cls=IrisCLI)
52
52
  @click.version_option(
53
- version="0.2.16",
53
+ version="0.2.17",
54
54
  prog_name="iris",
55
55
  message="%(prog)s %(version)s · AARM Core conformant (R1–R6) · "
56
56
  "AIUC-1 Q1 2026 aligned · https://iris-security.io",
@@ -485,12 +485,20 @@ framework.add_command(framework_suggest, name="suggest")
485
485
  from iris_cli.assess import compliance_assess
486
486
  compliance.add_command(compliance_assess)
487
487
 
488
- # Wire in evidence commands
489
- from iris_cli.evidence import evidence
490
- cli.add_command(evidence)
488
+ # Wire in evidence commands (optional — requires iris-security-core>=0.1.17 exporters)
489
+ try:
490
+ from iris_cli.evidence import evidence
491
491
 
492
- from iris_cli.vault import vault
493
- cli.add_command(vault)
492
+ cli.add_command(evidence)
493
+ except ModuleNotFoundError:
494
+ pass
495
+
496
+ try:
497
+ from iris_cli.vault import vault
498
+
499
+ cli.add_command(vault)
500
+ except ModuleNotFoundError:
501
+ pass
494
502
 
495
503
  from iris_cli.framework_test import test as framework_test_cmd_legacy
496
504
  # framework_test kept for internal imports; certify is the primary command
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: iris-security-cli
3
- Version: 0.2.16
3
+ Version: 0.2.17
4
4
  Summary: IRIS CLI — declare, compile, preview, enforce, witness, certify, sentinel
5
5
  License: Apache-2.0
6
6
  Project-URL: Homepage, https://github.com/gimartinb/iris-sdk
@@ -15,8 +15,8 @@ Classifier: Programming Language :: Python :: 3.11
15
15
  Classifier: Programming Language :: Python :: 3.12
16
16
  Requires-Python: >=3.10
17
17
  Description-Content-Type: text/markdown
18
- Requires-Dist: iris-security-core>=0.1.16
19
- Requires-Dist: iris-security-sdk>=0.2.16
18
+ Requires-Dist: iris-security-core>=0.1.17
19
+ Requires-Dist: iris-security-sdk>=0.2.17
20
20
  Requires-Dist: click>=8.1
21
21
  Requires-Dist: rich>=13.0
22
22
  Requires-Dist: pyyaml>=6.0
@@ -45,3 +45,16 @@ iris register --name my-agent --owner you@company.com --team my-team --complianc
45
45
  iris scan
46
46
  iris compliance check --framework colorado-ai-act
47
47
  ```
48
+
49
+ ## GitHub Action
50
+
51
+ Add AI governance to CI with the composite Action in this repo (offline by default):
52
+
53
+ ```yaml
54
+ - uses: IRIS-Security/iris-cli@v1
55
+ with:
56
+ command: compliance scan
57
+ fail-on: blocker
58
+ ```
59
+
60
+ Optional `--push` to IRIS Cloud when `api-key` is set. See [GitHub Action docs](https://iris-security.github.io/iris-sdk/github-action.html).
@@ -54,6 +54,7 @@ iris_security_cli.egg-info/entry_points.txt
54
54
  iris_security_cli.egg-info/requires.txt
55
55
  iris_security_cli.egg-info/top_level.txt
56
56
  tests/test_audit_log.py
57
+ tests/test_compliance_scan_fail_on.py
57
58
  tests/test_docs_pages_check.py
58
59
  tests/test_entitlements_display.py
59
60
  tests/test_evidence.py
@@ -1,5 +1,5 @@
1
- iris-security-core>=0.1.16
2
- iris-security-sdk>=0.2.16
1
+ iris-security-core>=0.1.17
2
+ iris-security-sdk>=0.2.17
3
3
  click>=8.1
4
4
  rich>=13.0
5
5
  pyyaml>=6.0
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
4
4
 
5
5
  [project]
6
6
  name = "iris-security-cli"
7
- version = "0.2.16"
7
+ version = "0.2.17"
8
8
  description = "IRIS CLI — declare, compile, preview, enforce, witness, certify, sentinel"
9
9
  readme = "README.md"
10
10
  license = { text = "Apache-2.0" }
@@ -20,8 +20,8 @@ classifiers = [
20
20
  "Programming Language :: Python :: 3.12",
21
21
  ]
22
22
  dependencies = [
23
- "iris-security-core>=0.1.16",
24
- "iris-security-sdk>=0.2.16",
23
+ "iris-security-core>=0.1.17",
24
+ "iris-security-sdk>=0.2.17",
25
25
  "click>=8.1",
26
26
  "rich>=13.0",
27
27
  "pyyaml>=6.0",
@@ -0,0 +1,56 @@
1
+ """Tests for iris compliance scan --fail-on CI thresholds."""
2
+
3
+ from __future__ import annotations
4
+
5
+ from click.testing import CliRunner
6
+
7
+ from iris_cli.main import cli
8
+
9
+
10
+ def test_compliance_scan_fail_on_blocker_exits_nonzero(monkeypatch):
11
+ runner = CliRunner()
12
+ profile = {
13
+ "providers": ["openai"],
14
+ "frameworks": ["langchain"],
15
+ "models": ["gpt-4"],
16
+ "data_categories": ["pii"],
17
+ "deployment_regions": ["eu"],
18
+ "agent_count": 5,
19
+ "autonomy_level": "autonomous",
20
+ "customer_facing": True,
21
+ }
22
+ obligations = [
23
+ {"severity": "blocker", "framework_key": "eu_ai_act", "recommended_action": "test"},
24
+ ]
25
+
26
+ monkeypatch.setattr(
27
+ "iris_cli.compliance_scan_cmd.detect_workload",
28
+ lambda path: profile,
29
+ )
30
+ monkeypatch.setattr(
31
+ "iris_cli.compliance_scan_cmd.evaluate_workload_profile",
32
+ lambda profile: obligations,
33
+ )
34
+
35
+ result = runner.invoke(cli, ["compliance", "scan", "--json", "--fail-on", "blocker"])
36
+ assert result.exit_code == 1
37
+
38
+
39
+ def test_compliance_scan_fail_on_none_always_zero(monkeypatch):
40
+ runner = CliRunner()
41
+ profile = {"providers": [], "frameworks": [], "models": [], "agent_count": 0}
42
+ obligations = [
43
+ {"severity": "blocker", "framework_key": "eu_ai_act", "recommended_action": "test"},
44
+ ]
45
+
46
+ monkeypatch.setattr(
47
+ "iris_cli.compliance_scan_cmd.detect_workload",
48
+ lambda path: profile,
49
+ )
50
+ monkeypatch.setattr(
51
+ "iris_cli.compliance_scan_cmd.evaluate_workload_profile",
52
+ lambda profile: obligations,
53
+ )
54
+
55
+ result = runner.invoke(cli, ["compliance", "scan", "--json", "--fail-on", "none"])
56
+ assert result.exit_code == 0