lfguard 0.1.0__tar.gz

lfguard-0.1.0/CHANGELOG.md

@@ -0,0 +1,105 @@
+# Changelog
+
+## 0.1.0
+
+- Initial release of `lfguard`.
+- Adds the `lfguard` CLI with `init`, `schema`, `check`, `validate`, `lint`,
+  `audit`, `plan`, `sample`, `bootstrap`, `doctor`, `permissions`,
+  `completion`, `snapshot`, and conservative `apply` commands.
+- Adds desired-policy lint checks for undefined LF-Tag keys and values.
+- Adds a `check` command for one-step offline validation and lint gates.
+- Uses `check` in generated policy/demo workflows and release smoke tests.
+- Emphasizes `check` in first-run quickstarts before planning changes.
+- Adds policy summary reports for compact review of desired and current state.
+- Adds text, JSON, and Markdown output for reviewable audit and plan workflows.
+- Adds SARIF output for audit and lint findings.
+- Adds an offline install check for optional AWS and YAML integrations.
+- Adds `doctor --require` checks for failing CI when required optional extras
+  are missing.
+- Adds a `permissions` command for generating starter IAM policies for
+  read-only, additive apply, and destructive apply workflows.
+- Adds a `completion` command for bash, zsh, and fish shell completions.
+- Adds a `--github-summary` option for GitHub Actions job summaries across
+  lint, summary, audit, plan, and apply workflows.
+- Adds a copyable GitHub Code Scanning workflow for lint and audit SARIF
+  uploads.
+- Adds a `--fail-on-changes` option for CI plan gates.
+- Adds a `--fail-on-severity` option for error-only audit gates.
+- Adds severity summaries to audit text, JSON, and Markdown reports.
+- Adds `--output-file` report capture for audit, plan, and apply workflows.
+- Adds `--output-file` diagnostics capture for doctor and validate workflows.
+- Documents GitHub Actions report artifact uploads and preserves CI build artifacts.
+- Adds a CLI reference with command semantics, common options, and exit codes.
+- Adds YAML starter policy generation and a YAML example policy.
+- Adds `init --template` starter policies for a data-domain example or blank
+  policy skeleton.
+- Ships a JSON Schema for desired/current state files.
+- Adds importable planning and audit APIs under `lakeformation_guard`.
+- Supports LF-Tag definitions, resource tag assignments, and Lake Formation grants.
+- Includes an optional boto3 adapter for live AWS inventory and execution.
+- Ships offline JSON/YAML desired-state workflows and example policy files.
+- Adds an examples guide and PyPI metadata links for first-run discoverability.
+- Adds PyPI discovery keywords for policy-as-code, drift detection, data lake,
+  and data governance searches.
+- Adds an adoption checklist for moving from offline demo to CI and controlled
+  apply workflows.
+- Adds a report-format guide for audit, plan, apply, and CI artifacts.
+- Adds a safety model guide for conservative defaults and destructive changes.
+- Adds a Lake Formation operating guide covering IAM/Lake Formation interaction,
+  LF-Tag best practices, hybrid access mode, `IAMAllowedPrincipals`, and
+  antipatterns.
+- Tightens README and CLI guidance around the core `check`, `audit`, `plan`,
+  and conservative `apply` workflow while keeping scaffolds secondary.
+- Adds lint coverage and docs for AWS LF-Tag behavior: lower-case storage,
+  one resource value per key, expression AND/OR semantics, and `*` value
+  wildcards in LF-Tag policy grants.
+- Adds a tag and permission matrix for LF-Tag inheritance, column overrides,
+  grant shape interactions, expression matching, permission behavior, and
+  `lfguard` support boundaries.
+- Adds opinionated governance lint for broad principals, `ALL`/`SUPER`,
+  mutating permissions, grant option, wildcard LF-Tag policies, and named
+  database/table grant exceptions.
+- Adds a positioning guide for how `lfguard` fits with infrastructure tools,
+  raw boto3, and console workflows.
+- Calls out README scope limits early so new users can evaluate fit quickly.
+- Adds a README capability matrix for quick PyPI-page evaluation.
+- Adds a troubleshooting guide for common install, AWS, planning, and CI issues.
+- Adds GitHub issue and pull request templates for safer community reports.
+- Adds a copyable GitHub Actions drift-check workflow under `examples/`.
+- Adds a copyable pre-commit validation hook example under `examples/`.
+- Adds an architecture guide for package boundaries, data flow, and AWS adapter
+  responsibilities.
+- Adds a roadmap with near-term priorities, evaluation questions, and non-goals.
+- Adds publish-ready release notes for the first public PyPI release.
+- Documents `pipx` and `uv tool` install paths for CLI users.
+- Adds a `sample` command for generating a runnable offline demo after install,
+  including a local README with copy-paste commands.
+- Adds `sample --include-ci` for generating an offline GitHub Actions demo
+  workflow alongside the sample files.
+- Adds a `bootstrap` command for generating a starter policy repository layout
+  with schema, CI, pre-commit, and rollout README files.
+- Adds JSON, YAML, and combined output formats for generated sample demos.
+- Adds a state-format guide with examples for each supported resource kind.
+- Adds an AWS API coverage guide for live inventory and apply calls.
+- Adds an FAQ for safety, scope, credentials, and adoption questions.
+- Adds CI and release workflow smoke tests for the built wheel.
+- Adds a release workflow gate that installs and smoke-tests the package from
+  PyPI after publishing.
+- Retries the post-publish PyPI install briefly to tolerate index propagation.
+- Verifies the exact PyPI version matching the GitHub release tag.
+- Fails the release workflow early when the GitHub release tag does not match
+  package metadata.
+- Verifies release artifact filenames and embedded wheel/sdist metadata before
+  upload.
+- Adds an optional `bootstrap --include-live-drift` scaffold for scheduled
+  GitHub OIDC drift checks and starter read-only IAM policy JSON.
+- Adds an optional `bootstrap --include-code-scanning` scaffold for uploading
+  `lfguard` lint and drift SARIF findings to GitHub Code Scanning.
+- Adds an optional `bootstrap --include-review-template` scaffold for CODEOWNERS
+  and Lake Formation policy pull request checklists.
+- Adds an optional `bootstrap --include-editor-config` scaffold for VS Code
+  schema validation against generated desired policy files.
+- Adds docs tests for internal Markdown links.
+- Adds package metadata tests for version, console scripts, and project URLs.
+- Modernizes the build backend requirement for current setuptools releases.
+- Uses SPDX license metadata without deprecated license classifiers.

lfguard-0.1.0/CONTRIBUTING.md

@@ -0,0 +1,38 @@
+# Contributing
+
+Thanks for improving `lfguard`.
+
+## Development Setup
+
+```bash
+python -m venv .venv
+. .venv/bin/activate
+python -m pip install -e ".[dev,aws,yaml]"
+python -m unittest discover -s tests
+```
+
+## Reporting Issues
+
+Use the GitHub bug report template for reproducible behavior and include
+sanitized desired/current state when possible. Run `lfguard doctor --output json`
+and remove any sensitive account, principal, catalog, or path details before
+posting output.
+
+Use the feature request template for new resource shapes, report formats,
+workflow integrations, or safety-model changes.
+
+## Design Constraints
+
+- Keep audit and plan logic deterministic and AWS-free.
+- Keep boto3 calls in the adapter layer.
+- Default plans must remain conservative: no revokes or removals unless the user explicitly enables them.
+- Add tests for every planner, audit, or apply behavior change.
+- Prefer JSON-compatible public payloads so CLI output can be consumed by CI systems.
+
+## Release Checks
+
+```bash
+python -m unittest discover -s tests
+python -m build
+python -m twine check dist/*
+```

lfguard-0.1.0/LICENSE

@@ -0,0 +1,156 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction, and
+distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by the copyright
+owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all other entities
+that control, are controlled by, or are under common control with that entity.
+For the purposes of this definition, "control" means (i) the power, direct or
+indirect, to cause the direction or management of such entity, whether by
+contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising
+permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications, including
+but not limited to software source code, documentation source, and configuration
+files.
+
+"Object" form shall mean any form resulting from mechanical transformation or
+translation of a Source form, including but not limited to compiled object code,
+generated documentation, and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or Object form,
+made available under the License, as indicated by a copyright notice that is
+included in or attached to the work.
+
+"Derivative Works" shall mean any work, whether in Source or Object form, that
+is based on (or derived from) the Work and for which the editorial revisions,
+annotations, elaborations, or other modifications represent, as a whole, an
+original work of authorship. For the purposes of this License, Derivative Works
+shall not include works that remain separable from, or merely link (or bind by
+name) to the interfaces of, the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the original version
+of the Work and any modifications or additions to that Work or Derivative Works
+thereof, that is intentionally submitted to Licensor for inclusion in the Work by
+the copyright owner or by an individual or Legal Entity authorized to submit on
+behalf of the copyright owner. For the purposes of this definition, "submitted"
+means any form of electronic, verbal, or written communication sent to the
+Licensor or its representatives, including but not limited to communication on
+electronic mailing lists, source code control systems, and issue tracking
+systems that are managed by, or on behalf of, the Licensor for the purpose of
+discussing and improving the Work, but excluding communication that is
+conspicuously marked or otherwise designated in writing by the copyright owner
+as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity on behalf
+of whom a Contribution has been received by Licensor and subsequently
+incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of this
+License, each Contributor hereby grants to You a perpetual, worldwide,
+non-exclusive, no-charge, royalty-free, irrevocable copyright license to
+reproduce, prepare Derivative Works of, publicly display, publicly perform,
+sublicense, and distribute the Work and such Derivative Works in Source or
+Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of this License,
+each Contributor hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable patent license to make, have made, use,
+offer to sell, sell, import, and otherwise transfer the Work, where such license
+applies only to those patent claims licensable by such Contributor that are
+necessarily infringed by their Contribution(s) alone or by combination of their
+Contribution(s) with the Work to which such Contribution(s) was submitted. If
+You institute patent litigation against any entity alleging that the Work or a
+Contribution incorporated within the Work constitutes direct or contributory
+patent infringement, then any patent licenses granted to You under this License
+for that Work shall terminate as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the Work or
+Derivative Works thereof in any medium, with or without modifications, and in
+Source or Object form, provided that You meet the following conditions:
+
+(a) You must give any other recipients of the Work or Derivative Works a copy of
+this License; and
+
+(b) You must cause any modified files to carry prominent notices stating that
+You changed the files; and
+
+(c) You must retain, in the Source form of any Derivative Works that You
+distribute, all copyright, patent, trademark, and attribution notices from the
+Source form of the Work, excluding those notices that do not pertain to any part
+of the Derivative Works; and
+
+(d) If the Work includes a "NOTICE" text file as part of its distribution, then
+any Derivative Works that You distribute must include a readable copy of the
+attribution notices contained within such NOTICE file, excluding those notices
+that do not pertain to any part of the Derivative Works, in at least one of the
+following places: within a NOTICE text file distributed as part of the
+Derivative Works; within the Source form or documentation, if provided along
+with the Derivative Works; or, within a display generated by the Derivative
+Works, if and wherever such third-party notices normally appear. The contents of
+the NOTICE file are for informational purposes only and do not modify the
+License. You may add Your own attribution notices within Derivative Works that
+You distribute, alongside or as an addendum to the NOTICE text from the Work,
+provided that such additional attribution notices cannot be construed as
+modifying the License.
+
+You may add Your own copyright statement to Your modifications and may provide
+additional or different license terms and conditions for use, reproduction, or
+distribution of Your modifications, or for any such Derivative Works as a whole,
+provided Your use, reproduction, and distribution of the Work otherwise complies
+with the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise, any
+Contribution intentionally submitted for inclusion in the Work by You to the
+Licensor shall be under the terms and conditions of this License, without any
+additional terms or conditions. Notwithstanding the above, nothing herein shall
+supersede or modify the terms of any separate license agreement you may have
+executed with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade names,
+trademarks, service marks, or product names of the Licensor, except as required
+for reasonable and customary use in describing the origin of the Work and
+reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or agreed to in
+writing, Licensor provides the Work on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+CONDITIONS OF ANY KIND, either express or implied, including, without limitation,
+any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or
+FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the
+appropriateness of using or redistributing the Work and assume any risks
+associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory, whether in
+tort (including negligence), contract, or otherwise, unless required by
+applicable law (such as deliberate and grossly negligent acts) or agreed to in
+writing, shall any Contributor be liable to You for damages, including any
+direct, indirect, special, incidental, or consequential damages of any character
+arising as a result of this License or out of the use or inability to use the
+Work, including but not limited to damages for loss of goodwill, work stoppage,
+computer failure or malfunction, or any and all other commercial damages or
+losses, even if such Contributor has been advised of the possibility of such
+damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing the Work or
+Derivative Works thereof, You may choose to offer, and charge a fee for,
+acceptance of support, warranty, indemnity, or other liability obligations and
+rights consistent with this License. However, in accepting such obligations, You
+may act only on Your own behalf and on Your sole responsibility, not on behalf
+of any other Contributor, and only if You agree to indemnify, defend, and hold
+each Contributor harmless for any liability incurred by, or claims asserted
+against, such Contributor by reason of your accepting any such warranty or
+additional liability.
+
+END OF TERMS AND CONDITIONS

lfguard-0.1.0/MANIFEST.in

@@ -0,0 +1,12 @@
+include LICENSE
+include README.md
+include pyproject.toml
+include setup.cfg
+include setup.py
+include src/lakeformation_guard/py.typed
+include CHANGELOG.md
+include CONTRIBUTING.md
+include SECURITY.md
+recursive-include docs *.md *.json
+recursive-include examples *.json *.md *.yaml *.yml
+recursive-include tests *.py