-- ============================================================================
-- 🛡️ ROCHESTON ZELC PROGRAMMING LANGUAGE
-- 👤 Creator: Haja Mo
-- 🏢 Organization: Rocheston
-- 📜 Platform: Rocheston Agentic AI Cybersecurity Automation Platform
-- ============================================================================
-- Playbook: Password Security & Brute-Force Defense (Password Keywords)
-- Intent: Demonstrates 'argon2', 'credential_stuffing', 'rate_limit', and 'salt'.
--         Neutralizes automated login attacks and enforces modern hashing standards.
-- Infrastructure: Rocheston IAM, Redis (for throttling), Argon2 Library, Rosecoin.
-- Note: The 'pepper' is stored in a separate HSM, so a dump of the credential
--       store alone is not enough to mount an offline guessing attack.

package soc.identity_hardening
use identity, crypto, network, slack, rosecoin

-- ============================================================================
-- 1. CONFIGURATION GOVERNORS (Strongly Typed)
-- ============================================================================
⚙️ keep HASH_ALGO: String = "Argon2id"
⚙️ keep MAX_LOGIN_ATTEMPTS: Integer = 5
⚙️ keep MIN_PASSWORD_LENGTH: Integer = 16
⚙️ keep THROTTLE_WINDOW: Duration = 15m

-- ============================================================================
-- 2. THE ENTRY POINT (The Check Block)
-- ============================================================================
🔥 check PasswordIntegrityDefense

  -- Trigger Gate: fires on a 'credential_stuffing' pattern (high-frequency failed
  -- logins across many accounts) or on a raw request spike against the login API.
  ⚠️ when credential_stuffing_detected or api_spike on "/auth/login"

    🔹 set target_user: identity = event.principal
    🔹 set source_ip: IPv4 = event.src_ip
    🔹 set attempt_count: Integer = event.fail_count

    🚨 alert warning message "IDENTITY ALERT: Credential stuffing attempt on {target_user} from {source_ip}."

    -- ========================================================================
    -- 3. THE THROTTLING & LOCKOUT LAYER (rate_limit, throttle, lockout)
    -- ========================================================================
    ⚡ do

      -- Action 1: Apply 'rate_limit' to the source IP.
      -- Voice-friendly: "Identity rate_limit IP..."
      -- Caveat: stuffing is usually spread across many source IPs, so this only
      -- slows a single source; the per-account counter below is what stops it.
      ☁️ network apply_rate_limit source_ip threshold 1/min

      -- Action 2: Trigger a time-boxed 'lockout' for the specific user account.
      -- The lock expires after THROTTLE_WINDOW; a permanent lock would let an
      -- attacker deny service to any user simply by failing logins against them.
      ⚠️ when attempt_count >= MAX_LOGIN_ATTEMPTS
        🚨 alert critical message "ACCOUNT LOCKOUT: {target_user} locked after {attempt_count} failed attempts."
        ☁️ identity lockout target_user duration THROTTLE_WINDOW

        -- Action 3: Require 'mfa_required' step-up on the next successful login
        ☁️ identity set_policy mfa_required for target_user
      🔴 end

      -- ========================================================================
      -- 4. THE HASHING & STORAGE LAYER (argon2, salt, pepper, bcrypt)
      -- ========================================================================
      -- Action 4: Verify that the user's 'password_hash' uses the modern standard.
      -- If the stored hash is legacy MD5/SHA1, trigger an immediate rotation.
      🔹 set current_hash_type: String = identity check_hash_type for target_user

      ⚠️ when current_hash_type != HASH_ALGO
        🚨 alert info message "CRYPTO UPGRADE: Migrating {target_user} to {HASH_ALGO}."

        -- Action 5: Force a password reset on next login to upgrade the 'hashing'.
        -- The new password is stored with a unique per-user 'salt' and the global
        -- 'pepper'. Only the plaintext entered at reset time can be rehashed; the
        -- old digest cannot be converted in place.
        ☁️ identity force_reset target_user reason "Insecure-Hash-Upgrade"
      🔴 end

      -- ========================================================================
      -- 5. THE BREACH & RECOVERY LAYER (breach_check, recovery_flow, reset_token)
      -- ========================================================================
      -- Action 6: Perform a 'breach_check' against known leaked-password databases.
      -- The fingerprint must be a truncated hash prefix (k-anonymity range query),
      -- never the password or its full hash, so the lookup service learns nothing usable.
      🔹 set is_leaked: Boolean = identity breach_check target_user.password_fingerprint

      ⚠️ when is_leaked == true
        🚨 alert critical message "COMPROMISED CREDENTIALS: {target_user}'s password found in external breach."

        -- Action 7: Invalidate all active sessions and outstanding 'reset_token's
        ☁️ identity invalidate_all_tokens for target_user

        -- Action 8: Trigger a secure 'recovery_flow' over out-of-band channels
        ☁️ identity trigger_recovery_flow target_user channel "email_and_sms"
      🔴 end

      -- Action 9: Notify the IAM admin channel
      📡 notify slack channel "#identity-security-ops" message "🔑 *Credential Defense Successful* \n*User:* `{target_user}` \n*Status:* Account Locked. MFA Enabled. Breach Check Complete. \n*Action:* Reset Token Invalidated. Recovery Flow Initiated."

      -- ========================================================================
      -- 6. EVIDENCE & PROOF
      -- ========================================================================
      📝 evidence record "Password_Security_Remediation_Cycle" details {
        user: target_user,
        hash_upgrade: (current_hash_type != HASH_ALGO),
        breach_found: is_leaked,
        action: "IDENTITY_ASSURANCE_RESTORED"
      }

      -- Anchor the hash upgrade event and breach status to Rosecoin
      ⛓️ rosecoin anchor evidence_pack "latest"

    🔴 end
  🔴 end
🔴 end
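The throttling and lockout layer (section 3) and the 'credential_stuffing' trigger gate, worked through in Python as an added example. This is not Rocheston or ZELC code: it is an in-memory stand-in for the Redis-backed logic behind 'apply_rate_limit', 'lockout' and 'mfa_required', plus a detector for the one-IP-many-accounts stuffing signature. The class and function names (LoginDefense, record_failure, credential_stuffing_sources) and the EVENTS traffic are assumptions constructed for the demo.

```python
"""Per-IP rate limiting, per-account lockout and a stuffing detector.

Added example, not Rocheston/ZELC code.  In-memory stand-in for the
Redis-backed throttling the playbook delegates to the platform.
"""
from collections import defaultdict, deque

MAX_LOGIN_ATTEMPTS = 5        # same governor as the playbook
THROTTLE_WINDOW = 15 * 60     # 15m expressed in seconds
IP_LIMIT, IP_WINDOW = 1, 60   # 'threshold 1/min' applied to a suspect IP


def _prune(q, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while q and q[0] <= now - window:
        q.popleft()


class LoginDefense:
    def __init__(self):
        self.ip_hits = defaultdict(deque)     # ip -> recent request timestamps
        self.user_fails = defaultdict(deque)  # user -> recent failure timestamps
        self.locked_until = {}                # user -> time the lock expires
        self.mfa_required = set()             # users forced to MFA step-up

    def ip_allowed(self, ip, now):
        """Sliding-window rate limit: at most IP_LIMIT hits per IP_WINDOW."""
        q = self.ip_hits[ip]
        _prune(q, now, IP_WINDOW)
        if len(q) >= IP_LIMIT:
            return False
        q.append(now)
        return True

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Count a failed login; return True when it trips the lockout.

        The lock is time-boxed (THROTTLE_WINDOW), not permanent, so an
        attacker cannot deny a victim service just by failing logins."""
        q = self.user_fails[user]
        _prune(q, now, THROTTLE_WINDOW)
        q.append(now)
        if len(q) >= MAX_LOGIN_ATTEMPTS:
            self.locked_until[user] = now + THROTTLE_WINDOW
            self.mfa_required.add(user)   # step-up on the next good login
            q.clear()
            return True
        return False

    def record_success(self, user):
        self.user_fails.pop(user, None)


def credential_stuffing_sources(events, now, window=60, min_accounts=20):
    """Return IPs that failed against >= min_accounts distinct users in `window`.

    A per-IP limit alone misses stuffing spread over many IPs; this is the
    'one IP, many accounts' half of the signature, and the per-account
    counter above covers the 'many IPs, one account' half.
    events: iterable of (timestamp, ip, user, success) tuples."""
    accounts = defaultdict(set)
    for ts, ip, user, success in events:
        if not success and now - window < ts <= now:
            accounts[ip].add(user)
    return {ip for ip, users in accounts.items() if len(users) >= min_accounts}


# Constructed sample traffic: one IP cycling a leaked user list, one human typo.
EVENTS = [(1000.0 + i, "198.51.100.9", f"user{i:03d}", False) for i in range(25)]
EVENTS += [(1010.0, "203.0.113.7", "alice", False),
           (1012.0, "203.0.113.7", "alice", True)]


if __name__ == "__main__":
    print(credential_stuffing_sources(EVENTS, now=1030.0))
```

A production version keeps the same two counters in Redis (a sorted set per key with the timestamps as scores, pruned with ZREMRANGEBYSCORE) so that every login node sees the same state; the detector would run over the auth log stream rather than an in-memory list.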
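The hashing layer (section 4) and the breach check (section 5), worked through in Python as an added example rather than Rocheston or ZELC code. The standard library's memory-hard hashlib.scrypt stands in for Argon2id so the block runs without the third-party argon2-cffi package; the flow is the same: HMAC the password with a pepper held outside the credential store, then run the memory-hard KDF with a per-user salt. It also shows the 'check_hash_type' classification, login-time upgrade of a legacy MD5 credential, and a k-anonymity breach lookup in the style of the Pwned Passwords range API. The PEPPER bytes, the USERS store and the BREACH_INDEX corpus are constructed for the demo, and the function names are assumptions.

```python
"""Salt + pepper hashing, legacy-hash detection and k-anonymity breach check.

Added example, not Rocheston/ZELC code.  scrypt stands in for Argon2id.
"""
import base64
import hashlib
import hmac
import os

HASH_ALGO = "scrypt"               # the playbook's governor would be "Argon2id"
N, R, P = 2 ** 14, 8, 1            # scrypt cost parameters; raise N in production
PEPPER = bytes.fromhex("1f" * 32)  # constructed; the real pepper lives in the HSM


def _b64(b):
    return base64.b64encode(b).decode()


def _b64d(s):
    return base64.b64decode(s)


def hash_password(password, pepper=PEPPER, salt=None):
    """Return a PHC-style string: $scrypt$n=..,r=..,p=..$<salt>$<hash>."""
    salt = salt or os.urandom(16)                    # unique per user
    pre = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    dk = hashlib.scrypt(pre, salt=salt, n=N, r=R, p=P, dklen=32, maxmem=2 ** 26)
    return f"${HASH_ALGO}$n={N},r={R},p={P}${_b64(salt)}${_b64(dk)}"


def check_hash_type(stored):
    """Classify a stored credential by its format (the playbook's check_hash_type)."""
    if stored.startswith("$scrypt$"):
        return "scrypt"
    if stored.startswith("$argon2id$"):
        return "Argon2id"
    if stored.startswith("$2a$") or stored.startswith("$2b$"):
        return "bcrypt"
    is_hex = all(c in "0123456789abcdef" for c in stored.lower())
    if is_hex and len(stored) == 32:
        return "MD5"
    if is_hex and len(stored) == 40:
        return "SHA1"
    return "unknown"


def verify_password(password, stored, pepper=PEPPER):
    kind = check_hash_type(stored)
    if kind == "scrypt":
        _, _, params, salt, dk = stored.split("$")
        n, r, p = (int(kv.split("=")[1]) for kv in params.split(","))
        pre = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
        got = hashlib.scrypt(pre, salt=_b64d(salt), n=n, r=r, p=p,
                             dklen=32, maxmem=2 ** 26)
        return hmac.compare_digest(got, _b64d(dk))
    if kind == "MD5":   # legacy: unsalted, unpeppered, fast to crack offline
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(),
                                   stored.lower())
    if kind == "SHA1":
        return hmac.compare_digest(hashlib.sha1(password.encode()).hexdigest(),
                                   stored.lower())
    return False


def verify_and_upgrade(password, stored, pepper=PEPPER):
    """Login-time migration: if the password is correct but stored under a
    legacy format, return a replacement hash in the modern format.  Only the
    plaintext presented at login can be rehashed; the digest cannot be converted."""
    ok = verify_password(password, stored, pepper)
    if ok and check_hash_type(stored) != HASH_ALGO:
        return True, hash_password(password, pepper)
    return ok, None


def build_breach_index(leaked_passwords):
    """Constructed stand-in for a leaked-password corpus, keyed the way the
    Pwned Passwords range API is: 5-hex-char SHA-1 prefix -> set of suffixes."""
    index = {}
    for pw in leaked_passwords:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def breach_check(password, index):
    """k-anonymity lookup: only the 5-char prefix would leave the host and the
    suffix comparison happens locally, so the service never sees the password."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


BREACH_INDEX = build_breach_index(["password", "123456", "qwerty", "letmein"])
USERS = {                                         # constructed credential store
    "alice": hash_password("correct horse battery staple"),
    "bob": "5f4dcc3b5aa765d61d8327deb882cf99",   # legacy unsalted MD5 of "password"
}
```

The pepper is used as an HMAC key rather than concatenated into the salt so that it never appears in the stored string; losing the database still leaves the attacker needing the HSM-held secret before any offline guessing is possible. Note that verify_and_upgrade only fixes accounts that log in; the playbook's force_reset covers dormant accounts still sitting on MD5 or SHA1.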