From 51dbc180431347996b75f6486f2ad811a3f3c0a3 Mon Sep 17 00:00:00 2001 From: Maxime Date: Wed, 8 Jul 2026 11:34:48 -0700 Subject: [PATCH 1/5] docs: Cloud Security API / IaC / case-automation reference One operator reference covering the public /cloudsec API surface (auth, routes, the ?format=csv streaming export), the Hive-as-IaC story (cloudsec_provider / all six cloudsec_policy types incl. suppression / cloudsec_query, with tenant-onboarding and multi-tenant policy-push recipes), and the findings-cases D&R recipes (auto-create / resolve / reopen-if-not-fixed, plus the Jira-via-Outputs variant). Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01KBA8AfLL8xJ4zR46YPGGMy --- docs/8-reference/cloud-security-api-iac.md | 214 +++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 215 insertions(+) create mode 100644 docs/8-reference/cloud-security-api-iac.md diff --git a/docs/8-reference/cloud-security-api-iac.md b/docs/8-reference/cloud-security-api-iac.md new file mode 100644 index 000000000..293cb0d50 --- /dev/null +++ b/docs/8-reference/cloud-security-api-iac.md @@ -0,0 +1,214 @@ +# Cloud Security: API, Infrastructure-as-Code, and Case Automation + +This page is the operator reference for automating LimaCharlie Cloud Security: the +public REST API surface, the Hive records that ARE the Infrastructure-as-Code +surface (providers, policies, saved queries), and the D&R recipes that close the +loop between cloud findings and Cases. + +## The REST API + +All Cloud Security routes live under `https://api.limacharlie.io/v1/cloudsec/{oid}/…` +and appear in the public OpenAPI spec at +[`/openapi`](https://api.limacharlie.io/openapi). Reads require the `cloudsec.get` +permission, finding-triage writes require `cloudsec.set`, and every route requires +the organization to be subscribed to the cloud inventory extension (a `403` tells +you to subscribe). + +The read surface includes: `findings` (risk-ranked worklist with keyset pagination +and server-side filters), `findings/facets`, `attack-paths` (with the same filter +selectors), `chokepoints` (incl. the principal-exposure metrics), `ciem/public-access`, +`inventory` (+`inventory/facets`), `compliance` (+`compliance/frameworks`), +`overview` (incl. the per-tenant `usage` metering block), `risk-trend`, `changes`, +`scan-status`, `query` (the graph DSL), and `graph/neighbors`. + +### CSV export + +Add `?format=csv` to `findings`, `inventory`, `compliance`, or `query` to stream the +result as a CSV attachment instead of JSON. The server walks the full filtered set +itself (your filter query parameters apply; paging parameters are ignored), capped +at 100,000 rows with a trailing `#`-comment row as the truncation notice. + +```bash +curl -H "Authorization: Bearer $JWT" \ + "https://api.limacharlie.io/v1/cloudsec/$OID/findings?severity=CRITICAL&severity=HIGH&format=csv" \ + -o findings.csv +``` + +The compliance CSV carries one row per control including the proving finding ids — +the auditor-facing evidence export. + +## Hive is the IaC surface + +Cloud Security is configured entirely through Hive records. Anything you can click +in the console you can `limacharlie hive set` — which makes tenant onboarding and +multi-tenant policy management a script, not a UI workflow. + +| Hive | Record | Purpose | +|---|---|---| +| `cloudsec_provider` | one per cloud/IdP connection | what to collect (GCP / AWS / Azure / Okta / Google Workspace) | +| `cloudsec_policy` | many, typed by `policy_type` | `classification` (crown jewels), `coverage` (EDR expectation), `scanning` (agentless YARA), `emission` (event feed), `exclusions` (resource escape hatch), `suppression` (finding disposition rules) | +| `cloudsec_query` | one per saved query | org-shared saved graph queries (the Query Console library) | + +### Onboarding a tenant (recipe) + +```bash +# 1. Subscribe the org to the extension (billing/enable gate). +limacharlie extension subscribe --name ext-cloud-inventory --oid $OID + +# 2. Connect a provider. +cat > provider.json < classification.json < Date: Sat, 11 Jul 2026 10:25:05 -0700 Subject: [PATCH 2/5] docs(cloud-security): extension renamed to ext-cloud-security Co-Authored-By: Claude Fable 5 Claude-Session: https://claude.ai/code/session_015kiVFM7wDDFeLHjbd477AW --- docs/8-reference/cloud-security-api-iac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/8-reference/cloud-security-api-iac.md b/docs/8-reference/cloud-security-api-iac.md index 293cb0d50..245faa365 100644 --- a/docs/8-reference/cloud-security-api-iac.md +++ b/docs/8-reference/cloud-security-api-iac.md @@ -53,7 +53,7 @@ multi-tenant policy management a script, not a UI workflow. ```bash # 1. Subscribe the org to the extension (billing/enable gate). -limacharlie extension subscribe --name ext-cloud-inventory --oid $OID +limacharlie extension subscribe --name ext-cloud-security --oid $OID # 2. Connect a provider. cat > provider.json < Date: Sat, 11 Jul 2026 10:25:20 -0700 Subject: [PATCH 3/5] docs(cloud-security): missed extension wording Co-Authored-By: Claude Fable 5 Claude-Session: https://claude.ai/code/session_015kiVFM7wDDFeLHjbd477AW --- docs/8-reference/cloud-security-api-iac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/8-reference/cloud-security-api-iac.md b/docs/8-reference/cloud-security-api-iac.md index 245faa365..d69b75c5a 100644 --- a/docs/8-reference/cloud-security-api-iac.md +++ b/docs/8-reference/cloud-security-api-iac.md @@ -11,7 +11,7 @@ All Cloud Security routes live under `https://api.limacharlie.io/v1/cloudsec/{oi and appear in the public OpenAPI spec at [`/openapi`](https://api.limacharlie.io/openapi). Reads require the `cloudsec.get` permission, finding-triage writes require `cloudsec.set`, and every route requires -the organization to be subscribed to the cloud inventory extension (a `403` tells +the organization to be subscribed to the cloud security extension (a `403` tells you to subscribe). The read surface includes: `findings` (risk-ranked worklist with keyset pagination From 943e1abeb341f0f126bb04c455387429a2f6e376 Mon Sep 17 00:00:00 2001 From: Maxime Lamothe-Brassard Date: Sat, 11 Jul 2026 10:25:07 -0700 Subject: [PATCH 4/5] docs(cloud-security): extension renamed to ext-cloud-security Co-Authored-By: Claude Fable 5 Claude-Session: https://claude.ai/code/session_015kiVFM7wDDFeLHjbd477AW --- docs/cloud-security/api-reference.md | 2 +- docs/cloud-security/automation.md | 2 +- docs/cloud-security/getting-started.md | 4 ++-- docs/cloud-security/index.md | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/cloud-security/api-reference.md b/docs/cloud-security/api-reference.md index c3b9153dd..8bca31061 100644 --- a/docs/cloud-security/api-reference.md +++ b/docs/cloud-security/api-reference.md @@ -7,7 +7,7 @@ Authentication is the standard `Authorization: Bearer ` header. !!! info "Permissions & enable gate" Reads require `cloudsec.get`; writes require `cloudsec.set`. Every route - requires the organization to be subscribed to `ext-cloud-inventory` — a + requires the organization to be subscribed to `ext-cloud-security` — a `403` on any route means subscribe first. The `oid` is always taken from the authorized path. diff --git a/docs/cloud-security/automation.md b/docs/cloud-security/automation.md index da296afed..d2b1b3a08 100644 --- a/docs/cloud-security/automation.md +++ b/docs/cloud-security/automation.md @@ -9,7 +9,7 @@ page collects the operator recipes. ```bash # 1. Subscribe the org to the extension (billing/enable gate). -limacharlie extension subscribe --name ext-cloud-inventory --oid $OID +limacharlie extension subscribe --name ext-cloud-security --oid $OID # 2. Store the collector credential as a secret (hive set reads # record data from --input-file or piped stdin). diff --git a/docs/cloud-security/getting-started.md b/docs/cloud-security/getting-started.md index 30dc9dc32..d2a3bcaee 100644 --- a/docs/cloud-security/getting-started.md +++ b/docs/cloud-security/getting-started.md @@ -7,12 +7,12 @@ and run the first sweep. ## 1. Subscribe the extension Cloud Security is enabled per organization by subscribing to the -`ext-cloud-inventory` extension — the subscription is both the enable gate +`ext-cloud-security` extension — the subscription is both the enable gate and the billing hook. In the web console, open the extension from the Add-Ons marketplace and click **Subscribe**, or from the CLI: ```bash -limacharlie extension subscribe --name ext-cloud-inventory --oid $OID +limacharlie extension subscribe --name ext-cloud-security --oid $OID ``` Until the organization is subscribed, every Cloud Security API route and diff --git a/docs/cloud-security/index.md b/docs/cloud-security/index.md index b4052e66a..56d10297c 100644 --- a/docs/cloud-security/index.md +++ b/docs/cloud-security/index.md @@ -44,7 +44,7 @@ on a schedule, on demand, or continuously from a change feed. ## How it works -1. **Subscribe** the organization to the `ext-cloud-inventory` extension — +1. **Subscribe** the organization to the `ext-cloud-security` extension — this is the product's enable (and billing) gate. 2. **Connect providers**: one `cloudsec_provider` Hive record per cloud account / IdP tenant. A pre-save credential test probes every permission @@ -74,7 +74,7 @@ onboarded and governed as code. connection records in the Hive. Every route additionally requires the organization to be subscribed to - `ext-cloud-inventory`; unsubscribed organizations receive `403`. + `ext-cloud-security`; unsubscribed organizations receive `403`. ## Documentation From 454a5d1f9f58f08d437e90d94224a9c8b04ab986 Mon Sep 17 00:00:00 2001 From: Maxime Lamothe-Brassard Date: Sat, 11 Jul 2026 11:10:16 -0700 Subject: [PATCH 5/5] docs(cloud-security): Private Beta callout on every Cloud Security page Every page in the section (and the 8-reference API/IaC page, which lives outside it) now carries the same Private Beta admonition as the landing page, so deep links don't miss it. Co-Authored-By: Claude Fable 5 Claude-Session: https://claude.ai/code/session_015kiVFM7wDDFeLHjbd477AW --- docs/8-reference/cloud-security-api-iac.md | 5 +++++ docs/cloud-security/api-reference.md | 5 +++++ docs/cloud-security/automation.md | 5 +++++ docs/cloud-security/caasm.md | 5 +++++ docs/cloud-security/cli.md | 5 +++++ docs/cloud-security/compliance.md | 5 +++++ docs/cloud-security/configuration.md | 5 +++++ docs/cloud-security/findings.md | 5 +++++ docs/cloud-security/getting-started.md | 5 +++++ docs/cloud-security/graph.md | 5 +++++ 10 files changed, 50 insertions(+) diff --git a/docs/8-reference/cloud-security-api-iac.md b/docs/8-reference/cloud-security-api-iac.md index d69b75c5a..8af6a800d 100644 --- a/docs/8-reference/cloud-security-api-iac.md +++ b/docs/8-reference/cloud-security-api-iac.md @@ -1,5 +1,10 @@ # Cloud Security: API, Infrastructure-as-Code, and Case Automation +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + This page is the operator reference for automating LimaCharlie Cloud Security: the public REST API surface, the Hive records that ARE the Infrastructure-as-Code surface (providers, policies, saved queries), and the D&R recipes that close the diff --git a/docs/cloud-security/api-reference.md b/docs/cloud-security/api-reference.md index 8bca31061..4d0e99f54 100644 --- a/docs/cloud-security/api-reference.md +++ b/docs/cloud-security/api-reference.md @@ -1,5 +1,10 @@ # API Reference +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + All Cloud Security routes live under `https://api.limacharlie.io/v1/cloudsec/{oid}/…` and appear in the public OpenAPI spec at [`/openapi`](https://api.limacharlie.io/openapi). diff --git a/docs/cloud-security/automation.md b/docs/cloud-security/automation.md index d2b1b3a08..e7e8d1a78 100644 --- a/docs/cloud-security/automation.md +++ b/docs/cloud-security/automation.md @@ -1,5 +1,10 @@ # Automation & Infrastructure-as-Code +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + Everything Cloud Security does is scriptable: configuration is Hive records, the query/triage surface is the [REST API](api-reference.md) and [CLI](cli.md), and findings flow through the standard event pipeline. This diff --git a/docs/cloud-security/caasm.md b/docs/cloud-security/caasm.md index 6558b682a..55a4c69da 100644 --- a/docs/cloud-security/caasm.md +++ b/docs/cloud-security/caasm.md @@ -1,5 +1,10 @@ # CAASM — Cyber Asset Attack Surface Management +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + Your tools already know what you own: the EDR sees devices, the identity provider sees users and their devices, MDM and scanners see more. CAASM merges those third-party views into one entity-resolved asset inventory and diff --git a/docs/cloud-security/cli.md b/docs/cloud-security/cli.md index 24f76c672..91774a648 100644 --- a/docs/cloud-security/cli.md +++ b/docs/cloud-security/cli.md @@ -1,5 +1,10 @@ # Command Line Interface +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + The `limacharlie cloudsec` command group (Python SDK/CLI v2) covers the full Cloud Security API surface. Every command supports the global options (`--oid`, `--output json|yaml|csv|table`, `--filter `), and every diff --git a/docs/cloud-security/compliance.md b/docs/cloud-security/compliance.md index 401344f75..700b62ea9 100644 --- a/docs/cloud-security/compliance.md +++ b/docs/cloud-security/compliance.md @@ -1,5 +1,10 @@ # Compliance +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + Cloud Security evaluates compliance frameworks continuously against the live estate: each control maps to detection rules, and a control fails when open findings prove the violation — so the compliance report is always as fresh diff --git a/docs/cloud-security/configuration.md b/docs/cloud-security/configuration.md index a28d68301..259737771 100644 --- a/docs/cloud-security/configuration.md +++ b/docs/cloud-security/configuration.md @@ -1,5 +1,10 @@ # Configuration Reference +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + Cloud Security is configured entirely through three Hive types. Anything the console can configure, `limacharlie hive set` can configure — which makes tenant onboarding and fleet-wide policy a script, not a UI workflow (see diff --git a/docs/cloud-security/findings.md b/docs/cloud-security/findings.md index 4cbead928..314bb5cca 100644 --- a/docs/cloud-security/findings.md +++ b/docs/cloud-security/findings.md @@ -1,5 +1,10 @@ # Findings & Triage +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + Everything Cloud Security detects lands in one place: a merged, risk-ranked findings worklist. CSPM misconfigurations, graph-derived attack paths, and identity (CIEM) risks are all findings with the same shape, the same triage diff --git a/docs/cloud-security/getting-started.md b/docs/cloud-security/getting-started.md index d2a3bcaee..57af37520 100644 --- a/docs/cloud-security/getting-started.md +++ b/docs/cloud-security/getting-started.md @@ -1,5 +1,10 @@ # Getting Started with Cloud Security +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + This page takes an organization from zero to a populated Cloud Security dashboard: subscribe the extension, store a credential, connect a provider, and run the first sweep. diff --git a/docs/cloud-security/graph.md b/docs/cloud-security/graph.md index b22b92ffe..94831acce 100644 --- a/docs/cloud-security/graph.md +++ b/docs/cloud-security/graph.md @@ -1,5 +1,10 @@ # Security Graph & Queries +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + Every sweep builds a graph of the estate: resources, identities, and data stores as nodes; reachability, exposure, permissions, and vulnerability relationships as edges. The graph is what turns three individually-boring