6#if !defined(SIGNET_ENABLE_COMMERCIAL) || !SIGNET_ENABLE_COMMERCIAL
7#error "signet/ai/incident_response.hpp requires SIGNET_ENABLE_COMMERCIAL=ON (AGPL-3.0 commercial tier). See LICENSE_COMMERCIAL."
37#include <unordered_map>
116 std::vector<PlaybookStep> result;
117 for (
const auto& s :
steps) {
118 if (s.phase == phase) result.push_back(s);
132 auto gate = commercial::require_feature(
"PlaybookRegistry");
133 if (!gate)
throw std::runtime_error(gate.error().message);
143 auto it = playbooks_.find(incident_type);
144 if (it == playbooks_.end()) {
146 "No playbook registered for incident type: " + incident_type};
153 std::vector<std::string> types;
154 types.reserve(playbooks_.size());
155 for (
const auto& [k, _] : playbooks_) types.push_back(k);
/// Number of playbooks currently held by the registry (one entry per
/// registered incident type, since playbooks_ is keyed by incident type).
[[nodiscard]] size_t size() const {
    const size_t registered = playbooks_.size();
    return registered;
}
181 "NIST SP 800-57 Part 2 Rev. 1 §6.1",
182 "DORA Art.10(1)",
"PCI-DSS Req. 3.6.8"
187 "Detect key compromise via anomaly detection or external report",
190 {
"Verify alert authenticity",
"Identify affected key IDs"},
false},
193 "Revoke compromised keys in KMS and block further use",
196 {
"Revoke KEK in KMS",
"Invalidate cached DEKs",
197 "Enable emergency key rotation"},
true},
200 "Notify CISO and legal team; assess regulatory notification obligation",
203 {
"Assess GDPR Art.33 72h window",
"Assess DORA Art.19(1) notification"},
true},
206 "Rotate all affected DEKs and re-encrypt impacted data",
209 {
"Generate new DEKs via KMS",
"Re-encrypt affected Parquet files",
210 "Verify re-encryption with test reads"},
true},
213 "Verify data integrity and restore normal key rotation schedule",
216 {
"Verify hash chain integrity",
"Resume automated key rotation",
217 "Update key inventory"},
false},
220 "Conduct post-incident review and update threat model (DORA Art.13)",
223 {
"Root cause analysis",
"Update threat model D-12",
224 "Document timeline for regulatory record"},
true},
229 static IncidentPlaybook data_breach_playbook() {
232 pb.incident_type =
"data_breach";
233 pb.version =
"1.0.0";
235 pb.regulatory_references = {
236 "GDPR Art.33/34",
"DORA Art.19",
"EU AI Act Art.62"
241 "Identify scope of data breach — affected records, data types, time window",
244 {
"Identify affected data classification levels (G-9)",
245 "Count affected data subjects",
"Determine attack vector"},
false},
248 "Isolate affected systems and preserve forensic evidence",
251 {
"Block attacker access",
"Snapshot affected systems",
252 "Preserve audit chain logs"},
true},
255 "Notify DPO within 24h; prepare GDPR Art.33 notification (72h deadline)",
258 {
"Draft supervisory authority notification",
259 "Assess need for Art.34 data subject notification"},
true},
262 "Patch vulnerability, invoke crypto-shredding (G-1) if applicable",
265 {
"Apply security patch",
"Crypto-shred affected key material",
266 "Reset affected credentials"},
true},
269 "Verify remediation, restore services, monitor for reoccurrence",
272 {
"Verify breach vector is closed",
"Resume normal monitoring",
273 "Update anomaly detection rules"},
false},
276 "Post-incident review, update ROPA (G-3), notify regulator of completion",
279 {
"Root cause analysis",
"Update ROPA records",
280 "File final regulatory report"},
true},
285 static IncidentPlaybook service_outage_playbook() {
287 pb.playbook_id =
"PB-SVC-001";
288 pb.incident_type =
"service_outage";
289 pb.version =
"1.0.0";
291 pb.regulatory_references = {
"DORA Art.11",
"DORA Art.10(1)"};
295 "Detect service degradation via monitoring and alerting",
298 {
"Verify monitoring alerts",
"Check WAL ingestion pipeline"},
false},
301 "Activate recovery procedures (DORA Art.11)",
304 {
"Failover to backup systems",
"Enable WAL recovery mode"},
false},
307 "Restore service and verify data integrity",
310 {
"Verify hash chain integrity",
"Confirm no data loss",
311 "Resume normal operations"},
true},
314 "Update resilience testing scenarios (D-2)",
317 {
"Document root cause",
"Update resilience test cases"},
false},
322 std::unordered_map<std::string, IncidentPlaybook> playbooks_;
349 auto gate = commercial::require_feature(
"IncidentResponseTracker");
350 if (!gate)
throw std::runtime_error(gate.error().message);
355 const std::string& step_id,
356 const std::string& completed_by,
357 int64_t started_at_ns,
358 int64_t completed_at_ns,
359 const std::string& notes =
"")
364 for (
const auto& s : playbook_.
steps) {
365 if (s.step_id == step_id) {
367 sla_ns = s.sla_seconds * INT64_C(1000000000);
373 "Step '" + step_id +
"' not found in playbook " +
377 if (completed_at_ns < started_at_ns) {
379 "completed_at must be >= started_at"};
388 ((completed_at_ns - started_at_ns) <= sla_ns);
390 completed_.push_back(std::move(rec));
401 return completed_.size() == playbook_.
steps.size();
406 std::vector<std::string> remaining;
407 for (
const auto& s : playbook_.
steps) {
409 for (
const auto& c : completed_) {
410 if (c.step_id == s.step_id) { done =
true;
break; }
412 if (!done) remaining.push_back(s.step_id);
420 for (
const auto& c : completed_) {
421 if (!c.sla_met) ++count;
/// Identifier of the incident this tracker was created for.
/// Returns a reference to the member, so it stays valid only for the
/// lifetime of the tracker object.
[[nodiscard]] const std::string& incident_id() const {
    return this->incident_id_;
}
433 std::string incident_id_;
435 std::vector<StepRecord> completed_;
Tracks execution progress of a playbook during an active incident.
IncidentResponseTracker(const std::string &incident_id, const IncidentPlaybook &playbook)
Initialize tracker for a specific incident and playbook.
expected< void > complete_step(const std::string &step_id, const std::string &completed_by, int64_t started_at_ns, int64_t completed_at_ns, const std::string &notes="")
Record completion of a playbook step.
bool all_steps_complete() const
Check whether all playbook steps have been completed. Implemented as a count comparison (number of recorded completions equals the playbook's step count); if complete_step() does not reject a step_id that was already recorded, a step completed twice would satisfy this check while remaining_steps() is still non-empty — use remaining_steps().empty() where an exact per-step answer matters.
std::vector< std::string > remaining_steps() const
Get remaining (uncompleted) step IDs.
const IncidentPlaybook & playbook() const
Associated playbook.
int32_t sla_breach_count() const
Count of SLA breaches across completed steps.
const std::string & incident_id() const
Incident identifier.
const std::vector< StepRecord > & completed_steps() const
Get all completed step records.
Registry of incident response playbooks indexed by incident type.
size_t size() const
Number of registered playbooks.
static PlaybookRegistry financial_defaults()
Build a registry with default playbooks for financial/compliance scenarios.
std::vector< std::string > incident_types() const
Get all registered incident types.
expected< IncidentPlaybook > lookup(const std::string &incident_type) const
Look up a playbook by incident type.
void register_playbook(const IncidentPlaybook &pb)
Register a playbook for a specific incident type.
A lightweight result type that holds either a success value of type T or an Error.
@ REGULATORY
Regulatory or compliance-driven halt.
EscalationLevel
Escalation hierarchy for incident routing.
@ L1_OPERATIONS
First-line operations team.
@ L2_ENGINEERING
Engineering / DevOps on-call.
@ L4_REGULATORY
Regulatory authority notification (DORA Art.19)
@ L3_MANAGEMENT
Management / CISO notification.
@ INVALID_ARGUMENT
A caller-supplied argument is outside the valid range or violates a precondition.
IncidentPhase
NIST SP 800-61 incident response lifecycle phases.
@ ERADICATION
Remove root cause.
@ LESSONS_LEARNED
Post-incident review (DORA Art.13)
@ RECOVERY
Restore normal operations.
@ DETECTION
Anomaly detection / alert triage.
@ PREPARATION
Pre-incident readiness.
@ CONTAINMENT
Limit blast radius.
NotificationChannel
Notification channel for incident communications.
@ EMAIL
Email to responsible parties.
@ REGULATORY
Formal regulatory notification (DORA Art.19(1))
@ INTERNAL_LOG
System log only.
@ PAGER
PagerDuty / on-call alert.
IncidentSeverity
Incident severity per DORA Art.10(1) classification.
@ P4_LOW
Minor, no customer impact.
@ P1_CRITICAL
Major outage, data loss, regulatory notification required.
@ P2_HIGH
Significant impact, SLA breach risk.
@ P3_MEDIUM
Limited impact, workaround available.
Lightweight error value carrying an ErrorCode and a human-readable message.
An ordered sequence of response steps for a specific incident type.
std::vector< std::string > regulatory_references
IncidentSeverity min_severity
std::vector< PlaybookStep > steps_for_phase(IncidentPhase phase) const
Get all steps for a specific phase.
std::string version
Playbook version.
std::string incident_type
Category (e.g., "data_breach", "key_compromise")
std::vector< PlaybookStep > steps
std::string playbook_id
Unique playbook identifier.
size_t step_count() const
Total number of steps in this playbook.
Step completion record for audit trail.
A single step in an incident response playbook.
std::vector< std::string > checklist
Sub-items to verify.
int64_t sla_seconds
Maximum time to complete, in seconds (0 = no SLA); compared against the started_at_ns/completed_at_ns interval after conversion to nanoseconds.
EscalationLevel escalation
std::string responsible_role
Who performs this step.
std::string step_id
Unique step identifier.
bool requires_sign_off
Needs explicit sign-off before proceeding.
std::string action
What to do.
NotificationChannel notify