v0.2.2 - Live data wiring, dashboard complete and website

.gitignore

@@ -217,3 +217,5 @@ __marimo__/
 # Streamlit
 .streamlit/secrets.toml
 ai/vectorstore/
+.vercel
+.env*

README.md

@@ -1,6 +1,6 @@
 # OpenShield
 
-> **Open source Cloud Security Posture Management (CSPM) for Azure - built by the community, for the community.**
+> **Open source Cloud Security Posture Management (CSPM) for Azure - detect misconfigurations, map to CIS/NIST/ISO27001/SOC2, fix them with one command, and identify cryptographic assets requiring quantum-safe migration.**
 
 [![GitHub Repo stars](https://img.shields.io/github/stars/openshield-org/openshield?style=flat-square)](https://github.com/openshield-org/openshield/stargazers)
 [![GitHub forks](https://img.shields.io/github/forks/openshield-org/openshield?style=flat-square)](https://github.com/openshield-org/openshield/network/members)
@@ -26,17 +26,30 @@ Startups, SMEs, universities, and student teams are left with **zero visibility*
 
 **OpenShield changes that.**
 
+## Why Post-Quantum Cryptography Matters Now
+
+Adversaries are collecting encrypted Azure traffic today to decrypt it when quantum computers become available. This is called a Harvest Now Decrypt Later attack and it is happening right now.
+
+OpenShield scans Azure for classical cryptographic assets that need migration before it is too late:
+
+- TLS configurations using RSA or ECDH key exchange on App Services
+- Key Vault keys using RSA or ECC algorithms vulnerable to Shor's algorithm
+- Certificates using classical signature algorithms
+
+Findings map to NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) and feed directly into post-quantum migration planning.
+
 ---
 
 ## What OpenShield Does
 
 | Feature | Description |
 |---|---|
-| **Misconfiguration Scanner** | Runs 20 Azure security rules across storage, network, identity, database, compute, and Key Vault |
+| **Misconfiguration Scanner** | Runs 39 Azure security rules across storage, network, identity, database, compute, Key Vault, and post-quantum cryptography |
 | **Compliance Mapper** | Maps findings to CIS Benchmarks, NIST CSF, ISO 27001, and SOC 2 framework JSON files |
-| **Scan History API** | Stores scans and findings in PostgreSQL and exposes findings, score, scan history, and compliance posture over REST |
-| **Remediation Playbooks** | Every current rule ships with a matching Azure CLI remediation script |
-| **Security Dashboard** | Frontend scaffold is present; the React dashboard MVP is still on the roadmap |
+| **Scan History API** | Stores scans and findings in PostgreSQL and exposes findings, score, scan history, compliance posture, drift, and resource inventory over REST |
+| **Remediation Playbooks** | Every rule ships with a matching Azure CLI remediation script (36 playbooks) |
+| **Security Dashboard** | Full React dashboard deployed on Vercel — live monitoring, findings, compliance, drift, prioritization, and AI-layer views |
+| **Project Website** | Documentation and reference site at [openshield-website.vercel.app](https://openshield-website.vercel.app) — blog, rules gallery, docs, roadmap, releases, and interactive playground |
 | **Sentinel Integration** | Normalises findings and pushes them into Microsoft Sentinel via a Log Analytics custom table and KQL analytics rules |
 
 ---
@@ -45,13 +58,13 @@ Startups, SMEs, universities, and student teams are left with **zero visibility*
 
 ```mermaid
 flowchart TD
-    A["React Dashboard MVP\nPlanned frontend"]
+    A["React Dashboard\nVercel · Live"]
     B["Flask REST API\nJWT · CORS · Blueprints"]
-    C["Scanner Engine\n20 Python rules"]
+    C["Scanner Engine\n39 Python rules"]
     D["Azure Subscription\nScanned via Azure SDK + Graph"]
     E["Compliance Framework JSON\nCIS · NIST · ISO 27001 · SOC 2"]
     F["PostgreSQL Database\nFindings · Scans"]
-    G["Azure CLI Playbooks\n20 remediation scripts"]
+    G["Azure CLI Playbooks\n39 remediation scripts"]
     H["sentinel/ingest.py\nNormalise + HMAC upload"]
     I["Microsoft Sentinel\nOpenShieldFindings_CL · KQL rules"]
 
@@ -67,13 +80,15 @@ flowchart TD
     I -->|alerts| A
 ```
 
-## Live API
+## Live Demo
 
-The OpenShield API is deployed to the Render free tier and is accessible at:
-
-**`https://openshield-api.onrender.com`**
+| Service | URL |
+|---|---|
+| **Security Dashboard** (Vercel) | `https://openshield-gules.vercel.app` |
+| **REST API** (Render) | `https://openshield-api.onrender.com` |
+| **Project Website** | `https://openshield-website.vercel.app` |
 
-> **Note:** As this is hosted on the Render free tier, the service may spin down after 15 minutes of inactivity. The first request after a spin-down can take 30-60 seconds to complete.
+> **Note:** The API is hosted on Render. The dashboard connects automatically on load and shows live data from the PostgreSQL database.
 
 > [!IMPORTANT]
 > **Security Requirement:** Production deployments **fail at startup** if `JWT_SECRET` is missing, set to the insecure default, or shorter than 32 characters. Generate a strong secret with:
@@ -88,9 +103,10 @@ The OpenShield API is deployed to the Render free tier and is accessible at:
 
 | Layer | Technology | Cost |
 |---|---|---|
-| Frontend | Scaffolded dashboard app (React + Tailwind planned) | Free |
+| Project Website | Static HTML + Tailwind CDN, deployed on Vercel | Free |
+| Security Dashboard | React + Vite + Tailwind, deployed on Vercel | Free |
 | Backend API | Python + Flask | Free |
-| Database | PostgreSQL | Free (Render/Azure free tier) |
+| Database | PostgreSQL | Render managed PostgreSQL |
 | Cloud Scanner | Python + Azure SDK | Free |
 | Remediation | Azure CLI playbooks | Free |
 | SIEM | Microsoft Sentinel | 90-day free trial |
@@ -116,7 +132,8 @@ openshield/
 ├── api/                   # Flask REST API
 │   ├── routes/
 │   └── models/
-├── frontend/              # Dashboard scaffold
+├── frontend/              # React security dashboard (Vercel)
+├── website/               # Project website — docs, blog, rules gallery (Vercel)
 ├── sentinel/              # Sentinel integration & KQL rules
 ├── .github/workflows/     # CI checks
 ├── docs/                  # Documentation
@@ -129,6 +146,8 @@ openshield/
 
 ## Quick Start
 
+**Backend (Flask API + Scanner)**
+
 ```bash
 # Clone the repo
 git clone https://github.com/openshield-org/openshield.git
@@ -142,6 +161,7 @@ export AZURE_SUBSCRIPTION_ID=your-subscription-id
 export AZURE_CLIENT_ID=your-client-id
 export AZURE_CLIENT_SECRET=your-client-secret
 export AZURE_TENANT_ID=your-tenant-id
+export JWT_SECRET=your-strong-secret   # used to protect write endpoints (scan trigger, AI)
 
 # Run a scan
 python -c "
@@ -155,6 +175,21 @@ print(json.dumps(result, indent=2))
 FLASK_APP=api/app.py flask run
 ```
 
+**Frontend (React dashboard)**
+
+```bash
+cd frontend
+npm install
+
+# Local dev — points at http://localhost:5000 by default
+npm run dev
+
+# To develop against the live Render backend:
+VITE_API_URL=https://openshield-api.onrender.com npm run dev
+```
+
+No token required — all read endpoints are public. Only scan trigger and AI endpoints require a JWT (POST only).
+
 ---
 
 ## Contributing
@@ -178,9 +213,10 @@ Contributors are credited below.
 
 - [x] Project scaffolding
 - [x] Core scanner engine (Azure SDK integration)
-- [x] 20 scan rules
+- [x] 30+ scan rules
 - [x] Flask API + PostgreSQL schema
-- [ ] React dashboard MVP
+- [x] Post-quantum cryptography scanner (AZ-PQC-001 to AZ-PQC-003)
+- [x] React dashboard (live on Vercel)
 - [x] CIS Benchmark compliance mapping
 - [x] SOC 2 compliance mapping
 - [x] Sentinel alert integration
@@ -189,6 +225,8 @@ Contributors are credited below.
 - [x] Azure CLI remediation playbook library
 - [x] NIST CSF + ISO 27001 mappings
 - [x] GitHub Actions CI pipeline
+- [x] Project website with docs, blog, rules gallery, and playground
+- [x] Live end-to-end data wiring (all API endpoints serving real data)
 - [ ] Multi-cloud support (AWS, GCP)
 
 ---
@@ -199,20 +237,12 @@ MIT — free to use, modify, and distribute.
 
 ---
 
-> Built with ❤️ by security engineers and students who believe cloud security tooling should be accessible to everyone.
+> Built by security engineers and students who believe cloud security tooling should be accessible to everyone.
 
 ---
 
 ## Learn OpenShield
 
-Explore the OpenShield learning portal to understand:
+Full documentation, the security rules gallery, blog, and interactive playground are available at the project website:
 
-- Azure CSPM fundamentals
-- OpenShield architecture
-- Compliance mappings
-- Remediation workflows
-- Contributor onboarding
-- Documentation navigation
-
-👉 [OpenShield Learn](docs/learn/index.html)
-> Built by security engineers and students who believe cloud security tooling should be accessible to everyone.
+**[openshield-website.vercel.app](https://openshield-website.vercel.app)**

ai/knowledge/skills/post-quantum-cryptography-azure/SKILL.md

@@ -0,0 +1,89 @@
+---
+name: post-quantum-cryptography-azure
+description: Identifies and remediates non-quantum-safe cryptographic configurations in Azure including classical TLS key exchange, RSA and ECC keys in Key Vault, and classical certificate algorithms. Maps findings to NIST PQC standards FIPS 203, FIPS 204, and FIPS 205. Use when assessing quantum readiness of Azure infrastructure or building a Cryptographic Bill of Materials.
+domain: cybersecurity
+subdomain: post-quantum-cryptography
+tags:
+- post-quantum
+- pqc
+- azure
+- key-vault
+- tls
+- cryptography
+- cbom
+version: '1.0'
+author: openshield
+license: Apache-2.0
+nist_csf:
+- PR.DS-2
+- PR.DS-1
+---
+
+# Post-Quantum Cryptography Assessment for Azure
+
+## When to Use
+- When assessing an Azure environment for quantum readiness
+- When building a Cryptographic Bill of Materials for Azure resources
+- When identifying classical cryptographic algorithms that need migration
+- When planning post-quantum migration for Key Vault keys and certificates
+- When evaluating TLS configurations for quantum vulnerability
+
+## Key Concepts
+
+| Term | Definition |
+|------|------------|
+| Harvest Now Decrypt Later | Attack where adversaries collect encrypted traffic today and decrypt it when quantum computers become available |
+| Shor's Algorithm | Quantum algorithm that can break RSA and ECC by solving integer factorisation and discrete logarithm problems efficiently |
+| ML-KEM | Module Lattice Key Encapsulation Mechanism, NIST FIPS 203, post-quantum safe key exchange |
+| ML-DSA | Module Lattice Digital Signature Algorithm, NIST FIPS 204, post-quantum safe signing |
+| SLH-DSA | Stateless Hash-Based Digital Signature Algorithm, NIST FIPS 205, post-quantum safe signing |
+| CBOM | Cryptographic Bill of Materials, inventory of all cryptographic assets in a system |
+| PQMA | Post-Quantum Migration Analyser, tool for validating PQC migration paths |
+
+## OpenShield PQC Rules
+
+| Rule | Description | Severity |
+|------|-------------|----------|
+| AZ-PQC-001 | TLS below 1.3 on App Service | HIGH |
+| AZ-PQC-002 | Key Vault key using RSA or ECC algorithm | HIGH |
+| AZ-PQC-003 | Key Vault certificate using non-quantum-safe signature algorithm | MEDIUM |
+
+## Assessment Workflow
+
+### Step 1: Identify Classical Keys in Key Vault
+```bash
+az keyvault list --output table
+az keyvault key list --vault-name <vault-name> --output table
+az keyvault certificate list --vault-name <vault-name> --output table
+```
+
+### Step 2: Check TLS Configuration on App Services
+```bash
+az webapp list --output table
+az webapp config show --resource-group <rg> --name <app-name> --query minTlsVersion
+```
+
+### Step 3: Build Cryptographic Bill of Materials
+Document all findings with resource ID, algorithm type, key size, expiry date, and dependent services.
+
+### Step 4: Prioritise Migration
+1. Keys and certificates exposed to internet traffic first
+2. Long-lived keys with high blast radius second
+3. Internal service-to-service encryption third
+
+## NIST PQC Standards Reference
+
+| Standard | Algorithm | Use Case |
+|----------|-----------|----------|
+| FIPS 203 | ML-KEM | Key encapsulation, replacing RSA and ECDH key exchange |
+| FIPS 204 | ML-DSA | Digital signatures, replacing RSA-PSS and ECDSA |
+| FIPS 205 | SLH-DSA | Digital signatures, hash-based alternative |
+
+## Compliance Mapping
+
+| Framework | Control | Requirement |
+|-----------|---------|-------------|
+| NIST CSF | PR.DS-2 | Data in transit is protected using quantum-safe algorithms |
+| ISO 27001 | A.10.1.1 | Cryptographic controls policy must address quantum threats |
+| CIS Azure | 8.1 | Key management must include post-quantum migration planning |
+| SOC 2 | CC6.7 | Encryption protecting data in transit must be quantum-safe |

api/app.py

@@ -9,7 +9,6 @@
 from flask_cors import CORS
 
 from api.models.finding import DatabaseManager
-from api.routes.ai import ai_bp
 
 load_dotenv()
 
@@ -20,7 +19,12 @@
 logger = logging.getLogger(__name__)
 
 # Paths that do not require a JWT token
-_PUBLIC_PATHS = {"/health", "/"}
+# All GET requests are public — the dashboard is a public demo of seeded data.
+# POST endpoints (scan trigger, AI) remain JWT-protected.
+def _is_public_get(path: str) -> bool:
+    if path in ("/", "/health"):
+        return True
+    return path.startswith("/api/")
 
 _INSECURE_JWT_DEFAULT = "change-me-in-production"
 _MIN_JWT_SECRET_LENGTH = 32
@@ -108,7 +112,7 @@ def create_app() -> Flask:
             "For production deployments, set this to your specific frontend domain(s)."
         )
     allowed_origins = allowed_origins_raw.split(",")
-    CORS(app, resources={r"/api/*": {"origins": allowed_origins}})
+    CORS(app, resources={r"/*": {"origins": allowed_origins}})
 
     # ------------------------------------------------------------------ #
     # Database Management                                                   #
@@ -140,7 +144,7 @@ def verify_jwt() -> None:
         """Validate the Bearer token on every non-public, non-OPTIONS request."""
         if request.method == "OPTIONS":
             return None
-        if request.path in _PUBLIC_PATHS:
+        if request.method == "GET" and _is_public_get(request.path):
             return None
 
         auth = request.headers.get("Authorization", "")
@@ -167,15 +171,21 @@ def verify_jwt() -> None:
     # ------------------------------------------------------------------ #
     from api.routes.ai import ai_bp
     from api.routes.compliance import compliance_bp
+    from api.routes.drift import drift_bp
     from api.routes.findings import findings_bp
+    from api.routes.prioritization import prioritization_bp
+    from api.routes.resources import resources_bp
     from api.routes.scans import scans_bp
     from api.routes.score import score_bp
 
     app.register_blueprint(ai_bp)
+    app.register_blueprint(compliance_bp)
+    app.register_blueprint(drift_bp)
     app.register_blueprint(findings_bp)
+    app.register_blueprint(prioritization_bp)
+    app.register_blueprint(resources_bp)
     app.register_blueprint(scans_bp)
     app.register_blueprint(score_bp)
-    app.register_blueprint(compliance_bp)
 
     # ------------------------------------------------------------------ #
     # Routes (public)                                                      #