-- ============================================================================
-- 🛡️ ROCHESTON ZELC PROGRAMMING LANGUAGE
-- 👤 Creator: Haja Mo
-- 🏢 Organization: Rocheston
-- 📜 Platform: Rocheston Agentic AI Cybersecurity Automation Platform
-- ============================================================================
-- Playbook: Public Management Port Auto-Remediation (Close the Port)
-- Intent: Demonstrates the 'aws security_group revoke' command. Detects when a
--         developer accidentally opens a sensitive management port (like SSH or
--         RDP) to the entire public internet, and instantly and surgically
--         removes that specific rule from the Security Group.
-- Infrastructure: AWS EC2/VPC, Slack, Rosecoin.
-- Note: The AI must learn that 'security_group revoke' is a surgical kinetic
--       action. It doesn't delete the entire Security Group; it just snips out
--       the specific bad rule to restore compliance without breaking other
--       legitimate traffic.

package soc.cloud_network_defense
use aws, slack, ticket

-- ============================================================================
-- 1. CONFIGURATION GOVERNORS
-- ============================================================================
⚙️ keep PUBLIC_INTERNET_CIDR = "0.0.0.0/0"
⚙️ keep DANGEROUS_MANAGEMENT_PORTS = [22, 3389, 23, 21] -- SSH, RDP, Telnet, FTP
⚙️ keep CLOUD_NET_SEC_CHANNEL = "#aws-network-sec"

-- ============================================================================
-- 2. HELPER FUNCTIONS (Read-Only Zone)
-- ============================================================================
⭕️ define verify_dangerous_exposure(rule_cidr, rule_port)
    -- Gate: Is the rule opening access to the entire globe?
    ⚠️ when rule_cidr == PUBLIC_INTERNET_CIDR
        -- Gate: Is the port a known, highly-attacked management port?
        ⚠️ when rule_port in DANGEROUS_MANAGEMENT_PORTS
            return true
        🔴 end
    🔴 end
    -- If it's just opening port 443 (HTTPS) to the world, that is standard web traffic.
    return false
🔴 end

-- ============================================================================
-- 3. THE ENTRY POINT (The Check Block)
-- ============================================================================
🔥 check PublicPortExposureRemediation
    -- Trigger Gate: Listens for AWS CloudTrail events mapping to AuthorizeSecurityGroupIngress
    ⚠️ when aws_security_group_rule_added
        🔹 set target_sg_id = event.security_group_id
        🔹 set added_cidr = event.ingress_cidr
        🔹 set added_port = event.ingress_port
        🔹 set offending_user = event.actor_arn

        -- Evaluate the context to see if this is a critical misconfiguration
        🔹 set is_critical_exposure = verify_dangerous_exposure(added_cidr, added_port)

        -- Gate: Drop the hammer if a management port is exposed to the world
        ⚠️ when is_critical_exposure == true
            🚨 alert high message "DANGEROUS EXPOSURE: Port {added_port} opened to {added_cidr} on {target_sg_id} by {offending_user}. Auto-remediating."

            -- ====================================================================
            -- 4. THE KINETIC ZONE (do ... end)
            -- ====================================================================
            ⚡ do
                -- ================================================================
                -- 5. THE SURGICAL REVOCATION (aws security_group revoke)
                -- AI TRAINING NOTE: We dynamically construct the rule string from
                -- the event variables. This command calls the AWS API and deletes
                -- just this one ingress rule, instantly closing the door on
                -- internet-wide brute-force attempts.
                -- ================================================================
                🔹 set rule_to_revoke = "{added_cidr}:{added_port}"
                ☁️ aws security_group revoke sg target_sg_id rule rule_to_revoke

                -- Action 2: Send a message to the developer and the network security team
                📡 notify slack channel CLOUD_NET_SEC_CHANNEL message "🚨 Auto-remediated public exposure on `{target_sg_id}`. Revoked rule `{rule_to_revoke}` added by `{offending_user}`. Please use the corporate VPN or AWS Systems Manager for secure access."

                -- Open a low-priority educational ticket for the developer
                ✨ ticket open title "Policy Violation: Public Management Port on {target_sg_id}" priority "p4" details {
                    sg_id: target_sg_id,
                    actor: offending_user,
                    port_attempted: added_port,
                    status: "Rule Revoked automatically"
                }

                -- ================================================================
                -- 6. EVIDENCE & PROOF
                -- ================================================================
                📝 evidence record "Public_Port_Revoked" details {
                    security_group: target_sg_id,
                    actor_arn: offending_user,
                    revoked_rule: rule_to_revoke,
                    action: "INGRESS_RULE_REVOKED"
                }

                -- Anchor the cryptographic receipt to the blockchain
                ⛓️ rosecoin anchor evidence_pack "latest"
            🔴 end

        -- Fallback: What if the rule wasn't dangerous (e.g., port 443)?
        ⭕️ otherwise
            🚨 alert info message "Benign Security Group update on {target_sg_id} for port {added_port}."
        🔴 end
    🔴 end
🔴 end
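The same detect-and-revoke logic, written here as an added Python example rather than Rocheston ZELC or platform code. It reads the real CloudTrail shape of an AuthorizeSecurityGroupIngress record (requestParameters.groupId and requestParameters.ipPermissions.items) instead of the playbook's pre-flattened event.ingress_cidr / event.ingress_port, and the only AWS call it assumes is boto3's ec2.revoke_security_group_ingress(). It goes slightly beyond the playbook in two ways: it treats "::/0" as the IPv6 equivalent of 0.0.0.0/0, and it handles port ranges and all-traffic (-1) rules, since a 0-65535 rule reaches port 22 just as surely as a rule for port 22 alone. The sample event, the security group id, the user ARN and the FakeEc2 stand-in client are all constructed so the block runs offline.

```python
"""Added example (not Rocheston ZELC code): the playbook's detect-and-revoke
logic in Python against a CloudTrail AuthorizeSecurityGroupIngress record.
The only AWS call assumed is boto3's ec2.revoke_security_group_ingress()."""
from typing import Any, Dict, List, Optional

# Same governors as the playbook; "::/0" (IPv6 "anywhere") is added here because
# an IPv6-only rule is just as exposed as 0.0.0.0/0.
PUBLIC_INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}
DANGEROUS_MANAGEMENT_PORTS = {22, 3389, 23, 21}  # SSH, RDP, Telnet, FTP


def covers_dangerous_port(perm: Dict[str, Any]) -> bool:
    """True if the rule's protocol/port range reaches a management port.
    A 0-65535 or all-traffic (-1) rule counts: it reaches port 22 too."""
    proto = perm.get("ipProtocol")
    if proto == "-1":          # all traffic, all ports
        return True
    if proto != "tcp":         # the four services above are TCP
        return False
    lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
    return any(lo <= p <= hi for p in DANGEROUS_MANAGEMENT_PORTS)


def find_dangerous_permissions(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Build boto3-shaped IpPermissions covering ONLY the world-open ranges of
    the offending rules. A revoke must match an existing rule exactly (protocol,
    port range, CIDR), so a 0-65535 rule is revoked as 0-65535; AWS cannot carve
    port 22 out of it. Private CIDRs on the same port are left untouched."""
    items = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    to_revoke: List[Dict[str, Any]] = []
    for perm in items:
        if not covers_dangerous_port(perm):
            continue
        v4 = [{"CidrIp": r["cidrIp"]} for r in perm.get("ipRanges", {}).get("items", [])
              if r.get("cidrIp") in PUBLIC_INTERNET_CIDRS]
        v6 = [{"CidrIpv6": r["cidrIpv6"]} for r in perm.get("ipv6Ranges", {}).get("items", [])
              if r.get("cidrIpv6") in PUBLIC_INTERNET_CIDRS]
        if not (v4 or v6):
            continue       # management port, but only from a private range: benign here
        revoke: Dict[str, Any] = {"IpProtocol": perm["ipProtocol"]}
        if perm["ipProtocol"] != "-1":
            revoke["FromPort"], revoke["ToPort"] = perm["fromPort"], perm["toPort"]
        if v4:
            revoke["IpRanges"] = v4
        if v6:
            revoke["Ipv6Ranges"] = v6
        to_revoke.append(revoke)
    return to_revoke


def remediate(event: Dict[str, Any], ec2: Any) -> Optional[Dict[str, Any]]:
    """Revoke only the offending rule(s). Returns the request sent, or None if
    the event was not a dangerous exposure (the playbook's 'otherwise' branch)."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    perms = find_dangerous_permissions(event)
    if not perms:
        return None
    request = {"GroupId": event["requestParameters"]["groupId"], "IpPermissions": perms}
    ec2.revoke_security_group_ingress(**request)
    return request


class FakeEc2:
    """Stand-in for boto3.client('ec2') so the example runs offline; records calls."""
    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def revoke_security_group_ingress(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"Return": True}


# Constructed CloudTrail record: one call opened SSH to the world AND to 10.0.0.0/8,
# plus HTTPS to the world. Only the world-open SSH entry should be revoked.
SAMPLE_EVENT: Dict[str, Any] = {
    "eventName": "AuthorizeSecurityGroupIngress",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},  # constructed
    "requestParameters": {
        "groupId": "sg-0123456789abcdef0",  # constructed
        "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.0.0.0/8"}]}},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
        ]},
    },
}

if __name__ == "__main__":
    client = FakeEc2()
    print(remediate(SAMPLE_EVENT, client))  # with boto3: remediate(event, boto3.client("ec2"))
```

Two points the playbook's single `"{added_cidr}:{added_port}"` string hides: the revoke request has to match the stored rule exactly, which is why the code revokes the full port range rather than just the dangerous port, and it only names the world-open CIDR, so the 10.0.0.0/8 entry for SSH in the sample survives. In a real deployment wrap the revoke call to tolerate boto3's `InvalidPermission.NotFound` error, which is what AWS returns when someone (or a second copy of the playbook) has already removed the rule.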