probity 0.1.0__py3-none-any.whl

probity/__init__.py

@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 Janier Rodríguez
+
+"""Probity — continuous, auditable NIS2 compliance evidence."""
+
+__version__ = "0.1.0"

probity/__main__.py

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 Janier Rodríguez
+
+from probity.cli import main
+
+if __name__ == "__main__":
+    raise SystemExit(main())

probity/cli.py

@@ -0,0 +1,251 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 Janier Rodríguez
+
+from __future__ import annotations
+
+import argparse
+from collections.abc import Callable, Sequence
+from typing import cast
+
+from probity.commands.registry import Command, discovered_commands
+from probity.connectors.base import Connector
+from probity.connectors.cyclonedx_connector import CycloneDxConnector
+from probity.connectors.mock_assets import MockAssetsConnector
+from probity.connectors.mock_backup import MockBackupConnector
+from probity.connectors.mock_cloud import MockCloudConnector
+from probity.connectors.mock_governance import MockGovernanceConnector
+from probity.connectors.mock_idp import MockIdpConnector
+from probity.connectors.mock_pipeline import MockPipelineConnector
+from probity.connectors.mock_sbom import MockSbomConnector
+from probity.connectors.mock_sca import MockScaConnector
+from probity.connectors.mock_siem import MockSiemConnector
+from probity.connectors.mock_tls import MockTlsConnector
+from probity.connectors.mock_training import MockTrainingConnector
+from probity.connectors.osv_connector import OsvConnector
+from probity.connectors.registry import discovered_sources
+from probity.connectors.restic_connector import ResticConnector
+from probity.connectors.sslyze_connector import SslyzeConnector
+from probity.connectors.testssl_connector import TesttsslConnector
+from probity.connectors.trivy_connector import TrivyConnector
+from probity.connectors.veeam_connector import VeeamConnector
+from probity.controls import ALL_CONTROLS
+from probity.engine.runner import Scan
+from probity.model.enums import Status
+from probity.model.finding import Report
+from probity.report.history import Trend, append_snapshot, compute_trend, load_snapshots
+from probity.report.registry import all_formats
+from probity.scan_addons.registry import discovered_addons
+
+# Active controls come from the single-source-of-truth registry in
+# probity.controls so the catalogue cannot drift between the CLI and runner.
+CONTROLS = ALL_CONTROLS
+
+
+def add_source_args(parser: argparse.ArgumentParser) -> None:
+    """Attach the shared connector-source flags to ``parser``.
+
+    Public so registered commands (e.g. the Enterprise ``watch``) can reuse the
+    exact same source flags as ``scan``. Identity facts come from a file source
+    (``--source``); live identity sources (e.g. Entra) are contributed by
+    externally registered connector sources, so Core never has to be edited.
+    """
+    parser.add_argument("--source", help="Path to identity source JSON (mock_idp).")
+    parser.add_argument("--cloud", help="Path to cloud storage source JSON (mock_cloud).")
+    parser.add_argument("--tls", help="Path to TLS endpoint source JSON (mock_tls).")
+    parser.add_argument("--testssl", help="Path to real testssl.sh --jsonfile output.")
+    parser.add_argument("--sslyze", help="Path to real sslyze --json_out output.")
+    parser.add_argument("--backup", help="Path to backup-jobs source JSON (mock_backup).")
+    parser.add_argument("--veeam", help="Path to real Veeam B&R job-report JSON.")
+    parser.add_argument("--restic", help="Path to real restic snapshots --json output.")
+    parser.add_argument("--sca", help="Path to dependency/CVE source JSON (mock_sca).")
+    parser.add_argument("--osv", help="Path to real osv-scanner --format json output.")
+    parser.add_argument("--sbom", help="Path to SBOM component source JSON (mock_sbom).")
+    parser.add_argument("--cyclonedx", help="Path to a real CycloneDX JSON BOM.")
+    parser.add_argument(
+        "--governance",
+        help="Path to governance records JSON (documents + suppliers) for SOFT controls.",
+    )
+    parser.add_argument(
+        "--assets",
+        help="Path to asset-management JSON (assets + vulnscans + patches) for C02/C12/C14.",
+    )
+    parser.add_argument("--trivy", help="Path to real Trivy --format json output for C12.")
+    parser.add_argument(
+        "--siem",
+        help="Path to SIEM JSON (log sources + detection rules) for C03/C04.",
+    )
+    parser.add_argument("--pipeline", help="Path to CI/CD pipeline config JSON for C13.")
+    parser.add_argument("--training", help="Path to HR/LMS training records JSON for C16.")
+    # Externally registered connector sources (e.g. the Enterprise package) add
+    # their own flags here, so the CLI never has to be edited to gain them.
+    for source in discovered_sources():
+        source.add_arguments(parser)
+
+
+def _configure_scan(parser: argparse.ArgumentParser) -> None:
+    add_source_args(parser)
+    parser.add_argument("--format", choices=sorted(all_formats()), default="text")
+    parser.add_argument(
+        "--out",
+        help="Write the report to this file instead of stdout (required for --format pdf).",
+    )
+    parser.add_argument(
+        "--history",
+        help="Append-only JSONL store; records this scan and reports the score trend.",
+    )
+    # Externally registered scan add-ons (e.g. the Enterprise multi-framework
+    # coverage view) contribute their own flags here, so Core never has to be
+    # edited to gain post-scan behaviour.
+    for addon in discovered_addons():
+        addon.add_arguments(parser)
+
+
+# Core ships a single command. Service commands (watch/serve) are Enterprise-only
+# and join via the probity.commands entry point (see docs/TIERING.md).
+BUILTIN_COMMANDS: tuple[Command, ...] = (
+    Command(
+        name="scan",
+        help="Run controls against sources and emit findings.",
+        configure=_configure_scan,
+        run=lambda args: _run_scan(args),
+    ),
+)
+
+
+def _all_commands() -> list[Command]:
+    """Builtin commands plus any registered via entry points (plugins appended)."""
+    return [*BUILTIN_COMMANDS, *discovered_commands()]
+
+
+def build_parser() -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(
+        prog="probity", description="Continuous NIS2 compliance evidence."
+    )
+    sub = parser.add_subparsers(dest="command", required=True)
+    for command in _all_commands():
+        cp = sub.add_parser(command.name, help=command.help)
+        command.configure(cp)
+        cp.set_defaults(_run=command.run)
+    return parser
+
+
+_TREND_ARROW = {"up": "▲", "down": "▼", "flat": "▬", "first": "•"}
+
+
+def _render_trend(trend: Trend) -> str:
+    arrow = _TREND_ARROW[trend.direction]
+    if trend.previous is None:
+        return f"Trend {arrow} first recorded scan — score {trend.current}%."
+    sign = "+" if trend.delta >= 0 else ""
+    return (
+        f"Trend {arrow} {trend.direction} — score {trend.current}% "
+        f"({sign}{trend.delta} vs previous {trend.previous}%)."
+    )
+
+
+def _emit(report: Report, fmt: str, out: str | None) -> None:
+    """Render the report in ``fmt`` to ``out`` (file) or stdout via the registry.
+
+    Binary formats (e.g. PDF) always require ``--out``; text formats print to
+    stdout unless a path is given. The format set is the builtin formats plus any
+    registered by plugins, so this stays correct as Enterprise adds formats.
+    """
+    report_format = all_formats()[fmt]
+    rendered = report_format.render(report)
+    if report_format.binary:
+        if not out:
+            raise SystemExit(f"--format {fmt} requires --out FILE")
+        if not isinstance(rendered, bytes):
+            raise TypeError(f"format {fmt!r} is binary but did not render bytes")
+        with open(out, "wb") as fh:
+            fh.write(rendered)
+        print(f"Wrote {fmt} evidence pack to {out}")
+        return
+    if not isinstance(rendered, str):
+        raise TypeError(f"format {fmt!r} is text but did not render str")
+    if out:
+        with open(out, "w", encoding="utf-8") as fh:
+            fh.write(rendered)
+        print(f"Wrote {fmt} report to {out}")
+    else:
+        print(rendered)
+
+
+def build_connectors(args: argparse.Namespace) -> list[Connector]:
+    """Build the connector list from the shared source flags on ``args``.
+
+    Public so registered commands (e.g. the Enterprise ``watch``) build the
+    exact same connector set as ``scan``. File sources are built first, then any
+    connectors contributed by externally registered sources (plugins). At least
+    one evidence source must resolve to a connector, or the run is refused.
+    """
+    connectors: list[Connector] = []
+    if args.source:
+        connectors.append(MockIdpConnector(args.source))
+    if args.cloud:
+        connectors.append(MockCloudConnector(args.cloud))
+    if args.tls:
+        connectors.append(MockTlsConnector(args.tls))
+    if args.testssl:
+        connectors.append(TesttsslConnector(args.testssl))
+    if args.sslyze:
+        connectors.append(SslyzeConnector(args.sslyze))
+    if args.backup:
+        connectors.append(MockBackupConnector(args.backup))
+    if args.veeam:
+        connectors.append(VeeamConnector(args.veeam))
+    if args.restic:
+        connectors.append(ResticConnector(args.restic))
+    if args.sca:
+        connectors.append(MockScaConnector(args.sca))
+    if args.osv:
+        connectors.append(OsvConnector(args.osv))
+    if args.sbom:
+        connectors.append(MockSbomConnector(args.sbom))
+    if args.cyclonedx:
+        connectors.append(CycloneDxConnector(args.cyclonedx))
+    if args.governance:
+        connectors.append(MockGovernanceConnector(args.governance))
+    if args.assets:
+        connectors.append(MockAssetsConnector(args.assets))
+    if args.trivy:
+        connectors.append(TrivyConnector(args.trivy))
+    if args.siem:
+        connectors.append(MockSiemConnector(args.siem))
+    if args.pipeline:
+        connectors.append(MockPipelineConnector(args.pipeline))
+    if args.training:
+        connectors.append(MockTrainingConnector(args.training))
+    # Append connectors contributed by externally registered sources (plugins).
+    for source in discovered_sources():
+        connectors.extend(source.build(args))
+    if not connectors:
+        raise SystemExit("provide at least one evidence source (e.g. --source FILE)")
+    return connectors
+
+
+def _run_scan(args: argparse.Namespace) -> int:
+    report = Scan(build_connectors(args), CONTROLS).run()
+    _emit(report, args.format, args.out)
+    if args.history:
+        append_snapshot(report, args.history)
+        trend = compute_trend(load_snapshots(args.history))
+        print(_render_trend(trend))
+    # Registered scan add-ons run after the report is emitted. Each is inert
+    # unless its own flag is set, so default scan output is unchanged.
+    for addon in discovered_addons():
+        addon.after_scan(report, args)
+    failed = any(f.status is Status.FAIL for f in report.findings)
+    return 1 if failed else 0
+
+
+def main(argv: Sequence[str] | None = None) -> int:
+    args = build_parser().parse_args(argv)
+    # Every subparser stores its command's run callable under ``_run`` via
+    # set_defaults, so dispatch needs no per-command branch here.
+    run = cast("Callable[[argparse.Namespace], int]", args._run)
+    return run(args)
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

probity/commands/__init__.py

@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 Janier Rodríguez
+
+"""CLI subcommand seam.
+
+Core ships the ``scan`` command. Service commands (``watch``, ``serve``) are
+Enterprise-only and register through the ``probity.commands`` entry-point group
+defined in :mod:`probity.commands.registry`.
+"""
+
+from __future__ import annotations

probity/commands/registry.py

@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 Janier Rodríguez
+
+from __future__ import annotations
+
+import argparse
+from collections.abc import Callable
+from dataclasses import dataclass
+from typing import cast
+
+from probity.plugins import load_plugins
+
+# Entry-point group the Enterprise package (or any third party) registers extra
+# CLI subcommands under — e.g. the service-layer ``watch`` and ``serve``.
+COMMAND_GROUP = "probity.commands"
+
+
+@dataclass(frozen=True)
+class Command:
+    """A named CLI subcommand.
+
+    ``configure`` receives the freshly created subparser to attach its own
+    flags; ``run`` executes the command from parsed args and returns a process
+    exit code. Core ships ``scan``; registered commands extend the CLI with no
+    edit to Core's dispatch.
+    """
+
+    name: str
+    help: str
+    configure: Callable[[argparse.ArgumentParser], None]
+    run: Callable[[argparse.Namespace], int]
+
+
+def discovered_commands() -> list[Command]:
+    """Subcommands registered via entry points (empty in a plain Core install)."""
+    return cast("list[Command]", load_plugins(COMMAND_GROUP))

probity/connectors/__init__.py

@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 Janier Rodríguez
+

probity/connectors/base.py

@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 Janier Rodríguez
+
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+from collections.abc import Iterable
+
+from probity.model.fact import Fact
+
+
+class Connector(ABC):
+    """Reads a real system and emits Facts. Plugin unit (UDS module pattern)."""
+
+    id: str = ""
+    title: str = ""
+
+    @abstractmethod
+    def collect(self) -> Iterable[Fact]:
+        """Return facts observed from the source. Must not raise on an empty source."""
+        raise NotImplementedError

probity/connectors/cyclonedx_connector.py

@@ -0,0 +1,59 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 Janier Rodríguez
+
+"""Real SBOM connector backed by a CycloneDX JSON bill of materials.
+
+Unlike :class:`~probity.connectors.mock_sbom.MockSbomConnector`, this reads an
+actual CycloneDX BOM produced by a standard tool (`cyclonedx-py`,
+`syft -o cyclonedx-json`, `cdxgen`). No credentials and no network are needed
+at scan time: the operator generates the BOM (free, offline) and hands Probity
+the file as auditable supply-chain evidence.
+
+A component's mere presence in a real BOM proves an SBOM exists for it; the
+BOM's own ``metadata.timestamp`` is that SBOM's generation date. This emits the
+same ``sbom.component`` facts the mock does, so C09 consumes either unchanged
+and keeps its fail-closed staleness check (a BOM with no timestamp leaves
+``generated_at`` blank, which C09 fails closed).
+"""
+
+from __future__ import annotations
+
+import json
+from collections.abc import Iterable
+from pathlib import Path
+from typing import Any, cast
+
+from probity.connectors.base import Connector
+from probity.connectors.mock_sbom import SBOM_KIND
+from probity.model.fact import Fact
+
+
+class CycloneDxConnector(Connector):
+    """Emits one ``sbom.component`` fact per component listed in the BOM."""
+
+    id = "cyclonedx"
+    title = "SBOM (CycloneDX JSON bill of materials)"
+
+    def __init__(self, source: str | Path | dict[str, Any]) -> None:
+        self._source = source
+
+    def _load(self) -> dict[str, Any]:
+        if isinstance(self._source, dict):
+            return self._source
+        raw = Path(self._source).read_text(encoding="utf-8")
+        return cast(dict[str, Any], json.loads(raw))
+
+    def collect(self) -> Iterable[Fact]:
+        payload = self._load()
+        generated_at = str(payload.get("metadata", {}).get("timestamp", ""))
+        for comp in payload.get("components", []):
+            name = comp.get("name", "")
+            version = comp.get("version", "")
+            data = {
+                "name": name,
+                "version": version,
+                "has_sbom": True,
+                "generated_at": generated_at,
+                "purl": comp.get("purl", ""),
+            }
+            yield Fact(kind=SBOM_KIND, key=f"{name}@{version}", data=data)

probity/connectors/mock_assets.py

@@ -0,0 +1,66 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 Janier Rodríguez
+
+"""File-backed asset-management connector for the asset-plane HARD controls.
+
+A real deployment fuses a CMDB / cloud inventory, a vulnerability scanner, and a
+patch/EDR console; this single connector stands in for all three and emits the
+per-asset facts they would provide:
+
+* ``asset.record`` — inventory entry (C02)::
+
+      {"id": "vm-1", "name": "prod-db", "type": "vm",
+       "managed": true, "last_seen": "2026-06-03T12:00:00+00:00"}
+
+* ``vulnscan.target`` — scan coverage per asset (C12)::
+
+      {"id": "vm-1", "asset": "prod-db", "critical": true,
+       "last_scan": "2026-05-20T00:00:00+00:00", "scanner": "nessus"}
+
+* ``patch.host`` — patch state per host (C14)::
+
+      {"id": "vm-1", "host": "prod-db", "critical": true,
+       "last_patched": "2026-05-28T00:00:00+00:00", "pending_critical": 0}
+
+Dates are ISO-8601. Real connectors (cloud API, scanner export, EDR) emit the
+same facts, so the controls run unchanged.
+"""
+
+from __future__ import annotations
+
+import json
+from collections.abc import Iterable
+from pathlib import Path
+from typing import Any, cast
+
+from probity.connectors.base import Connector
+from probity.model.fact import Fact
+
+ASSET_KIND = "asset.record"
+VULNSCAN_KIND = "vulnscan.target"
+PATCH_KIND = "patch.host"
+
+
+class MockAssetsConnector(Connector):
+    """Emits ``asset.record``, ``vulnscan.target`` and ``patch.host`` facts."""
+
+    id = "mock_assets"
+    title = "Mock Asset Management (file-backed)"
+
+    def __init__(self, source: str | Path | dict[str, Any]) -> None:
+        self._source = source
+
+    def _load(self) -> dict[str, Any]:
+        if isinstance(self._source, dict):
+            return self._source
+        raw = Path(self._source).read_text(encoding="utf-8")
+        return cast(dict[str, Any], json.loads(raw))
+
+    def collect(self) -> Iterable[Fact]:
+        payload = self._load()
+        for asset in payload.get("assets", []):
+            yield Fact(kind=ASSET_KIND, key=str(asset["id"]), data=dict(asset))
+        for target in payload.get("vulnscans", []):
+            yield Fact(kind=VULNSCAN_KIND, key=str(target["id"]), data=dict(target))
+        for host in payload.get("patches", []):
+            yield Fact(kind=PATCH_KIND, key=str(host["id"]), data=dict(host))

probity/connectors/mock_backup.py

@@ -0,0 +1,45 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 Janier Rodríguez
+
+"""File-backed backup-job connector for development and tests."""
+
+from __future__ import annotations
+
+import json
+from collections.abc import Iterable
+from pathlib import Path
+from typing import Any, cast
+
+from probity.connectors.base import Connector
+from probity.model.fact import Fact
+
+BACKUP_KIND = "backup.job"
+
+
+class MockBackupConnector(Connector):
+    """Emits one ``backup.job`` fact per declared backup job.
+
+    Source JSON shape::
+
+        {"backups": [
+            {"id": "b1", "asset": "prod-db", "critical": true,
+             "last_backup": "2026-06-03T00:00:00+00:00", "retention_days": 30}
+        ]}
+    """
+
+    id = "mock_backup"
+    title = "Mock Backup Jobs (file-backed)"
+
+    def __init__(self, source: str | Path | dict[str, Any]) -> None:
+        self._source = source
+
+    def _load(self) -> dict[str, Any]:
+        if isinstance(self._source, dict):
+            return self._source
+        raw = Path(self._source).read_text(encoding="utf-8")
+        return cast(dict[str, Any], json.loads(raw))
+
+    def collect(self) -> Iterable[Fact]:
+        payload = self._load()
+        for job in payload.get("backups", []):
+            yield Fact(kind=BACKUP_KIND, key=str(job["id"]), data=dict(job))

probity/connectors/mock_cloud.py

@@ -0,0 +1,45 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 Janier Rodríguez
+
+"""File-backed cloud storage connector for development and tests."""
+
+from __future__ import annotations
+
+import json
+from collections.abc import Iterable
+from pathlib import Path
+from typing import Any, cast
+
+from probity.connectors.base import Connector
+from probity.model.fact import Fact
+
+STORAGE_KIND = "storage.volume"
+
+
+class MockCloudConnector(Connector):
+    """Emits one ``storage.volume`` fact per declared volume.
+
+    Source JSON shape::
+
+        {"volumes": [
+            {"id": "v1", "name": "prod-db", "encrypted": true,
+             "kms": "managed", "contains_pii": true}
+        ]}
+    """
+
+    id = "mock_cloud"
+    title = "Mock Cloud Storage (file-backed)"
+
+    def __init__(self, source: str | Path | dict[str, Any]) -> None:
+        self._source = source
+
+    def _load(self) -> dict[str, Any]:
+        if isinstance(self._source, dict):
+            return self._source
+        raw = Path(self._source).read_text(encoding="utf-8")
+        return cast(dict[str, Any], json.loads(raw))
+
+    def collect(self) -> Iterable[Fact]:
+        payload = self._load()
+        for volume in payload.get("volumes", []):
+            yield Fact(kind=STORAGE_KIND, key=str(volume["id"]), data=dict(volume))

probity/connectors/mock_governance.py

@@ -0,0 +1,58 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 Janier Rodríguez
+
+"""File-backed governance connector for the SOFT (policy) controls.
+
+SOFT controls reason over governance artifacts whose *existence and currency*
+are machine-checkable but whose *adequacy* needs a human auditor. This single
+connector feeds them all:
+
+* ``governance.document`` — a policy / procedure record (C01, C05, C15)::
+
+      {"id": "pol-sec", "type": "security_policy", "title": "InfoSec Policy",
+       "approved_at": "2025-09-01", "review_due": "2026-09-01"}
+
+* ``governance.supplier`` — a critical-supplier risk record (C11)::
+
+      {"id": "sup-acme", "name": "AcmeCloud", "criticality": "high",
+       "risk_assessed_at": "2026-01-15"}
+
+Dates are ISO-8601 (date or datetime). A real deployment would replace this
+with an export from a GRC / policy-management tool emitting the same facts.
+"""
+
+from __future__ import annotations
+
+import json
+from collections.abc import Iterable
+from pathlib import Path
+from typing import Any, cast
+
+from probity.connectors.base import Connector
+from probity.model.fact import Fact
+
+DOCUMENT_KIND = "governance.document"
+SUPPLIER_KIND = "governance.supplier"
+
+
+class MockGovernanceConnector(Connector):
+    """Emits ``governance.document`` and ``governance.supplier`` facts."""
+
+    id = "mock_governance"
+    title = "Mock Governance Records (file-backed)"
+
+    def __init__(self, source: str | Path | dict[str, Any]) -> None:
+        self._source = source
+
+    def _load(self) -> dict[str, Any]:
+        if isinstance(self._source, dict):
+            return self._source
+        raw = Path(self._source).read_text(encoding="utf-8")
+        return cast(dict[str, Any], json.loads(raw))
+
+    def collect(self) -> Iterable[Fact]:
+        payload = self._load()
+        for doc in payload.get("documents", []):
+            yield Fact(kind=DOCUMENT_KIND, key=str(doc["id"]), data=dict(doc))
+        for supplier in payload.get("suppliers", []):
+            yield Fact(kind=SUPPLIER_KIND, key=str(supplier["id"]), data=dict(supplier))

probity/connectors/mock_idp.py

@@ -0,0 +1,45 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 Janier Rodríguez
+
+from __future__ import annotations
+
+import json
+from collections.abc import Iterable
+from pathlib import Path
+from typing import Any, cast
+
+from probity.connectors.base import Connector
+from probity.model.fact import Fact
+
+ACCOUNT_KIND = "identity.account"
+
+
+class MockIdpConnector(Connector):
+    """File-backed identity provider connector for development and tests.
+
+    Source JSON shape::
+
+        {"accounts": [
+            {"id": "u1", "display_name": "Alice", "enabled": true,
+             "privileged": true, "mfa_enabled": true, "hr_active": true}
+        ]}
+
+    Every account becomes one ``identity.account`` fact.
+    """
+
+    id = "mock_idp"
+    title = "Mock Identity Provider (file-backed)"
+
+    def __init__(self, source: str | Path | dict[str, Any]) -> None:
+        self._source = source
+
+    def _load(self) -> dict[str, Any]:
+        if isinstance(self._source, dict):
+            return self._source
+        raw = Path(self._source).read_text(encoding="utf-8")
+        return cast(dict[str, Any], json.loads(raw))
+
+    def collect(self) -> Iterable[Fact]:
+        payload = self._load()
+        for account in payload.get("accounts", []):
+            yield Fact(kind=ACCOUNT_KIND, key=str(account["id"]), data=dict(account))