Skip to content

Compliance control-ID mapping, cloudwright plan, GCP/Azure live import (v1.5.0)#65

Merged
xmpuspus merged 2 commits into
mainfrom
feat/compliance-plan-multicloud-import
May 19, 2026
Merged

Compliance control-ID mapping, cloudwright plan, GCP/Azure live import (v1.5.0)#65
xmpuspus merged 2 commits into
mainfrom
feat/compliance-plan-multicloud-import

Conversation

@xmpuspus
Copy link
Copy Markdown
Owner

@xmpuspus xmpuspus commented May 19, 2026

Closes three competitive-gap features from the May 2026 analysis.

1. Compliance scanner with framework control-ID mapping

cloudwright compliance spec.yaml --frameworks hipaa,soc2,fedramp maps every design-stage finding to the exact control it violates (HIPAA 164.312(a)(2)(iv), SOC 2 CC6.1, FedRAMP SC-28, PCI-DSS, GDPR, ISO 27001, NIST 800-53) before any infrastructure exists. Runs on the built-in scanner with zero tooling; folds in a Checkov deep scan when the binary is present (explicit CKV map + keyword fallback). POST /api/compliance + Compliance tab. New compliance extra.

2. cloudwright plan — prove it deploys

cloudwright plan spec.yaml --target terraform|pulumi-python|pulumi-ts runs terraform validate/plan or pulumi preview against the exported artifact, read-only. validate is the no-credential offline proof; plan adds a real resource diff with creds. Honest skip-reason classification. POST /api/plan + Plan tab with DEPLOYABLE verdict.

3. Live GCP + Azure import

import-live --provider gcp --project P (Compute Engine, Cloud Storage, Cloud SQL) and --provider azure --subscription S (VMs, Storage, SQL, AKS), mirroring the AWS importer. CLI routes gcp/azure instead of 'not yet implemented'.

Verification

  • 39 new tests; per-package suites green (CLI 99/0, core 1291, web 114). Remaining failures are pre-existing live-LLM/macOS-SSL e2e, unrelated.
  • e2e: real Checkov (27 control-mapped findings), real terraform (DEPLOYABLE), real GCP API calls.
  • agent-browser confirmed both new canvas tabs; backend curl confirmed both endpoints.
  • ruff check + format clean. Terminal + web demo GIFs (reproducible scripts included).

Version bumped 1.4.0 -> 1.5.0 across all 4 packages + extras pins.

Reviewed by Xavier Puspus

xmpuspus added 2 commits May 19, 2026 14:03
@xmpuspus
Add compliance control-ID mapping, cloudwright plan, and GCP/Azure li…
5b880f7 
…ve import

cloudwright compliance maps every design-stage finding to the specific
framework control it violates (HIPAA/SOC2/PCI-DSS/FedRAMP/GDPR/ISO27001/
NIST), folding in a Checkov deep scan when available and degrading
gracefully without it. cloudwright plan runs terraform validate/plan or
pulumi preview against the exported artifact to prove it deploys.
import-live now supports gcp and azure alongside aws. CLI, web API,
and canvas panels for all three; version 1.5.0.

Co-Authored-By: Xavier Puspus
@xmpuspus
Bump server.json to 1.5.0 for MCP registry publish
33b0b94 
Co-Authored-By: Xavier Puspus
@xmpuspus xmpuspus merged commit dabb9f4 into main May 19, 2026
5 checks passed
@xmpuspus xmpuspus deleted the feat/compliance-plan-multicloud-import branch May 19, 2026 06:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@xmpuspus