Skip to content

j-arndt/fedcloud

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

15 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

FedCloud β€” Formal Verification Gateway for Federal Cloud Authorizations

CI Pages Lean 4 OSCAL Python Tests

Replace compliance narratives with mathematical proofs.

Read the full documentation β†’

FedCloud automates continuous compliance verification using a hybrid dual-engine architecture: a Lean 4 kernel for deterministic mathematical proofs on structural controls, and Amazon Bedrock agents for qualitative semantic analysis on policy-heavy controls. Both engines produce outputs that are assembled into OSCAL artifacts for continuous authorization.


Architecture

flowchart TB
    subgraph INGEST["β‘  Telemetry Ingestion"]
        CT["AWS CloudTrail"]
        CFG["AWS Config"]
        EB["EventBridge"]
        S3["S3 Uploads<br/><small>PDFs Β· SBOMs Β· Certs</small>"]
        APP["App Metadata<br/><small>Tyler Β· LMS Β· HR</small>"]
    end

    ROUTER{"β‘‘ Lambda Router<br/><code>agents/router.py</code>"}

    CT & CFG & EB --> ROUTER
    S3 & APP --> ROUTER

    subgraph LEAN["β‘’ Lean 4 Kernel β€” Deterministic Proofs"]
        direction LR
        L1["πŸ” Identity &amp; Access<br/><small>AC Β· IA controls</small>"]
        L2["πŸ”‘ Cryptographic<br/><small>SC controls</small>"]
        L3["πŸ—οΈ Architecture<br/><small>CM Β· SC Β· SI controls</small>"]
        L4["πŸ“Š Monitoring<br/><small>AU Β· SI controls</small>"]
    end

    subgraph BEDROCK["β‘£ Amazon Bedrock Agents β€” Qualitative Analysis"]
        direction LR
        B1["πŸ‘€ Personnel<br/><small>PS controls</small>"]
        B2["πŸŽ“ Training<br/><small>AT controls</small>"]
        B3["🚨 Incident Response<br/><small>IR controls</small>"]
        B4["πŸ”„ Recovery<br/><small>CP controls</small>"]
        B5["πŸ“¦ Supply Chain<br/><small>SA Β· SR controls</small>"]
    end

    subgraph GUARD["β‘€ Guardrails"]
        direction LR
        RAG["RAG Grounding"]
        JSON["JSON Schema"]
        CITE["Citation Check"]
        HALL["Hallucination Detection"]
    end

    ROUTER -- "State JSON<br/><small>deterministic</small>" --> LEAN
    ROUTER -- "Documents &amp; Logs<br/><small>qualitative</small>" --> BEDROCK
    BEDROCK --> GUARD

    subgraph OSCAL["β‘₯ OSCAL Assembler"]
        RECEIPT["Signed Receipt<br/><small>HMAC-SHA256</small>"]
        SSP["System Security Plan<br/><small>FedRAMP Moderate</small>"]
        AR["Assessment Results<br/><small>OSCAL 1.1.2</small>"]
        NAR["Audit Narratives<br/><small>Markdown + Citations</small>"]
    end

    LEAN --> RECEIPT
    GUARD --> RECEIPT
    RECEIPT --> SSP
    RECEIPT --> AR
    RECEIPT --> NAR

    CONMON["⑦ Continuous Authorization<br/>Federal Gateway"]
    SSP & AR & NAR --> CONMON

    style INGEST fill:#1e293b,stroke:#334155,color:#e2e8f0
    style LEAN fill:#1e3a5f,stroke:#3b82f6,color:#e2e8f0
    style BEDROCK fill:#3b1f4a,stroke:#a855f7,color:#e2e8f0
    style GUARD fill:#1a2e1a,stroke:#22c55e,color:#e2e8f0
    style OSCAL fill:#2d1f0e,stroke:#f59e0b,color:#e2e8f0
    style ROUTER fill:#0f172a,stroke:#60a5fa,color:#e2e8f0
    style CONMON fill:#0f172a,stroke:#10b981,color:#e2e8f0
Loading

Hybrid Architecture

The system routes each control cluster to the appropriate verification engine based on control type:

  • Deterministic controls (structural, binary-verifiable) go to the Lean 4 Kernel, which produces mathematical proofs. Same input always yields the same result, and every proof is independently checkable.
  • Qualitative controls (policy-heavy, context-dependent) go to Amazon Bedrock Agents, which perform semantic analysis grounded via RAG retrieval against policy document knowledge bases. Guardrails validate outputs and suppress hallucinations before results are accepted.

A router (agents/router.py) classifies incoming telemetry and dispatches each cluster to the correct engine. Both engines emit structured findings that the OSCAL Assembler merges into a unified SSP and Assessment Results document.

Security Clusters

The gateway covers nine security clusters across two engines.

Deterministic Clusters (Lean 4 Kernel)

Cluster Invariant Controls
Identity & Access Privileged sessions require phishing-resistant MFA; tokens ≀ 60 min AC-2, AC-3, AC-6, IA-2, IA-5
Cryptographic Protection Federal data encrypted at rest with FIPS-140-3 modules SC-8, SC-12, SC-13, SC-28
Architecture Immutability Signed images only; no shell access; no open ingress CM-2, CM-6, CM-7, SC-7, SI-7
Continuous Monitoring Active logging to tamper-evident targets; β‰₯ 365-day retention AU-2, AU-6, AU-9, AU-11, SI-4

Each invariant is expressed as a formal Lean 4 theorem with a corresponding decision procedure that produces concrete verification results.

Qualitative Clusters (Amazon Bedrock Agents)

Cluster Analysis Scope Controls
Personnel Security Background checks, NDA verification, IAM provisioning timing PS-1 through PS-8
Cybersecurity Education Training completion, recertification windows AT-1 through AT-4
Incident Response Timeline reconstruction, triage metrics, federal reporting IR-1 through IR-8
Recovery Planning DR drill validation, RTO/RPO verification CP-1, CP-2, CP-4, CP-6, CP-7, CP-9, CP-10
Supply Chain SBOM analysis, CVE contextualization, risk narratives SA-4, SA-5, SA-9, SA-11, SR-1, SR-2, SR-3

Each Bedrock agent retrieves relevant policy documents from the knowledge base, applies semantic reasoning, and returns structured findings with citations.

Quick Start

Prerequisites

  • Python 3.9+
  • Lean 4 (for proof compilation)
  • AWS credentials with Bedrock access (for qualitative agent clusters)

Run the Pipeline (Mock Mode)

# Clone the repository
git clone https://github.com/j-arndt/fedcloud.git
cd fedcloud

# Run all tests (64 total across Lean 4 and Bedrock agent suites)
python -m pytest translator/tests/ oscal/tests/ agents/tests/ -v

# Execute the full pipeline against mock fixtures
python -m scripts.run_pipeline --mode mock --state fixtures/mock_aws_topology.json

# View output artifacts
ls output/
# β†’ SystemState.lean  verification_receipt.json  fedcloud_ssp.json  assessment_results.json

Build the Lean 4 Verification Engine

cd lean

# Install Lean via elan
curl https://elan.lean-lang.org/install/linux -sSf | sh

# Build the verification library
lake build

# Run proof checker against sample states
lean FedCloud/Verify.lean

Docker

docker build -t fedcloud-gateway .
docker run -v $(pwd)/fixtures:/data fedcloud-gateway /data/mock_aws_topology.json

Project Structure

fedcloud/
β”œβ”€β”€ lean/                          # Lean 4 formal verification engine
β”‚   β”œβ”€β”€ lakefile.lean              # Lake build configuration
β”‚   β”œβ”€β”€ lean-toolchain             # Lean version pin (v4.28.0)
β”‚   └── FedCloud/
β”‚       β”œβ”€β”€ BaseModel.lean         # Core type definitions
β”‚       β”œβ”€β”€ Verify.lean            # Orchestrator + sample states
β”‚       └── Invariants/
β”‚           β”œβ”€β”€ Identity.lean      # IAM cluster invariant
β”‚           β”œβ”€β”€ Crypto.lean        # Cryptographic protection invariant
β”‚           β”œβ”€β”€ Architecture.lean  # Immutability invariant
β”‚           └── Monitoring.lean    # Continuous monitoring invariant
β”œβ”€β”€ agents/                        # Bedrock qualitative verification engine
β”‚   β”œβ”€β”€ base_agent.py              # Shared agent with RAG + citations
β”‚   β”œβ”€β”€ config.py                  # Bedrock model and routing config
β”‚   β”œβ”€β”€ router.py                  # Deterministic vs qualitative router
β”‚   β”œβ”€β”€ lambda_handler.py          # AWS Lambda entry point
β”‚   β”œβ”€β”€ guardrails.py              # Output validation and hallucination checks
β”‚   β”œβ”€β”€ knowledge_base.py          # RAG policy document retrieval
β”‚   β”œβ”€β”€ clusters/
β”‚   β”‚   β”œβ”€β”€ personnel.py           # KSI-PS agent
β”‚   β”‚   β”œβ”€β”€ training.py            # KSI-CED agent
β”‚   β”‚   β”œβ”€β”€ incident_response.py   # KSI-INR agent
β”‚   β”‚   β”œβ”€β”€ recovery.py            # KSI-RPL agent
β”‚   β”‚   └── supply_chain.py        # KSI-TPR agent
β”‚   └── tests/
β”‚       └── test_agents.py         # Agent unit tests
β”œβ”€β”€ translator/                    # JSON β†’ Lean translation layer
β”‚   β”œβ”€β”€ json_to_lean.py            # Multi-format state translator
β”‚   β”œβ”€β”€ state_ingestion.py         # State collection service
β”‚   └── tests/
β”‚       └── test_translator.py     # Translator unit tests
β”œβ”€β”€ oscal/                         # OSCAL synthesis pipeline
β”‚   β”œβ”€β”€ receipt_generator.py       # Signed verification receipts
β”‚   β”œβ”€β”€ ssp_updater.py             # SSP component injection
β”‚   β”œβ”€β”€ assessment_results.py      # OSCAL Assessment Results
β”‚   β”œβ”€β”€ templates/
β”‚   β”‚   └── fedramp_moderate_ssp.json  # Baseline SSP template
β”‚   └── tests/
β”‚       └── test_pipeline.py       # Pipeline integration tests
β”œβ”€β”€ fixtures/                      # Mock telemetry data
β”‚   β”œβ”€β”€ mock_aws_topology.json     # Sample AWS infrastructure state
β”‚   β”œβ”€β”€ mock_terraform_plan.json   # Sample Terraform plan
β”‚   └── mock_tyler_app_schema.json # Sample application metadata
β”œβ”€β”€ scripts/
β”‚   └── run_pipeline.py            # Pipeline orchestrator
β”œβ”€β”€ docs/                          # HTML documentation
β”œβ”€β”€ .github/workflows/ci.yml       # GitHub Actions CI
β”œβ”€β”€ Dockerfile                     # Container build
└── README.md

How It Works

1. State Ingestion

Infrastructure state is collected from AWS Config, CloudTrail, EventBridge, and application APIs. In PoC mode, mock fixtures simulate these sources.

2. Translation

The json_to_lean.py translator converts JSON payloads into typed Lean 4 definitions. It handles multiple input formats (raw state, Terraform plans, application schemas) and normalizes them into the SystemState structure.

3. Formal Verification

The Lean 4 kernel compiles the translated state alongside the invariant theorem library. If all proofs hold, the system is mathematically verified. If any invariant fails, the specific violation is identified.

4. Receipt Generation

A cryptographically signed (HMAC-SHA256) JSON receipt captures the verification result, input state hash, timestamp, and per-cluster status.

5. OSCAL Synthesis

The receipt is injected into an OSCAL SSP, updating component definitions with verification metadata. A separate OSCAL Assessment Results document is generated with findings mapped to control families.

Verification Guarantees

Unlike scan-based compliance tools, this system provides:

  • Determinism: Same input always produces same verification result
  • Completeness: Every in-scope resource is checked against every applicable invariant
  • Tamper Evidence: Receipts are cryptographically signed with input state hashes
  • Auditability: The Lean 4 proof logic is inspectable and verifiable by third parties

License

MIT

About

Formal verification gateway that converts cloud infrastructure state into Lean 4 proofs and OSCAL compliance artifacts for continuous federal authorization (FedRamp 20x)

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors