6#if !defined(SIGNET_ENABLE_COMMERCIAL) || !SIGNET_ENABLE_COMMERCIAL
7#error "signet/ai/incident_response.hpp requires SIGNET_ENABLE_COMMERCIAL=ON (AGPL-3.0 commercial tier). See LICENSE_COMMERCIAL."
36#include <unordered_map>
115 std::vector<PlaybookStep> result;
116 for (
const auto& s :
steps) {
117 if (s.phase == phase) result.push_back(s);
131 (void)commercial::require_feature(
"PlaybookRegistry");
141 auto it = playbooks_.find(incident_type);
142 if (it == playbooks_.end()) {
144 "No playbook registered for incident type: " + incident_type};
151 std::vector<std::string> types;
152 types.reserve(playbooks_.size());
153 for (
const auto& [k, _] : playbooks_) types.push_back(k);
/// @brief Number of registered playbooks.
/// @return Count of entries currently held in playbooks_.
[[nodiscard]] size_t size() const {
    const auto registered = playbooks_.size();
    return registered;
}
179 "NIST SP 800-57 Part 2 Rev. 1 §6.1",
180 "DORA Art.10(1)",
"PCI-DSS Req. 3.6.8"
185 "Detect key compromise via anomaly detection or external report",
188 {
"Verify alert authenticity",
"Identify affected key IDs"},
false},
191 "Revoke compromised keys in KMS and block further use",
194 {
"Revoke KEK in KMS",
"Invalidate cached DEKs",
195 "Enable emergency key rotation"},
true},
198 "Notify CISO and legal team; assess regulatory notification obligation",
201 {
"Assess GDPR Art.33 72h window",
"Assess DORA Art.19(1) notification"},
true},
204 "Rotate all affected DEKs and re-encrypt impacted data",
207 {
"Generate new DEKs via KMS",
"Re-encrypt affected Parquet files",
208 "Verify re-encryption with test reads"},
true},
211 "Verify data integrity and restore normal key rotation schedule",
214 {
"Verify hash chain integrity",
"Resume automated key rotation",
215 "Update key inventory"},
false},
218 "Conduct post-incident review and update threat model (DORA Art.13)",
221 {
"Root cause analysis",
"Update threat model D-12",
222 "Document timeline for regulatory record"},
true},
227 static IncidentPlaybook data_breach_playbook() {
230 pb.incident_type =
"data_breach";
231 pb.version =
"1.0.0";
233 pb.regulatory_references = {
234 "GDPR Art.33/34",
"DORA Art.19",
"EU AI Act Art.62"
239 "Identify scope of data breach — affected records, data types, time window",
242 {
"Identify affected data classification levels (G-9)",
243 "Count affected data subjects",
"Determine attack vector"},
false},
246 "Isolate affected systems and preserve forensic evidence",
249 {
"Block attacker access",
"Snapshot affected systems",
250 "Preserve audit chain logs"},
true},
253 "Notify DPO within 24h; prepare GDPR Art.33 notification (72h deadline)",
256 {
"Draft supervisory authority notification",
257 "Assess need for Art.34 data subject notification"},
true},
260 "Patch vulnerability, invoke crypto-shredding (G-1) if applicable",
263 {
"Apply security patch",
"Crypto-shred affected key material",
264 "Reset affected credentials"},
true},
267 "Verify remediation, restore services, monitor for reoccurrence",
270 {
"Verify breach vector is closed",
"Resume normal monitoring",
271 "Update anomaly detection rules"},
false},
274 "Post-incident review, update ROPA (G-3), notify regulator of completion",
277 {
"Root cause analysis",
"Update ROPA records",
278 "File final regulatory report"},
true},
283 static IncidentPlaybook service_outage_playbook() {
285 pb.playbook_id =
"PB-SVC-001";
286 pb.incident_type =
"service_outage";
287 pb.version =
"1.0.0";
289 pb.regulatory_references = {
"DORA Art.11",
"DORA Art.10(1)"};
293 "Detect service degradation via monitoring and alerting",
296 {
"Verify monitoring alerts",
"Check WAL ingestion pipeline"},
false},
299 "Activate recovery procedures (DORA Art.11)",
302 {
"Failover to backup systems",
"Enable WAL recovery mode"},
false},
305 "Restore service and verify data integrity",
308 {
"Verify hash chain integrity",
"Confirm no data loss",
309 "Resume normal operations"},
true},
312 "Update resilience testing scenarios (D-2)",
315 {
"Document root cause",
"Update resilience test cases"},
false},
320 std::unordered_map<std::string, IncidentPlaybook> playbooks_;
347 (void)commercial::require_feature(
"IncidentResponseTracker");
352 const std::string& step_id,
353 const std::string& completed_by,
354 int64_t started_at_ns,
355 int64_t completed_at_ns,
356 const std::string& notes =
"")
361 for (
const auto& s : playbook_.
steps) {
362 if (s.step_id == step_id) {
364 sla_ns = s.sla_seconds * INT64_C(1000000000);
370 "Step '" + step_id +
"' not found in playbook " +
374 if (completed_at_ns < started_at_ns) {
376 "completed_at must be >= started_at"};
385 ((completed_at_ns - started_at_ns) <= sla_ns);
387 completed_.push_back(std::move(rec));
398 return completed_.size() == playbook_.
steps.size();
403 std::vector<std::string> remaining;
404 for (
const auto& s : playbook_.
steps) {
406 for (
const auto& c : completed_) {
407 if (c.step_id == s.step_id) { done =
true;
break; }
409 if (!done) remaining.push_back(s.step_id);
417 for (
const auto& c : completed_) {
418 if (!c.sla_met) ++count;
/// @brief Identifier of the incident this tracker was created for.
/// @return Reference to the stored incident id; valid for the tracker's lifetime.
[[nodiscard]] const std::string& incident_id() const {
    const std::string& id = incident_id_;
    return id;
}
430 std::string incident_id_;
432 std::vector<StepRecord> completed_;
Tracks execution progress of a playbook during an active incident.
IncidentResponseTracker(const std::string &incident_id, const IncidentPlaybook &playbook)
Initialize tracker for a specific incident and playbook.
expected< void > complete_step(const std::string &step_id, const std::string &completed_by, int64_t started_at_ns, int64_t completed_at_ns, const std::string &notes="")
Record completion of a playbook step.
bool all_steps_complete() const
Check if all playbook steps have been completed.
std::vector< std::string > remaining_steps() const
Get remaining (uncompleted) step IDs.
const IncidentPlaybook & playbook() const
Associated playbook.
int32_t sla_breach_count() const
Count of SLA breaches across completed steps.
const std::string & incident_id() const
Incident identifier.
const std::vector< StepRecord > & completed_steps() const
Get all completed step records.
Registry of incident response playbooks indexed by incident type.
size_t size() const
Number of registered playbooks.
static PlaybookRegistry financial_defaults()
Build a registry with default playbooks for financial/compliance scenarios.
std::vector< std::string > incident_types() const
Get all registered incident types.
expected< IncidentPlaybook > lookup(const std::string &incident_type) const
Look up a playbook by incident type.
void register_playbook(const IncidentPlaybook &pb)
Register a playbook for a specific incident type.
A lightweight result type that holds either a success value of type T or an Error.
@ REGULATORY
Regulatory or compliance-driven halt.
EscalationLevel
Escalation hierarchy for incident routing.
@ L1_OPERATIONS
First-line operations team.
@ L2_ENGINEERING
Engineering / DevOps on-call.
@ L4_REGULATORY
Regulatory authority notification (DORA Art.19).
@ L3_MANAGEMENT
Management / CISO notification.
@ INVALID_ARGUMENT
A caller-supplied argument is outside the valid range or violates a precondition.
IncidentPhase
NIST SP 800-61 incident response lifecycle phases.
@ ERADICATION
Remove root cause.
@ LESSONS_LEARNED
Post-incident review (DORA Art.13).
@ RECOVERY
Restore normal operations.
@ DETECTION
Anomaly detection / alert triage.
@ PREPARATION
Pre-incident readiness.
@ CONTAINMENT
Limit blast radius.
NotificationChannel
Notification channel for incident communications.
@ EMAIL
Email to responsible parties.
@ REGULATORY
Formal regulatory notification (DORA Art.19(1)).
@ INTERNAL_LOG
System log only.
@ PAGER
PagerDuty / on-call alert.
IncidentSeverity
Incident severity per DORA Art.10(1) classification.
@ P4_LOW
Minor, no customer impact.
@ P1_CRITICAL
Major outage, data loss, regulatory notification required.
@ P2_HIGH
Significant impact, SLA breach risk.
@ P3_MEDIUM
Limited impact, workaround available.
Lightweight error value carrying an ErrorCode and a human-readable message.
An ordered sequence of response steps for a specific incident type.
std::vector< std::string > regulatory_references
IncidentSeverity min_severity
std::vector< PlaybookStep > steps_for_phase(IncidentPhase phase) const
Get all steps for a specific phase.
std::string version
Playbook version.
std::string incident_type
Category (e.g., "data_breach", "key_compromise").
std::vector< PlaybookStep > steps
std::string playbook_id
Unique playbook identifier.
size_t step_count() const
Total number of steps in this playbook.
Step completion record for audit trail.
A single step in an incident response playbook.
std::vector< std::string > checklist
Sub-items to verify.
int64_t sla_seconds
Maximum time to complete, in seconds (0 = no SLA).
EscalationLevel escalation
std::string responsible_role
Who performs this step.
std::string step_id
Unique step identifier.
bool requires_sign_off
Needs explicit sign-off before proceeding.
std::string action
What to do.
NotificationChannel notify