aws-security-mcp 0.7.1 → 0.7.3

package/dist/src/index.js

@@ -4,7 +4,7 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 import { z } from "zod";
 
 // src/version.ts
-var VERSION = "0.7.1";
+var VERSION = "0.7.3";
 
 // src/utils/aws-client.ts
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
@@ -85,6 +85,25 @@ async function listOrgAccounts(region) {
 }
 
 // src/scanners/runner.ts
+var DEFAULT_CONCURRENCY = 5;
+async function runWithConcurrency(tasks, limit) {
+  const results = [];
+  const executing = /* @__PURE__ */ new Set();
+  for (let i = 0; i < tasks.length; i++) {
+    const idx = i;
+    const p = tasks[idx]().then((value) => {
+      results[idx] = { status: "fulfilled", value };
+    }).catch((reason) => {
+      results[idx] = { status: "rejected", reason };
+    }).finally(() => {
+      executing.delete(p);
+    });
+    executing.add(p);
+    if (executing.size >= limit) await Promise.race(executing);
+  }
+  await Promise.all(executing);
+  return results;
+}
 var AGGREGATION_MODULES = /* @__PURE__ */ new Set([
   "security_hub_findings",
   "guardduty_findings",
@@ -132,8 +151,8 @@ function buildSummary(modules) {
     modulesError
   };
 }
-async function runScannersWithContext(scanners, ctx) {
-  const settled = await Promise.allSettled(scanners.map((s) => s.scan(ctx)));
+async function runScannersWithContext(scanners, ctx, concurrency = DEFAULT_CONCURRENCY) {
+  const settled = await runWithConcurrency(scanners.map((s) => () => s.scan(ctx)), concurrency);
   return settled.map((result, i) => {
     if (result.status === "fulfilled") {
       for (const f of result.value.findings) {
@@ -654,6 +673,25 @@ import {
   DescribeInstancesCommand,
   DescribeInstanceAttributeCommand
 } from "@aws-sdk/client-ec2";
+var USERDATA_CONCURRENCY = 5;
+async function runWithConcurrency2(tasks, limit) {
+  const results = [];
+  const executing = /* @__PURE__ */ new Set();
+  for (let i = 0; i < tasks.length; i++) {
+    const idx = i;
+    const p = tasks[idx]().then((value) => {
+      results[idx] = { status: "fulfilled", value };
+    }).catch((reason) => {
+      results[idx] = { status: "rejected", reason };
+    }).finally(() => {
+      executing.delete(p);
+    });
+    executing.add(p);
+    if (executing.size >= limit) await Promise.race(executing);
+  }
+  await Promise.all(executing);
+  return results;
+}
 var SECRET_PATTERNS = [
   { name: "AWS Access Key", pattern: /AKIA[0-9A-Z]{16}/, matchType: "value" },
   { name: "Private Key", pattern: /-----BEGIN.*PRIVATE KEY-----/, matchType: "value" },
@@ -753,25 +791,28 @@ var SecretExposureScanner = class {
           nextToken = resp.NextToken;
         } while (nextToken);
         resourcesScanned += instances.length;
-        for (const inst of instances) {
+        const userDataTasks = instances.map((inst) => async () => {
+          const instId = inst.InstanceId ?? "unknown";
+          const attrResp = await ec2.send(
+            new DescribeInstanceAttributeCommand({
+              InstanceId: instId,
+              Attribute: "userData"
+            })
+          );
+          const raw = attrResp.UserData?.Value;
+          return { instId, userData: raw ? Buffer.from(raw, "base64").toString("utf-8") : void 0 };
+        });
+        const settled = await runWithConcurrency2(userDataTasks, USERDATA_CONCURRENCY);
+        for (let i = 0; i < instances.length; i++) {
+          const result = settled[i];
+          const inst = instances[i];
           const instId = inst.InstanceId ?? "unknown";
           const instArn = `arn:${partition}:ec2:${region}:${accountId}:instance/${instId}`;
-          let userData;
-          try {
-            const attrResp = await ec2.send(
-              new DescribeInstanceAttributeCommand({
-                InstanceId: instId,
-                Attribute: "userData"
-              })
-            );
-            const raw = attrResp.UserData?.Value;
-            if (raw) {
-              userData = Buffer.from(raw, "base64").toString("utf-8");
-            }
-          } catch (e) {
-            warnings.push(`Could not read userData for ${instId}: ${e instanceof Error ? e.message : String(e)}`);
+          if (result.status === "rejected") {
+            warnings.push(`Could not read userData for ${instId}: ${result.reason instanceof Error ? result.reason.message : String(result.reason)}`);
             continue;
           }
+          const userData = result.value.userData;
           if (!userData) continue;
           for (const sp of SECRET_PATTERNS) {
             if (sp.matchType === "name") continue;
@@ -1962,6 +2003,7 @@ import {
 import {
   S3Client as S3Client3,
   ListBucketsCommand as ListBucketsCommand2,
+  GetBucketLocationCommand as GetBucketLocationCommand2,
   GetBucketTaggingCommand
 } from "@aws-sdk/client-s3";
 var DEFAULT_REQUIRED_TAGS = ["Environment", "Project", "Owner"];
@@ -2078,8 +2120,19 @@ var TagComplianceScanner = class {
         for (const bucket of buckets) {
           const name = bucket.Name ?? "unknown";
           const arn = `arn:${partition}:s3:::${name}`;
+          let bucketClient;
+          try {
+            const locResp = await s3Client.send(new GetBucketLocationCommand2({ Bucket: name }));
+            const rawLoc = locResp.LocationConstraint || "us-east-1";
+            const bucketRegion = rawLoc === "EU" ? "eu-west-1" : rawLoc;
+            bucketClient = bucketRegion === region ? s3Client : createClient(S3Client3, bucketRegion, ctx.credentials);
+          } catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            warnings.push(`Bucket ${name}: could not determine region, skipping: ${msg}`);
+            continue;
+          }
           try {
-            const taggingResp = await s3Client.send(
+            const taggingResp = await bucketClient.send(
               new GetBucketTaggingCommand({ Bucket: name })
             );
             const tags = (taggingResp.TagSet ?? []).map((t) => ({
@@ -2381,6 +2434,7 @@ import {
 import {
   S3Client as S3Client4,
   ListBucketsCommand as ListBucketsCommand3,
+  GetBucketLocationCommand as GetBucketLocationCommand3,
   GetBucketVersioningCommand,
   GetBucketReplicationCommand
 } from "@aws-sdk/client-s3";
@@ -2555,8 +2609,19 @@ var DisasterRecoveryScanner = class {
       resourcesScanned += bucketNames.length;
       for (const name of bucketNames) {
         const arn = `arn:${partition}:s3:::${name}`;
+        let bucketClient;
+        try {
+          const locResp = await s3Client.send(new GetBucketLocationCommand3({ Bucket: name }));
+          const rawLoc = locResp.LocationConstraint || "us-east-1";
+          const bucketRegion = rawLoc === "EU" ? "eu-west-1" : rawLoc;
+          bucketClient = bucketRegion === region ? s3Client : createClient(S3Client4, bucketRegion, ctx.credentials);
+        } catch (e) {
+          const msg = e instanceof Error ? e.message : String(e);
+          warnings.push(`Bucket ${name}: could not determine region, skipping: ${msg}`);
+          continue;
+        }
         try {
-          const ver = await s3Client.send(
+          const ver = await bucketClient.send(
             new GetBucketVersioningCommand({ Bucket: name })
           );
           if (ver.Status !== "Enabled") {
@@ -2582,7 +2647,7 @@ var DisasterRecoveryScanner = class {
           warnings.push(`Bucket ${name} versioning check failed: ${msg}`);
         }
         try {
-          await s3Client.send(
+          await bucketClient.send(
             new GetBucketReplicationCommand({ Bucket: name })
           );
         } catch (e) {
@@ -3784,6 +3849,39 @@ var zhI18n = {
       action: "\u5B89\u88C5 SSM Agent \u5E76\u914D\u7F6E Patch Manager"
     }
   },
+  // HW Defense HTML Report
+  hwReportTitle: "\u62A4\u7F51\u84DD\u961F\u5B89\u5168\u8BC4\u4F30\u62A5\u544A",
+  hwAutoCheck: "\u81EA\u52A8\u5316\u68C0\u67E5",
+  hwManualCheck: "\u4EBA\u5DE5\u786E\u8BA4\u4E8B\u9879",
+  hwNoAutoCheck: "\u6B64\u9879\u65E0\u81EA\u52A8\u5316\u68C0\u67E5",
+  hwClean: "\u672A\u53D1\u73B0\u95EE\u9898",
+  hwTotalFindings: "\u53D1\u73B0\u603B\u6570",
+  hwSectionsChecked: "\u68C0\u67E5\u5206\u7C7B",
+  hwAutoVerified: "\u81EA\u52A8\u9A8C\u8BC1",
+  hwManualPending: "\u4EBA\u5DE5\u5F85\u786E\u8BA4",
+  hwManualCount: (n) => `${n} \u9879\u4EBA\u5DE5\u786E\u8BA4`,
+  hwAffectedResources: (n) => `\u67E5\u770B\u53D7\u5F71\u54CD\u8D44\u6E90 (${n})`,
+  hwRemediation: "\u4FEE\u590D\u5EFA\u8BAE",
+  hwSectionNames: {
+    attack_surface: { name: "\u653B\u51FB\u9762\u6536\u655B", icon: "\u{1F3AF}" },
+    vulnerability_patch: { name: "\u6F0F\u6D1E\u4E0E\u8865\u4E01\u7BA1\u7406", icon: "\u{1FA79}" },
+    identity_credential: { name: "\u8EAB\u4EFD\u4E0E\u51ED\u8BC1\u5B89\u5168", icon: "\u{1F511}" },
+    transport_security: { name: "\u4F20\u8F93\u4E0E\u5B9E\u4F8B\u5B89\u5168", icon: "\u{1F512}" },
+    security_services: { name: "\u5B89\u5168\u670D\u52A1\u72B6\u6001", icon: "\u{1F6E1}\uFE0F" },
+    emergency_response: { name: "\u5E94\u6025\u54CD\u5E94\u51C6\u5907", icon: "\u{1F6A8}" },
+    environment_control: { name: "\u73AF\u5883\u5904\u7F6E", icon: "\u{1F3D7}\uFE0F" },
+    post_review: { name: "\u62A4\u7F51\u540E\u4F18\u5316", icon: "\u{1F4CA}" }
+  },
+  hwManualItems: {
+    attack_surface: ["\u7ED8\u5236\u51FA\u5165\u7AD9\u8DEF\u5F84\u67B6\u6784\u56FE\uFF0C\u6807\u6CE8\u6240\u6709\u4E92\u8054\u7F51/DX\u4E13\u7EBF\u51FA\u5165\u7AD9\u8DEF\u5F84"],
+    vulnerability_patch: ["\u8054\u7CFB\u5B89\u5168\u5382\u5546\u8FDB\u884C\u6A21\u62DF\u653B\u51FB\u6F14\u7EC3\uFF08\u6E17\u900F\u6D4B\u8BD5\uFF09", "\u5173\u6CE8 AWS \u5B89\u5168\u516C\u544A\uFF08\u5DF2\u77E5\u6F0F\u6D1E\u4E0E\u8865\u4E01\uFF09"],
+    identity_credential: ["\u6240\u6709 IAM \u7528\u6237\u7ED1\u5B9A MFA", "AKSK \u8F6E\u8F6C\u5468\u671F \u2264 90 \u5929", "\u907F\u514D\u5171\u4EAB\u8D26\u6237\u4F7F\u7528", "S3/Lambda/\u5E94\u7528\u4EE3\u7801\u4E2D\u65E0\u660E\u6587\u5BC6\u7801"],
+    transport_security: ["\u786E\u8BA4\u6240\u6709\u5BF9\u5916\u670D\u52A1\u4F7F\u7528 TLS 1.2+", "\u68C0\u67E5\u5185\u90E8\u670D\u52A1\u95F4\u901A\u4FE1\u662F\u5426\u52A0\u5BC6"],
+    security_services: ["\u786E\u8BA4 Security Hub \u5DF2\u5F00\u542F\u5E76\u914D\u7F6E\u6807\u51C6", "\u786E\u8BA4 GuardDuty \u5DF2\u5728\u6240\u6709\u533A\u57DF\u5F00\u542F", "\u786E\u8BA4 CloudTrail \u591A\u533A\u57DF\u65E5\u5FD7\u8BB0\u5F55\u5DF2\u5F00\u542F", "\u786E\u8BA4 Config Rules \u5DF2\u914D\u7F6E"],
+    emergency_response: ["\u51C6\u5907\u4E13\u7528\u9694\u79BB\u5B89\u5168\u7EC4\uFF08\u65E0 Inbound/Outbound \u89C4\u5219\uFF09", "\u5236\u5B9A\u5B9E\u4F8B\u9694\u79BB SOP\uFF1A\u544A\u8B66 \u2192 \u6392\u67E5 \u2192 \u5C01\u9501\u653B\u51FBIP \u2192 \u7F51\u7EDC\u9694\u79BB \u2192 \u5B89\u5168\u5904\u7F6E \u2192 \u8BB0\u5F55\u653B\u51FB\u9879", "\u7EC4\u5EFA 7\xD724 \u76D1\u63A7\u5FEB\u901F\u54CD\u5E94\u56E2\u961F", "\u521B\u5EFA\u62A4\u7F51\u671F\u95F4\u4E13\u7528\u6C9F\u901A\u6E20\u9053\uFF08\u4F01\u5FAE/\u9489\u9489/\u98DE\u4E66/Chime\uFF09", "\u4E0E AWS TAM \u5EFA\u7ACB WAR-ROOM \u8054\u7CFB\uFF08\u4F01\u4E1A\u7EA7\u652F\u6301\u5BA2\u6237\uFF09"],
+    environment_control: ["\u975E\u6838\u5FC3\u7CFB\u7EDF\u5728\u62A4\u7F51\u671F\u95F4\u5173\u95ED", "\u6D4B\u8BD5/\u5F00\u53D1\u73AF\u5883\u5173\u95ED\u6216\u4E0E\u751F\u4EA7\u4FDD\u6301\u540C\u7B49\u5B89\u5168\u57FA\u7EBF", "\u786E\u8BA4\u54EA\u4E9B\u73AF\u5883\u53EF\u4EE5\u7D27\u6025\u5173\u505C\uFF0C\u907F\u514D\u653B\u51FB\u6269\u6563"],
+    post_review: ["\u9488\u5BF9\u653B\u51FB\u62A5\u544A\u9010\u9879\u5E94\u7B54\u4E0E\u4FEE\u590D", "\u4E0E\u5B89\u5168\u56E2\u961F\u5EFA\u7ACB\u5468\u671F\u6027\u5B89\u5168\u7EF4\u62A4\u6D41\u7A0B", "\u6301\u7EED\u8865\u5168\u5B89\u5168\u98CE\u9669"]
+  },
   // HW Checklist (full composite)
   hwChecklist: `
 \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550
@@ -4060,6 +4158,39 @@ var enI18n = {
       action: "Install SSM Agent and configure Patch Manager"
     }
   },
+  // HW Defense HTML Report
+  hwReportTitle: "HW Defense Security Assessment Report",
+  hwAutoCheck: "Automated Checks",
+  hwManualCheck: "Manual Verification Items",
+  hwNoAutoCheck: "No automated checks for this section",
+  hwClean: "No issues found",
+  hwTotalFindings: "Total Findings",
+  hwSectionsChecked: "Sections Checked",
+  hwAutoVerified: "Auto-Verified",
+  hwManualPending: "Manual Pending",
+  hwManualCount: (n) => `${n} manual item${n === 1 ? "" : "s"}`,
+  hwAffectedResources: (n) => `View affected resources (${n})`,
+  hwRemediation: "Remediation",
+  hwSectionNames: {
+    attack_surface: { name: "Attack Surface Reduction", icon: "\u{1F3AF}" },
+    vulnerability_patch: { name: "Vulnerability & Patch Management", icon: "\u{1FA79}" },
+    identity_credential: { name: "Identity & Credential Security", icon: "\u{1F511}" },
+    transport_security: { name: "Transport & Instance Security", icon: "\u{1F512}" },
+    security_services: { name: "Security Service Status", icon: "\u{1F6E1}\uFE0F" },
+    emergency_response: { name: "Emergency Response Readiness", icon: "\u{1F6A8}" },
+    environment_control: { name: "Environment Control", icon: "\u{1F3D7}\uFE0F" },
+    post_review: { name: "Post-Drill Optimization", icon: "\u{1F4CA}" }
+  },
+  hwManualItems: {
+    attack_surface: ["Draw ingress/egress path architecture diagram, mark all Internet/DX dedicated line paths"],
+    vulnerability_patch: ["Contact security vendors for simulated attack drills (penetration testing)", "Monitor AWS security advisories (known vulnerabilities and patches)"],
+    identity_credential: ["All IAM users must have MFA enabled", "Access key rotation cycle \u2264 90 days", "Avoid shared account usage", "No plaintext passwords in S3/Lambda/application code"],
+    transport_security: ["Verify all external-facing services use TLS 1.2+", "Check internal service-to-service communication encryption"],
+    security_services: ["Verify Security Hub is enabled with standards configured", "Verify GuardDuty is enabled in all regions", "Verify CloudTrail multi-region logging is enabled", "Verify Config Rules are configured"],
+    emergency_response: ["Prepare dedicated isolation security groups (no Inbound/Outbound rules)", "Establish instance isolation SOP: Alert \u2192 Investigate \u2192 Block attacker IP \u2192 Network isolation \u2192 Security response \u2192 Log attack details", "Form 7\xD724 monitoring rapid response team", "Create dedicated communication channels for the drill period (Teams/Slack/Chime)", "Establish WAR-ROOM connection with AWS TAM (Enterprise Support customers)"],
+    environment_control: ["Shut down non-critical systems during the drill period", "Shut down test/dev environments or maintain same security baseline as production", "Confirm which environments can be emergency-stopped to prevent attack propagation"],
+    post_review: ["Address and remediate each item from the attack report", "Establish periodic security maintenance processes with the security team", "Continuously fill security risk gaps"]
+  },
   // HW Checklist (full composite)
   hwChecklist: `
 \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550
@@ -8234,6 +8365,374 @@ ${naNote}
 </html>`;
 }
 
+// src/tools/hw-report.ts
+function esc2(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function safeUrl2(url) {
+  try {
+    const u = new URL(url);
+    if (u.protocol === "https:" || u.protocol === "http:") return url;
+    return null;
+  } catch {
+    return null;
+  }
+}
+function escWithLinks2(s) {
+  const parts = s.split(/(https?:\/\/\S+)/);
+  return parts.map((part, i) => {
+    if (i % 2 === 1) {
+      const safe = safeUrl2(part);
+      if (safe) {
+        return `<a href="${esc2(safe)}" style="color:#60a5fa" target="_blank" rel="noopener">${esc2(part)}</a>`;
+      }
+      return esc2(part);
+    }
+    return esc2(part);
+  }).join("");
+}
+var SEVERITY_ORDER3 = ["CRITICAL", "HIGH", "MEDIUM", "LOW"];
+var HW_SECTIONS = [
+  {
+    id: "attack_surface",
+    autoModules: ["network_reachability", "dns_dangling", "public_access_verify", "waf_coverage"],
+    shKeywords: ["network", "public", "exposure", "port", "waf", "firewall", "vpc", "securitygroup"]
+  },
+  {
+    id: "vulnerability_patch",
+    autoModules: ["patch_compliance_findings"],
+    shKeywords: ["vulnerability", "patch", "cve", "inspector", "software"]
+  },
+  {
+    id: "identity_credential",
+    autoModules: ["iam_privilege_escalation", "secret_exposure"],
+    shKeywords: ["iam", "access", "privilege", "credential", "password", "mfa", "key rotation"]
+  },
+  {
+    id: "transport_security",
+    autoModules: ["ssl_certificate", "imdsv2_enforcement"],
+    shKeywords: ["ssl", "tls", "certificate", "imds", "metadata"]
+  },
+  {
+    id: "security_services",
+    autoModules: ["service_detection"],
+    shKeywords: []
+  },
+  {
+    id: "emergency_response",
+    autoModules: [],
+    shKeywords: []
+  },
+  {
+    id: "environment_control",
+    autoModules: [],
+    shKeywords: []
+  },
+  {
+    id: "post_review",
+    autoModules: [],
+    shKeywords: []
+  }
+];
+function hwCss() {
+  return `
+    *{margin:0;padding:0;box-sizing:border-box}
+    body{background:#0f172a;color:#f8fafc;font-family:Inter,system-ui,-apple-system,sans-serif;line-height:1.6;font-size:14px}
+    .container{max-width:900px;margin:0 auto;padding:40px 24px}
+    header{text-align:center;margin-bottom:40px;border-bottom:1px solid #334155;padding-bottom:24px}
+    header h1{font-size:28px;font-weight:700;margin-bottom:8px;letter-spacing:-0.5px}
+    .meta{color:#94a3b8;font-size:13px}
+    h2{font-size:20px;font-weight:600;margin:32px 0 16px;padding-bottom:8px;border-bottom:1px solid #334155}
+    h3{font-size:16px;font-weight:600;margin:16px 0 8px}
+    h4{font-size:14px;font-weight:600;margin:12px 0 4px}
+    .summary-cards{display:flex;gap:12px;flex-wrap:wrap;margin-bottom:32px;justify-content:center}
+    .summary-card{background:#1e293b;border:1px solid #334155;border-radius:8px;padding:16px 20px;text-align:center;min-width:100px;flex:1}
+    .summary-card .stat-count{font-size:28px;font-weight:700}
+    .summary-card .stat-label{font-size:12px;color:#94a3b8;margin-top:2px}
+    .badge{display:inline-block;padding:2px 10px;border-radius:4px;font-size:11px;font-weight:700;letter-spacing:0.5px;color:#fff}
+    .badge-critical{background:#ef4444}
+    .badge-high{background:#f97316}
+    .badge-medium{background:#eab308;color:#1e293b}
+    .badge-low{background:#22c55e;color:#1e293b}
+    .hw-section{background:#1e293b;border:1px solid #334155;border-radius:8px;margin-bottom:16px;overflow:hidden}
+    .hw-section>summary{cursor:pointer;padding:16px 20px;display:flex;align-items:center;gap:12px;list-style:none;font-size:16px;font-weight:600;user-select:none;flex-wrap:wrap}
+    .hw-section>summary::-webkit-details-marker{display:none}
+    .hw-section>summary::marker{content:""}
+    .hw-section>summary::after{content:"\\25B6";font-size:12px;color:#64748b;flex-shrink:0;transition:transform 0.2s;margin-left:auto}
+    .hw-section[open]>summary::after{transform:rotate(90deg)}
+    .hw-section[open]>summary{border-bottom:1px solid #334155}
+    .hw-section-body{padding:16px 20px}
+    .hw-section-icon{font-size:20px}
+    .hw-section-title{flex:1}
+    .hw-section-stats{display:inline-flex;gap:8px;font-size:12px;flex-wrap:wrap}
+    .hw-section-stats .badge{font-size:10px;padding:1px 8px}
+    .hw-auto-section{margin-bottom:16px}
+    .hw-auto-section h4{color:#60a5fa;margin-bottom:8px}
+    .hw-manual-section h4{color:#fbbf24;margin-bottom:8px}
+    .hw-clean{color:#22c55e;font-size:14px;padding:8px 12px;background:rgba(34,197,94,0.1);border-radius:6px}
+    .hw-no-auto{color:#94a3b8;font-size:14px;padding:8px 12px;background:rgba(148,163,184,0.08);border-radius:6px}
+    .hw-manual-item{display:flex;align-items:flex-start;gap:8px;padding:6px 12px;margin-bottom:4px;font-size:14px;color:#cbd5e1;border-radius:4px;background:rgba(148,163,184,0.06)}
+    .hw-manual-checkbox{color:#fbbf24;font-size:16px;flex-shrink:0}
+    .finding-card{display:flex;align-items:center;gap:8px;padding:8px 12px;margin-bottom:4px;border-radius:6px;border-left:4px solid #334155;background:rgba(30,41,59,0.5);flex-wrap:wrap}
+    .sev-critical{border-left-color:#ef4444}
+    .sev-high{border-left-color:#f97316}
+    .sev-medium{border-left-color:#eab308}
+    .sev-low{border-left-color:#22c55e}
+    .finding-title-text{font-weight:600;font-size:13px;flex:1;min-width:200px}
+    .finding-resource{color:#94a3b8;font-size:12px;max-width:300px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}
+    .finding-card>details{width:100%;margin-top:4px}
+    .finding-card>details>summary{cursor:pointer;font-size:12px;color:#60a5fa;user-select:none}
+    .finding-card-body{padding:8px 0}
+    .finding-card-body p{color:#cbd5e1;font-size:13px;margin-bottom:4px}
+    .finding-card-body ol{padding-left:20px}
+    .finding-card-body li{color:#cbd5e1;font-size:13px;margin-bottom:2px}
+    .hw-finding-group{background:#1e293b;border:1px solid #334155;border-radius:8px;padding:12px 16px;margin-bottom:8px}
+    .hw-finding-header{display:flex;align-items:center;gap:8px}
+    .hw-finding-title{color:#e2e8f0;font-size:14px;flex:1}
+    .hw-finding-count{color:#94a3b8;font-size:13px;font-weight:600;background:#334155;padding:2px 8px;border-radius:4px}
+    .hw-finding-resources{padding:8px 0}
+    .hw-resource-item{font-size:12px;color:#94a3b8;padding:2px 0;font-family:monospace}
+    .hw-finding-remediation{border-top:1px solid #334155;margin-top:8px;padding-top:8px}
+    .hw-finding-remediation ol{margin:4px 0;padding-left:20px;font-size:13px;color:#cbd5e1}
+    footer{margin-top:48px;padding-top:24px;border-top:1px solid #334155;text-align:center}
+    footer p{color:#64748b;font-size:12px;margin-bottom:4px}
+    @media print{
+      body{background:#fff;color:#1e293b;-webkit-print-color-adjust:exact;print-color-adjust:exact}
+      .container{max-width:100%;padding:20px}
+      .hw-section,.summary-card,.finding-card{background:#fff;border:1px solid #e2e8f0}
+      .badge{border:1px solid}
+      header{border-bottom-color:#e2e8f0}
+      h2{border-bottom-color:#e2e8f0}
+      footer{border-top-color:#e2e8f0}
+      .summary-card .stat-label{color:#64748b}
+      .finding-title-text{color:#1e293b}
+      .finding-resource{color:#64748b}
+      .finding-card-body p,.finding-card-body li{color:#475569}
+      .hw-section[open]>summary{border-bottom-color:#e2e8f0}
+      .hw-manual-item{color:#475569}
+      details{display:block}
+      details>summary{display:block}
+      details>:not(summary){display:block !important}
+    }
+  `;
+}
+function generateHwDefenseHtmlReport(scanResults, lang) {
+  const t = getI18n(lang ?? "zh");
+  const htmlLang = (lang ?? "zh") === "zh" ? "zh-CN" : "en";
+  const { accountId, region, scanStart } = scanResults;
+  const date = scanStart.split("T")[0];
+  const scanTime = scanStart.replace("T", " ").replace(/\.\d+Z$/, " UTC");
+  const moduleMap = /* @__PURE__ */ new Map();
+  for (const mod of scanResults.modules) {
+    const findings = mod.findings.map((f) => ({ ...f, module: f.module ?? mod.module }));
+    moduleMap.set(mod.module, findings);
+  }
+  const assignedShFindings = /* @__PURE__ */ new Set();
+  function shFindingKey(f) {
+    return `${f.title}|${f.resourceId}|${f.resourceArn}`;
+  }
+  const sectionResults = [];
+  for (const section of HW_SECTIONS) {
+    const findings = [];
+    for (const mod of section.autoModules) {
+      if (mod === "security_hub_findings") continue;
+      const modFindings = moduleMap.get(mod) ?? [];
+      findings.push(...modFindings);
+    }
+    if (section.shKeywords.length > 0) {
+      const shFindings = moduleMap.get("security_hub_findings") ?? [];
+      for (const f of shFindings) {
+        const key = shFindingKey(f);
+        if (assignedShFindings.has(key)) continue;
+        const searchText = `${f.title} ${f.description} ${f.impact}`.toLowerCase();
+        if (section.shKeywords.some((kw) => searchText.includes(kw))) {
+          findings.push(f);
+          assignedShFindings.add(key);
+        }
+      }
+    }
+    const hasAutoModules = section.autoModules.length > 0 || section.shKeywords.length > 0;
+    const hasAutoResults = hasAutoModules && (section.autoModules.some((m) => moduleMap.has(m)) || section.shKeywords.length > 0 && moduleMap.has("security_hub_findings"));
+    const manualItems = t.hwManualItems[section.id] ?? [];
+    sectionResults.push({
+      id: section.id,
+      findings,
+      manualItems,
+      hasAutoModules,
+      hasAutoResults
+    });
+  }
+  const totalFindings = sectionResults.reduce((sum, s) => sum + s.findings.length, 0);
+  const sectionsChecked = sectionResults.filter((s) => s.hasAutoResults || s.manualItems.length > 0).length;
+  const autoVerified = sectionResults.filter((s) => s.hasAutoResults).length;
+  const totalManualItems = sectionResults.reduce((sum, s) => sum + s.manualItems.length, 0);
+  function groupFindings(findings) {
+    const groups = /* @__PURE__ */ new Map();
+    const groupTitles = /* @__PURE__ */ new Map();
+    for (const f of findings) {
+      const cveMatch = f.title.match(/CVE-\d{4}-\d+/i);
+      if (cveMatch) {
+        const key2 = `cve:${cveMatch[0].toUpperCase()}`;
+        if (!groups.has(key2)) {
+          groups.set(key2, []);
+          groupTitles.set(key2, f.title);
+        }
+        groups.get(key2).push(f);
+        continue;
+      }
+      const controlMatch = f.title.match(/[A-Z]+\.\d+/);
+      if (controlMatch) {
+        const key2 = `ctrl:${controlMatch[0]}`;
+        if (!groups.has(key2)) {
+          groups.set(key2, []);
+          groupTitles.set(key2, f.title);
+        }
+        groups.get(key2).push(f);
+        continue;
+      }
+      const key = `title:${f.title}`;
+      if (!groups.has(key)) {
+        groups.set(key, []);
+        groupTitles.set(key, f.title);
+      }
+      groups.get(key).push(f);
+    }
+    const result = [];
+    for (const [key, gFindings] of groups) {
+      let highestSeverity = "LOW";
+      for (const f of gFindings) {
+        if (SEVERITY_ORDER3.indexOf(f.severity) < SEVERITY_ORDER3.indexOf(highestSeverity)) {
+          highestSeverity = f.severity;
+        }
+      }
+      result.push({ title: groupTitles.get(key), findings: gFindings, highestSeverity });
+    }
+    return result;
+  }
+  const renderGroup = (group) => {
+    const sev = group.highestSeverity.toLowerCase();
+    const count = group.findings.length;
+    const first = group.findings[0];
+    const resourceItems = group.findings.map((f) => `<div class="hw-resource-item">${esc2(f.resourceId)} &mdash; ${esc2(f.resourceArn)}</div>`).join("\n");
+    const remediationSteps = first.remediationSteps.map((s) => `<li>${escWithLinks2(s)}</li>`).join("");
+    return `<div class="hw-finding-group">
+  <div class="hw-finding-header">
+    <span class="badge badge-${esc2(sev)}">${esc2(group.highestSeverity)}</span>
+    <span class="hw-finding-title">${esc2(group.title)}</span>
+    <span class="hw-finding-count">&times;${count}</span>
+  </div>
+  <details>
+    <summary>${t.hwAffectedResources(count)}</summary>
+    <div class="hw-finding-resources">
+      ${resourceItems}
+    </div>
+    <div class="hw-finding-remediation">
+      <strong>${esc2(t.hwRemediation)}:</strong>
+      <ol>${remediationSteps}</ol>
+    </div>
+  </details>
+</div>`;
+  };
+  const sectionsHtml = sectionResults.map((section) => {
+    const meta = t.hwSectionNames[section.id];
+    if (!meta) return "";
+    const sectionName = meta.name;
+    const sectionIcon = meta.icon ?? "";
+    const statBadges = [];
+    if (section.findings.length > 0) {
+      const sevCounts = {};
+      for (const f of section.findings) {
+        sevCounts[f.severity] = (sevCounts[f.severity] ?? 0) + 1;
+      }
+      for (const sev of SEVERITY_ORDER3) {
+        if (sevCounts[sev]) {
+          statBadges.push(
+            `<span class="badge badge-${sev.toLowerCase()}">${sevCounts[sev]} ${sev}</span>`
+          );
+        }
+      }
+    } else if (section.hasAutoResults) {
+      statBadges.push(`<span style="color:#22c55e;font-size:12px">&#10003; ${esc2(t.hwClean)}</span>`);
+    }
+    if (section.manualItems.length > 0) {
+      statBadges.push(`<span style="color:#fbbf24;font-size:12px">&#9744; ${esc2(t.hwManualCount(section.manualItems.length))}</span>`);
+    }
+    let autoHtml;
+    if (!section.hasAutoModules) {
+      autoHtml = `<div class="hw-no-auto">&#9898; ${esc2(t.hwNoAutoCheck)}</div>`;
+    } else if (!section.hasAutoResults) {
+      autoHtml = `<div class="hw-no-auto">&#9898; ${esc2(t.hwNoAutoCheck)}</div>`;
+    } else if (section.findings.length === 0) {
+      autoHtml = `<div class="hw-clean">&#10004; ${esc2(t.hwClean)}</div>`;
+    } else {
+      const sorted = [...section.findings].sort((a, b) => {
+        const sevDiff = SEVERITY_ORDER3.indexOf(a.severity) - SEVERITY_ORDER3.indexOf(b.severity);
+        if (sevDiff !== 0) return sevDiff;
+        return b.riskScore - a.riskScore;
+      });
+      const groups = groupFindings(sorted);
+      autoHtml = groups.map(renderGroup).join("\n");
+    }
+    let manualHtml = "";
+    if (section.manualItems.length > 0) {
+      const items = section.manualItems.map((item) => `<div class="hw-manual-item"><span class="hw-manual-checkbox">&#9633;</span>${esc2(item)}</div>`).join("\n");
+      manualHtml = `
+        <div class="hw-manual-section">
+          <h4>&#128203; ${esc2(t.hwManualCheck)}</h4>
+          ${items}
+        </div>`;
+    }
+    return `<details class="hw-section">
+  <summary>
+    <span class="hw-section-icon">${esc2(sectionIcon)}</span>
+    <span class="hw-section-title">${esc2(sectionName)}</span>
+    <span class="hw-section-stats">${statBadges.join(" ")}</span>
+  </summary>
+  <div class="hw-section-body">
+    <div class="hw-auto-section">
+      <h4>&#129302; ${esc2(t.hwAutoCheck)}</h4>
+      ${autoHtml}
+    </div>
+    ${manualHtml}
+  </div>
+</details>`;
+  }).filter(Boolean).join("\n");
+  const findingsColor = totalFindings === 0 ? "#22c55e" : totalFindings <= 5 ? "#eab308" : "#ef4444";
+  return `<!DOCTYPE html>
+<html lang="${htmlLang}">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>${esc2(t.hwReportTitle)} &mdash; ${esc2(date)}</title>
+<style>${hwCss()}</style>
+</head>
+<body>
+<div class="container">
+
+<header>
+  <h1>&#128737;&#65039; ${esc2(t.hwReportTitle)}</h1>
+  <div class="meta">${esc2(t.account)}: ${esc2(accountId)} | ${esc2(t.region)}: ${esc2(region)} | ${esc2(t.scanTime)}: ${esc2(scanTime)}</div>
+</header>
+
+<section class="summary-cards">
+  <div class="summary-card"><div class="stat-count" style="color:${findingsColor}">${totalFindings}</div><div class="stat-label">${esc2(t.hwTotalFindings)}</div></div>
+  <div class="summary-card"><div class="stat-count" style="color:#60a5fa">${sectionsChecked}</div><div class="stat-label">${esc2(t.hwSectionsChecked)}</div></div>
+  <div class="summary-card"><div class="stat-count" style="color:#22c55e">${autoVerified}</div><div class="stat-label">${esc2(t.hwAutoVerified)}</div></div>
+  <div class="summary-card"><div class="stat-count" style="color:#fbbf24">${totalManualItems}</div><div class="stat-label">${esc2(t.hwManualPending)}</div></div>
+</section>
+
+${sectionsHtml}
+
+<footer>
+  <p>${esc2(t.generatedBy)} v${VERSION}</p>
+
+</footer>
+
+</div>
+</body>
+</html>`;
+}
+
 // src/tools/save-results.ts
 import { writeFileSync, readFileSync, mkdirSync, existsSync } from "fs";
 import { join } from "path";
@@ -8304,7 +8803,7 @@ function saveResults(scanResults, outputDir) {
 }
 
 // src/tools/scan-groups.ts
-var SEVERITY_ORDER3 = {
+var SEVERITY_ORDER4 = {
   LOW: 0,
   MEDIUM: 1,
   HIGH: 2,
@@ -8313,8 +8812,8 @@ var SEVERITY_ORDER3 = {
 function applyFindingsFilter(moduleName, findings, filter) {
   let result = findings;
   if (filter.minSeverity) {
-    const minLevel = SEVERITY_ORDER3[filter.minSeverity.toUpperCase()] ?? 0;
-    result = result.filter((f) => (SEVERITY_ORDER3[f.severity] ?? 0) >= minLevel);
+    const minLevel = SEVERITY_ORDER4[filter.minSeverity.toUpperCase()] ?? 0;
+    result = result.filter((f) => (SEVERITY_ORDER4[f.severity] ?? 0) >= minLevel);
   }
   if (moduleName === "security_hub_findings" && filter.securityHubCategories?.length) {
     const keywords = filter.securityHubCategories;
@@ -8348,10 +8847,10 @@ var SCAN_GROUPS = {
   },
   hw_defense: {
     name: "\u62A4\u7F51\u84DD\u961F\u52A0\u56FA",
-    description: "\u62A4\u7F51\u524D\u5B89\u5168\u81EA\u67E5 \u2014 \u653B\u51FB\u9762+\u5F31\u70B9\u8BC4\u4F30",
-    modules: ["service_detection", "secret_exposure", "network_reachability", "dns_dangling", "ssl_certificate", "iam_privilege_escalation", "security_hub_findings", "guardduty_findings", "inspector_findings", "config_rules_findings", "access_analyzer_findings", "patch_compliance_findings", "imdsv2_enforcement", "waf_coverage"],
+    description: "\u62A4\u7F51\u524D\u5B89\u5168\u81EA\u67E5 \u2014 \u653B\u51FB\u8005\u89C6\u89D2\u7684\u653B\u51FB\u9762+\u5F31\u70B9\u8BC4\u4F30",
+    modules: ["service_detection", "network_reachability", "dns_dangling", "public_access_verify", "ssl_certificate", "waf_coverage", "imdsv2_enforcement", "secret_exposure", "iam_privilege_escalation", "patch_compliance_findings", "security_hub_findings"],
     findingsFilter: {
-      guardDutyTypes: ["Backdoor", "Trojan", "PenTest", "CryptoCurrency"],
+      securityHubCategories: ["network", "public", "exposure", "port", "WAF", "vulnerability", "patch", "IAM", "iam", "access", "privilege", "secret", "credential", "password", "IMDS", "firewall", "VPC", "vpc", "SecurityGroup", "securitygroup", "CVE", "cve", "Inspector", "inspector", "software", "MFA", "mfa", "key rotation", "SSL", "ssl", "TLS", "tls", "certificate", "metadata", "CloudTrail", "cloudtrail", "logging", "audit", "encryption"],
       minSeverity: "MEDIUM"
     }
   },
@@ -8873,6 +9372,7 @@ function createServer(defaultRegion) {
           const summaryContent = content[0];
           if (summaryContent && summaryContent.type === "text") {
             summaryContent.text += "\n\n" + getHwDefenseChecklist(lang ?? "zh");
+            summaryContent.text += "\n\n\u{1F4A1} Tip: Call generate_hw_defense_report with these scan results to get a dedicated HTML report organized by HW Defense SOP checklist categories.";
           }
         }
         return { content };
@@ -8971,6 +9471,23 @@ function createServer(defaultRegion) {
       }
     }
   );
+  server.tool(
+    "generate_hw_defense_report",
+    "Generate an HTML report organized by HW Defense (\u62A4\u7F51) SOP checklist categories. Save as .html file.",
+    {
+      scan_results: z.string().describe("JSON string of FullScanResult from scan_group hw_defense or scan_all"),
+      lang: z.enum(["zh", "en"]).optional().describe("Report language (default: zh)")
+    },
+    async ({ scan_results, lang }) => {
+      try {
+        const parsed = JSON.parse(scan_results);
+        const report = generateHwDefenseHtmlReport(parsed, lang ?? "zh");
+        return { content: [{ type: "text", text: report }] };
+      } catch (err) {
+        return { content: [{ type: "text", text: `Error: ${err instanceof Error ? err.message : String(err)}` }], isError: true };
+      }
+    }
+  );
   server.tool(
     "generate_maturity_report",
     "Generate a security maturity assessment report from scan_all results. Requires service_detection module output. Read-only.",
@@ -9267,6 +9784,7 @@ export {
   calculateScore,
   createServer,
   generateHtmlReport,
+  generateHwDefenseHtmlReport,
   generateMarkdownReport,
   generateMlps3HtmlReport,
   getCurrentAccountId,