aws-security-mcp 0.7.5 → 0.7.6

package/dist/src/index.d.ts

@@ -49,6 +49,8 @@ interface FullScanResult {
     region: string;
     accountId: string;
     modules: ScanResult[];
+    /** Optional pre-generated AI executive summary (client AI supplies; server never calls an LLM). */
+    aiSummary?: string;
     summary: {
         totalFindings: number;
         critical: number;
@@ -81,6 +83,8 @@ interface DashboardData {
             status: string;
         }>;
         findings: Finding[];
+        /** Optional pre-generated AI executive summary. */
+        aiSummary?: string;
     };
     history: DashboardHistoryEntry[];
     meta: {
@@ -124,15 +128,25 @@ declare function listOrgAccounts(region: string): Promise<OrgAccount[]>;
 
 declare function generateMarkdownReport(scanResults: FullScanResult, lang?: Lang): string;
 
+declare function generateMlps3Report(scanResults: FullScanResult, lang?: Lang): string;
+
 declare function generateHtmlReport(scanResults: FullScanResult, history?: DashboardHistoryEntry[], lang?: Lang): string;
 declare function generateMlps3HtmlReport(scanResults: FullScanResult, history?: DashboardHistoryEntry[], lang?: Lang): string;
 
 declare function generateHwDefenseHtmlReport(scanResults: FullScanResult, lang?: Lang): string;
 
+type ReportType = "dashboard" | "html" | "hw_defense" | "mlps3";
+/**
+ * Build a ready-to-run prompt for the calling client AI to produce a
+ * report-type-tailored AI summary. The server never calls an LLM itself —
+ * it only assembles this prompt + a grounded findings digest.
+ */
+declare function buildAiSummaryPrompt(type: ReportType, scan: FullScanResult, lang: Lang): string;
+
 declare function calculateScore(summary: FullScanResult["summary"]): number;
 declare function saveResults(scanResults: FullScanResult, outputDir?: string): string;
 
 declare function createServer(defaultRegion: string): McpServer;
 declare function startServer(defaultRegion: string): Promise<void>;
 
-export { type DashboardData, type DashboardHistoryEntry, type Finding, type FullScanResult, type Lang, type OrgAccount, type Priority, type ScanContext, type ScanResult, type Scanner, type Severity, assumeRole, buildRoleArn, calculateScore, createServer, generateHtmlReport, generateHwDefenseHtmlReport, generateMarkdownReport, generateMlps3HtmlReport, getCurrentAccountId, listOrgAccounts, runAllScanners, runMultiAccountScanners, saveResults, startServer };
+export { type DashboardData, type DashboardHistoryEntry, type Finding, type FullScanResult, type Lang, type OrgAccount, type Priority, type ReportType, type ScanContext, type ScanResult, type Scanner, type Severity, assumeRole, buildAiSummaryPrompt, buildRoleArn, calculateScore, createServer, generateHtmlReport, generateHwDefenseHtmlReport, generateMarkdownReport, generateMlps3HtmlReport, generateMlps3Report, getCurrentAccountId, listOrgAccounts, runAllScanners, runMultiAccountScanners, saveResults, startServer };

package/dist/src/index.js

@@ -4,7 +4,7 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 import { z } from "zod";
 
 // src/version.ts
-var VERSION = "0.7.5";
+var VERSION = "0.7.6";
 
 // src/utils/aws-client.ts
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
@@ -84,8 +84,7 @@ async function listOrgAccounts(region) {
   return accounts;
 }
 
-// src/scanners/runner.ts
-var DEFAULT_CONCURRENCY = 5;
+// src/utils/concurrency.ts
 async function runWithConcurrency(tasks, limit) {
   const results = [];
   const executing = /* @__PURE__ */ new Set();
@@ -104,6 +103,9 @@ async function runWithConcurrency(tasks, limit) {
   await Promise.all(executing);
   return results;
 }
+
+// src/scanners/runner.ts
+var DEFAULT_CONCURRENCY = 5;
 var AGGREGATION_MODULES = /* @__PURE__ */ new Set([
   "security_hub_findings",
   "guardduty_findings",
@@ -674,24 +676,6 @@ import {
   DescribeInstanceAttributeCommand
 } from "@aws-sdk/client-ec2";
 var USERDATA_CONCURRENCY = 5;
-async function runWithConcurrency2(tasks, limit) {
-  const results = [];
-  const executing = /* @__PURE__ */ new Set();
-  for (let i = 0; i < tasks.length; i++) {
-    const idx = i;
-    const p = tasks[idx]().then((value) => {
-      results[idx] = { status: "fulfilled", value };
-    }).catch((reason) => {
-      results[idx] = { status: "rejected", reason };
-    }).finally(() => {
-      executing.delete(p);
-    });
-    executing.add(p);
-    if (executing.size >= limit) await Promise.race(executing);
-  }
-  await Promise.all(executing);
-  return results;
-}
 var SECRET_PATTERNS = [
   { name: "AWS Access Key", pattern: /AKIA[0-9A-Z]{16}/, matchType: "value" },
   { name: "Private Key", pattern: /-----BEGIN.*PRIVATE KEY-----/, matchType: "value" },
@@ -802,7 +786,7 @@ var SecretExposureScanner = class {
           const raw = attrResp.UserData?.Value;
           return { instId, userData: raw ? Buffer.from(raw, "base64").toString("utf-8") : void 0 };
         });
-        const settled = await runWithConcurrency2(userDataTasks, USERDATA_CONCURRENCY);
+        const settled = await runWithConcurrency(userDataTasks, USERDATA_CONCURRENCY);
         for (let i = 0; i < instances.length; i++) {
           const result = settled[i];
           const inst = instances[i];
@@ -1782,7 +1766,8 @@ async function getBucketRegion(client, bucketName, defaultRegion, warnings) {
     const resp = await client.send(
       new GetBucketLocationCommand({ Bucket: bucketName })
     );
-    const loc = String(resp.LocationConstraint ?? "") || "us-east-1";
+    const rawLoc = String(resp.LocationConstraint ?? "") || "us-east-1";
+    const loc = rawLoc === "EU" ? "eu-west-1" : rawLoc;
     return loc;
   } catch (e) {
     const msg = e instanceof Error ? e.message : String(e);
@@ -3738,6 +3723,7 @@ var zhI18n = {
   // Extended — MLPS extras
   // Markdown report
   executiveSummary: "\u6267\u884C\u6458\u8981",
+  aiSummaryTitle: "AI \u5B89\u5168\u6001\u52BF\u603B\u7ED3",
   totalFindingsLabel: "\u53D1\u73B0\u603B\u6570",
   description: "\u63CF\u8FF0",
   priority: "\u4F18\u5148\u7EA7",
@@ -4047,6 +4033,7 @@ var enI18n = {
   // Extended \u2014 MLPS extras
   // Markdown report
   executiveSummary: "Executive Summary",
+  aiSummaryTitle: "AI Security Summary",
   totalFindingsLabel: "Total Findings",
   description: "Description",
   priority: "Priority",
@@ -4308,6 +4295,14 @@ function generateMarkdownReport(scanResults, lang) {
     `- **${t.totalFindingsLabel}:** ${summary.totalFindings} (${SEVERITY_ICON.CRITICAL} ${summary.critical} ${t.critical} | ${SEVERITY_ICON.HIGH} ${summary.high} ${t.high} | ${SEVERITY_ICON.MEDIUM} ${summary.medium} ${t.medium} | ${SEVERITY_ICON.LOW} ${summary.low} ${t.low})`
   );
   lines.push("");
+  if (scanResults.aiSummary && scanResults.aiSummary.trim()) {
+    lines.push(`> \u2728 **${t.aiSummaryTitle}**`);
+    lines.push(">");
+    for (const ln of scanResults.aiSummary.trim().split(/\r?\n/)) {
+      lines.push(`> ${ln}`);
+    }
+    lines.push("");
+  }
   if (summary.totalFindings === 0) {
     lines.push(`## ${t.findingsBySeverity}`);
     lines.push("");
@@ -7085,6 +7080,14 @@ function generateMlps3Report(scanResults, lang) {
   lines.push(`## ${t.accountInfo}`);
   lines.push(`- ${t.account}: ${accountId} | ${t.region}: ${region} | ${t.scanTime}: ${scanTime}`);
   lines.push("");
+  if (scanResults.aiSummary && scanResults.aiSummary.trim()) {
+    lines.push(`> \u2728 **${t.aiSummaryTitle}**`);
+    lines.push(">");
+    for (const ln of scanResults.aiSummary.trim().split(/\r?\n/)) {
+      lines.push(`> ${ln}`);
+    }
+    lines.push("");
+  }
   lines.push(`## ${t.preCheckOverview}`);
   lines.push(`- ${t.checkedCount(checkedTotal, autoClean, autoIssues)}`);
   if (autoUnknown > 0) {
@@ -7187,6 +7190,14 @@ function escWithLinks(s) {
     return esc(part);
   }).join("");
 }
+function aiSummaryBlock(summary, title) {
+  const text = (summary ?? "").trim();
+  if (!text) return "";
+  return `<div class="ai-summary">
+  <div class="ai-summary-title">\u2728 ${esc(title)}</div>
+  <div class="ai-summary-body">${esc(text)}</div>
+</div>`;
+}
 function calcScore(summary) {
   const raw = 100 - summary.critical * 15 - summary.high * 5 - summary.medium * 2 - summary.low * 0.5;
   return Math.max(0, Math.min(100, Math.round(raw)));
@@ -7431,7 +7442,13 @@ function sharedCss() {
       details{display:block}
       details>summary{display:block}
       details>:not(summary){display:block !important}
+      .ai-summary{background:#f5f3ff !important;border-color:#c7d2fe !important}
+      .ai-summary-title{color:#4338ca !important}
+      .ai-summary-body{color:#1e293b !important}
     }
+    .ai-summary{background:linear-gradient(135deg,#1e293b,#1e1b4b);border:1px solid #4338ca;border-radius:10px;padding:16px 20px;margin:0 0 28px}
+    .ai-summary-title{font-size:14px;font-weight:700;color:#a5b4fc;margin-bottom:8px}
+    .ai-summary-body{font-size:14px;line-height:1.7;color:#cbd5e1;white-space:pre-wrap}
   `;
 }
 function donutChart(summary) {
@@ -7983,6 +8000,8 @@ ${remaining.map(renderRec).join("\n")}
   <div class="meta">${esc(t.account)}: ${esc(accountId)} | ${esc(t.region)}: ${esc(region)} | ${esc(date)} | ${esc(t.duration)}: ${esc(duration)}</div>
 </header>
 
+${aiSummaryBlock(scanResults.aiSummary, t.aiSummaryTitle)}
+
 <section class="summary">
   <div class="score-card">
     <div class="score-value" style="color:${scoreColor(score)}">${score}</div>
@@ -8330,6 +8349,8 @@ ${mlpsRemaining.map(renderMlpsRec).join("\n")}
   <div class="meta">${esc(t.account)}: ${esc(accountId)} | ${esc(t.region)}: ${esc(region)} | ${esc(t.scanTime)}: ${esc(scanTime)}</div>
 </header>
 
+${aiSummaryBlock(scanResults.aiSummary, t.aiSummaryTitle)}
+
 <section class="summary" style="display:block;text-align:center">
   <div style="font-size:36px;font-weight:700;margin-bottom:12px">
     <span style="color:#22c55e">${autoClean}</span> <span style="color:#94a3b8;font-size:18px">${esc(t.noIssues)}</span>
@@ -8378,6 +8399,14 @@ function safeUrl2(url) {
     return null;
   }
 }
+function aiSummaryBlock2(summary, title) {
+  const text = (summary ?? "").trim();
+  if (!text) return "";
+  return `<div class="ai-summary">
+  <div class="ai-summary-title">\u2728 ${esc2(title)}</div>
+  <div class="ai-summary-body">${esc2(text)}</div>
+</div>`;
+}
 function escWithLinks2(s) {
   const parts = s.split(/(https?:\/\/\S+)/);
   return parts.map((part, i) => {
@@ -8513,7 +8542,13 @@ function hwCss() {
       details{display:block}
       details>summary{display:block}
       details>:not(summary){display:block !important}
+      .ai-summary{background:#f5f3ff !important;border-color:#c7d2fe !important}
+      .ai-summary-title{color:#4338ca !important}
+      .ai-summary-body{color:#1e293b !important}
     }
+    .ai-summary{background:linear-gradient(135deg,#1e293b,#1e1b4b);border:1px solid #4338ca;border-radius:10px;padding:16px 20px;margin:0 0 28px}
+    .ai-summary-title{font-size:14px;font-weight:700;color:#a5b4fc;margin-bottom:8px}
+    .ai-summary-body{font-size:14px;line-height:1.7;color:#cbd5e1;white-space:pre-wrap}
   `;
 }
 function generateHwDefenseHtmlReport(scanResults, lang) {
@@ -8714,6 +8749,8 @@ function generateHwDefenseHtmlReport(scanResults, lang) {
   <div class="meta">${esc2(t.account)}: ${esc2(accountId)} | ${esc2(t.region)}: ${esc2(region)} | ${esc2(t.scanTime)}: ${esc2(scanTime)}</div>
 </header>
 
+${aiSummaryBlock2(scanResults.aiSummary, t.aiSummaryTitle)}
+
 <section class="summary-cards">
   <div class="summary-card"><div class="stat-count" style="color:${findingsColor}">${totalFindings}</div><div class="stat-label">${esc2(t.hwTotalFindings)}</div></div>
   <div class="summary-card"><div class="stat-count" style="color:#60a5fa">${sectionsChecked}</div><div class="stat-label">${esc2(t.hwSectionsChecked)}</div></div>
@@ -8733,6 +8770,137 @@ ${sectionsHtml}
 </html>`;
 }
 
+// src/tools/ai-summary-prompt.ts
+function buildFindingsDigest(scan, lang, topN = 12) {
+  const zh = lang === "zh";
+  const all = scan.modules.flatMap(
+    (m) => m.findings.map((f) => ({ ...f, module: f.module ?? m.module }))
+  );
+  const s = scan.summary;
+  const byModule = [...scan.modules].filter((m) => m.findingsCount > 0).sort((a, b) => b.findingsCount - a.findingsCount).slice(0, 19).map((m) => `${m.module}=${m.findingsCount}`).join(", ");
+  const top = [...all].sort((a, b) => b.riskScore - a.riskScore).slice(0, topN);
+  const topLines = top.map(
+    (f, i) => `${i + 1}. [${f.severity}/${f.priority}] ${f.title} \u2014 ${f.resourceType} ${f.resourceId} (${f.region}) risk=${f.riskScore}`
+  ).join("\n");
+  const head = zh ? `\u8D26\u53F7: ${scan.accountId} | \u533A\u57DF: ${scan.region}
+\u98CE\u9669\u603B\u6570: ${s.totalFindings} (CRITICAL ${s.critical} / HIGH ${s.high} / MEDIUM ${s.medium} / LOW ${s.low})
+\u6A21\u5757\u5206\u5E03: ${byModule || "\u65E0"}
+
+\u9AD8\u98CE\u9669 Top ${top.length}:
+${topLines || "\u65E0"}` : `Account: ${scan.accountId} | Region: ${scan.region}
+Total findings: ${s.totalFindings} (CRITICAL ${s.critical} / HIGH ${s.high} / MEDIUM ${s.medium} / LOW ${s.low})
+Module breakdown: ${byModule || "none"}
+
+Top ${top.length} by risk:
+${topLines || "none"}`;
+  return head;
+}
+function getProfile(type, lang) {
+  const zh = lang === "zh";
+  switch (type) {
+    case "dashboard":
+      return zh ? {
+        persona: "\u4F60\u5728\u4E3A\u5B89\u5168\u8FD0\u8425\u4EEA\u8868\u76D8\u5199\u4E00\u6BB5\u9AD8\u7BA1\u901F\u89C8\u3002\u8BFB\u8005\u662F CISO / \u7BA1\u7406\u5C42\uFF0C\u65F6\u95F4\u5F88\u5C11\u3002",
+        focus: "\u6574\u4F53\u5B89\u5168\u6001\u52BF\u4E00\u53E5\u8BDD\u5B9A\u8C03 + \u5B89\u5168\u8BC4\u5206\u89E3\u8BFB + \u6B64\u523B\u6700\u8BE5\u5173\u6CE8\u7684 3 \u4EF6\u4E8B\uFF08\u6309\u4E1A\u52A1\u5F71\u54CD\u6392\u5E8F\uFF09\u3002\u4E0D\u8981\u7F57\u5217\u6240\u6709 finding\u3002",
+        format: "3-5 \u53E5\u8BDD\uFF0C\u5F00\u5934\u4E00\u53E5\u7ED3\u8BBA\u5148\u884C\u3002\u4E2D\u6587\u3002\u4E0D\u7528 Markdown \u6807\u9898\uFF0C\u53EF\u7528\u7B80\u77ED\u5206\u53F7\u6216\u6362\u884C\u3002\u8BED\u6C14\u4E13\u4E1A\u3001\u514B\u5236\u3001\u53EF\u6267\u884C\u3002"
+      } : {
+        persona: "You are writing an executive at-a-glance summary for a security operations dashboard. Readers are CISO/leadership with little time.",
+        focus: "One-line overall posture verdict + interpretation of the security score + the top 3 things to focus on right now (ordered by business impact). Do NOT list every finding.",
+        format: "3-5 sentences, conclusion first. English. No Markdown headings; short line breaks ok. Professional, restrained, actionable tone."
+      };
+    case "html":
+      return zh ? {
+        persona: "\u4F60\u5728\u4E3A\u4E00\u4EFD\u5B8C\u6574\u7684 AWS \u5B89\u5168\u626B\u63CF\u62A5\u544A\u5199\u6267\u884C\u6458\u8981\u3002\u8BFB\u8005\u65E2\u6709\u7BA1\u7406\u5C42\u4E5F\u6709\u6280\u672F\u8D1F\u8D23\u4EBA\u3002",
+        focus: "\u6574\u4F53\u98CE\u9669\u5168\u666F + Top \u98CE\u9669\u7684\u5171\u6027\u6839\u56E0\uFF08\u5982\u516C\u7F51\u66B4\u9732\u9762\u3001IAM \u8FC7\u6743\u3001\u52A0\u5BC6/\u65E5\u5FD7\u7F3A\u5931\u7B49\uFF09+ \u5206\u4F18\u5148\u7EA7(P0\u2192P2)\u7684\u4FEE\u590D\u8DEF\u7EBF\u5EFA\u8BAE\u3002\u70B9\u51FA\u7CFB\u7EDF\u6027\u95EE\u9898\u800C\u975E\u9010\u6761\u590D\u8FF0\u3002",
+        format: "1 \u6BB5\u6982\u8FF0 + 3-5 \u6761\u8981\u70B9\u3002\u4E2D\u6587\u3002\u53EF\u7528\u8981\u70B9\u5217\u8868\u3002\u6280\u672F\u4E0E\u7BA1\u7406\u53CC\u89C6\u89D2\uFF0C\u7ED9\u51FA\u53EF\u843D\u5730\u7684\u4E0B\u4E00\u6B65\u3002"
+      } : {
+        persona: "You are writing the executive summary for a full AWS security scan report. Readers include both management and technical leads.",
+        focus: "Overall risk landscape + common root causes behind the top risks (public exposure, over-privileged IAM, missing encryption/logging, etc.) + a prioritized (P0\u2192P2) remediation roadmap. Surface systemic issues rather than restating each finding.",
+        format: "1 overview paragraph + 3-5 bullet points. English. Bullet list ok. Both technical and management lens, with concrete next steps."
+      };
+    case "hw_defense":
+      return zh ? {
+        persona: "\u4F60\u662F\u62A4\u7F51\u884C\u52A8(\u7F51\u7EDC\u5B89\u5168\u653B\u9632\u6F14\u7EC3)\u7684\u84DD\u961F\u6307\u6325\u3002\u8FD9\u662F\u4E00\u4EFD\u62A4\u7F51\u5907\u6218\u8BC4\u4F30\u62A5\u544A\u3002\u6CE8\u610F\uFF1AHW=\u62A4\u7F51\uFF0C\u4E0E\u534E\u4E3A\u65E0\u5173\u3002",
+        focus: "\u4ECE\u653B\u51FB\u8005\u89C6\u89D2\u4E32\u8054 findings \u6210\u653B\u51FB\u94FE(kill-chain)\uFF1A\u54EA\u4E9B\u662F\u5916\u90E8\u53EF\u8FBE\u7684\u521D\u59CB\u7A81\u7834\u53E3\u3001\u6A2A\u5411\u79FB\u52A8/\u63D0\u6743\u8DEF\u5F84\u3001\u53EF\u80FD\u7684\u5F71\u54CD\u9762\uFF1B\u7136\u540E\u7ED9\u51FA\u5907\u6218\u6536\u655B\u6E05\u5355(\u5148\u5173\u4EC0\u4E48\u3001\u5148\u76EF\u4EC0\u4E48)\u3002\u5F3A\u8C03\u66B4\u9732\u9762\u6536\u655B\u4E0E\u76D1\u63A7\u52A0\u56FA\u3002",
+        format: "\u5148\u4E00\u53E5\u7814\u5224\u7ED3\u8BBA(\u5F53\u524D\u66B4\u9732\u9762/\u88AB\u6253\u7A7F\u98CE\u9669)\uFF0C\u518D\u7ED9\u300E\u653B\u51FB\u94FE\u89C6\u89D2\u300F\u548C\u300E\u5907\u6218\u6574\u6539\u4F18\u5148\u7EA7\u300F\u4E24\u5757\u3002\u4E2D\u6587\u3002\u8BED\u6C14\u8D34\u62A4\u7F51\u5B9E\u6218\u8BED\u5883\uFF0C\u7D27\u8FEB\u4F46\u4E0D\u5938\u5F20\u3002"
+      } : {
+        persona: "You are the blue-team lead for an HW Defense exercise (cybersecurity attack-defense drill). This is a pre-exercise readiness report. Note: HW = HuWang/\u62A4\u7F51, unrelated to Huawei.",
+        focus: "From an attacker's perspective, chain findings into a kill-chain: external initial footholds, lateral movement/privilege-escalation paths, likely blast radius; then a hardening checklist (what to close/watch first). Emphasize attack-surface reduction and monitoring.",
+        format: "Lead with a one-line verdict (current exposure / breach risk), then two blocks: 'Attack-chain view' and 'Readiness remediation priorities'. English. Combat-readiness tone, urgent but not alarmist."
+      };
+    case "mlps3":
+      return zh ? {
+        persona: "\u4F60\u662F\u7B49\u4FDD\u6D4B\u8BC4\u987E\u95EE\u3002\u8FD9\u662F\u4E00\u4EFD\u7B49\u4FDD\u4E09\u7EA7(GB/T 22239-2019)\u5408\u89C4\u9884\u68C0\u62A5\u544A\u3002",
+        focus: "\u4ECE\u5408\u89C4\u89C6\u89D2\u603B\u7ED3\uFF1A\u5F53\u524D\u5BF9\u7167\u7B49\u4FDD\u4E09\u7EA7\u63A7\u5236\u9879\u7684\u603B\u4F53\u8FBE\u6807\u60C5\u51B5\u3001\u54EA\u4E9B\u63A7\u5236\u57DF\u5B58\u5728\u660E\u663E\u4E0D\u8FBE\u6807\u9879(\u5982\u8BBF\u95EE\u63A7\u5236\u3001\u5B89\u5168\u5BA1\u8BA1\u3001\u5165\u4FB5\u9632\u8303\u3001\u6570\u636E\u5B8C\u6574\u6027/\u4FDD\u5BC6\u6027\u7B49)\u3001\u6574\u6539\u7D27\u8FEB\u5EA6\u4E0E\u8FC7\u4FDD\u5EFA\u8BAE\u3002\u628A\u6280\u672F finding \u6620\u5C04\u5230\u5408\u89C4\u8BED\u8A00\u3002",
+        format: "1 \u6BB5\u5408\u89C4\u7ED3\u8BBA + \u6309\u63A7\u5236\u57DF\u5206\u7EC4\u7684\u4E0D\u8FBE\u6807\u8981\u70B9 + \u6574\u6539\u4F18\u5148\u7EA7\u3002\u4E2D\u6587\u3002\u5F15\u7528\u63A7\u5236\u57DF\u540D\u79F0\u3002\u8BED\u6C14\u4E25\u8C28\u3001\u9762\u5411\u6D4B\u8BC4\u3002"
+      } : {
+        persona: "You are an MLPS assessment advisor. This is an MLPS Level 3 (GB/T 22239-2019) compliance pre-check report.",
+        focus: "Summarize from a compliance lens: overall conformance against MLPS L3 controls, which control domains have clear gaps (access control, security audit, intrusion prevention, data integrity/confidentiality, etc.), remediation urgency, and certification-readiness advice. Map technical findings to compliance language.",
+        format: "1 compliance verdict paragraph + non-conformance points grouped by control domain + remediation priority. English. Reference control-domain names. Rigorous, assessment-oriented tone."
+      };
+  }
+}
+var TYPE_LABEL = {
+  dashboard: { zh: "\u5B89\u5168\u8FD0\u8425\u4EEA\u8868\u76D8", en: "Security Operations Dashboard" },
+  html: { zh: "AWS \u5B89\u5168\u626B\u63CF\u62A5\u544A", en: "AWS Security Scan Report" },
+  hw_defense: { zh: "\u62A4\u7F51\u884C\u52A8\u8BC4\u4F30\u62A5\u544A", en: "HW Defense (\u62A4\u7F51) Readiness Report" },
+  mlps3: { zh: "\u7B49\u4FDD\u4E09\u7EA7\u5408\u89C4\u9884\u68C0\u62A5\u544A", en: "MLPS Level 3 Compliance Pre-check" }
+};
+function buildAiSummaryPrompt(type, scan, lang) {
+  const zh = lang === "zh";
+  const p = getProfile(type, lang);
+  const label = TYPE_LABEL[type][zh ? "zh" : "en"];
+  const digest = buildFindingsDigest(scan, lang);
+  if (zh) {
+    return [
+      `# \u4EFB\u52A1\uFF1A\u4E3A\u300C${label}\u300D\u751F\u6210\u9488\u5BF9\u6027\u7684 AI \u5B89\u5168\u603B\u7ED3`,
+      ``,
+      `## \u89D2\u8272`,
+      p.persona,
+      ``,
+      `## \u603B\u7ED3\u91CD\u70B9`,
+      p.focus,
+      ``,
+      `## \u8F93\u51FA\u683C\u5F0F`,
+      p.format,
+      ``,
+      `## \u7EA6\u675F`,
+      `- \u53EA\u4F9D\u636E\u4E0B\u9762\u7684\u626B\u63CF\u6570\u636E\uFF0C\u4E0D\u8981\u7F16\u9020\u4E0D\u5B58\u5728\u7684\u8D44\u6E90\u6216 finding\u3002`,
+      `- \u4E0D\u8981\u9010\u6761\u590D\u8FF0\u6240\u6709 finding\uFF1B\u63D0\u70BC\u6A21\u5F0F\u4E0E\u4F18\u5148\u7EA7\u3002`,
+      `- \u76F4\u63A5\u8F93\u51FA\u603B\u7ED3\u6B63\u6587\u672C\u8EAB\uFF08\u4E0D\u8981\u5E26\u300C\u4EE5\u4E0B\u662F\u603B\u7ED3\u300D\u4E4B\u7C7B\u7684\u524D\u8A00\uFF0C\u4E0D\u8981 code fence\uFF09\u3002`,
+      `- \u8BED\u8A00\uFF1A\u4E2D\u6587\u3002`,
+      ``,
+      `## \u626B\u63CF\u6570\u636E\u6458\u8981`,
+      digest,
+      ``,
+      `\u8BF7\u73B0\u5728\u8F93\u51FA\u603B\u7ED3\u6B63\u6587\u3002\u751F\u6210\u540E\uFF0C\u628A\u8FD9\u6BB5\u6587\u672C\u901A\u8FC7\u5BF9\u5E94\u62A5\u544A\u5DE5\u5177\u7684 ai_summary \u53C2\u6570\u56DE\u4F20\u5373\u53EF\u3002`
+    ].join("\n");
+  }
+  return [
+    `# Task: Produce a tailored AI security summary for the "${label}"`,
+    ``,
+    `## Role`,
+    p.persona,
+    ``,
+    `## Summary focus`,
+    p.focus,
+    ``,
+    `## Output format`,
+    p.format,
+    ``,
+    `## Constraints`,
+    `- Base it ONLY on the scan data below; do not invent resources or findings.`,
+    `- Do not restate every finding; distill patterns and priorities.`,
+    `- Output the summary body itself (no preamble like "Here is the summary", no code fences).`,
+    `- Language: English.`,
+    ``,
+    `## Scan data digest`,
+    digest,
+    ``,
+    `Now output the summary body. After generating it, pass the text back via the ai_summary parameter of the corresponding report tool.`
+  ].join("\n");
+}
+
 // src/tools/save-results.ts
 import { writeFileSync, readFileSync, mkdirSync, existsSync } from "fs";
 import { join } from "path";
@@ -8789,7 +8957,8 @@ function saveResults(scanResults, outputDir) {
       })),
       findings: scanResults.modules.flatMap(
         (m) => m.findings.map((f) => ({ ...f, module: m.module }))
-      )
+      ),
+      aiSummary: scanResults.aiSummary
     },
     history,
     meta: {
@@ -9405,11 +9574,13 @@ function createServer(defaultRegion) {
     "Generate a Markdown security report from scan results. Read-only. Does not modify any AWS resources.",
     {
       scan_results: z.string().describe("JSON string of FullScanResult from scan_all"),
-      lang: z.enum(["zh", "en"]).optional().describe("Report language (default: zh)")
+      lang: z.enum(["zh", "en"]).optional().describe("Report language (default: zh)"),
+      ai_summary: z.string().optional().describe("Optional pre-generated AI executive summary (Markdown/plain text). Rendered if present; omit to hide.")
     },
-    async ({ scan_results, lang }) => {
+    async ({ scan_results, lang, ai_summary }) => {
       try {
         const parsed = JSON.parse(scan_results);
+        if (ai_summary) parsed.aiSummary = ai_summary;
         const report = generateMarkdownReport(parsed, lang ?? "zh");
         return { content: [{ type: "text", text: report }] };
       } catch (err) {
@@ -9422,11 +9593,13 @@ function createServer(defaultRegion) {
     "Generate a GB/T 22239-2019 \u7B49\u4FDD\u4E09\u7EA7 compliance pre-check report from scan results. Best used with scan_group mlps3_precheck results. Read-only.",
     {
       scan_results: z.string().describe("JSON string of FullScanResult from scan_group mlps3_precheck or scan_all"),
-      lang: z.enum(["zh", "en"]).optional().describe("Report language (default: zh)")
+      lang: z.enum(["zh", "en"]).optional().describe("Report language (default: zh)"),
+      ai_summary: z.string().optional().describe("Optional pre-generated AI executive summary (Markdown/plain text). Rendered if present; omit to hide.")
     },
-    async ({ scan_results, lang }) => {
+    async ({ scan_results, lang, ai_summary }) => {
       try {
         const parsed = JSON.parse(scan_results);
+        if (ai_summary) parsed.aiSummary = ai_summary;
         const report = generateMlps3Report(parsed, lang ?? "zh");
         return { content: [{ type: "text", text: report }] };
       } catch (err) {
@@ -9440,11 +9613,13 @@ function createServer(defaultRegion) {
     {
       scan_results: z.string().describe("JSON string of FullScanResult from scan_all"),
       history: z.string().optional().describe("JSON string of DashboardHistoryEntry[] from dashboard data.json for 30-day trend charts"),
-      lang: z.enum(["zh", "en"]).optional().describe("Report language (default: zh)")
+      lang: z.enum(["zh", "en"]).optional().describe("Report language (default: zh)"),
+      ai_summary: z.string().optional().describe("Optional pre-generated AI executive summary (Markdown/plain text). Rendered if present; omit to hide.")
     },
-    async ({ scan_results, history, lang }) => {
+    async ({ scan_results, history, lang, ai_summary }) => {
       try {
         const parsed = JSON.parse(scan_results);
+        if (ai_summary) parsed.aiSummary = ai_summary;
         const historyData = history ? JSON.parse(history) : void 0;
         const report = generateHtmlReport(parsed, historyData, lang ?? "zh");
         return { content: [{ type: "text", text: report }] };
@@ -9459,11 +9634,13 @@ function createServer(defaultRegion) {
     {
       scan_results: z.string().describe("JSON string of FullScanResult from scan_group mlps3_precheck or scan_all"),
       history: z.string().optional().describe("JSON string of DashboardHistoryEntry[] from dashboard data.json for 30-day trend charts"),
-      lang: z.enum(["zh", "en"]).optional().describe("Report language (default: zh)")
+      lang: z.enum(["zh", "en"]).optional().describe("Report language (default: zh)"),
+      ai_summary: z.string().optional().describe("Optional pre-generated AI executive summary (Markdown/plain text). Rendered if present; omit to hide.")
     },
-    async ({ scan_results, history, lang }) => {
+    async ({ scan_results, history, lang, ai_summary }) => {
       try {
         const parsed = JSON.parse(scan_results);
+        if (ai_summary) parsed.aiSummary = ai_summary;
         const historyData = history ? JSON.parse(history) : void 0;
         const report = generateMlps3HtmlReport(parsed, historyData, lang ?? "zh");
         return { content: [{ type: "text", text: report }] };
@@ -9472,16 +9649,36 @@ function createServer(defaultRegion) {
       }
     }
   );
+  server.tool(
+    "get_ai_summary_prompt",
+    "Return a report-type-tailored prompt (with a grounded findings digest) that the CALLING AI should run to produce an AI security summary. Then pass the generated text back via the `ai_summary` parameter of the matching report tool (or scan_and_report). The server performs no LLM calls. Use this to make each summary specific to the report type (dashboard / security scan / HW Defense \u62A4\u7F51 / MLPS3 \u7B49\u4FDD).",
+    {
+      report_type: z.enum(["dashboard", "html", "hw_defense", "mlps3"]).describe("Target report type the summary is for: dashboard (overview), html (AWS security scan report), hw_defense (\u62A4\u7F51 attack-defense drill), mlps3 (\u7B49\u4FDD\u4E09\u7EA7 compliance)"),
+      scan_results: z.string().describe("JSON string of FullScanResult from scan_all / scan_group"),
+      lang: z.enum(["zh", "en"]).optional().describe("Summary language (default: zh)")
+    },
+    async ({ report_type, scan_results, lang }) => {
+      try {
+        const parsed = JSON.parse(scan_results);
+        const prompt = buildAiSummaryPrompt(report_type, parsed, lang ?? "zh");
+        return { content: [{ type: "text", text: prompt }] };
+      } catch (err) {
+        return { content: [{ type: "text", text: `Error: ${err instanceof Error ? err.message : String(err)}` }], isError: true };
+      }
+    }
+  );
   server.tool(
     "generate_hw_defense_report",
     "Generate an HTML report organized by HW Defense (\u62A4\u7F51) SOP checklist categories. Save as .html file.",
     {
       scan_results: z.string().describe("JSON string of FullScanResult from scan_group hw_defense or scan_all"),
-      lang: z.enum(["zh", "en"]).optional().describe("Report language (default: zh)")
+      lang: z.enum(["zh", "en"]).optional().describe("Report language (default: zh)"),
+      ai_summary: z.string().optional().describe("Optional pre-generated AI executive summary (Markdown/plain text). Rendered if present; omit to hide.")
     },
-    async ({ scan_results, lang }) => {
+    async ({ scan_results, lang, ai_summary }) => {
       try {
         const parsed = JSON.parse(scan_results);
+        if (ai_summary) parsed.aiSummary = ai_summary;
         const report = generateHwDefenseHtmlReport(parsed, lang ?? "zh");
         return { content: [{ type: "text", text: report }] };
       } catch (err) {
@@ -9610,11 +9807,13 @@ function createServer(defaultRegion) {
     "Saves scan results to local disk or S3 for dashboard display. Does not modify any AWS resources.",
     {
       scan_results: z.string().describe("JSON string of FullScanResult from scan_all"),
-      output_dir: z.string().optional().describe("Output directory (default: ~/.aws-security)")
+      output_dir: z.string().optional().describe("Output directory (default: ~/.aws-security)"),
+      ai_summary: z.string().optional().describe("Optional pre-generated AI executive summary (from get_ai_summary_prompt with report_type=dashboard). Persisted into dashboard data and rendered on the Overview; omit to hide.")
     },
-    async ({ scan_results, output_dir }) => {
+    async ({ scan_results, output_dir, ai_summary }) => {
       try {
         const parsed = JSON.parse(scan_results);
+        if (ai_summary) parsed.aiSummary = ai_summary;
         const dataPath = saveResults(parsed, output_dir);
         return {
           content: [
@@ -9712,9 +9911,10 @@ Deploy this as a StackSet from your Management Account to all member accounts.`
       role_name: z.string().optional().describe("IAM role name for cross-account scanning"),
       account_ids: z.array(z.string()).optional().describe("Filter to specific account IDs"),
       reports: z.array(z.enum(["html", "hw_defense", "mlps3", "markdown", "all"])).optional().describe("Report types to generate (default: all)"),
-      lang: z.enum(["zh", "en"]).optional().describe("Language: zh or en (default: zh)")
+      lang: z.enum(["zh", "en"]).optional().describe("Language: zh or en (default: zh)"),
+      ai_summary: z.string().optional().describe("Optional pre-generated AI executive summary (Markdown/plain text). Rendered in reports + dashboard if present; omit to hide.")
     },
-    async ({ region, org_mode, role_name, account_ids, reports, lang }) => {
+    async ({ region, org_mode, role_name, account_ids, reports, lang, ai_summary }) => {
       try {
         const r = region ?? defaultRegion;
         const l = lang ?? "zh";
@@ -9730,6 +9930,7 @@ Deploy this as a StackSet from your Management Account to all member accounts.`
         } else {
           result = await runAllScanners(allScanners, r);
         }
+        if (ai_summary) result.aiSummary = ai_summary;
         const baseDir = join2(homedir2(), ".aws-security", "reports", (/* @__PURE__ */ new Date()).toISOString().slice(0, 10));
         mkdirSync2(baseDir, { recursive: true });
         const savedFiles = [];
@@ -9854,6 +10055,7 @@ async function startServer(defaultRegion) {
 }
 export {
   assumeRole,
+  buildAiSummaryPrompt,
   buildRoleArn,
   calculateScore,
   createServer,
@@ -9861,6 +10063,7 @@ export {
   generateHwDefenseHtmlReport,
   generateMarkdownReport,
   generateMlps3HtmlReport,
+  generateMlps3Report,
   getCurrentAccountId,
   listOrgAccounts,
   runAllScanners,