iris-security-core 0.1.0__py3-none-any.whl

iris_core/compliance/license.py

@@ -0,0 +1,144 @@
+"""
+IRIS Pro license gate — offline-first, Terraform-style.
+
+Free bundles (colorado-ai-act) never require a license.
+Paid bundles (gdpr, hipaa, soc2) require a valid IRIS license key.
+Post-funding: validate keys against the license server (no network calls today).
+"""
+
+from __future__ import annotations
+
+import os
+import re
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Optional
+
+LICENSE_KEY_PATTERN = re.compile(
+    r"^IRIS-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$"
+)
+TEST_LICENSE_KEY = "IRIS-TEST-0000-0000-0001"
+ENV_LICENSE_KEY = "IRIS_LICENSE_KEY"
+
+
+def license_file_path() -> Path:
+    return Path.home() / ".iris" / "license.key"
+
+FREE_BUNDLES = frozenset({"colorado-ai-act"})
+PAID_BUNDLES = frozenset({"gdpr", "hipaa", "soc2"})
+
+
+@dataclass
+class LicenseResult:
+    valid: bool
+    tier: str = "free"  # "free" | "pro" | "enterprise"
+    reason: str = "valid"  # "no_key" | "invalid" | "expired" | "valid"
+    expires_at: Optional[str] = None
+
+
+class IrisLicenseError(Exception):
+    """Raised when a paid compliance bundle is used without a valid license."""
+
+    def __init__(self, bundle_id: str, result: Optional[LicenseResult] = None):
+        self.bundle_id = bundle_id
+        self.result = result
+        super().__init__(build_license_required_message(bundle_id))
+
+
+def build_license_required_message(bundle_id: str) -> str:
+    return f"""
+┌─ IRIS Pro Bundle Required ─────────────────────────────┐
+│                                                         │
+│  The {bundle_id} compliance bundle is a paid feature.  │
+│                                                         │
+│  Free bundles: colorado-ai-act                         │
+│  Pro bundles:  gdpr, hipaa, soc2                       │
+│                                                         │
+│  Get access:                                            │
+│    iris license activate <your-key>                     │
+│    or set IRIS_LICENSE_KEY=your-key                     │
+│                                                         │
+│  Get a license: https://iris.ai/pricing                 │
+└─────────────────────────────────────────────────────────┘
+"""
+
+
+def is_paid_bundle(bundle_id: str) -> bool:
+    return bundle_id in PAID_BUNDLES
+
+
+def is_free_bundle(bundle_id: str) -> bool:
+    return bundle_id in FREE_BUNDLES
+
+
+def _read_license_key() -> Optional[str]:
+    env_key = os.environ.get(ENV_LICENSE_KEY, "").strip()
+    if env_key:
+        return env_key
+    path = license_file_path()
+    if path.exists():
+        return path.read_text().strip()
+    return None
+
+
+def validate_license_key_format(key: str) -> bool:
+    if key == TEST_LICENSE_KEY:
+        return True
+    return bool(LICENSE_KEY_PATTERN.match(key.strip()))
+
+
+class IrisLicense:
+    """Offline license validation for IRIS Pro compliance bundles."""
+
+    def check(self, bundle_id: str) -> LicenseResult:
+        if is_free_bundle(bundle_id):
+            return LicenseResult(valid=True, tier="free", reason="valid")
+
+        if not is_paid_bundle(bundle_id):
+            return LicenseResult(valid=True, tier="free", reason="valid")
+
+        key = _read_license_key()
+        if not key:
+            return LicenseResult(valid=False, tier="free", reason="no_key")
+
+        if not validate_license_key_format(key):
+            return LicenseResult(valid=False, tier="free", reason="invalid")
+
+        expires_at = "2099-12-31" if key == TEST_LICENSE_KEY else None
+        return LicenseResult(
+            valid=True,
+            tier="pro",
+            reason="valid",
+            expires_at=expires_at,
+        )
+
+
+def require_license(bundle_id: str) -> None:
+    """Raise IrisLicenseError if the bundle requires a license that is not present."""
+    if is_free_bundle(bundle_id):
+        return
+
+    result = IrisLicense().check(bundle_id)
+    if not result.valid:
+        raise IrisLicenseError(bundle_id, result)
+
+
+def write_license_key(key: str) -> Path:
+    """Persist a validated license key to ~/.iris/license.key."""
+    path = license_file_path()
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(key.strip())
+    return path
+
+
+def paid_bundles_available_note() -> str:
+    return (
+        "Pro compliance bundles (gdpr, hipaa, soc2) are available with an IRIS Pro license. "
+        "Run: iris license activate <your-key>  |  https://iris.ai/pricing"
+    )
+
+
+def has_unlimited_evidence_retention() -> bool:
+    """Pro/Enterprise licenses retain Evidence Vault events without the 30-day free limit."""
+    result = IrisLicense().check("gdpr")
+    return result.valid and result.tier in ("pro", "enterprise")

iris_core/compliance/registry.py

@@ -0,0 +1,111 @@
+"""Compliance registry — manages active compliance bundles and rule lookups."""
+
+from __future__ import annotations
+from typing import List, Dict, Any, Optional, Union
+from iris_core.models.policy import Violation, Severity
+from iris_core.compliance.license import (
+    IrisLicense,
+    is_paid_bundle,
+    paid_bundles_available_note,
+    require_license,
+)
+
+
+_BUNDLE_LOADERS = {
+    "colorado-ai-act": ("iris_core.compliance.bundles.colorado_ai_act", "get_colorado_rules"),
+    "gdpr": ("iris_core.compliance.bundles.gdpr", "get_gdpr_rules"),
+    "hipaa": ("iris_core.compliance.bundles.hipaa", "get_hipaa_rules"),
+    "soc2": ("iris_core.compliance.bundles.soc2", "get_soc2_rules"),
+}
+
+_PASSPORT_CHECKERS = {
+    "gdpr": ("iris_core.compliance.bundles.gdpr", "check_gdpr_passport"),
+    "hipaa": ("iris_core.compliance.bundles.hipaa", "check_hipaa_passport"),
+    "soc2": ("iris_core.compliance.bundles.soc2", "check_soc2_passport"),
+}
+
+
+class ComplianceRegistry:
+    """Registry of all active compliance bundles."""
+
+    def __init__(self) -> None:
+        self.last_check_notes: List[str] = []
+
+    def _load_bundle_rules(self, bundle_id: str) -> Dict[str, Any]:
+        import importlib
+
+        module_path, func_name = _BUNDLE_LOADERS[bundle_id]
+        module = importlib.import_module(module_path)
+        return getattr(module, func_name)()
+
+    def get_rules_for_bundles(self, bundles) -> Dict[str, Any]:
+        rules: Dict[str, Any] = {}
+        for b in bundles:
+            bval = b.value if hasattr(b, "value") else str(b)
+            if bval not in _BUNDLE_LOADERS:
+                continue
+            if is_paid_bundle(bval):
+                require_license(bval)
+            rules[bval] = self._load_bundle_rules(bval)
+        return rules
+
+    def _has_valid_license(self) -> bool:
+        return IrisLicense().check("gdpr").valid
+
+    def check_passport(
+        self,
+        passport,
+        framework: Optional[Union[str, List[str]]] = None,
+    ) -> List[Violation]:
+        self.last_check_notes = []
+        violations: List[Violation] = []
+        frameworks = [framework] if isinstance(framework, str) else (framework or [])
+        active = frameworks or [t.value for t in (passport.compliance_tags or [])]
+
+        licensed = self._has_valid_license()
+        skipped_paid: List[str] = []
+
+        if "colorado-ai-act" in active or not active:
+            if passport.is_high_risk_ai and not passport.evidence_vault_id:
+                violations.append(
+                    Violation(
+                        rule_id="CO-002",
+                        severity=Severity.CRITICAL,
+                        message=(
+                            f"Agent '{passport.name}' is high-risk but has no impact assessment."
+                        ),
+                        compliance_refs=["colorado-ai-act:sb-24-205:impact-assessment"],
+                        remediation="Run: iris compliance assess --agent " + passport.name,
+                    )
+                )
+            if not passport.intent_ref:
+                violations.append(
+                    Violation(
+                        rule_id="CO-003",
+                        severity=Severity.HIGH,
+                        message=(
+                            f"Agent '{passport.name}' has no transparency disclosure "
+                            "(policy-intent.md)."
+                        ),
+                        compliance_refs=["colorado-ai-act:sb-24-205:transparency"],
+                        remediation="Run: iris policy compile --agent " + passport.name,
+                    )
+                )
+
+        for paid_bundle in ("gdpr", "hipaa", "soc2"):
+            if paid_bundle not in active:
+                continue
+            if not licensed:
+                skipped_paid.append(paid_bundle)
+                continue
+            import importlib
+
+            module_path, func_name = _PASSPORT_CHECKERS[paid_bundle]
+            module = importlib.import_module(module_path)
+            checker = getattr(module, func_name)
+            violations.extend(checker(passport))
+
+        if skipped_paid:
+            self.last_check_notes.append(paid_bundles_available_note())
+
+        return violations

iris_core/discovery/__init__.py

@@ -0,0 +1,15 @@
+"""Codebase discovery — detect governed and ungoverned AI agent patterns."""
+
+from iris_core.discovery.scanner import (
+    CodebaseScanner,
+    ScanResult,
+    ShadowAgent,
+    UngovernedFinding,
+)
+
+__all__ = [
+    "CodebaseScanner",
+    "ScanResult",
+    "ShadowAgent",
+    "UngovernedFinding",
+]