⭐ Expand Security Hub with standards controls, findings, and insights (#7156)

* ⭐ Expand Security Hub with standards controls, findings, automation rules, and insights

Add typed resources for comprehensive Security Hub querying:
- standardSubscription: enabled standards with status
- standardControl: individual controls with pass/fail status, severity, remediation URLs
- finding: ASFF findings with severity, compliance status, workflow state, affected resources
- automationRule: rule metadata with status and execution order
- insight + insightResult: saved filters with computed result aggregations

This enables queries like:
  aws.securityhub.hubs { standardSubscriptions { controls.where(controlStatus == "ENABLED") { controlId severity title } } }

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* 🐛 Fix error handling, perf, and logic issues in Security Hub resources

Fix duplicate arn/productArn on findings (arn was incorrectly set to
ProductArn), swallowed error in insight filters, by-value copy of large
finding struct in hot loop, off-by-one in 1000-finding cap, and
misleading standard name (was raw ARN). Replace custom strPtr/int32Ptr
with sdk aws.String/aws.Int32.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* 🧹 Address review: migrate deprecated API, fix severityScore type

- Replace deprecated DescribeStandardsControls with
  ListSecurityControlDefinitions + BatchGetStandardsControlAssociations
- Rename severityScore float → severityNormalized int to match SDK type
  (*int32 range 0-100, not a decimal value)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* 🐛 Fix standardNameFromArn to handle ruleset/ prefix

CIS standards use "ruleset/" instead of "standards/" in their ARN
(e.g., arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/...).
Handle both prefixes so all standard names are human-readable.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* 🟢 Add unit tests for Security Hub standardNameFromArn

Tests all ARN formats: standards/, ruleset/, PCI-DSS, NIST,
no-match fallback, empty string, and ARN without version suffix.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* 🧹 Update permissions for new Security Hub APIs

Replace deprecated DescribeStandardsControls with
BatchGetStandardsControlAssociations and ListSecurityControlDefinitions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* 📄 Document that permissions.json must always be committed

It tracks IAM permissions required by each provider and changes
to it are part of the PR, not throwaway build artifacts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* 📄 Note that expect.txt removals are fine if CI passes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tas50

CLAUDE.md

@@ -346,7 +346,7 @@ Think of it as: MQL (like SQL or even better GraphQL) → MQLC (compiler) → LL
     - Resource structs
     - Schema definitions
     - Data accessor methods
-- Generated files: `*.lr.go`, `*.lr.versions`, `*.resources.json`
+- Generated files: `*.lr.go`, `*.lr.versions`, `*.resources.json`, `*.permissions.json`
 
 ### Resource Caching & __id
 **How caching works:**
@@ -483,6 +483,7 @@ for {
 - Never manually edit generated `.lr.go` files - they get overwritten
 - Use `make providers/mqlr` for faster provider-specific regeneration
 - **Internal structs require a second generation pass.** If you add a new `mql*Internal` struct to a Go file, the first `./mqlr generate` won't embed it (the struct didn't exist when the generator ran). Run `./mqlr generate` again after adding Internal structs.
+- **Always commit `*.permissions.json`** when it changes. This file is regenerated by `make providers/build/<provider>` and tracks the IAM permissions each provider requires. Changes to it (e.g., new API calls added, deprecated calls removed) are part of the PR — they're not throwaway build artifacts.
 
 ### Testing & Verification
 - If you want to test simple changes, build and install the provider and use mql run ....
@@ -565,7 +566,7 @@ make test/integration
 
 ### Quick Pre-Commit Checklist
 - [ ] `gofmt -w` run on all changed `.go` files
-- [ ] Generated files are up-to-date (`.lr.go`, `.pb.go`)
+- [ ] Generated files are up-to-date (`.lr.go`, `.pb.go`, `.permissions.json`)
 - [ ] Linting passes (`make test/lint`)
 - [ ] Changes work interactively (`mql shell <provider>`)
 - [ ] `go.mod` is clean (`go mod tidy`)
@@ -585,6 +586,7 @@ CI runs [check-spelling/check-spelling](https://github.com/check-spelling/check-
 - If the word is a legitimate technical term: add it to `expect.txt` (keep sorted)
 - If the word appears in a pattern (ARN, hash, URL): add a regex to `patterns.txt`
 - If it's a genuine typo: fix the spelling
+- Removing words from `expect.txt` is fine as long as the spell check CI job passes
 
 ## 9. Commit Conventions
 

providers/aws/resources/aws.lr

@@ -3035,6 +3035,146 @@ private aws.securityhub.hub @defaults("arn region") {
   region string
   // List of enabled security standards (CIS, PCI-DSS, AWS Foundational, etc.)
   enabledStandards() []dict
+  // Typed standard subscriptions with control details
+  standardSubscriptions() []aws.securityhub.standardSubscription
+  // Active findings (non-archived) in this hub
+  findings() []aws.securityhub.finding
+  // Automation rules configured in this hub
+  automationRules() []aws.securityhub.automationRule
+  // Custom and default insights
+  insights() []aws.securityhub.insight
+}
+
+// AWS Security Hub enabled standard subscription
+private aws.securityhub.standardSubscription @defaults("name status") {
+  // ARN of the standard subscription
+  arn string
+  // ARN of the standard definition
+  standardArn string
+  // Name of the standard (e.g., CIS AWS Foundations Benchmark)
+  name string
+  // Region for this subscription
+  region string
+  // Subscription status: READY, INCOMPLETE, FAILED, DELETING, PENDING
+  status string
+  // Controls within this standard
+  controls() []aws.securityhub.standardControl
+}
+
+// AWS Security Hub standard control
+private aws.securityhub.standardControl @defaults("controlId title controlStatus") {
+  // Control ARN
+  arn string
+  // Control identifier (e.g., CIS.1.1)
+  controlId string
+  // Control title
+  title string
+  // Description of what the control checks for
+  description string
+  // Control status: ENABLED, DISABLED
+  controlStatus string
+  // Severity: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL
+  severity string
+  // Reason the control was disabled
+  disabledReason string
+  // Related compliance requirements
+  relatedRequirements []string
+  // URL to remediation documentation
+  remediationUrl string
+}
+
+// AWS Security Hub finding (ASFF format)
+private aws.securityhub.finding @defaults("title severity workflowStatus") {
+  // Finding identifier
+  id string
+  // Finding title
+  title string
+  // Finding description
+  description string
+  // Normalized severity label: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL
+  severity string
+  // Legacy normalized severity (0-100 integer, deprecated in favor of severity label)
+  severityNormalized int
+  // Record state: ACTIVE, ARCHIVED
+  recordState string
+  // Compliance status: PASSED, FAILED, WARNING, NOT_AVAILABLE
+  complianceStatus string
+  // Workflow status: NEW, NOTIFIED, RESOLVED, SUPPRESSED
+  workflowStatus string
+  // Finding type categories
+  types []string
+  // ARN of the product that generated the finding
+  productArn string
+  // Name of the product that generated the finding
+  productName string
+  // Identifier for the rule or check that generated the finding
+  generatorId string
+  // Type of the affected resource (e.g., AwsEc2Instance)
+  resourceType string
+  // ID of the affected resource
+  resourceId string
+  // Region of the affected resource
+  resourceRegion string
+  // When the finding was created
+  createdAt time
+  // When the finding was last updated
+  updatedAt time
+  // When the potential issue was first observed
+  firstObservedAt time
+  // When the potential issue was last observed
+  lastObservedAt time
+  // URL to remediation documentation
+  remediationUrl string
+  // Text description of the remediation
+  remediationText string
+  // AWS account ID where the finding was generated
+  accountId string
+  // Region where the finding was generated
+  region string
+}
+
+// AWS Security Hub automation rule
+private aws.securityhub.automationRule @defaults("ruleName ruleStatus") {
+  // Rule ARN
+  arn string
+  // Rule name
+  ruleName string
+  // Rule execution order (1-1000, lower executes first)
+  ruleOrder int
+  // Rule status: ENABLED, DISABLED
+  ruleStatus string
+  // Rule description
+  description string
+  // Whether this rule stops further rule evaluation
+  isTerminal bool
+  // When the rule was created
+  createdAt time
+  // When the rule was last updated
+  updatedAt time
+  // Who created the rule
+  createdBy string
+}
+
+// AWS Security Hub insight (saved filter/aggregation)
+private aws.securityhub.insight @defaults("name") {
+  // Insight ARN
+  arn string
+  // Insight name
+  name string
+  // Attribute that findings are grouped by
+  groupByAttribute string
+  // Filter criteria as dict
+  filters dict
+  // Computed insight results
+  results() []aws.securityhub.insightResult
+}
+
+// AWS Security Hub insight result entry
+private aws.securityhub.insightResult @defaults("groupByAttributeValue count") {
+  // The value of the grouping attribute
+  groupByAttributeValue string
+  // Number of findings matching this value
+  count int
 }
 
 // AWS Shield Advanced