PyPI - kekkai-cli - Versions diffs - 1.0.5__py3-none-any.whl → 1.1.1__py3-none-any.whl - Mend

kekkai-cli 1.0.5py3-none-any.whl → 1.1.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

kekkai/cli.py +789 -19
kekkai/compliance/__init__.py +68 -0
kekkai/compliance/hipaa.py +235 -0
kekkai/compliance/mappings.py +136 -0
kekkai/compliance/owasp.py +517 -0
kekkai/compliance/owasp_agentic.py +267 -0
kekkai/compliance/pci_dss.py +205 -0
kekkai/compliance/soc2.py +209 -0
kekkai/dojo.py +91 -14
kekkai/dojo_import.py +9 -1
kekkai/fix/__init__.py +47 -0
kekkai/fix/audit.py +278 -0
kekkai/fix/differ.py +427 -0
kekkai/fix/engine.py +500 -0
kekkai/fix/prompts.py +251 -0
kekkai/output.py +10 -12
kekkai/report/__init__.py +41 -0
kekkai/report/compliance_matrix.py +98 -0
kekkai/report/generator.py +365 -0
kekkai/report/html.py +69 -0
kekkai/report/pdf.py +63 -0
kekkai/report/unified.py +226 -0
kekkai/scanners/container.py +33 -3
kekkai/scanners/gitleaks.py +3 -1
kekkai/scanners/semgrep.py +1 -1
kekkai/scanners/trivy.py +1 -1
kekkai/threatflow/model_adapter.py +143 -1
kekkai/triage/__init__.py +54 -1
kekkai/triage/loader.py +196 -0
kekkai_cli-1.1.1.dist-info/METADATA +379 -0
{kekkai_cli-1.0.5.dist-info → kekkai_cli-1.1.1.dist-info}/RECORD +34 -33
{kekkai_cli-1.0.5.dist-info → kekkai_cli-1.1.1.dist-info}/entry_points.txt +0 -1
{kekkai_cli-1.0.5.dist-info → kekkai_cli-1.1.1.dist-info}/top_level.txt +0 -1
kekkai_cli-1.0.5.dist-info/METADATA +0 -135
portal/__init__.py +0 -19
portal/api.py +0 -155
portal/auth.py +0 -103
portal/enterprise/__init__.py +0 -32
portal/enterprise/audit.py +0 -435
portal/enterprise/licensing.py +0 -342
portal/enterprise/rbac.py +0 -276
portal/enterprise/saml.py +0 -595
portal/ops/__init__.py +0 -53
portal/ops/backup.py +0 -553
portal/ops/log_shipper.py +0 -469
portal/ops/monitoring.py +0 -517
portal/ops/restore.py +0 -469
portal/ops/secrets.py +0 -408
portal/ops/upgrade.py +0 -591
portal/tenants.py +0 -340
portal/uploads.py +0 -259
portal/web.py +0 -384
{kekkai_cli-1.0.5.dist-info → kekkai_cli-1.1.1.dist-info}/WHEEL +0 -0

kekkai_cli-1.0.5.dist-info/METADATA DELETED Viewed

@@ -1,135 +0,0 @@
-Metadata-Version: 2.4
-Name: kekkai-cli
-Version: 1.0.5
-Summary: Kekkai monorepo (local-first AppSec orchestration + compliance checker)
-Requires-Python: >=3.12
-Description-Content-Type: text/markdown
-Requires-Dist: rich>=13.0.0
-Requires-Dist: jsonschema>=4.20.0
-Requires-Dist: textual>=0.50.0
-Requires-Dist: httpx>=0.24.0
-<p align="center">
-  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/logos/kekkai-slim.png" alt="Kekkai CLI Logo" width="250"/>
-</p>
-<p align="center"><i>One command. Clean AppSec reports.</i></p>
-<p align="center">
-  <img src="https://img.shields.io/badge/license-MIT-blue.svg"/>
-  <img src="https://img.shields.io/badge/status-active-brightgreen"/>
-</p>
-# Kekkai 🛡️
-**Security that moves at developer speed.**
-*Local-first orchestration for Trivy, Semgrep, and DefectDojo.*
-![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-recording.gif)
----
-## ⚡ Quick Start
-Stop fighting with Docker Compose. Start scanning in 30 seconds.
-### Installation
-**Option 1: pipx (Recommended - Isolated Environment)**
-```bash
-pipx install kekkai-cli
-```
-**Option 2: Homebrew (macOS/Linux)**
-```bash
-brew tap kademoslabs/tap
-brew install kekkai
-```
-**Option 3: Docker (No Python Required)**
-```bash
-# Build image
-docker build -t kademoslabs/kekkai:latest -f apps/kekkai/Dockerfile .
-# Run via wrapper script
-./scripts/kekkai-docker --help
-# Or set up alias
-alias kekkai="$(pwd)/scripts/kekkai-docker"
-```
-**Option 4: Scoop (Windows)**
-```powershell
-scoop bucket add kademoslabs https://github.com/kademoslabs/scoop-bucket
-scoop install kekkai
-```
-**Option 5: pip (Traditional)**
-```bash
-pip install kekkai-cli
-```
-### 1. Scan your project (Local)
-Run industry-standard scanners (Trivy, Semgrep, Gitleaks) in unified Docker containers without installing them individually.
-```bash
-cd your-repo
-kekkai scan
-```
-### 2. Spin up DefectDojo
-Launch a full local vulnerability management platform (Nginx, Postgres, Redis, Celery) with one command.
-```bash
-kekkai dojo up --wait --open
-```
-### 3. Generate a Threat Model (AI)
-Generate a STRIDE threat model and Data Flow Diagram using your local LLM.
-```bash
-kekkai threatflow --repo . --model-mode local
-```
----
-## 🛑 The Problem vs. Kekkai
-| Feature | The Old Way | The Kekkai Way |
-| --- | --- | --- |
-| **Tooling** | Manually install/update 5+ tools (Trivy, Semgrep, etc.) | **One Binary.** `kekkai scan` auto-pulls and runs the latest scanner containers. |
-| **Reporting** | Parse 5 different JSON formats manually. | **Unified Output.** One deduplicated `kekkai-report.json` for all findings. |
-| **DefectDojo** | Write a 200-line `docker-compose.yml` and debug networking. | **One Command.** `kekkai dojo up` automates the entire stack setup. |
-| **Threat Modeling** | Expensive consultants or manual whiteboarding. | **AI Agent.** `kekkai threatflow` generates `THREATS.md` locally. |
-| **CI/CD** | Write complex bash scripts to break builds. | **Policy Engine.** `kekkai scan --ci --fail-on high`. |
----
-## 🔒 Enterprise Features (Portal)
-For teams that need centralized management, **Kekkai Portal** offers:
-* **SAML 2.0 SSO** with Replay Protection
-* **Role-Based Access Control (RBAC)**
-* **Cryptographically Signed Audit Logs**
-*Built by Kademos Labs.*
----
-## 📚 Documentation
-- **[Automated Distribution Updates](docs/ci/automated-distributions.md)** - CI/CD distribution triggers
-- **[CI Architecture](/.docs/development/ci-architecture.md)** - Developer guide for distribution automation
-- **[Homebrew Maintenance](docs/ci/homebrew-maintenance.md)** - Homebrew tap management

portal/__init__.py DELETED Viewed

@@ -1,19 +0,0 @@
-"""Kekkai Hosted Portal - DefectDojo-backed multi-tenant security dashboard."""
-from __future__ import annotations
-__all__ = [
-    "AuthMethod",
-    "AuthResult",
-    "SAMLTenantConfig",
-    "Tenant",
-    "TenantStore",
-    "UploadResult",
-    "authenticate_request",
-    "process_upload",
-    "validate_upload",
-]
-from .auth import AuthResult, authenticate_request
-from .tenants import AuthMethod, SAMLTenantConfig, Tenant, TenantStore
-from .uploads import UploadResult, process_upload, validate_upload

portal/api.py DELETED Viewed

@@ -1,155 +0,0 @@
-"""Portal API endpoints for programmatic access.
-Provides REST API endpoints that expose the same data visible in the UI.
-All endpoints require authentication and enforce tenant isolation.
-"""
-from __future__ import annotations
-import json
-import logging
-import os
-from dataclasses import dataclass
-from pathlib import Path
-from typing import Any
-from .tenants import Tenant
-logger = logging.getLogger(__name__)
-@dataclass(frozen=True)
-class UploadInfo:
-    """Information about an upload."""
-    upload_id: str
-    filename: str
-    timestamp: str
-    file_hash: str
-    size_bytes: int
-@dataclass(frozen=True)
-class TenantStats:
-    """Statistics for a tenant."""
-    total_uploads: int
-    total_size_bytes: int
-    last_upload_time: str | None
-def get_tenant_info(tenant: Tenant) -> dict[str, Any]:
-    """Get tenant information for API response.
-    Args:
-        tenant: The authenticated tenant
-    Returns:
-        Dictionary containing tenant metadata
-    """
-    return {
-        "id": tenant.id,
-        "name": tenant.name,
-        "dojo_product_id": tenant.dojo_product_id,
-        "dojo_engagement_id": tenant.dojo_engagement_id,
-        "enabled": tenant.enabled,
-        "max_upload_size_mb": tenant.max_upload_size_mb,
-        "auth_method": tenant.auth_method.value,
-        "default_role": tenant.default_role,
-    }
-def list_uploads(tenant: Tenant, limit: int = 50) -> list[dict[str, Any]]:
-    """List recent uploads for a tenant.
-    Args:
-        tenant: The authenticated tenant
-        limit: Maximum number of uploads to return
-    Returns:
-        List of upload metadata dictionaries
-    """
-    upload_dir = Path(os.environ.get("PORTAL_UPLOAD_DIR", "/var/lib/kekkai-portal/uploads"))
-    tenant_dir = upload_dir / tenant.id
-    if not tenant_dir.exists():
-        return []
-    uploads: list[dict[str, Any]] = []
-    # Get all upload files for this tenant
-    try:
-        upload_files = sorted(
-            tenant_dir.glob("*.json"),
-            key=lambda p: p.stat().st_mtime,
-            reverse=True,
-        )[:limit]
-        for upload_file in upload_files:
-            stat = upload_file.stat()
-            uploads.append(
-                {
-                    "upload_id": upload_file.stem,
-                    "filename": upload_file.name,
-                    "timestamp": str(int(stat.st_mtime)),
-                    "size_bytes": stat.st_size,
-                }
-            )
-    except (OSError, PermissionError) as e:
-        logger.warning("Failed to list uploads for tenant %s: %s", tenant.id, e)
-    return uploads
-def get_tenant_stats(tenant: Tenant) -> dict[str, Any]:
-    """Get statistics for a tenant.
-    Args:
-        tenant: The authenticated tenant
-    Returns:
-        Dictionary containing tenant statistics
-    """
-    upload_dir = Path(os.environ.get("PORTAL_UPLOAD_DIR", "/var/lib/kekkai-portal/uploads"))
-    tenant_dir = upload_dir / tenant.id
-    if not tenant_dir.exists():
-        return {
-            "total_uploads": 0,
-            "total_size_bytes": 0,
-            "last_upload_time": None,
-        }
-    total_uploads = 0
-    total_size_bytes = 0
-    last_upload_time: int | None = None
-    try:
-        for upload_file in tenant_dir.glob("*.json"):
-            stat = upload_file.stat()
-            total_uploads += 1
-            total_size_bytes += stat.st_size
-            if last_upload_time is None or stat.st_mtime > last_upload_time:
-                last_upload_time = int(stat.st_mtime)
-    except (OSError, PermissionError) as e:
-        logger.warning("Failed to get stats for tenant %s: %s", tenant.id, e)
-    return {
-        "total_uploads": total_uploads,
-        "total_size_bytes": total_size_bytes,
-        "last_upload_time": str(last_upload_time) if last_upload_time else None,
-    }
-def serialize_api_response(data: dict[str, Any]) -> bytes:
-    """Serialize API response to JSON bytes.
-    Args:
-        data: Response data dictionary
-    Returns:
-        JSON-encoded bytes
-    """
-    return json.dumps(data, indent=2).encode("utf-8")

portal/auth.py DELETED Viewed

@@ -1,103 +0,0 @@
-"""Authentication middleware for portal API.
-Security controls:
-- ASVS V16.3.2: Log failed authorization attempts
-- Constant-time API key comparison to prevent timing attacks
-"""
-from __future__ import annotations
-import logging
-import re
-from dataclasses import dataclass
-from typing import TYPE_CHECKING
-from kekkai_core import redact
-from .tenants import Tenant, TenantStore
-if TYPE_CHECKING:
-    from collections.abc import Mapping
-logger = logging.getLogger(__name__)
-BEARER_PATTERN = re.compile(r"^Bearer\s+(\S+)$", re.IGNORECASE)
-@dataclass(frozen=True)
-class AuthResult:
-    """Result of authentication attempt."""
-    authenticated: bool
-    tenant: Tenant | None = None
-    error: str | None = None
-def authenticate_request(
-    headers: Mapping[str, str],
-    tenant_store: TenantStore,
-    client_ip: str = "unknown",
-) -> AuthResult:
-    """Authenticate a request using Bearer token.
-    Args:
-        headers: Request headers (case-insensitive lookup)
-        tenant_store: Tenant storage for API key verification
-        client_ip: Client IP for logging failed attempts
-    Returns:
-        AuthResult with tenant if authenticated, error otherwise
-    """
-    auth_header = _get_header(headers, "Authorization")
-    if not auth_header:
-        _log_auth_failure(client_ip, "missing_header")
-        return AuthResult(authenticated=False, error="Missing Authorization header")
-    match = BEARER_PATTERN.match(auth_header)
-    if not match:
-        _log_auth_failure(client_ip, "invalid_format")
-        return AuthResult(authenticated=False, error="Invalid Authorization format")
-    api_key = match.group(1)
-    if not api_key:
-        _log_auth_failure(client_ip, "empty_token")
-        return AuthResult(authenticated=False, error="Empty API token")
-    tenant = tenant_store.get_by_api_key(api_key)
-    if not tenant:
-        _log_auth_failure(client_ip, "invalid_token", api_key_prefix=api_key[:8])
-        return AuthResult(authenticated=False, error="Invalid API key")
-    if not tenant.enabled:
-        _log_auth_failure(client_ip, "tenant_disabled", tenant_id=tenant.id)
-        return AuthResult(authenticated=False, error="Tenant is disabled")
-    logger.info(
-        "auth.success client_ip=%s tenant_id=%s",
-        redact(client_ip),
-        tenant.id,
-    )
-    return AuthResult(authenticated=True, tenant=tenant)
-def _get_header(headers: Mapping[str, str], name: str) -> str | None:
-    """Get header value with case-insensitive lookup."""
-    for key, value in headers.items():
-        if key.lower() == name.lower():
-            return value
-    return None
-def _log_auth_failure(
-    client_ip: str,
-    reason: str,
-    tenant_id: str | None = None,
-    api_key_prefix: str | None = None,
-) -> None:
-    """Log authentication failure for security monitoring (ASVS V16.3.2)."""
-    parts = [f"auth.failure reason={reason}", f"client_ip={redact(client_ip)}"]
-    if tenant_id:
-        parts.append(f"tenant_id={tenant_id}")
-    if api_key_prefix:
-        parts.append(f"api_key_prefix={api_key_prefix}...")
-    logger.warning(" ".join(parts))

portal/enterprise/__init__.py DELETED Viewed

@@ -1,32 +0,0 @@
-"""Enterprise features for Kekkai Portal.
-Provides:
-- RBAC (Role-Based Access Control)
-- SAML 2.0 SSO integration
-- Audit logging
-- Enterprise license gating
-"""
-from __future__ import annotations
-from .audit import AuditEvent, AuditEventType, AuditLog
-from .licensing import EnterpriseLicense, LicenseStatus, LicenseValidator
-from .rbac import AuthorizationResult, Permission, RBACManager, Role
-from .saml import SAMLAssertion, SAMLConfig, SAMLError, SAMLProcessor
-__all__ = [
-    "AuditEvent",
-    "AuditEventType",
-    "AuditLog",
-    "AuthorizationResult",
-    "EnterpriseLicense",
-    "LicenseStatus",
-    "LicenseValidator",
-    "Permission",
-    "RBACManager",
-    "Role",
-    "SAMLAssertion",
-    "SAMLConfig",
-    "SAMLError",
-    "SAMLProcessor",
-]

kekkai-cli 1.0.5__py3-none-any.whl → 1.1.1__py3-none-any.whl

kekkai-cli 1.0.5py3-none-any.whl → 1.1.1py3-none-any.whl