ventra 0.0.0.post26__tar.gz

ventra-0.0.0.post26/.env

@@ -0,0 +1,3 @@
+# Loaded by VS Code/Cursor (python.envFile) and local scripts.
+# Stops Python from writing __pycache__ / .pyc files in the repo.
+PYTHONDONTWRITEBYTECODE=1

ventra-0.0.0.post26/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,24 @@
+---
+name: Bug report
+about: Something isn't working
+labels: bug
+---
+
+**Component:** collector / ingester / console
+
+**What happened**
+A clear description of the bug.
+
+**To reproduce**
+Steps, command line, and (sanitized) inputs.
+
+**Expected**
+What you expected instead.
+
+**Environment**
+- Ventra version:
+- OS / runtime:
+- Cloud (if collector): AWS / Azure / GCP
+
+**Logs**
+Relevant output (scrub any account IDs, ARNs, IPs, or customer data).

ventra-0.0.0.post26/.github/ISSUE_TEMPLATE/collector_request.md

@@ -0,0 +1,24 @@
+---
+name: New collector / source request
+about: Propose a new artifact source for the collector + ingester
+labels: enhancement, collector
+---
+
+**Cloud & service**
+e.g. AWS Transit Gateway Flow Logs.
+
+**What it tells an investigator**
+Which of the four questions does it answer — who authenticated, what they did, what changed,
+or data exfil? Map to an ATT&CK Cloud technique if you can.
+
+**Read-only API actions required**
+List the `Describe*` / `Get*` / `List*` calls. Reminder: the collector is read-only — no
+mutating actions.
+
+**Tier**
+- [ ] Tier 1 (baseline, always collected)
+- [ ] Tier 2 (strongly recommended)
+- [ ] Tier 3 (conditional / on-demand)
+
+**Sample record (sanitized)**
+A scrubbed example of the source's output, to design the parser/normalizer.

ventra-0.0.0.post26/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,24 @@
+<!-- Thanks for contributing to Ventra. Keep PRs focused. -->
+
+## What & why
+
+<!-- What does this change and why? Link any issue. -->
+
+## Type
+
+- [ ] Collector (acquisition)
+- [ ] Ingester (parse / normalize / load)
+- [ ] Console (backend / frontend)
+- [ ] Docs / CI / infra
+
+## Forensic-soundness checklist
+
+- [ ] **No mutating cloud calls** added to the collector (the `readonly-guard` CI check passes).
+- [ ] Integrity guarantees unchanged, or change reviewed by a second maintainer.
+- [ ] No telemetry / outbound calls added to the console.
+- [ ] No real customer data committed — fixtures are synthetic/sanitized.
+
+## Tests
+
+- [ ] Added/updated tests (parser round-trip, collector moto test, or console e2e).
+- [ ] `pytest`, `ruff`, and the frontend `build` all pass locally.

ventra-0.0.0.post26/.github/workflows/ci.yml

@@ -0,0 +1,80 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  readonly-guard:
+    # The collector must never call a mutating cloud API. This gate fails the build if it does.
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # setuptools-scm needs history + tags to build ventra
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install collector
+        run: pip install .
+      - name: Guard — registered collectors are read-only
+        run: python -m collector.tools.verify_readonly --collectors
+      - name: Guard — published IAM policy is read-only
+        run: python -m collector.tools.verify_readonly docs/iam-policies/aws-collector-readonly.json
+
+  python:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # setuptools-scm needs history + tags to build ventra
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install
+        run: |
+          pip install .[dev] ./ingester[dev] ./console/backend
+          pip install ruff
+      - name: Lint
+        run: ruff check collector ingester console/backend
+      - name: Schema validation
+        run: |
+          python - <<'PY'
+          import json, pathlib
+          for p in pathlib.Path("schemas").glob("*.json"):
+              json.loads(p.read_text())  # must parse
+              print("ok", p.name)
+          PY
+      - name: Tests
+        run: python -m pytest tests/ -q
+
+  frontend:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: console/frontend
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+      - run: npm install --no-audit --no-fund
+      - name: Typecheck
+        run: npm run typecheck
+      - name: Build
+        run: npm run build
+
+  secret-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

ventra-0.0.0.post26/.github/workflows/publish.yml

@@ -0,0 +1,71 @@
+# Publish Ventra to PyPI. Continuous delivery: every push to main publishes a new version, so
+# in CloudShell `pipx install ventra` (fresh) and `pipx upgrade ventra` (existing) always fetch
+# your latest pushed code — no tagging needed for day-to-day testing.
+#
+#   * push to main           → 0.1.1.postN published to PyPI (after tests pass)
+#   * push a tag `vX.Y.Z`    → clean X.Y.Z published + a GitHub Release (milestone)
+#
+# Both are normal versions that `pip`/`pipx` upgrade to by default. Tags are optional and just
+# give a tidy version number + release notes for a milestone (e.g. v1.0.0).
+#
+# PyPI trusted publisher (pypi.org → ventra → Publishing):
+#   Owner: Haggag-22   Repository: Ventra   Workflow: publish.yml   Environment: (any)
+name: Publish
+
+on:
+  push:
+    branches: ["main"]
+    tags: ["v*"]
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # full history + tags so setuptools-scm can resolve the version
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install
+        run: pip install .[dev] ./ingester[dev] ./console/backend
+      - name: Read-only guard
+        run: |
+          python -m collector.tools.verify_readonly --collectors
+          python -m collector.tools.verify_readonly docs/iam-policies/aws-collector-readonly.json
+      - name: Tests
+        run: python -m pytest tests/ -q
+
+  publish:
+    needs: test
+    runs-on: ubuntu-latest
+    # No `environment:` — the PyPI trusted publisher is set to "(any)" environment, so pinning
+    # one here would only add a GitHub Environment dependency (and a possible approval gate).
+    permissions:
+      id-token: write   # PyPI trusted publishing (OIDC)
+      contents: write   # create the GitHub Release
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Build ventra
+        run: |
+          pip install build
+          python -m build
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          skip-existing: true
+      - name: Create GitHub Release
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true
+          files: dist/*

ventra-0.0.0.post26/.gitignore

@@ -0,0 +1,44 @@
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+.eggs/
+build/
+dist/
+.venv/
+venv/
+.mypy_cache/
+.ruff_cache/
+.pytest_cache/
+.coverage
+htmlcov/
+
+# Node / Next.js
+node_modules/
+.next/
+out/
+.turbo/
+npm-debug.log*
+yarn-error.log*
+
+# Ventra runtime data — never commit real evidence (root store only)
+/cases/
+*.tar.zst
+*.tar.gz
+!tests/fixtures/**/*.tar.zst
+ventra-evidence/
+*.duckdb
+*.parquet
+!tests/fixtures/**/*.parquet
+
+# Keys & secrets
+*.pem
+*.key
+!docs/keys/*.pub
+
+# OS / editor
+.DS_Store
+.claude/
+.idea/
+.vscode/
+*.swp

ventra-0.0.0.post26/CHANGELOG.md

@@ -0,0 +1,24 @@
+# Changelog
+
+All notable changes to Ventra are documented here. Format follows
+[Keep a Changelog](https://keepachangelog.com/en/1.1.0/); versioning is
+[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+- Project foundation: README, license (Apache-2.0), security policy, contributing guide.
+- **Evidence Package Format (EPF) v1** specification and JSON Schemas (manifest, package,
+  unified event).
+- **AWS collector** with Tier 1 baseline modules: account context, CloudTrail, VPC Flow
+  Logs config, GuardDuty, WAF, IAM snapshot, STS activity.
+- Read-only IAM policy for the AWS collector.
+- Packaging pipeline: tar + zstd, per-source SHA-256, manifest, detached signature.
+- **Ingester**: signature/hash verification, source parsers, normalizer to the unified
+  event schema, DuckDB/Parquet loader.
+- **Analyst console**: FastAPI backend + Next.js frontend with Cases, Overview, Timeline,
+  CloudTrail Analyzer, Identity, Network, Resources, Findings, Search, Report, and Settings.
+- Demo case fixtures and an end-to-end collect → ingest → render path.
+- Terraform reference forensics environment for the analyst workstation.
+
+[Unreleased]: https://github.com/Haggag-22/Ventra/commits/main

ventra-0.0.0.post26/CODE_OF_CONDUCT.md

@@ -0,0 +1,10 @@
+# Code of Conduct
+
+This project adopts the [Contributor Covenant v2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct/).
+
+In short: be respectful, assume good faith, and keep discussion focused on the work.
+Harassment, discrimination, and personal attacks are not tolerated. Maintainers may remove
+contributions and contributors that violate these standards.
+
+Report concerns privately to `conduct@ventra-ir.example` (replace before public release).
+Reports are handled confidentially.

ventra-0.0.0.post26/CONTRIBUTING.md

@@ -0,0 +1,78 @@
+# Contributing to Ventra
+
+Thanks for helping build forensically-sound cloud IR tooling. This guide covers the
+ground rules that keep Ventra trustworthy.
+
+## Non-negotiables
+
+These are not style preferences — they are correctness requirements for an evidence tool:
+
+1. **The collector is read-only.** A PR that adds any mutating AWS/Azure/GCP API call to the
+   collector will be rejected. The CI `readonly-guard` check scans for disallowed verbs
+   (`Create*`, `Put*`, `Delete*`, `Update*`, `Modify*`, `Terminate*`, `Run*`, `Start*`,
+   `Stop*`, `Attach*`, `Associate*`, etc.). If you believe an exception is warranted, open
+   an issue first.
+2. **Never weaken integrity.** Hashing on acquisition, manifest signing, and ingest-time
+   verification are load-bearing. Changes here require a second maintainer review.
+3. **No telemetry, no outbound calls** in the console by default. No CDN fonts, no analytics,
+   no map tiles fetched at runtime. Ship assets locally.
+4. **Fixtures only.** Never commit real customer data. All test data must be synthetic or
+   thoroughly sanitized — see `tests/fixtures/README.md`.
+
+## Project layout
+
+- `collector/` — Python, `boto3`. Cloud providers (`aws/`, `azure/`, `gcp/`) each hold
+  their collector modules. Shared code lives in `lib/`. Every registered collector runs
+  on each invocation — no profiles or presets.
+- `bin/` — CloudShell bootstrap scripts (not part of the pip package).
+- `ingester/` — Python. `parsers/` (source-specific) → `normalizer/` (unified schema) →
+  `loaders/`. Parsers must be pure and independently versioned.
+- `console/backend/` — FastAPI over the case store. Thin; all RBAC enforced server-side.
+- `console/frontend/` — Next.js + Tailwind + shadcn-style components. One module per panel.
+
+## Development setup
+
+```bash
+# Python tooling (collector + ingester + backend)
+python -m venv .venv && source .venv/bin/activate
+pip install -e ".[dev]" -e "ingester[dev]" -e "console/backend[dev]"
+pre-commit install
+
+# Frontend
+cd console/frontend && npm install && npm run dev
+```
+
+## Standards
+
+- **Python**: `ruff` (lint + format), `mypy` (typed), `pytest`. Target 3.11+.
+- **TypeScript**: `eslint`, `prettier`, strict mode. No `any` without justification.
+- **Commits**: Conventional Commits (`feat:`, `fix:`, `docs:`, `parser:` …).
+- **Tests**: every parser ships with a fixture + a round-trip test. Every collector ships
+  with a mocked-boto3 test. The console ships with an e2e against the demo case.
+
+## Adding a new collector
+
+1. Add a module under `collector/aws/<group>/`.
+2. Register it in `collector/aws/registry.py` (it will run automatically on every collection).
+3. Add a fixture and a `moto`-mocked test under `tests/collector/`.
+4. Document the artifact in `docs/evidence-package-format.md` and the IAM actions it needs
+   in `docs/iam-policies/`.
+
+## Adding a new parser / source to the console
+
+1. Add a parser under `ingester/ventra_ingester/parsers/`.
+2. Map it to the unified schema in `normalizer/`.
+3. Add a fixture + round-trip test.
+4. If it introduces a new event category, update the console's category palette.
+
+## Pull requests
+
+Use the PR template. CI must be green: lint, type-check, unit, integration, e2e, schema
+validation, secret-scan, and `readonly-guard`. Keep PRs focused.
+
+## Versioning & releases
+
+The version is derived from git by setuptools-scm — never hand-edit a version string. Every
+push to `main` is published to PyPI as a `0.1.1.postN` version (continuous delivery), and a
+`v*` tag publishes a clean `X.Y.Z` plus a GitHub Release for a milestone. See
+[RELEASING.md](RELEASING.md).

ventra-0.0.0.post26/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

ventra-0.0.0.post26/Makefile

@@ -0,0 +1,66 @@
+# Ventra developer convenience targets.
+export PYTHONDONTWRITEBYTECODE := 1
+
+.PHONY: help install dev-setup demo ingest backend frontend dev gui test lint readonly-guard clean clean-pycache ensure-no-pycache install-hooks
+
+help:
+	@echo "Ventra targets:"
+	@echo "  make install        Install collector + ingester + backend (editable)"
+	@echo "  make gui            Same as: ventra gui (auto-setup + hot reload, no Docker)"
+	@echo "  make demo           Generate a synthetic evidence package into tests/fixtures/"
+	@echo "  make ingest         Ingest the demo package into ./cases"
+	@echo "  make backend        Run the console backend (uvicorn :8000, reload)"
+	@echo "  make frontend       Run the console frontend (next dev :8080)"
+	@echo "  make test           Run the Python test suite"
+	@echo "  make lint           ruff + frontend typecheck"
+	@echo "  make readonly-guard Verify the collector is read-only"
+	@echo "  make clean-pycache    Remove all __pycache__ folders locally"
+
+install:
+	pip install -e .[dev] -e ./ingester[dev] -e ./console/backend
+
+dev-setup: install clean-pycache ensure-no-pycache install-hooks
+	mkdir -p cases .ventra-uploads
+	cd console/frontend && npm install
+
+gui: clean-pycache
+	ventra gui
+
+# Alias of `gui`, kept for muscle memory.
+dev: gui
+
+demo:
+	python tests/fixtures/generate_demo_case.py --out tests/fixtures/
+
+ingest:
+	ventra-ingest tests/fixtures/case-*.tar.zst --case-store ./cases
+
+backend: clean-pycache
+	VENTRA_CASE_STORE=./cases VENTRA_UPLOAD_DIR=./.ventra-uploads \
+	uvicorn app.main:app --reload --host 127.0.0.1 --port 8000
+
+frontend:
+	cd console/frontend && npm run dev
+
+test: clean-pycache
+	pytest tests/ -q
+
+lint:
+	ruff check collector ingester console/backend
+	cd console/frontend && npm run typecheck
+
+readonly-guard:
+	python -m collector.tools.verify_readonly --collectors
+	python -m collector.tools.verify_readonly docs/iam-policies/aws-collector-readonly.json
+
+clean-pycache:
+	@./scripts/clean-pycache.sh
+
+ensure-no-pycache:
+	@chmod +x scripts/ensure-no-pycache.sh && ./scripts/ensure-no-pycache.sh
+
+install-hooks:
+	@./scripts/install-git-hooks.sh
+
+clean: clean-pycache
+	rm -rf cases .ventra-uploads tests/fixtures/case-*.tar.* tests/fixtures/case-*.sha256