security-mcp 1.0.4 → 1.1.0

package/dist/mcp/server.js

@@ -7,6 +7,7 @@ import { z } from "zod";
 import { runPrGate } from "../gate/policy.js";
 import { readFileSafe } from "../repo/fs.js";
 import { searchRepo } from "../repo/search.js";
+import { createReviewAttestation, createReviewRun, readReviewRun, updateReviewStep } from "../review/store.js";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const PKG_ROOT = resolve(__dirname, "../..");
 const PROMPTS_DIR = join(PKG_ROOT, "prompts");
@@ -20,7 +21,6 @@ function loadPromptFile(name) {
     return `[security-mcp] Prompt file not found: ${name}. Run "npm run build" from the package root.`;
 }
 const SECURITY_PROMPT = loadPromptFile("SECURITY_PROMPT.md");
-/* eslint-disable deprecation/deprecation */
 const server = new McpServer({
     name: "security-mcp",
     version: "1.0.0"
@@ -50,21 +50,124 @@ function safeTool(handler) {
     };
 }
 // ---------------------------------------------------------------------------
-// Existing tools (unchanged)
+// Review workflow
+// ---------------------------------------------------------------------------
+const ReviewRunIdParam = {
+    runId: z.string().uuid().optional().describe("Optional security review run ID created by security.start_review.")
+};
+const StartReviewParams = {
+    mode: z.enum(["recent_changes", "folder_by_folder", "file_by_file"]).describe("Required scan scope mode for this review."),
+    targets: z.array(z.string()).optional().describe("Required for folder_by_folder and file_by_file modes. Relative folders/files to evaluate."),
+    baseRef: z.string().optional().describe("Only for recent_changes mode. Base git ref, default origin/main."),
+    headRef: z.string().optional().describe("Only for recent_changes mode. Head git ref, default HEAD.")
+};
+const StartReviewSchema = z.object(StartReviewParams);
+tool("security.start_review", "Start a stateful security review run, lock the scan mode, and return a run ID for ordered execution and attestation. OPERATING MANDATE: 90% fixing, 10% advisory. You do not list vulnerabilities and walk away — you write the fix, implement the control, and enforce the policy.", StartReviewParams, safeTool(async (args, _extra) => {
+    const { mode, targets, baseRef, headRef } = StartReviewSchema.parse(args);
+    const cleanTargets = (targets ?? []).map((target) => target.trim()).filter(Boolean);
+    if ((mode === "folder_by_folder" || mode === "file_by_file") && cleanTargets.length === 0) {
+        throw new Error(`Mode "${mode}" requires one or more relative targets.`);
+    }
+    const run = await createReviewRun({ mode, targets, baseRef, headRef });
+    await updateReviewStep(run.id, "scan_strategy", "completed", {
+        mode,
+        targets: cleanTargets,
+        baseRef: baseRef ?? "origin/main",
+        headRef: headRef ?? "HEAD"
+    });
+    return asTextResponse({
+        runId: run.id,
+        mode,
+        targets: cleanTargets,
+        baseRef: baseRef ?? "origin/main",
+        headRef: headRef ?? "HEAD",
+        requiredSteps: run.requiredSteps,
+        operatingMandate: "90% fixing, 10% advisory. Write the fix. Implement the control. Enforce the policy. Do not list vulnerabilities and walk away.",
+        nextSteps: [
+            "Run security.threat_model with this runId.",
+            "Run security.checklist with this runId.",
+            "Run security.run_pr_gate with this runId.",
+            "Run security.attest_review after remediation is complete."
+        ]
+    });
+}));
+const AttestReviewParams = {
+    runId: z.string().uuid().describe("Security review run ID."),
+    signatureEnvVar: z.string().optional().describe("Optional environment variable containing an HMAC key for attestation signing.")
+};
+const AttestReviewSchema = z.object(AttestReviewParams);
+tool("security.attest_review", "Generate a security review attestation with integrity hash and optional HMAC signature.", AttestReviewParams, safeTool(async (args, _extra) => {
+    const { runId, signatureEnvVar } = AttestReviewSchema.parse(args);
+    const run = await readReviewRun(runId);
+    const required = new Set(run.requiredSteps);
+    const completed = Array.from(required).filter((step) => {
+        const status = run.steps[step]?.status;
+        return status === "completed" || status === "approved";
+    });
+    const missing = Array.from(required).filter((step) => !completed.includes(step));
+    const latestGate = run.steps["run_pr_gate"]?.details ?? {};
+    const payload = {
+        runId: run.id,
+        createdAt: run.createdAt,
+        updatedAt: run.updatedAt,
+        mode: run.mode,
+        targets: run.targets,
+        steps: run.steps,
+        coverage: {
+            required: Array.from(required),
+            completed,
+            missing
+        },
+        latestGate
+    };
+    const signatureKey = signatureEnvVar ? process.env[signatureEnvVar] : undefined;
+    const attestation = await createReviewAttestation(runId, payload, signatureKey);
+    return asTextResponse({
+        attestationPath: attestation.path,
+        sha256: attestation.sha256,
+        ...(attestation.hmacSha256 ? { hmacSha256: attestation.hmacSha256 } : {}),
+        completedSteps: completed,
+        missingSteps: missing,
+        confidence: latestGate["confidence"] ?? null
+    });
+}));
+// ---------------------------------------------------------------------------
+// Existing tools
 // ---------------------------------------------------------------------------
 const RunPrGateParams = {
+    ...ReviewRunIdParam,
+    mode: z.enum(["recent_changes", "folder_by_folder", "file_by_file"]).optional().describe("Scan scope mode. recent_changes (default) uses git diff; folder_by_folder scans one or more folders; file_by_file scans explicit files."),
+    targets: z.array(z.string()).optional().describe("Required for folder_by_folder and file_by_file modes. Relative folders/files to evaluate."),
     baseRef: z.string().optional().describe("Base git ref for diff (e.g. origin/main). Optional."),
     headRef: z.string().optional().describe("Head git ref for diff (e.g. HEAD). Optional."),
     policyPath: z.string().optional().describe("Override policy path. Default: .mcp/policies/security-policy.json")
 };
 const RunPrGateSchema = z.object(RunPrGateParams);
-tool("security.run_pr_gate", "Run the security policy gate against the current workspace. Returns PASS/FAIL plus findings and required actions.", RunPrGateParams, safeTool(async (args, _extra) => {
-    const { baseRef, headRef, policyPath } = RunPrGateSchema.parse(args);
+tool("security.run_pr_gate", "Run the security policy gate for recent changes, selected folders, or selected files. Returns PASS/FAIL plus findings and required actions.", RunPrGateParams, safeTool(async (args, _extra) => {
+    const { runId, mode, targets, baseRef, headRef, policyPath } = RunPrGateSchema.parse(args);
+    if (!runId) {
+        return asTextResponse({
+            requires_run_id: true,
+            question: "Start the review with security.start_review before running the gate.",
+            next_step: "Call security.start_review, then re-run security.run_pr_gate with the returned runId."
+        });
+    }
     const result = await runPrGate({
+        mode,
+        targets,
         baseRef,
         headRef,
         policyPath: policyPath ?? ".mcp/policies/security-policy.json"
     });
+    await updateReviewStep(runId, "run_pr_gate", "completed", {
+        status: result.status,
+        confidence: result.confidence,
+        findings: result.findings.map((finding) => ({ id: finding.id, severity: finding.severity })),
+        suppressedFindings: result.suppressedFindings?.map((entry) => ({
+            id: entry.finding.id,
+            exceptionId: entry.exceptionId
+        })) ?? []
+    });
     return asTextResponse(result);
 }));
 const ReadFileParams = {
@@ -97,9 +200,20 @@ const GetSystemPromptParams = {
     payment_processor: z.string().optional().describe("Payment processor in use, e.g. 'Stripe', 'Braintree', 'Adyen', or 'none'.")
 };
 const GetSystemPromptSchema = z.object(GetSystemPromptParams);
-tool("security.get_system_prompt", "Return the full security engineering system prompt. Optionally customized with your stack, cloud provider, and payment processor. Use this as the system prompt to configure Claude as an elite security engineer for your project.", GetSystemPromptParams, safeTool(async (args, _extra) => {
+tool("security.get_system_prompt", "Return the full security engineering system prompt. Optionally customized with your stack, cloud provider, and payment processor. Use this as the system prompt to configure Claude as an elite security engineer for your project. Core operating ratio: 90% fixing, 10% advisory — write the fix, implement the control, enforce the policy.", GetSystemPromptParams, safeTool(async (args, _extra) => {
     const { stack, cloud, payment_processor } = GetSystemPromptSchema.parse(args);
-    let prompt = SECURITY_PROMPT;
+    // Prepend the operating mandate so it is the first instruction the model reads,
+    // regardless of which part of the prompt file is loaded or truncated.
+    const OPERATING_MANDATE = "# CORE OPERATING MANDATE — READ FIRST\n\n" +
+        "Your operating ratio is **90% fixing, 10% advisory**.\n" +
+        "You do NOT list vulnerabilities and walk away.\n" +
+        "You write the fix. You implement the control. You enforce the policy.\n\n" +
+        "**90% action:** Write the secure code directly. Implement validation, middleware, " +
+        "access controls, and secret management. Produce production-ready fixes every time.\n\n" +
+        "**10% explanation:** One line — what was wrong, what attack it prevents, which framework " +
+        "control applies (OWASP, ATT&CK, NIST). Then move on.\n\n" +
+        "---\n\n";
+    let prompt = OPERATING_MANDATE + SECURITY_PROMPT;
     // Append a project-specific scope section if any context was provided
     if (stack ?? cloud ?? payment_processor) {
         const scopeLines = [
@@ -124,13 +238,14 @@ tool("security.get_system_prompt", "Return the full security engineering system
 // New tool: security.threat_model
 // ---------------------------------------------------------------------------
 const ThreatModelParams = {
+    ...ReviewRunIdParam,
     feature: z.string().describe("One or two sentences describing the feature or component to threat-model. " +
         "Example: 'OAuth 2.0 login flow with PKCE and session cookies'."),
     surfaces: z.array(z.enum(["web", "api", "mobile", "ai", "infra", "data"])).optional().describe("Attack surfaces involved. Defaults to all.")
 };
 const ThreatModelSchema = z.object(ThreatModelParams);
 tool("security.threat_model", "Generate a STRIDE + PASTA + ATT&CK threat model template for a described feature or component. Returns a structured Markdown document ready to fill in.", ThreatModelParams, safeTool(async (args, _extra) => {
-    const { feature, surfaces } = ThreatModelSchema.parse(args);
+    const { runId, feature, surfaces } = ThreatModelSchema.parse(args);
     const surfaceList = surfaces ?? ["web", "api", "mobile", "ai", "infra", "data"];
     const template = `# Threat Model: ${feature}
 
@@ -241,12 +356,19 @@ Describe Level 0 (context) and Level 1 (process) flows in prose or embed a diagr
 - [ ] IR playbook updated if new attack surface introduced
 - [ ] Compliance requirements addressed and documented
 `;
+    if (runId) {
+        await updateReviewStep(runId, "threat_model", "completed", {
+            feature,
+            surfaces: surfaceList
+        });
+    }
     return asTextResponse(template);
 }));
 // ---------------------------------------------------------------------------
 // New tool: security.checklist
 // ---------------------------------------------------------------------------
 const ChecklistParams = {
+    ...ReviewRunIdParam,
     surface: z.enum(["web", "api", "mobile", "ai", "infra", "payments", "all"]).optional()
         .describe("Filter checklist by attack surface. Default: all.")
 };
@@ -334,8 +456,11 @@ Use before every production release. All items must be checked or explicitly ris
 - [ ] Audit trail maintained for all payment operations
 `;
 tool("security.checklist", "Return the pre-release security checklist, optionally filtered by attack surface (web, api, mobile, ai, infra, payments, all).", ChecklistParams, safeTool(async (args, _extra) => {
-    const { surface } = ChecklistSchema.parse(args);
+    const { runId, surface } = ChecklistSchema.parse(args);
     if (!surface || surface === "all") {
+        if (runId) {
+            await updateReviewStep(runId, "checklist", "completed", { surface: "all" });
+        }
         return asTextResponse(CHECKLIST_ALL);
     }
     // Extract the relevant section
@@ -358,6 +483,9 @@ tool("security.checklist", "Return the pre-release security checklist, optionall
     const allSurfaces = lines.slice(0, allSurfacesEnd).join("\n");
     const sectionEnd = lines.findIndex((l, i) => i > start + 1 && l.startsWith("## "));
     const section = lines.slice(start, sectionEnd === -1 ? undefined : sectionEnd).join("\n");
+    if (runId) {
+        await updateReviewStep(runId, "checklist", "completed", { surface });
+    }
     return asTextResponse(`# Pre-Release Security Checklist (${surface})\n\n${allSurfaces}\n\n${section}`);
 }));
 // ---------------------------------------------------------------------------
@@ -434,9 +562,810 @@ tool("security.generate_policy", "Generate a security-policy.json for your proje
     return asTextResponse(comment + JSON.stringify(policy, null, 2));
 }));
 // ---------------------------------------------------------------------------
+// New tool: security.scan_strategy
+// ---------------------------------------------------------------------------
+const ScanStrategyParams = {
+    ...ReviewRunIdParam,
+    mode: z.enum(["folder_by_folder", "file_by_file", "recent_changes"]).optional().describe("Required scan mode. Ask the user to choose before starting review."),
+    targets: z.array(z.string()).optional().describe("Required for folder_by_folder and file_by_file. Relative folders/files to evaluate."),
+    baseRef: z.string().optional().describe("Only for recent_changes mode. Base git ref, default origin/main."),
+    headRef: z.string().optional().describe("Only for recent_changes mode. Head git ref, default HEAD.")
+};
+const ScanStrategySchema = z.object(ScanStrategyParams);
+tool("security.scan_strategy", "Create an exhaustive security scan plan and enforce a required user choice: folder_by_folder, file_by_file, or recent_changes.", ScanStrategyParams, safeTool(async (args, _extra) => {
+    const { runId, mode, targets, baseRef, headRef } = ScanStrategySchema.parse(args);
+    if (!mode) {
+        return asTextResponse({
+            required_user_decision: true,
+            question: "Choose scan mode before running security checks.",
+            options: ["folder_by_folder", "file_by_file", "recent_changes"],
+            next_step: "Call security.scan_strategy again with the selected mode."
+        });
+    }
+    const cleanTargets = (targets ?? []).map((t) => t.trim()).filter(Boolean);
+    if ((mode === "folder_by_folder" || mode === "file_by_file") && cleanTargets.length === 0) {
+        return asTextResponse({
+            required_user_decision: true,
+            question: `Mode "${mode}" requires explicit targets. Provide relative ${mode === "folder_by_folder" ? "folders" : "files"}.`,
+            next_step: "Call security.scan_strategy with mode + targets."
+        });
+    }
+    const frameworkCoverage = {
+        threat_modeling: ["STRIDE", "PASTA", "LINDDUN", "DREAD", "ATT&CK Navigator", "Attack Trees", "TRIKE"],
+        appsec_and_adversary: [
+            "OWASP Top 10 (Web/API)",
+            "OWASP ASVS L2/L3",
+            "OWASP MASVS",
+            "MITRE ATT&CK",
+            "MITRE D3FEND",
+            "MITRE CAPEC",
+            "MITRE ATLAS"
+        ],
+        governance_and_compliance: [
+            "NIST 800-53 Rev5",
+            "NIST CSF 2.0",
+            "NIST 800-207 (Zero Trust)",
+            "NIST 800-218 (SSDF)",
+            "PCI DSS 4.0",
+            "SOC 2 Type II",
+            "ISO 27001/27002/42001",
+            "GDPR/CCPA"
+        ],
+        pipeline_controls: [
+            "SAST",
+            "SCA",
+            "Secrets Scanning",
+            "IaC Scanning",
+            "Container Scanning",
+            "DAST",
+            "SBOM + Provenance"
+        ]
+    };
+    const runGateTemplate = mode === "recent_changes"
+        ? {
+            tool: "security.run_pr_gate",
+            args: {
+                mode: "recent_changes",
+                baseRef: baseRef ?? "origin/main",
+                headRef: headRef ?? "HEAD"
+            }
+        }
+        : {
+            tool: "security.run_pr_gate",
+            args: {
+                mode,
+                targets: cleanTargets
+            }
+        };
+    if (runId) {
+        await updateReviewStep(runId, "scan_strategy", "completed", {
+            mode,
+            targets: cleanTargets,
+            baseRef: baseRef ?? "origin/main",
+            headRef: headRef ?? "HEAD"
+        });
+    }
+    return asTextResponse({
+        decision_confirmed: true,
+        mode,
+        targets: cleanTargets,
+        git_range: mode === "recent_changes" ? { baseRef: baseRef ?? "origin/main", headRef: headRef ?? "HEAD" } : null,
+        execution_plan: [
+            "1) Inventory scope and adjacent blast radius components.",
+            "2) Run threat model coverage (STRIDE + PASTA + ATT&CK + D3FEND).",
+            "3) Run policy gate + static/dynamic/IaC/container/security checks.",
+            "4) Map findings to OWASP/NIST/PCI/SOC2/ISO controls.",
+            "5) Apply code/config fixes immediately and re-run gate until PASS.",
+            "6) Produce residual-risk register with owner, date, and review cadence."
+        ],
+        framework_coverage: frameworkCoverage,
+        run_gate_template: runGateTemplate,
+        completion_rule: "No section is complete until all required controls are either implemented or formally risk-accepted."
+    });
+}));
+// ---------------------------------------------------------------------------
+// New tool: security.terraform_hardening_blueprint
+// ---------------------------------------------------------------------------
+const TerraformHardeningParams = {
+    cloud: z.enum(["aws", "gcp", "azure", "multi"]).optional().describe("Target cloud platform. Default: multi."),
+    criticality: z.enum(["standard", "high", "regulated"]).optional().describe("Security strictness profile."),
+    environment: z.string().optional().describe("Environment name (e.g., prod, staging).")
+};
+const TerraformHardeningSchema = z.object(TerraformHardeningParams);
+tool("security.terraform_hardening_blueprint", "Generate an advanced Terraform hardening blueprint with secure module design, guardrails, and control mappings.", TerraformHardeningParams, safeTool(async (args, _extra) => {
+    const { cloud, criticality, environment } = TerraformHardeningSchema.parse(args);
+    const selectedCloud = cloud ?? "multi";
+    const selectedCriticality = criticality ?? "high";
+    const blueprint = {
+        target: { cloud: selectedCloud, criticality: selectedCriticality, environment: environment ?? "unspecified" },
+        module_layout: [
+            "modules/network: private subnets, no default public ingress, egress allowlists",
+            "modules/identity: least-privilege IAM roles, short-lived credentials, no wildcard actions",
+            "modules/data: encryption at rest with CMEK/KMS, backup + PITR, private endpoints",
+            "modules/observability: audit logs + flow logs + SIEM forwarding + immutable retention",
+            "modules/security: WAF, DDoS controls, threat detection, guardrail SCP/org-policies"
+        ],
+        mandatory_terraform_controls: [
+            "Pin providers and modules to exact versions; no floating ranges.",
+            "Use remote state with encryption + locking + restricted access.",
+            "Enforce policy checks: Checkov/tfsec/Terrascan + OPA Conftest in CI.",
+            "Block 0.0.0.0/0 ingress/egress unless explicit risk acceptance.",
+            "Disable public object storage by default.",
+            "Require tags/labels for owner, data classification, and environment.",
+            "Enable cloud audit logging on every managed resource."
+        ],
+        secure_cicd_flow: [
+            "terraform fmt/validate -> terraform plan -> policy checks (OPA/Checkov/tfsec) -> manual approval -> terraform apply",
+            "Store plan output artifact and sign provenance before apply.",
+            "Run drift detection nightly and alert on unauthorized changes."
+        ],
+        control_mapping: {
+            nist_800_53: ["AC-3", "AC-6", "AU-2", "AU-12", "SC-7", "SC-8", "SC-12", "SI-4"],
+            cis: ["CIS cloud benchmark level 2", "CIS IaC policy enforcement"],
+            zero_trust: ["explicit authn/authz for service paths", "micro-segmentation", "continuous verification"]
+        }
+    };
+    return asTextResponse(blueprint);
+}));
+// ---------------------------------------------------------------------------
+// New tool: security.generate_opa_rego
+// ---------------------------------------------------------------------------
+const GenerateOpaRegoParams = {
+    ...ReviewRunIdParam,
+    policyPack: z.enum(["terraform_plan", "ci_pipeline", "kubernetes"]).optional().describe("Policy pack to generate. Default: terraform_plan."),
+    cloud: z.enum(["aws", "gcp", "azure", "multi"]).optional().describe("Cloud context for policy wording."),
+    applySuggestion: z.boolean().optional().describe("Must be true before generating policy code. This forces explicit user consent.")
+};
+const GenerateOpaRegoSchema = z.object(GenerateOpaRegoParams);
+tool("security.generate_opa_rego", "Generate preventive OPA/Rego policy code for Terraform plans or CI pipelines. Requires explicit user consent first.", GenerateOpaRegoParams, safeTool(async (args, _extra) => {
+    const { runId, policyPack, cloud, applySuggestion } = GenerateOpaRegoSchema.parse(args);
+    const selectedPack = policyPack ?? "terraform_plan";
+    if (!applySuggestion) {
+        return asTextResponse({
+            requires_user_confirmation: true,
+            question: "Do you want security-mcp to generate preventive OPA/Rego policies for your pipeline and Terraform plan checks?",
+            next_step: "Re-run security.generate_opa_rego with applySuggestion=true."
+        });
+    }
+    const terraformPolicy = `package security.terraform
+
+import rego.v1
+
+deny contains msg if {
+  some rc in input.resource_changes
+  rc.type == "aws_security_group_rule"
+  lower(rc.change.after.type) == "ingress"
+  rc.change.after.cidr_blocks[_] == "0.0.0.0/0"
+  msg := "deny: public ingress 0.0.0.0/0 is not allowed"
+}
+
+deny contains msg if {
+  some rc in input.resource_changes
+  rc.type in {"aws_s3_bucket", "google_storage_bucket", "azurerm_storage_account"}
+  not is_private_storage(rc.change.after)
+  msg := sprintf("deny: storage resource %s must not be public", [rc.address])
+}
+
+deny contains msg if {
+  some rc in input.resource_changes
+  is_data_resource(rc.type)
+  not encryption_enabled(rc.change.after)
+  msg := sprintf("deny: encryption at rest is required for %s", [rc.address])
+}
+
+is_private_storage(after) if {
+  not after.public
+}
+
+encryption_enabled(after) if {
+  after.encryption == true
+}
+
+is_data_resource(kind) if {
+  kind in {"aws_db_instance", "google_sql_database_instance", "azurerm_postgresql_flexible_server"}
+}`;
+    const ciPolicy = `package security.cicd
+
+import rego.v1
+
+required_jobs := {"sast", "sca", "secrets", "iac", "container", "dast"}
+
+deny contains msg if {
+  some job in required_jobs
+  not input.pipeline.jobs[job]
+  msg := sprintf("deny: missing required security job '%s'", [job])
+}
+
+deny contains msg if {
+  input.pipeline.context.allow_high_findings == true
+  msg := "deny: pipeline cannot allow HIGH/CRITICAL findings by default"
+}
+
+deny contains msg if {
+  not input.pipeline.provenance.signed
+  msg := "deny: release artifacts must include signed provenance/SBOM attestations"
+}`;
+    const k8sPolicy = `package security.kubernetes
+
+import rego.v1
+
+deny contains msg if {
+  input.kind == "Deployment"
+  some c in input.spec.template.spec.containers
+  not c.securityContext.runAsNonRoot
+  msg := sprintf("deny: container '%s' must run as non-root", [c.name])
+}
+
+deny contains msg if {
+  input.kind == "Deployment"
+  some c in input.spec.template.spec.containers
+  c.securityContext.privileged == true
+  msg := sprintf("deny: privileged container '%s' is not allowed", [c.name])
+}`;
+    const policyByPack = {
+        terraform_plan: {
+            path: "policy/terraform/security.rego",
+            policy: terraformPolicy,
+            conftest_command: "terraform show -json tfplan.binary > tfplan.json && conftest test tfplan.json -p policy/terraform"
+        },
+        ci_pipeline: {
+            path: "policy/ci/security.rego",
+            policy: ciPolicy,
+            conftest_command: "conftest test pipeline-input.json -p policy/ci"
+        },
+        kubernetes: {
+            path: "policy/kubernetes/security.rego",
+            policy: k8sPolicy,
+            conftest_command: "conftest test k8s-manifest.yaml -p policy/kubernetes"
+        }
+    };
+    const selected = policyByPack[selectedPack];
+    // Generate test file for the selected policy pack
+    const testPackageName = `security.${selectedPack.replace(/_/g, "")}_test`;
+    const testPolicy = `package ${testPackageName}
+
+import rego.v1
+
+# --- Allow cases (should NOT produce deny) ---
+
+test_allow_valid_resource if {
+  count(deny) == 0 with input as {
+    "resource_changes": []
+  }
+}
+
+test_allow_encrypted_storage if {
+  count(deny) == 0 with input as {
+    "resource_changes": [{
+      "type": "aws_s3_bucket",
+      "address": "aws_s3_bucket.secure",
+      "change": { "after": { "public": false, "encryption": true } }
+    }]
+  }
+}
+
+test_allow_private_ingress if {
+  count(deny) == 0 with input as {
+    "resource_changes": [{
+      "type": "aws_security_group_rule",
+      "change": { "after": { "type": "ingress", "cidr_blocks": ["10.0.0.0/8"] } }
+    }]
+  }
+}
+
+# --- Deny cases (should produce deny) ---
+
+test_deny_public_ingress if {
+  count(deny) > 0 with input as {
+    "resource_changes": [{
+      "type": "aws_security_group_rule",
+      "change": { "after": { "type": "ingress", "cidr_blocks": ["0.0.0.0/0"] } }
+    }]
+  }
+}
+
+test_deny_public_storage if {
+  count(deny) > 0 with input as {
+    "resource_changes": [{
+      "type": "aws_s3_bucket",
+      "address": "aws_s3_bucket.bad",
+      "change": { "after": { "public": true, "encryption": false } }
+    }]
+  }
+}
+
+test_deny_unencrypted_database if {
+  count(deny) > 0 with input as {
+    "resource_changes": [{
+      "type": "aws_db_instance",
+      "address": "aws_db_instance.bad",
+      "change": { "after": { "encryption": false } }
+    }]
+  }
+}
+
+# --- Edge cases ---
+
+test_empty_input if {
+  count(deny) == 0 with input as {}
+}
+
+test_null_resource_changes if {
+  count(deny) == 0 with input as { "resource_changes": [] }
+}
+
+test_missing_required_fields if {
+  count(deny) == 0 with input as { "resource_changes": [{ "type": "unknown_type", "change": {} }] }
+}
+`;
+    const testFilePath = selected.path.replace(".rego", "_test.rego");
+    if (runId) {
+        await updateReviewStep(runId, "generate_opa_rego", "approved", {
+            policyPack: selectedPack,
+            cloud: cloud ?? "multi"
+        });
+    }
+    return asTextResponse({
+        generated_for: { policyPack: selectedPack, cloud: cloud ?? "multi" },
+        files: [
+            selected,
+            { path: testFilePath, policy: testPolicy, description: "OPA test file — run with: opa test policy/ -v" }
+        ],
+        install_notes: [
+            "Run this in CI before deployment apply/admission.",
+            "Fail the pipeline when any deny rules are returned.",
+            "Run tests with: opa test policy/ -v",
+            "Version-control the policy and require security-owner approval for policy exceptions."
+        ]
+    });
+}));
+// ---------------------------------------------------------------------------
+// New tool: security.self_heal_loop
+// ---------------------------------------------------------------------------
+const SelfHealLoopParams = {
+    ...ReviewRunIdParam,
+    useCase: z.string().optional().describe("Short description of recurring security issues in this codebase."),
+    findings: z.array(z.string()).optional().describe("Recent recurring findings or control gaps."),
+    approveAdaptiveUpdates: z.boolean().optional().describe("Must be true before suggesting any adaptive improvement. Human approval is mandatory.")
+};
+const SelfHealLoopSchema = z.object(SelfHealLoopParams);
+tool("security.self_heal_loop", "Propose a human-approved self-healing improvement loop for this security setup. No adaptive change may be applied without explicit human approval.", SelfHealLoopParams, safeTool(async (args, _extra) => {
+    const { runId, useCase, findings, approveAdaptiveUpdates } = SelfHealLoopSchema.parse(args);
+    if (!approveAdaptiveUpdates) {
+        return asTextResponse({
+            requires_human_approval: true,
+            question: "Do you want security-mcp to propose adaptive updates to policies/checklists based on recurring findings in your use case?",
+            next_step: "Re-run security.self_heal_loop with approveAdaptiveUpdates=true."
+        });
+    }
+    if (runId) {
+        await updateReviewStep(runId, "self_heal_loop", "approved", {
+            useCase: useCase ?? "unspecified"
+        });
+    }
+    return asTextResponse({
+        adaptive_security_loop: [
+            "1) Capture repeated findings from gate outputs and incident reports.",
+            "2) Cluster by root cause (authz gaps, IaC misconfig, secrets, AI injection, dependency risk).",
+            "3) Propose updates to .mcp/policies/security-policy.json and .mcp/mappings/evidence-map.json.",
+            "4) Require explicit human approval before applying any policy, prompt, or checklist mutation.",
+            "5) Re-run security.run_pr_gate in the selected scan mode and compare residual risk trend."
+        ],
+        guardrails: [
+            "No autonomous code or policy mutation without explicit human approval.",
+            "No weakening of controls without signed risk acceptance metadata.",
+            "Every approved adaptive update must be logged with owner, date, rationale, and rollback path."
+        ],
+        input_summary: {
+            useCase: useCase ?? "unspecified",
+            findings: findings ?? []
+        }
+    });
+}));
+// ---------------------------------------------------------------------------
+// New tool: security.generate_compliance_report
+// ---------------------------------------------------------------------------
+const GenerateComplianceReportParams = {
+    ...ReviewRunIdParam,
+    framework: z.enum(["SOC2", "PCI-DSS", "ISO27001", "NIST-800-53", "HIPAA", "GDPR"]).describe("Compliance framework to evaluate against."),
+    outputFormat: z.enum(["json", "markdown"]).default("markdown").describe("Output format.")
+};
+const GenerateComplianceReportSchema = z.object(GenerateComplianceReportParams);
+tool("security.generate_compliance_report", "Generate a compliance gap analysis report mapping gate results to a specific framework's controls. Identifies satisfied, missing, and partially-satisfied controls with evidence artifacts.", GenerateComplianceReportParams, safeTool(async (args, _extra) => {
+    const { runId, framework, outputFormat } = GenerateComplianceReportSchema.parse(args);
+    // Framework → control prefix/tag mapping
+    const frameworkFilters = {
+        "SOC2": ["SOC2_", "SOC 2"],
+        "PCI-DSS": ["PCI_", "PCI DSS"],
+        "ISO27001": ["ISO_", "ISO 27001"],
+        "NIST-800-53": ["NIST_", "NIST 800-53"],
+        "HIPAA": ["HIPAA"],
+        "GDPR": ["GDPR"]
+    };
+    const filters = frameworkFilters[framework] ?? [];
+    // Load gate result from run if provided
+    let gateFindings = [];
+    let gateStatus = "UNKNOWN";
+    if (runId) {
+        try {
+            const { readReviewRun } = await import("../review/store.js");
+            const run = await readReviewRun(runId);
+            const gateStep = run.steps["run_pr_gate"];
+            if (gateStep?.details) {
+                const details = gateStep.details;
+                gateStatus = String(details["status"] ?? "UNKNOWN");
+                gateFindings = details["findings"] ?? [];
+            }
+        }
+        catch {
+            // run not found — proceed without gate data
+        }
+    }
+    // Load control catalog
+    const { loadControlCatalog } = await import("../gate/catalog.js");
+    const catalog = await loadControlCatalog();
+    // Filter controls by framework
+    const frameworkControls = catalog.controls.filter((c) => filters.some((f) => c.id.startsWith(f) || c.frameworks.some((fw) => fw.includes(f.trim()))));
+    const controlStatuses = frameworkControls.map((c) => {
+        const matchingFinding = gateFindings.find((f) => f.id.startsWith(c.id) || c.id.includes(f.id));
+        if (matchingFinding) {
+            return { id: c.id, description: c.description, status: "missing", evidence: [`Finding: ${matchingFinding.id} (${matchingFinding.severity})`] };
+        }
+        // If no adverse finding, consider it tentatively satisfied
+        return { id: c.id, description: c.description, status: "satisfied", evidence: c.evidence ?? [] };
+    });
+    const total = controlStatuses.length;
+    const satisfied = controlStatuses.filter((c) => c.status === "satisfied").length;
+    const missing = controlStatuses.filter((c) => c.status === "missing").length;
+    const partial = controlStatuses.filter((c) => c.status === "partial").length;
+    if (outputFormat === "json") {
+        return asTextResponse({
+            framework,
+            runId: runId ?? null,
+            gateStatus,
+            summary: { total, satisfied, missing, partial },
+            controls: controlStatuses
+        });
+    }
+    // Markdown output
+    const rows = controlStatuses.map((c) => {
+        const icon = c.status === "satisfied" ? "✓" : c.status === "missing" ? "✗" : "~";
+        const evidence = c.evidence.slice(0, 2).join("; ") || "-";
+        return `| ${c.id} | ${c.description.slice(0, 60)} | ${icon} ${c.status} | ${evidence} |`;
+    }).join("\n");
+    const report = `# Compliance Gap Analysis: ${framework}
+
+**Run ID**: ${runId ?? "not provided"}
+**Gate Status**: ${gateStatus}
+**Generated**: ${new Date().toISOString()}
+
+## Summary
+
+| Metric | Count |
+|---|---|
+| Total Controls | ${total} |
+| Satisfied | ${satisfied} |
+| Missing | ${missing} |
+| Partial | ${partial} |
+| Coverage | ${total > 0 ? Math.round((satisfied / total) * 100) : 0}% |
+
+## Control Details
+
+| Control ID | Description | Status | Evidence |
+|---|---|---|---|
+${rows}
+`;
+    return asTextResponse(report);
+}));
+// ---------------------------------------------------------------------------
+// New tool: security.notify_webhooks
+// ---------------------------------------------------------------------------
+const NotifyWebhooksParams = {
+    runId: z.string().uuid().describe("Security review run ID whose findings to send."),
+    gateFailed: z.boolean().describe("Whether the gate failed (determines alert severity)."),
+    findingCount: z.number().int().describe("Total number of findings."),
+    criticalCount: z.number().int().describe("Number of CRITICAL findings.")
+};
+const NotifyWebhooksSchema = z.object(NotifyWebhooksParams);
+tool("security.notify_webhooks", "Send security gate findings to configured external systems (Slack, Jira, PagerDuty, generic webhook). Configure endpoints via environment variables: SECURITY_SLACK_WEBHOOK, SECURITY_JIRA_URL+SECURITY_JIRA_TOKEN, SECURITY_PAGERDUTY_KEY, SECURITY_WEBHOOK_URL.", NotifyWebhooksParams, safeTool(async (args, _extra) => {
+    const { runId, gateFailed, findingCount, criticalCount } = NotifyWebhooksSchema.parse(args);
+    const notified = [];
+    const errors = [];
+    // Slack
+    const slackWebhook = process.env["SECURITY_SLACK_WEBHOOK"];
+    if (slackWebhook) {
+        try {
+            const color = gateFailed ? "#d32f2f" : "#388e3c";
+            const statusEmoji = gateFailed ? ":red_circle:" : ":large_green_circle:";
+            const body = {
+                blocks: [
+                    {
+                        type: "header",
+                        text: { type: "plain_text", text: `${statusEmoji} Security Gate ${gateFailed ? "FAILED" : "PASSED"}` }
+                    },
+                    {
+                        type: "section",
+                        fields: [
+                            { type: "mrkdwn", text: `*Run ID*: ${runId}` },
+                            { type: "mrkdwn", text: `*Total Findings*: ${findingCount}` },
+                            { type: "mrkdwn", text: `*Critical Findings*: ${criticalCount}` }
+                        ]
+                    }
+                ],
+                attachments: [{ color }]
+            };
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), 10000);
+            try {
+                const resp = await fetch(slackWebhook, {
+                    method: "POST",
+                    headers: { "Content-Type": "application/json" },
+                    body: JSON.stringify(body),
+                    signal: controller.signal
+                });
+                if (resp.ok)
+                    notified.push("slack");
+                else
+                    errors.push(`slack: HTTP ${resp.status}`);
+            }
+            finally {
+                clearTimeout(timeout);
+            }
+        }
+        catch (e) {
+            errors.push(`slack: ${e instanceof Error ? e.message : "unknown error"}`);
+        }
+    }
+    // PagerDuty
+    const pdKey = process.env["SECURITY_PAGERDUTY_KEY"];
+    if (pdKey && gateFailed && criticalCount > 0) {
+        try {
+            const body = {
+                routing_key: pdKey,
+                event_action: "trigger",
+                payload: {
+                    summary: `Security Gate FAILED — ${criticalCount} critical findings (run: ${runId})`,
+                    severity: "critical",
+                    source: "security-mcp",
+                    custom_details: { runId, findingCount, criticalCount }
+                }
+            };
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), 10000);
+            try {
+                const resp = await fetch("https://events.pagerduty.com/v2/enqueue", {
+                    method: "POST",
+                    headers: { "Content-Type": "application/json" },
+                    body: JSON.stringify(body),
+                    signal: controller.signal
+                });
+                if (resp.ok)
+                    notified.push("pagerduty");
+                else
+                    errors.push(`pagerduty: HTTP ${resp.status}`);
+            }
+            finally {
+                clearTimeout(timeout);
+            }
+        }
+        catch (e) {
+            errors.push(`pagerduty: ${e instanceof Error ? e.message : "unknown error"}`);
+        }
+    }
+    // Generic webhook
+    const genericWebhook = process.env["SECURITY_WEBHOOK_URL"];
+    if (genericWebhook) {
+        try {
+            const body = { runId, gateFailed, findingCount, criticalCount, timestamp: new Date().toISOString() };
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), 10000);
+            try {
+                const resp = await fetch(genericWebhook, {
+                    method: "POST",
+                    headers: { "Content-Type": "application/json" },
+                    body: JSON.stringify(body),
+                    signal: controller.signal
+                });
+                if (resp.ok)
+                    notified.push("webhook");
+                else
+                    errors.push(`webhook: HTTP ${resp.status}`);
+            }
+            finally {
+                clearTimeout(timeout);
+            }
+        }
+        catch (e) {
+            errors.push(`webhook: ${e instanceof Error ? e.message : "unknown error"}`);
+        }
+    }
+    // Jira
+    const jiraUrl = process.env["SECURITY_JIRA_URL"];
+    const jiraToken = process.env["SECURITY_JIRA_TOKEN"];
+    const jiraProject = process.env["SECURITY_JIRA_PROJECT"] ?? "SECURITY";
+    if (jiraUrl && jiraToken && gateFailed) {
+        try {
+            const body = {
+                fields: {
+                    project: { key: jiraProject },
+                    summary: `Security Gate FAILED - ${criticalCount} critical findings`,
+                    description: {
+                        type: "doc",
+                        version: 1,
+                        content: [{
+                                type: "paragraph",
+                                content: [{ type: "text", text: `Run ID: ${runId}. Total findings: ${findingCount}. Critical: ${criticalCount}.` }]
+                            }]
+                    },
+                    issuetype: { name: "Bug" },
+                    priority: { name: criticalCount > 0 ? "Critical" : "High" }
+                }
+            };
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), 10000);
+            try {
+                const resp = await fetch(`${jiraUrl}/rest/api/3/issue`, {
+                    method: "POST",
+                    headers: {
+                        "Content-Type": "application/json",
+                        // Never log the token — pass it only in the header
+                        "Authorization": `Bearer ${jiraToken}`
+                    },
+                    body: JSON.stringify(body),
+                    signal: controller.signal
+                });
+                if (resp.ok)
+                    notified.push("jira");
+                else
+                    errors.push(`jira: HTTP ${resp.status}`);
+            }
+            finally {
+                clearTimeout(timeout);
+            }
+        }
+        catch (e) {
+            errors.push(`jira: ${e instanceof Error ? e.message : "unknown error"}`);
+        }
+    }
+    return asTextResponse({
+        notified,
+        errors,
+        summary: notified.length > 0
+            ? `Notified: ${notified.join(", ")}`
+            : "No webhook integrations configured. Set SECURITY_SLACK_WEBHOOK, SECURITY_PAGERDUTY_KEY, SECURITY_WEBHOOK_URL, or SECURITY_JIRA_URL+SECURITY_JIRA_TOKEN."
+    });
+}));
+const REMEDIATION_MAP = {
+    "POSSIBLE_SECRET": {
+        pattern: "const API_KEY = 'sk-...'  // hardcoded secret",
+        fix: "const API_KEY = process.env['API_KEY']; // loaded from secret manager",
+        explanation: "Hardcoded secrets are exposed in source control and logs. Load secrets from environment variables backed by a secret manager (AWS Secrets Manager, HashiCorp Vault, etc.).",
+        references: ["CWE-798", "OWASP Top 10 A07:2021", "NIST 800-53 IA-5"]
+    },
+    "CRYPTO_WEAK_HASH": {
+        pattern: "crypto.createHash('md5').update(data).digest('hex')",
+        fix: "crypto.createHash('sha256').update(data).digest('hex')",
+        explanation: "MD5 and SHA-1 are cryptographically broken. Use SHA-256 or higher.",
+        references: ["NIST SP 800-131A Rev 2", "CWE-327"]
+    },
+    "CRYPTO_WEAK_CIPHER": {
+        pattern: "crypto.createCipheriv('des', key, iv)",
+        fix: "crypto.createCipheriv('aes-256-gcm', key, nonce)",
+        explanation: "DES/RC4/3DES are prohibited by NIST. Use AES-256-GCM for authenticated encryption.",
+        references: ["NIST SP 800-131A Rev 2", "CWE-327", "FIPS 140-3"]
+    },
+    "CRYPTO_INSECURE_RANDOM": {
+        pattern: "const token = Math.random().toString(36).slice(2)",
+        fix: "const token = crypto.randomBytes(32).toString('hex')",
+        explanation: "Math.random() is not cryptographically secure. Use crypto.randomBytes() for tokens, keys, and nonces.",
+        references: ["CWE-338", "OWASP ASVS 2.3.1"]
+    },
+    "CRYPTO_WEAK_JWT_ALGO": {
+        pattern: "jwt.sign(payload, secret, { algorithm: 'HS256' })",
+        fix: "jwt.sign(payload, privateKey, { algorithm: 'RS256' })",
+        explanation: "HS256 requires sharing the signing secret with every verifier. RS256/ES256 use asymmetric keys so verifiers only need the public key.",
+        references: ["RFC 7518", "OWASP JWT Security Cheat Sheet"]
+    },
+    "DB_TLS_DISABLED": {
+        pattern: "postgresql://user:pass@host/db?sslmode=disable",
+        fix: "postgresql://user:pass@host/db?sslmode=verify-full",
+        explanation: "Disabling TLS exposes credentials and data in transit. Always require and verify TLS.",
+        references: ["PCI DSS 4.0 Req 4.2", "NIST 800-53 SC-8", "CWE-319"]
+    },
+    "DB_SQL_INJECTION_RISK": {
+        pattern: "db.query('SELECT * FROM users WHERE id = ' + req.params.id)",
+        fix: "db.query('SELECT * FROM users WHERE id = $1', [req.params.id])",
+        explanation: "Never concatenate user input into SQL. Use parameterized queries or ORM query builders.",
+        references: ["OWASP Top 10 A03:2021", "CWE-89", "NIST 800-53 SI-10"]
+    },
+    "GRAPHQL_INTROSPECTION_ENABLED": {
+        pattern: "new ApolloServer({ introspection: true })",
+        fix: "new ApolloServer({ introspection: process.env.NODE_ENV !== 'production' })",
+        explanation: "GraphQL introspection exposes the full schema to attackers. Disable it in non-dev environments.",
+        references: ["OWASP API Security Top 10 API8:2023", "CWE-200"]
+    },
+    "GRAPHQL_NO_DEPTH_LIMIT": {
+        pattern: "new ApolloServer({ schema })",
+        fix: "import depthLimit from 'graphql-depth-limit';\nnew ApolloServer({ schema, validationRules: [depthLimit(10)] })",
+        explanation: "Without depth limiting, attackers can send deeply nested queries to exhaust server resources.",
+        references: ["OWASP API Security Top 10 API4:2023"]
+    },
+    "K8S_PRIVILEGED_CONTAINER": {
+        pattern: "securityContext:\n  privileged: true",
+        fix: "securityContext:\n  privileged: false\n  allowPrivilegeEscalation: false\n  runAsNonRoot: true\n  capabilities:\n    drop: [\"ALL\"]",
+        explanation: "Privileged containers have unrestricted access to the host kernel. Remove privileged mode and drop all capabilities.",
+        references: ["CIS Kubernetes Benchmark 5.2.1", "NIST 800-190"]
+    },
+    "K8S_NO_SECURITY_CONTEXT": {
+        pattern: "containers:\n  - name: app\n    image: myapp:1.0",
+        fix: "containers:\n  - name: app\n    image: myapp:1.0\n    securityContext:\n      runAsNonRoot: true\n      runAsUser: 1000\n      readOnlyRootFilesystem: true\n      allowPrivilegeEscalation: false\n      capabilities:\n        drop: [\"ALL\"]",
+        explanation: "Always set a securityContext to enforce least-privilege container execution.",
+        references: ["CIS Kubernetes Benchmark", "NIST 800-190", "OWASP Kubernetes Security Cheat Sheet"]
+    },
+    "DLP_REQUEST_BODY_LOGGED": {
+        pattern: "console.log(req.body)",
+        fix: "const { password, token, ...safeFields } = req.body;\nconsole.log({ requestId, safeFields })",
+        explanation: "Full request bodies may contain PII, passwords, or tokens. Log only allowlisted non-sensitive fields.",
+        references: ["GDPR Article 5", "HIPAA 45 CFR 164.312", "CWE-532"]
+    },
+    "DLP_STACK_TRACE_IN_RESPONSE": {
+        pattern: "res.json({ error: err.message, stack: err.stack })",
+        fix: "logger.error({ err, requestId }); // log internally\nres.json({ error: 'An internal error occurred', requestId })",
+        explanation: "Stack traces in API responses disclose internal architecture to attackers (CWE-209). Log internally, return only a safe message.",
+        references: ["CWE-209", "OWASP Top 10 A05:2021", "PCI DSS 4.0 Req 6.2.4"]
+    },
+    "API_TENANT_ID_FROM_INPUT": {
+        pattern: "const tenantId = req.query.tenantId",
+        fix: "const tenantId = req.auth.tenantId // from verified JWT claims",
+        explanation: "Tenant ID must come from the authenticated session/JWT claims. User-supplied tenant IDs allow cross-tenant data access.",
+        references: ["OWASP API Security Top 10 API1:2023", "CWE-639"]
+    },
+    "LOCKFILE_MISSING": {
+        pattern: "# No package-lock.json in repository",
+        fix: "npm install # generates package-lock.json\ngit add package-lock.json\ngit commit -m 'chore: add lockfile'",
+        explanation: "Without a lockfile, npm install resolves the latest matching version on each run, opening the door to supply chain attacks.",
+        references: ["SLSA L1", "NIST 800-218 PS-3", "CWE-829"]
+    },
+    "DEP_FLOATING_VERSION": {
+        pattern: "\"some-package\": \"^1.0.0\"",
+        fix: "\"some-package\": \"1.2.3\" // exact pin\n// or use npm shrinkwrap / lockfile",
+        explanation: "Floating version ranges allow unexpected major/minor updates that may introduce vulnerabilities or breaking changes.",
+        references: ["SLSA L1", "OWASP Top 10 A06:2021"]
+    }
+};
+const GenerateRemediationsParams = {
+    findings: z.array(z.object({
+        id: z.string(),
+        title: z.string(),
+        severity: z.string(),
+        files: z.array(z.string()).optional(),
+        evidence: z.array(z.string()).optional()
+    })).describe("Findings array from a gate run result.")
+};
+const GenerateRemediationsSchema = z.object(GenerateRemediationsParams);
+tool("security.generate_remediations", "Maps each gate finding to a specific, actionable code-level remediation template. Called automatically after every gate FAIL. Returns ready-to-apply fix templates keyed by finding ID.", GenerateRemediationsParams, safeTool(async (args, _extra) => {
+    const { findings } = GenerateRemediationsSchema.parse(args);
+    const result = {};
+    for (const finding of findings) {
+        // Try exact match first, then prefix match
+        const exactMatch = REMEDIATION_MAP[finding.id];
+        const prefixMatch = Object.keys(REMEDIATION_MAP).find((k) => finding.id.startsWith(k) || k.startsWith(finding.id));
+        result[finding.id] = {
+            finding,
+            remediation: exactMatch ?? (prefixMatch ? REMEDIATION_MAP[prefixMatch] : null)
+        };
+    }
+    const withRemediation = Object.values(result).filter((r) => r.remediation !== null).length;
+    const without = findings.length - withRemediation;
+    return asTextResponse({
+        summary: { total: findings.length, withRemediation, withoutRemediationTemplate: without },
+        remediations: result
+    });
+}));
+// ---------------------------------------------------------------------------
 // MCP Prompts capability
 // ---------------------------------------------------------------------------
-server.prompt("security-engineer", "Activate the security-mcp system prompt. Sets up the model as an elite, threat-informed security engineer applying OWASP, MITRE ATT&CK, NIST 800-53, Zero Trust, PCI DSS, SOC 2, and ISO 27001 to every code and architecture decision.", async () => ({
+server.prompt("security-engineer", "Activate the security-mcp system prompt. Operating ratio: 90% fixing, 10% advisory — writes the fix, implements the control, enforces the policy. Does NOT list vulnerabilities and walk away. Applies OWASP, MITRE ATT&CK, NIST 800-53, Zero Trust, PCI DSS, SOC 2, and ISO 27001 to every code and architecture decision.", async () => ({
     messages: [
         {
             role: "user",