V2.1.0

MANIFEST.in

@@ -0,0 +1,3 @@
+include src/nod/defaults/*.yaml
+include README.md
+include LICENSE

defaults/rules-security-baseline.yaml

@@ -1,49 +1,101 @@
+# nod Compliance Pack: Security Baseline
+# Version: 1.2 (Hardened Regex for v2.1.0)
+# Focus: Foundational cybersecurity hygiene for any AI project.
+
 profiles:
   security_baseline:
     badge_label: "Security Hardened"
+
     requirements:
-      - id: "Data Retention Policy"
+      # Data Protection
+      - id: "#+.*Data Retention"
+        label: "Data Retention Policy"
         tags: ["Privacy", "Data-Protection"]
         severity: "MEDIUM"
         remediation: "Define how long training inputs and inference outputs are stored."
-      - id: "Encryption at Rest"
-        tags: ["Security", "Encryption", "Storage"]
+
+      - id: "#+.*Encryption at Rest"
+        label: "Encryption (Rest)"
+        control_id: "SC-28"
+        tags: ["Security", "Storage"]
         severity: "HIGH"
         remediation: "Must explicitly state encryption protocols for stored data (e.g., AES-256)."
-      - id: "Encryption in Transit"
-        tags: ["Security", "Encryption", "Network"]
+
+      - id: "#+.*Encryption in Transit"
+        label: "Encryption (Transit)"
+        control_id: "SC-8"
+        tags: ["Security", "Network"]
         severity: "HIGH"
         remediation: "Must explicitly state encryption protocols for data in motion (e.g., TLS 1.3)."
-      - id: "Authentication Mechanisms"
+
+      # Identity & Access Management (IAM)
+      - id: "#+.*Authentication"
+        label: "Authentication"
         control_id: "AC-1"
         severity: "HIGH"
         remediation: "Define how users/systems are authenticated (e.g., MFA, SSO)."
-      - id: "Authorization Policy"
+
+      - id: "#+.*Authorization"
+        label: "Authorization"
         control_id: "AC-2"
         severity: "HIGH"
         remediation: "Define permission models (e.g., RBAC, Least Privilege)."
-      - id: "Secrets Management"
-        tags: ["Security", "Secrets"]
+
+      - id: "#+.*Secrets Management"
+        label: "Secrets Management"
+        control_id: "IA-5"
         severity: "CRITICAL"
         remediation: "Define how secrets (API keys) are managed, ensuring they are not hardcoded."
-      - id: "Audit Logging"
+
+      # Logging & Availability
+      - id: "#+.*Audit Log"
+        label: "Audit Logging"
         control_id: "AU-2"
         severity: "HIGH"
         remediation: "Ensure security-critical events (login failures, sensitive access) are logged centrally."
-      - id: "Rate Limiting"
-        tags: ["Security", "Availability"]
+
+      - id: "#+.*Rate Limit"
+        label: "Rate Limiting"
+        control_id: "SC-5"
         severity: "MEDIUM"
         remediation: "Define rate limits to prevent DoS attacks."
-      - id: "Energy Consumption"
+
+      # Sustainability
+      - id: "#+.*Energy Consumption"
+        label: "Sustainability"
         tags: ["Sustainability", "Green-AI"]
         severity: "LOW"
         remediation: "Sustainability: Estimate energy consumption of training/inference."
+
     red_flags:
+      # Credential Leakage (High Fidelity)
+      - pattern: "(?i)(password|secret|key|token)\\s*=\\s*['\"][a-zA-Z0-9_\\-]{8,}['\"]"
+        label: "Generic Secret Assignment"
+        tags: ["Security", "Secrets"]
+        severity: "CRITICAL"
+        remediation: "Potential hardcoded secret detected. Use environment variables or a vault."
+
+      - pattern: "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
+        label: "AWS Access Key"
+        tags: ["Security", "Secrets"]
+        severity: "CRITICAL"
+        remediation: "AWS Access Key ID detected. Revoke immediately."
+
+      - pattern: "-----BEGIN (RSA|EC|DSA|OPENSSH|PRIVATE)? ?KEY-----"
+        label: "Private Key Block"
+        tags: ["Security", "Secrets"]
+        severity: "CRITICAL"
+        remediation: "Private Key block detected. Never commit keys to version control."
+
+      - pattern: "sk-[a-zA-Z0-9]{32,}"
+        label: "OpenAI Key"
+        tags: ["Security", "Secrets"]
+        severity: "CRITICAL"
+        remediation: "OpenAI Secret Key detected."
+
+      # Anti-Patterns
       - pattern: "disable auth"
+        label: "Disabled Auth"
         tags: ["Security", "Anti-Pattern"]
         severity: "CRITICAL"
         remediation: "Security Anti-Pattern: Do not disable authentication mechanisms in spec."
-      - pattern: "hardcoded credential"
-        tags: ["Security", "Anti-Pattern"]
-        severity: "CRITICAL"
-        remediation: "Security Anti-Pattern: Never reference hardcoded secrets or keys."

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "nod-linter"
-version = "2.0.0"
+version = "2.1.0"
 description = "A compliance-as-code gatekeeper for AI specifications."
 readme = "README.md"
 authors = [
@@ -32,3 +32,6 @@ nod = "nod.cli:main"
 
 [tool.setuptools.packages.find]
 where = ["src"]
+
+[tool.setuptools.package-data]
+nod = ["defaults/*.yaml"]

src/nod/__init__.py

@@ -2,4 +2,4 @@
 nod: AI Spec Compliance Gatekeeper.
 """
 
-__version__ = "2.0.0"
+__version__ = "2.1.0"

src/nod/cli.py

@@ -8,6 +8,7 @@
 from .reporters import gen_sarif, gen_report
 from .security import sign_attestation, freeze, verify
 from .utils import Colors, colorize
+from . import __version__
 
 def main():
     parser = argparse.ArgumentParser(description="nod: AI Spec Compliance")
@@ -22,12 +23,14 @@ def main():
     parser.add_argument("--min-severity", default="HIGH", choices=["MEDIUM", "HIGH", "CRITICAL"])
     parser.add_argument("--output", choices=["text", "json", "sarif", "compliance"], default="text")
     parser.add_argument("--save-to")
+    parser.add_argument("--version", action="version", version=f"nod v{__version__}")
+    parser.add_argument("--quiet", "-q", action="store_true", help="Suppress non-error output")
     args = parser.parse_args()
 
     default_rules = ["defaults"] if os.path.isdir("defaults") else ["rules.yaml"]
     sources = args.rules if args.rules else default_rules
 
-    # Init config
+    # Init config (Quietly unless error)
     config = load_rules(sources)
     policy_version = config.get("version", "unknown")
     ignored = load_ignore(".nodignore")
@@ -44,7 +47,8 @@ def main():
                 sys.exit(1)
             with open(args.path, "w", encoding="utf-8") as f:
                 f.write(template)
-            print(f"✅ Generated: {args.path}")
+            if not args.quiet:
+                print(f"✅ Generated: {args.path}")
         else:
             print(template)
         sys.exit(0)
@@ -61,11 +65,15 @@ def main():
 
     if args.freeze:
         freeze(policy_version, scanner.attestation)
+        if not args.quiet:
+            print(f"✅ Baseline frozen to nod.lock")
         sys.exit(0)
 
     if args.verify:
         if not verify(scanner.attestation):
             sys.exit(1)
+        if not args.quiet:
+            print("✅ Verification Passed: No drift.")
         sys.exit(0)
 
     if args.fix:
@@ -82,50 +90,73 @@ def main():
     elif args.output == "compliance":
         output_content = gen_report(scanner.attestation)
     else:
-        summary = [f"\n--- nod Summary ---\nTarget: {args.path}\nMax Sev: {max_sev_label}"]
-        if scanner.attestation.get("signed"):
-            summary.append(f"{colorize('🔒 Signed', Colors.GREEN)}")
+        # Text Output
+        summary = []
+        if not args.quiet:
+            summary.append(f"\n--- nod Summary ---\nTarget: {args.path}\nMax Sev: {max_sev_label}")
+            if scanner.attestation.get("signed"):
+                summary.append(f"{colorize('🔒 Signed', Colors.GREEN)}")
 
         fail_check = False
         min_val = SEVERITY_MAP.get(args.min_severity, 0)
 
         for data in results.values():
-            summary.append(f"\n[{colorize(data['label'], Colors.BOLD)}]")
+            # In quiet mode, skip profile headers unless there's a failure inside? 
+            # Or just print failures. Let's print failures only in quiet mode.
+            profile_buffer = []
+            if not args.quiet:
+                profile_buffer.append(f"\n[{colorize(data['label'], Colors.BOLD)}]")
+
+            has_failures = False
             for check in data["checks"]:
                 name = check.get("label") or check['id']
                 if check["status"] == "FAIL":
+                    has_failures = True
                     sev_col = Colors.RED if check['severity'] in ["CRITICAL", "HIGH"] else Colors.YELLOW
-                    summary.append(f"  {colorize('❌', Colors.RED)} [{colorize(check['severity'], sev_col)}] {name}")
+                    profile_buffer.append(f"  {colorize('❌', Colors.RED)} [{colorize(check['severity'], sev_col)}] {name}")
                     if check.get("source"):
-                        summary.append(f"     File: {check['source']}")
+                        profile_buffer.append(f"     File: {check['source']}")
 
                     if SEVERITY_MAP.get(check["severity"], 0) >= min_val:
                         fail_check = True
-                elif check["status"] == "EXCEPTION":
-                    summary.append(f"  {colorize('⚪', Colors.BLUE)} [EXCEPTION] {name}")
-                elif check["status"] == "SKIPPED":
-                    summary.append(f"  {colorize('⏭️', Colors.CYAN)}  [SKIPPED] {name}")
-                else:
-                    summary.append(f"  {colorize('✅', Colors.GREEN)} [PASS] {name}")
+                elif not args.quiet:
+                    if check["status"] == "EXCEPTION":
+                        profile_buffer.append(f"  {colorize('⚪', Colors.BLUE)} [EXCEPTION] {name}")
+                    elif check["status"] == "SKIPPED":
+                        profile_buffer.append(f"  {colorize('⏭️', Colors.CYAN)}  [SKIPPED] {name}")
+                    else:
+                        profile_buffer.append(f"  {colorize('✅', Colors.GREEN)} [PASS] {name}")
+
+            # In quiet mode, only append buffer if there were failures
+            if not args.quiet or has_failures:
+                summary.extend(profile_buffer)
 
-        status_msg = f"\nFAIL: Blocked by {args.min_severity}+" if fail_check else "\nPASS: Nod granted."
-        summary.append(colorize(status_msg, Colors.RED if fail_check else Colors.GREEN))
-        output_content = "\n".join(summary)
         if fail_check:
+            status_msg = f"\nFAIL: Blocked by {args.min_severity}+"
+            summary.append(colorize(status_msg, Colors.RED))
             exit_code = 1
+        elif not args.quiet:
+            status_msg = "\nPASS: Nod granted."
+            summary.append(colorize(status_msg, Colors.GREEN))
+
+        output_content = "\n".join(summary)
 
+    # Check exit code based on severity for non-text outputs too
     if SEVERITY_MAP.get(max_sev_label, 0) >= SEVERITY_MAP.get(args.min_severity, 0):
         exit_code = 1
 
     if args.save_to:
         try:
             with open(args.save_to, "w", encoding="utf-8") as f:
                 f.write(output_content)
-            print(f"Saved: {args.save_to}")
+            if not args.quiet:
+                print(f"Saved: {args.save_to}")
         except Exception as e:
             print(f"Error saving file: {e}", file=sys.stderr)
             sys.exit(1)
     else:
-        print(output_content)
+        # Only print if there is content (quiet mode with no errors might be empty)
+        if output_content.strip():
+            print(output_content)
 
     sys.exit(exit_code)