terramend 0.2.0 → 0.2.1

package/src/mcp/localServer.ts

@@ -21,6 +21,7 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { FastMCP, type Tool } from "fastmcp";
 import { terramendMcpName } from "#app/external";
+import { TerraformAssessTool } from "#app/mcp/assess";
 import type { LocalToolContext } from "#app/mcp/localContext";
 import { ModuleExtractionCandidatesTool } from "#app/mcp/moduleExtraction";
 import {
@@ -34,6 +35,7 @@ import { TerraformRootsTool } from "#app/mcp/roots";
 import {
   InfracostDiffTool,
   ReadFindingsTool,
+  TerraformEmitEvidenceTool,
   TerraformEmitSarifTool,
   TerraformPlanTool,
   TerraformScanTool,
@@ -43,6 +45,7 @@ import {
 } from "#app/mcp/terraform";
 import { initToolState } from "#app/toolState";
 import { log } from "#app/utils/cli";
+import { parseToolSelection } from "#app/utils/toolSelection";
 
 export interface LocalMcpOptions {
   /** absolute workspace directory the tools operate on. */
@@ -51,6 +54,10 @@ export interface LocalMcpOptions {
   scanScope?: "full" | "diff" | undefined;
   /** newline/comma-separated approved module list (same as the action input). */
   moduleCatalogue?: string | undefined;
+  /** §1.5 — the unified tool-selection list (same syntax as the action input). */
+  toolsEnabled?: string | undefined;
+  /** §1.5 — scoped token to fetch private cross-repo `git::` modules at init. */
+  moduleFetchToken?: string | undefined;
 }
 
 /** build the cwd-scoped context the read-only tools run against. */
@@ -63,6 +70,11 @@ export function buildLocalContext(options: LocalMcpOptions): LocalToolContext {
       autonomyThreshold: undefined,
       costIncreaseBlockUsd: undefined,
       moduleCatalogue: options.moduleCatalogue,
+      toolsEnabled: parseToolSelection(options.toolsEnabled),
+      gitleaks: false,
+      terratest: false,
+      terraformMcp: false,
+      moduleFetchToken: options.moduleFetchToken,
     },
     toolState: initToolState({ progressComment: undefined }),
     tmpdir: mkdtempSync(join(tmpdir(), "terramend-mcp-")),
@@ -77,6 +89,7 @@ export function buildLocalContext(options: LocalMcpOptions): LocalToolContext {
 export function buildLocalTools(ctx: LocalToolContext): Tool<any, any>[] {
   return [
     TerraformScanTool(ctx),
+    TerraformAssessTool(ctx),
     TerraformValidateTool(ctx),
     TerraformVerifyRemediationTool(ctx),
     TerraformPlanTool(ctx),
@@ -84,6 +97,7 @@ export function buildLocalTools(ctx: LocalToolContext): Tool<any, any>[] {
     InfracostDiffTool(ctx),
     ReadFindingsTool(ctx),
     TerraformEmitSarifTool(ctx),
+    TerraformEmitEvidenceTool(ctx),
     ListModulesTool(ctx),
     TerraformModuleGraphTool(ctx),
     TerraformModuleInterfaceTool(ctx),

package/src/mcp/server.ts

@@ -5,6 +5,8 @@ import { createServer } from "node:net";
 import { setTimeout as sleep } from "node:timers/promises";
 import { FastMCP, type Tool } from "fastmcp";
 import { type AgentId, terramendMcpName } from "#app/external";
+import { TerraformAssessTool } from "#app/mcp/assess";
+import { TerraformChangeSummaryTool } from "#app/mcp/changeSummary";
 import { CheckoutPrTool } from "#app/mcp/checkout";
 import { GetCheckSuiteLogsTool } from "#app/mcp/checkSuite";
 import {
@@ -57,6 +59,7 @@ import { ClosePullRequestTool, ListRemediationPrsTool } from "#app/mcp/staleFix"
 import {
   InfracostDiffTool,
   ReadFindingsTool,
+  TerraformEmitEvidenceTool,
   TerraformEmitSarifTool,
   TerraformPlanTool,
   TerraformScanTool,
@@ -166,6 +169,7 @@ function buildCommonTools(ctx: ToolContext, outputSchema?: JsonSchema): Tool<any
     PullRequestInfoTool(ctx),
     CommitInfoTool(ctx),
     CheckoutPrTool(ctx),
+    TerraformChangeSummaryTool(ctx),
     GetReviewCommentsTool(ctx),
     ListPullRequestReviewsTool(ctx),
     ResolveReviewThreadTool(ctx),
@@ -177,6 +181,7 @@ function buildCommonTools(ctx: ToolContext, outputSchema?: JsonSchema): Tool<any
     // Terraform best-practice check tools (read-only). Always available so the
     // Remediate / GenerateTerraform modes can scan + gate without extra perms.
     TerraformScanTool(ctx),
+    TerraformAssessTool(ctx),
     TerraformValidateTool(ctx),
     TerraformVerifyRemediationTool(ctx),
     InfracostDiffTool(ctx),
@@ -192,6 +197,7 @@ function buildCommonTools(ctx: ToolContext, outputSchema?: JsonSchema): Tool<any
     TerraformRootsTool(ctx),
     ScaffoldTerratestTool(ctx),
     TerraformEmitSarifTool(ctx),
+    TerraformEmitEvidenceTool(ctx),
     PolicyCheckTool(ctx),
     ComplianceCrosswalkTool(ctx),
   ];

package/src/mcp/terraform/evidence.test.ts

@@ -0,0 +1,72 @@
+import { describe, expect, it } from "vitest";
+import { buildAssessment } from "#app/mcp/assess";
+import { buildCrosswalkReport } from "#app/mcp/crosswalk";
+import { buildEvidenceBundle, EVIDENCE_SCHEMA } from "#app/mcp/terraform/evidence";
+import type { Concern } from "#app/mcp/terraform/types";
+import { buildVerificationSummary } from "#app/mcp/terraform/verification";
+
+let n = 0;
+function concern(partial: Partial<Concern> = {}): Concern {
+  n += 1;
+  return {
+    id: partial.id ?? `id${n}`,
+    source: partial.source ?? "trivy",
+    rule_id: partial.rule_id ?? "trivy:AVD-AWS-0088",
+    severity: partial.severity ?? "high",
+    category: partial.category ?? "security",
+    evidence: partial.evidence ?? "S3 bucket is unencrypted at rest",
+    location: partial.location ?? { file: "main.tf", line: 1 },
+    remediation_hint: null,
+  };
+}
+
+function bundleFor(concerns: Concern[]) {
+  const crosswalk = buildCrosswalkReport(
+    concerns.map((c) => ({ id: c.id, rule_id: c.rule_id, evidence: c.evidence })),
+  );
+  const scorecard = buildAssessment(concerns, crosswalk, buildVerificationSummary(concerns, []));
+  return buildEvidenceBundle({
+    scorecard,
+    crosswalk,
+    subject: { scanned_dir: "/repo", repo: "acme/infra", ref: "main", commit: "abc123" },
+    generatedAt: "2026-06-13T00:00:00.000Z",
+    version: "0.2.0",
+  });
+}
+
+describe("buildEvidenceBundle", () => {
+  it("packages posture, subject, and the caller's timestamp under our own schema (not OSCAL)", () => {
+    const b = bundleFor([concern()]);
+    expect(b.schema).toBe(EVIDENCE_SCHEMA);
+    expect(b.schema).not.toMatch(/oscal/i);
+    expect(b.generated_at).toBe("2026-06-13T00:00:00.000Z");
+    expect(b.tool).toEqual({ name: "terramend", version: "0.2.0" });
+    expect(b.subject).toMatchObject({ repo: "acme/infra", ref: "main", commit: "abc123" });
+    expect(b.posture).toBe("action-required");
+  });
+
+  it("emits one control statement per mapped concern, each carrying its status + controls", () => {
+    const b = bundleFor([
+      concern({ id: "enc", rule_id: "trivy:AVD-AWS-0088", evidence: "unencrypted at rest" }),
+      concern({ id: "iam", rule_id: "checkov:CKV_AWS_1", evidence: "IAM wildcard * policy" }),
+    ]);
+    const byId = Object.fromEntries(b.control_statements.map((s) => [s.concern_id, s]));
+    expect(byId.enc?.status).toBe("fail");
+    expect(byId.iam?.status).toBe("not-code-verifiable");
+    expect(byId.enc?.controls.length).toBeGreaterThan(0);
+  });
+
+  it("never claims a pass it can't verify — carries the legend + honest disclaimer", () => {
+    const b = bundleFor([concern()]);
+    expect(Object.keys(b.legend)).toContain("not-code-verifiable");
+    expect(b.legend.inconclusive).toMatch(/not a pass/i);
+    expect(b.disclaimer).toMatch(/not an audit verdict/i);
+    expect(b.disclaimer).toMatch(/absence of a finding is not proof/i);
+  });
+
+  it("is deterministic for the same inputs (reproducible evidence)", () => {
+    const a = JSON.stringify(bundleFor([concern({ id: "x" })]));
+    const b = JSON.stringify(bundleFor([concern({ id: "x" })]));
+    expect(a).toBe(b);
+  });
+});

package/src/mcp/terraform/evidence.ts

@@ -0,0 +1,187 @@
+import { writeFileSync } from "node:fs";
+import { type } from "arktype";
+import { type AssessmentScorecard, runAssessmentPipeline } from "#app/mcp/assess";
+import type { CrosswalkReport } from "#app/mcp/crosswalk";
+import type { LocalToolContext } from "#app/mcp/localContext";
+import { resolveWithinCwd } from "#app/mcp/pathSafety";
+import { execute, tool, toolOk } from "#app/mcp/shared";
+import type { Severity } from "#app/mcp/terraform/types";
+import {
+  VERIFICATION_STATUS_LABEL,
+  type VerificationStatus,
+  type VerificationSummary,
+} from "#app/mcp/terraform/verification";
+import { log } from "#app/utils/cli";
+import packageJson from "#package.json" with { type: "json" };
+
+/**
+ * Backend-free compliance evidence bundle (the WS4a wedge — an auditor-facing
+ * artifact the OSS action can emit with **zero cloud and no backend**, committed
+ * to a `compliance/` path). It packages the read-only assessment — posture,
+ * per-control statements with their five-status verdict ([[verification]]), the
+ * crosswalk index, and the scanner coverage — into one deterministic JSON file.
+ *
+ * SCHEMA / HONESTY: this is Terramend's OWN structured schema, NOT OSCAL. A
+ * strict OSCAL (or compliance-trestle / C2P) emitter is a deliberate follow-up,
+ * gated on a buyer who actually needs OSCAL — emitting OSCAL nobody consumes is
+ * cost without value. The bundle is INDICATIVE alignment guidance, never an audit
+ * verdict, and it never claims `pass` for an unfired control (absence of a
+ * finding is not proof). Pure builder + a thin file-writing tool.
+ */
+
+export const EVIDENCE_SCHEMA = "terramend-evidence/v0.1" as const;
+export const DEFAULT_EVIDENCE_PATH = "compliance/terramend-evidence.json";
+
+export interface EvidenceControlStatement {
+  concern_id: string;
+  rule_id: string;
+  /** the five-status verdict for this statement (fail / not-code-verifiable). */
+  status: VerificationStatus;
+  severity?: string | undefined;
+  file?: string | undefined;
+  line?: number | null | undefined;
+  controls: { framework: string; control: string; title: string }[];
+}
+
+export interface EvidenceBundle {
+  /** Terramend's own schema id — explicitly NOT OSCAL (see module note). */
+  schema: typeof EVIDENCE_SCHEMA;
+  /** caller-supplied ISO timestamp (kept out of the builder so it stays pure). */
+  generated_at: string;
+  tool: { name: "terramend"; version: string };
+  subject: {
+    scanned_dir: string;
+    repo?: string | undefined;
+    ref?: string | undefined;
+    commit?: string | undefined;
+  };
+  posture: AssessmentScorecard["posture"];
+  summary: {
+    total: number;
+    by_severity: AssessmentScorecard["by_severity"];
+    verification: VerificationSummary["counts"];
+  };
+  /** one statement per mapped concern, each carrying its status + controls. */
+  control_statements: EvidenceControlStatement[];
+  /** which scanners code-verified vs which were inconclusive (coverage gaps). */
+  coverage: VerificationSummary["coverage"];
+  crosswalk: {
+    version: string;
+    reviewed: string;
+    by_framework: CrosswalkReport["by_framework"];
+  };
+  /** the five-status legend, so the bundle is self-describing for an assessor. */
+  legend: Record<VerificationStatus, string>;
+  disclaimer: string;
+}
+
+const DISCLAIMER =
+  "Indicative alignment guidance from a deterministic starter rule-pack — NOT an " +
+  "audit verdict. Statuses are code-verified only; an inconclusive check is a " +
+  "coverage gap (not a pass) and absence of a finding is not proof of compliance.";
+
+export interface EvidenceSubject {
+  scanned_dir: string;
+  repo?: string | undefined;
+  ref?: string | undefined;
+  commit?: string | undefined;
+}
+
+/**
+ * Build the evidence bundle from an assessment's scorecard + crosswalk. Pure —
+ * `generatedAt` and the subject identifiers are passed in so the same inputs
+ * always produce the same bytes (and tests don't need a clock). Control
+ * statements come from the crosswalk entries (which already carry the
+ * verification status), enriched with the concern's severity/location.
+ */
+export function buildEvidenceBundle(args: {
+  scorecard: AssessmentScorecard;
+  crosswalk: CrosswalkReport;
+  subject: EvidenceSubject;
+  generatedAt: string;
+  version?: string;
+}): EvidenceBundle {
+  const { scorecard, crosswalk, subject, generatedAt } = args;
+  const control_statements: EvidenceControlStatement[] = crosswalk.entries.map((e) => ({
+    concern_id: e.concern_id,
+    rule_id: e.rule_id,
+    status: e.status,
+    controls: e.controls,
+  }));
+  return {
+    schema: EVIDENCE_SCHEMA,
+    generated_at: generatedAt,
+    tool: { name: "terramend", version: args.version ?? packageJson.version },
+    subject,
+    posture: scorecard.posture,
+    summary: {
+      total: scorecard.total,
+      by_severity: scorecard.by_severity,
+      verification: scorecard.verification.counts,
+    },
+    control_statements,
+    coverage: scorecard.verification.coverage,
+    crosswalk: {
+      version: crosswalk.version,
+      reviewed: crosswalk.reviewed,
+      by_framework: crosswalk.by_framework,
+    },
+    legend: VERIFICATION_STATUS_LABEL,
+    disclaimer: DISCLAIMER,
+  };
+}
+
+export const TerraformEmitEvidenceParams = type({
+  "output_path?": type.string.describe(
+    "where to write the evidence bundle (default: ./compliance/terramend-evidence.json in the workspace). Commit it so the compliance/ path is the auditable evidence trail.",
+  ),
+  "severity_threshold?": type("'critical' | 'high' | 'medium' | 'low' | 'info'").describe(
+    "minimum severity to include (default: the run's configured threshold, else low).",
+  ),
+});
+
+export function TerraformEmitEvidenceTool(ctx: LocalToolContext) {
+  return tool({
+    name: "terraform_emit_evidence",
+    description:
+      "Emit a backend-free compliance EVIDENCE BUNDLE (auditor-facing JSON) for the workspace — the wedge that " +
+      "produces assessor-ready evidence with no cloud and no backend. Runs the read-only assessment and writes " +
+      "a deterministic bundle (default `compliance/terramend-evidence.json`): overall `posture`, per-control " +
+      "statements each with a five-status verdict (fail / not-code-verifiable), the scanner `coverage` " +
+      "(verified vs inconclusive), and the indicative crosswalk index. Commit the file so `compliance/` is the " +
+      "auditable trail. It NEVER modifies Terraform or opens a PR. The schema is Terramend's own (not OSCAL); " +
+      "the bundle is indicative alignment guidance, never an audit verdict, and never claims a pass it can't " +
+      "code-verify. Pairs with `terraform_assess` (the human-readable report) and `terraform_emit_sarif`.",
+    parameters: TerraformEmitEvidenceParams,
+    execute: execute(async ({ output_path, severity_threshold }) => {
+      const configured = ctx.payload.severityThreshold as Severity | undefined;
+      const threshold: Severity = severity_threshold ?? configured ?? "low";
+      const { cwd, scorecard, crosswalk } = runAssessmentPipeline(ctx, threshold);
+
+      // SECURITY: confine the agent-supplied path to the workspace (same guard as
+      // terraform_emit_sarif) so it can't clobber arbitrary files on the runner.
+      const target = resolveWithinCwd(cwd, output_path ?? DEFAULT_EVIDENCE_PATH);
+      const bundle = buildEvidenceBundle({
+        scorecard,
+        crosswalk,
+        subject: {
+          scanned_dir: cwd,
+          repo: process.env.GITHUB_REPOSITORY,
+          ref: process.env.GITHUB_REF_NAME,
+          commit: process.env.GITHUB_SHA,
+        },
+        generatedAt: new Date().toISOString(),
+      });
+      writeFileSync(target, `${JSON.stringify(bundle, null, 2)}\n`);
+      log.info(
+        `» terraform_emit_evidence: ${scorecard.posture} — ${bundle.control_statements.length} control statement(s) → ${target}`,
+      );
+      return toolOk({
+        output_path: target,
+        posture: bundle.posture,
+        statements: bundle.control_statements.length,
+        verification: bundle.summary.verification,
+      });
+    }),
+  });
+}

package/src/mcp/terraform/scanners.ts

@@ -18,6 +18,7 @@ import {
   toRepoRelative,
 } from "#app/mcp/terraform/types";
 import { log } from "#app/utils/cli";
+import { type ResolvedToolSelection, scannerToolId } from "#app/utils/toolSelection";
 
 // dirs already `terraform init`-ed this process, so repeated scans don't re-init.
 const initedDirs = new Set<string>();
@@ -30,9 +31,16 @@ const initedDirs = new Set<string>();
  * `-input=false` keeps it non-interactive. Network-dependent and best-effort: if
  * it fails (offline, private module, etc.) validate still runs, just shallow.
  */
-function ensureTerraformInit(cwd: string): void {
+function ensureTerraformInit(cwd: string, extraEnv?: Record<string, string>): void {
   if (initedDirs.has(cwd)) return;
-  const r = run("terraform", ["init", "-backend=false", "-input=false", "-no-color"], cwd);
+  // `extraEnv` carries the optional module-fetch credential (§1.5) so init can
+  // resolve a private cross-repo `git::` module; absent for the common case.
+  const r = run(
+    "terraform",
+    ["init", "-backend=false", "-input=false", "-no-color"],
+    cwd,
+    extraEnv,
+  );
   // mark done even on non-zero: a failed init won't succeed on retry within the
   // same run, and we don't want to re-run it for every scanner call.
   initedDirs.add(cwd);
@@ -93,8 +101,8 @@ const VALIDATE_NOISE = [
 ];
 
 /** run `terraform validate` in one root and return concerns re-based onto cwd. */
-function scanValidateRoot(root: ResolvedRoot): ScannerOutcome {
-  ensureTerraformInit(root.absDir);
+function scanValidateRoot(root: ResolvedRoot, extraEnv?: Record<string, string>): ScannerOutcome {
+  ensureTerraformInit(root.absDir, extraEnv);
   const r = run("terraform", ["validate", "-json"], root.absDir);
   if (r.missing) return skipped("terraform-validate", "terraform not installed");
   try {
@@ -120,14 +128,14 @@ function scanValidateRoot(root: ResolvedRoot): ScannerOutcome {
  * whole tree), so a multi-root repo only catches subdir-root validate errors
  * when we visit each root.
  */
-export function scanValidate(cwd: string): ScannerOutcome {
+export function scanValidate(cwd: string, extraEnv?: Record<string, string>): ScannerOutcome {
   const roots = resolveRoots(cwd);
   const concerns: Concern[] = [];
   let anyRan = false;
   let sawMissing = false;
   let unvalidated = 0;
   for (const root of roots) {
-    const outcome = scanValidateRoot(root);
+    const outcome = scanValidateRoot(root, extraEnv);
     unvalidated += outcome.unvalidated ?? 0;
     if (outcome.ran) {
       anyRan = true;
@@ -747,10 +755,37 @@ export function changedTerraformFiles(cwd: string): Set<string> | null {
   return new Set(files);
 }
 
+export interface RunScannersOptions {
+  /** §1.5 — the resolved tool selection. A scanner whose tool is gated/disabled
+   * is reported as a `skipped` outcome (with the licence/disable reason) instead
+   * of running, so `terraform_scan` and the ✗→✓ verifier see the SAME toolchain. */
+  selection?: ResolvedToolSelection | undefined;
+  /** §1.5 — module-fetch credential env, threaded into `terraform validate`'s
+   * init so a private cross-repo `git::` module resolves during a scan. */
+  terraformEnv?: Record<string, string> | undefined;
+}
+
 /** run every scanner once over `cwd`. shared by `terraform_scan` and the
- * deterministic remediation verifier so both see the identical toolchain. */
-export function runScanners(cwd: string): ScannerOutcome[] {
-  return [scanFmt(cwd), scanValidate(cwd), scanTflint(cwd), scanTrivy(cwd), scanCheckov(cwd)];
+ * deterministic remediation verifier so both see the identical toolchain. A
+ * scanner the selection has turned off is emitted as `skipped` (never run), so
+ * the gate applies identically to the scan and its verification re-scan. */
+export function runScanners(cwd: string, opts: RunScannersOptions = {}): ScannerOutcome[] {
+  const { selection, terraformEnv } = opts;
+  const gate = (source: Concern["source"], runner: () => ScannerOutcome): ScannerOutcome => {
+    if (!selection) return runner();
+    const id = scannerToolId(source);
+    if (id && !selection.enabled(id)) {
+      return skipped(source, selection.offReason(id) ?? "disabled by tools_enabled");
+    }
+    return runner();
+  };
+  return [
+    gate("terraform-fmt", () => scanFmt(cwd)),
+    gate("terraform-validate", () => scanValidate(cwd, terraformEnv)),
+    gate("tflint", () => scanTflint(cwd)),
+    gate("trivy", () => scanTrivy(cwd)),
+    gate("checkov", () => scanCheckov(cwd)),
+  ];
 }
 
 export interface RemediationVerdict {
@@ -807,3 +842,45 @@ export function computeRegressions(
   }
   return [...regressions].sort();
 }
+
+/**
+ * Line-INDEPENDENT ✗→✓ partition (the integrity-preserving replacement for the
+ * raw-id `computeRemediationVerdict` when scan context is available). Each
+ * requested entry carries its display `id` and its `key` (see `concernKeyOf`);
+ * a concern is `remaining` iff its KEY still appears in the re-scan, else
+ * `resolved`. Because a fix that shifts lines keeps the same (source|rule|file)
+ * key, an unfixed concern can no longer be mis-reported as resolved. Pure.
+ */
+export function partitionByKey(
+  requested: { id: string; key: string }[],
+  currentKeys: Set<string>,
+): RemediationVerdict {
+  const resolved: string[] = [];
+  const remaining: string[] = [];
+  for (const r of requested) {
+    if (currentKeys.has(r.key)) remaining.push(r.id);
+    else resolved.push(r.id);
+  }
+  return { verified: remaining.length === 0, resolved, remaining };
+}
+
+/**
+ * Line-INDEPENDENT regression set: one representative current concern id per KEY
+ * present in the re-scan but absent from the pre-fix baseline keys. A pre-existing
+ * concern that merely shifted to a new line (same key) is NOT a regression — only
+ * a genuinely new (rule, file) defect is. Replaces the raw-id `computeRegressions`
+ * for the integrity path. Pure; returns sorted ids for a stable PR body.
+ */
+export function regressionIdsByKey(
+  current: { id: string; key: string }[],
+  baselineKeys: Set<string>,
+): string[] {
+  const seen = new Set<string>();
+  const out: string[] = [];
+  for (const c of current) {
+    if (baselineKeys.has(c.key) || seen.has(c.key)) continue;
+    seen.add(c.key);
+    out.push(c.id);
+  }
+  return out.sort();
+}

package/src/mcp/terraform/tools.test.ts

@@ -23,6 +23,7 @@ vi.mock("#app/mcp/shared", async (importOriginal) => {
   };
 });
 
+import { TerraformAssessTool } from "#app/mcp/assess";
 import { _clearProviderSchemaCache } from "#app/mcp/providerSchema";
 import type { ToolContext } from "#app/mcp/server";
 import { changedTerraformFiles } from "#app/mcp/terraform/scanners";
@@ -36,6 +37,7 @@ import {
   TerraformVerifyRemediationTool,
 } from "#app/mcp/terraform/tools";
 import { concernId } from "#app/mcp/terraform/types";
+import { parseToolSelection } from "#app/utils/toolSelection";
 
 // --- fake subprocess plumbing ----------------------------------------------
 
@@ -70,7 +72,12 @@ function makeCtx(
   over: { payload?: Record<string, unknown>; toolState?: Record<string, unknown> } = {},
 ): ToolContext {
   return {
-    payload: { cwd, ...(over.payload ?? {}) },
+    // §1.5 — default these tests to the full toolchain (`tools_enabled: all`) so
+    // they exercise every scanner; the licence gate's default (non-permissive
+    // tools off) is covered explicitly in the gate tests + toolSelection.test.ts.
+    // `over.payload` can override (e.g. pass toolsEnabled: undefined to assert the
+    // bare default).
+    payload: { cwd, toolsEnabled: parseToolSelection("all"), ...(over.payload ?? {}) },
     toolState: { ...(over.toolState ?? {}) },
     tmpdir: makeDir(),
   } as unknown as ToolContext;
@@ -240,6 +247,59 @@ describe("TerraformScanTool", () => {
     );
   });
 
+  it("§1.5 licence-gates tflint off by default and reports it as a gated skip", async () => {
+    const cwd = makeDir({ "main.tf": tf });
+    dispatch = scannersDispatch();
+    // a bare run (no tools_enabled) → the default licence gate applies.
+    const ctx = makeCtx(cwd, { payload: { toolsEnabled: undefined } });
+
+    const result = await runTool(TerraformScanTool(ctx));
+
+    // tflint (MPL-2.0) is not run; the permissive scanners still are.
+    expect(result.scanners_ran).not.toContain("tflint");
+    expect(result.scanners_ran).toEqual(
+      expect.arrayContaining(["terraform-fmt", "terraform-validate", "trivy"]),
+    );
+    // it's surfaced as a licence-gated skip + in the tool_selection summary.
+    const tflintSkip = (result.scanners_skipped as Array<{ source: string; reason?: string }>).find(
+      (s) => s.source === "tflint",
+    );
+    expect(tflintSkip?.reason).toMatch(/licence-gated/i);
+    expect(result.tool_selection).toMatchObject({
+      licence_gated: expect.arrayContaining(["tflint"]),
+    });
+    // the tflint concern is absent from the baseline, so verify stays consistent.
+    expect(ctx.toolState.baselineConcernIds).toHaveLength(3);
+  });
+
+  it("§1.5 runs tflint when it is the licence-aware opt-in in tools_enabled", async () => {
+    const cwd = makeDir({ "main.tf": tf });
+    dispatch = scannersDispatch();
+    const ctx = makeCtx(cwd, { payload: { toolsEnabled: parseToolSelection("tflint") } });
+
+    const result = await runTool(TerraformScanTool(ctx));
+
+    expect(result.scanners_ran).toContain("tflint");
+    // tflint is no longer gated (it was opted in); terraform_mcp still is.
+    const gated = (result.tool_selection as { licence_gated: string[] }).licence_gated;
+    expect(gated).not.toContain("tflint");
+  });
+
+  it("§1.5 disables a permissive scanner when tools_enabled vetoes it", async () => {
+    const cwd = makeDir({ "main.tf": tf });
+    dispatch = scannersDispatch();
+    const ctx = makeCtx(cwd, { payload: { toolsEnabled: parseToolSelection("all, -trivy") } });
+
+    const result = await runTool(TerraformScanTool(ctx));
+
+    expect(result.scanners_ran).not.toContain("trivy");
+    const trivySkip = (result.scanners_skipped as Array<{ source: string; reason?: string }>).find(
+      (s) => s.source === "trivy",
+    );
+    expect(trivySkip?.reason).toMatch(/disabled via tools_enabled/);
+    expect(result.tool_selection).toMatchObject({ disabled: expect.arrayContaining(["trivy"]) });
+  });
+
   it("filters by the explicit severity_threshold but keeps the baseline unfiltered", async () => {
     const cwd = makeDir({ "main.tf": tf });
     dispatch = scannersDispatch();
@@ -345,6 +405,41 @@ describe("TerraformScanTool", () => {
   });
 });
 
+describe("TerraformAssessTool — §1.5 toolchain transparency (read-only surface)", () => {
+  const tf = 'resource "aws_s3_bucket" "b" {\n  bucket = "x"\n}\n';
+
+  it("surfaces the licence-gated tool in tool_selection on a bare (default-gate) run", async () => {
+    const cwd = makeDir({ "main.tf": tf });
+    dispatch = scannersDispatch();
+    // toolsEnabled: undefined → the default licence gate applies (tflint off).
+    const ctx = makeCtx(cwd, { payload: { toolsEnabled: undefined } });
+
+    const result = await runTool(TerraformAssessTool(ctx));
+
+    // the assessment still produced a scorecard from the permissive scanners…
+    expect(result).toMatchObject({ ok: true, scanned_dir: cwd });
+    expect(result.scanners_ran).not.toContain("tflint");
+    // …and is honest that tflint was licence-gated off, exactly like terraform_scan.
+    expect(result.tool_selection).toMatchObject({
+      licence_gated: expect.arrayContaining(["tflint"]),
+      disabled: [],
+      unknown_tokens: [],
+    });
+  });
+
+  it("surfaces a mistyped tools_enabled token instead of silently ignoring it", async () => {
+    const cwd = makeDir({ "main.tf": tf });
+    dispatch = scannersDispatch();
+    const ctx = makeCtx(cwd, { payload: { toolsEnabled: parseToolSelection("trivy, nope") } });
+
+    const result = await runTool(TerraformAssessTool(ctx));
+
+    expect((result.tool_selection as { unknown_tokens: string[] }).unknown_tokens).toEqual([
+      "nope",
+    ]);
+  });
+});
+
 describe("TerraformValidateTool", () => {
   const versionsTf = `terraform {
   required_providers {