vaspera 2.11.0 → 2.12.0

package/dist/index.js

@@ -17,6 +17,10 @@ generateSummary, filterFindings, getActionItems,
 exportToSarif, exportForGitHub, 
 // Rules
 loadCustomRules, checkFileAgainstRules, matchesToFindings, listRuleTemplates, generateSampleConfig, } from "./certification/index.js";
+// Autofix PR generation
+import { createAutofixPRs, isGhCliAvailable, isGhAuthenticated, } from "./autofix/index.js";
+// Persistence layer
+import { getProjectTrends, markFindingsFixed, getOpenFindings, } from "./persistence/index.js";
 // Deterministic scanners
 import { runAllScanners, checkScannersAvailable, scannerFindingsToCertificationFindings, generateScannerSummary, getScannerInstallCommands, 
 // Mythos-class scanners
@@ -38,6 +42,9 @@ runSingleFrameworkAssessment, runComplianceAssessment, generateComplianceSummary
 // Evidence collection and audit trail verification
 import { collectEvidence, storeEvidenceBundle, formatEvidenceBundleAsMarkdown, } from "./evidence/index.js";
 import { verifyHistoryIntegrity, formatVerificationResultAsMarkdown, } from "./history/verify.js";
+import { exportAuditTrail, } from "./history/store.js";
+// SIEM Integration
+import { createSIEMClient, getSIEMRegistry, createFindingEvent, } from "./integrations/siem/index.js";
 // SBOM, Provenance, and Sigstore Signing (uses @sigstore/sign for real signing)
 import { generateSBOM, generateSBOMSummary, generateProvenance, generateProvenanceSummary, verifyProvenance, signContent, isSigningAvailable, generateSigningSummary, detectCIEnvironment, } from "./sbom/index.js";
 // Cost tracking
@@ -1954,6 +1961,307 @@ server.registerTool("autofix_batch", {
     });
 });
 // ---------------------------------------------------------------------------
+// Tool: Create Autofix Pull Requests
+// ---------------------------------------------------------------------------
+server.registerTool("autofix_create_prs", {
+    title: "Create Autofix Pull Requests",
+    description: `Create GitHub pull requests with automated security fixes. Groups findings by severity/file/pattern and generates separate PRs for each group. Requires gh CLI to be installed and authenticated.
+
+**Prerequisites:**
+- gh CLI installed and authenticated
+- Git repository with a remote
+- Clean working tree (uncommitted changes will be stashed)
+
+**Grouping strategies:**
+- severity: One PR per severity level (critical, high, medium, low)
+- file: One PR per affected file
+- pattern: One PR per fix pattern type
+- single: One PR per individual finding`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().optional().describe("Certification ID to get findings from (if not providing findings directly)"),
+        findings: z.array(z.object({
+            id: z.string(),
+            severity: z.enum(["critical", "high", "medium", "low", "info"]),
+            category: z.string(),
+            file: z.string().optional(),
+            line: z.number().optional(),
+            description: z.string(),
+            evidence: z.string().optional(),
+            confidence: z.number().optional(),
+        })).optional().describe("Direct findings array (alternative to certification_id)"),
+        group_by: z.enum(["severity", "file", "pattern", "single"]).default("severity").describe("How to group fixes into PRs"),
+        dry_run: z.boolean().default(true).describe("Preview mode - show what PRs would be created without actually creating them"),
+        include_unsafe: z.boolean().default(false).describe("Include high-risk fixes that may require manual review"),
+        branch_prefix: z.string().default("vaspera/autofix").describe("Prefix for branch names"),
+        base_branch: z.string().optional().describe("Base branch to create PRs against (defaults to main/master)"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: true,
+        idempotentHint: false,
+        openWorldHint: true,
+    },
+}, async ({ project_path, certification_id, findings: directFindings, group_by, dry_run, include_unsafe, branch_prefix, base_branch }) => {
+    // Check prerequisites
+    if (!(await isGhCliAvailable())) {
+        return errorResponse("gh CLI is not installed. Install from: https://cli.github.com/");
+    }
+    if (!(await isGhAuthenticated())) {
+        return errorResponse("gh CLI is not authenticated. Run: gh auth login");
+    }
+    // Get findings from certification or direct input
+    let findings = [];
+    if (directFindings && directFindings.length > 0) {
+        findings = directFindings;
+    }
+    else if (certification_id) {
+        const certification = await getCertification(project_path, certification_id);
+        if (!certification) {
+            return errorResponse(`Certification ${certification_id} not found`);
+        }
+        // Collect all findings from all agents
+        for (const agentData of Object.values(certification.agents)) {
+            if (agentData) {
+                findings.push(...agentData.findings);
+            }
+        }
+    }
+    else {
+        return errorResponse("Either certification_id or findings must be provided");
+    }
+    if (findings.length === 0) {
+        return jsonResponse({
+            message: "No findings to fix",
+            totalFindings: 0,
+            prsCreated: [],
+            unfixable: [],
+            success: true,
+        });
+    }
+    // Create PRs
+    const result = await createAutofixPRs({
+        projectPath: project_path,
+        findings: findings,
+        groupBy: group_by,
+        dryRun: dry_run,
+        includeUnsafe: include_unsafe,
+        branchPrefix: branch_prefix,
+        baseBranch: base_branch || "main",
+    });
+    // Format output
+    const lines = [
+        `# Autofix PR ${dry_run ? "Preview" : "Results"}`,
+        "",
+        `**Total Findings**: ${result.totalFindings}`,
+        `**PRs ${dry_run ? "Would Create" : "Created"}**: ${result.prsCreated.length}`,
+        `**Unfixable**: ${result.unfixable.length}`,
+        "",
+    ];
+    if (result.prsCreated.length > 0) {
+        lines.push("## Pull Requests");
+        lines.push("");
+        for (const pr of result.prsCreated) {
+            const fixCount = pr.fixesApplied.length;
+            const fileList = pr.filesModified.slice(0, 3).join(", ");
+            const moreFiles = pr.filesModified.length > 3 ? ` +${pr.filesModified.length - 3} more` : "";
+            if (dry_run) {
+                lines.push(`- **${pr.branch}**: ${fixCount} fixes (${fileList}${moreFiles})`);
+            }
+            else {
+                lines.push(`- [PR #${pr.prNumber}](${pr.prUrl}): ${fixCount} fixes`);
+            }
+        }
+        lines.push("");
+    }
+    if (result.unfixable.length > 0) {
+        lines.push("## Unfixable Findings");
+        lines.push("");
+        for (const uf of result.unfixable.slice(0, 10)) {
+            lines.push(`- ${uf.findingId}: ${uf.reason}`);
+        }
+        if (result.unfixable.length > 10) {
+            lines.push(`- ... and ${result.unfixable.length - 10} more`);
+        }
+        lines.push("");
+    }
+    if (result.summary && Object.keys(result.summary.byPattern).length > 0) {
+        lines.push("## Summary by Pattern");
+        lines.push("");
+        for (const [pattern, count] of Object.entries(result.summary.byPattern)) {
+            lines.push(`- ${pattern}: ${count} fixes`);
+        }
+    }
+    return {
+        content: [
+            {
+                type: "text",
+                text: lines.join("\n"),
+            },
+        ],
+        result,
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Persistence - Get Project Trends
+// ---------------------------------------------------------------------------
+server.registerTool("persistence_get_trends", {
+    title: "Get Project Security Trends",
+    description: `Get historical security trends for a project including new/fixed findings over time, MTTR, and fix velocity. Requires SQLite persistence to be enabled.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        period: z.enum(["day", "week", "month"]).default("week").describe("Trend aggregation period"),
+        lookback_periods: z.number().default(12).describe("Number of periods to look back"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, period, lookback_periods }) => {
+    try {
+        const trends = await getProjectTrends(project_path, period, lookback_periods);
+        const lines = [
+            `# Security Trends for ${trends.project.name}`,
+            "",
+            `**Period**: ${period} (last ${lookback_periods} periods)`,
+            `**Last Scan**: ${trends.project.lastScanAt || "Never"}`,
+            "",
+            "## Current Stats",
+            "",
+            `- **Open Findings**: ${trends.stats.openFindings}`,
+            `- **Fixed Findings**: ${trends.stats.fixedFindings}`,
+            `- **False Positives**: ${trends.stats.falsePositives}`,
+            `- **Avg MTTR**: ${trends.stats.avgMttrHours ? `${trends.stats.avgMttrHours.toFixed(1)} hours` : "N/A"}`,
+            `- **Fix Velocity**: ${trends.stats.fixVelocityPerWeek ? `${trends.stats.fixVelocityPerWeek.toFixed(1)}/week` : "N/A"}`,
+            "",
+            "## By Severity",
+            "",
+        ];
+        for (const [sev, count] of Object.entries(trends.stats.bySeverity)) {
+            if (count > 0) {
+                lines.push(`- **${sev}**: ${count}`);
+            }
+        }
+        lines.push("", "## Trend Data", "");
+        lines.push("| Period | New | Fixed | Open |");
+        lines.push("|--------|-----|-------|------|");
+        for (const t of trends.trends.slice(-10)) {
+            lines.push(`| ${t.period} | ${t.newFindings} | ${t.fixedFindings} | ${t.openFindings} |`);
+        }
+        return {
+            content: [{ type: "text", text: lines.join("\n") }],
+            trends,
+        };
+    }
+    catch (error) {
+        return errorResponse(`Failed to get trends: ${error instanceof Error ? error.message : "Unknown error"}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Persistence - Get Open Findings
+// ---------------------------------------------------------------------------
+server.registerTool("persistence_get_findings", {
+    title: "Get Persisted Findings",
+    description: `Get open security findings from the persistence layer with filtering options.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        severity: z.enum(["critical", "high", "medium", "low", "info"]).optional().describe("Filter by severity"),
+        category: z.string().optional().describe("Filter by category"),
+        file: z.string().optional().describe("Filter by file path (partial match)"),
+        limit: z.number().default(50).describe("Maximum findings to return"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, severity, category, file, limit }) => {
+    try {
+        const findings = await getOpenFindings(project_path, {
+            severity: severity,
+            category,
+            file,
+            limit,
+        });
+        if (findings.length === 0) {
+            return {
+                content: [{ type: "text", text: "No open findings found matching the criteria." }],
+                findings: [],
+            };
+        }
+        const lines = [
+            `# Open Findings (${findings.length})`,
+            "",
+        ];
+        const bySeverity = {};
+        for (const f of findings) {
+            if (!bySeverity[f.severity])
+                bySeverity[f.severity] = [];
+            bySeverity[f.severity].push(f);
+        }
+        for (const sev of ["critical", "high", "medium", "low", "info"]) {
+            const sevFindings = bySeverity[sev];
+            if (!sevFindings || sevFindings.length === 0)
+                continue;
+            lines.push(`## ${sev.toUpperCase()} (${sevFindings.length})`);
+            lines.push("");
+            for (const f of sevFindings.slice(0, 10)) {
+                lines.push(`- **${f.file}:${f.line}** - ${f.description.slice(0, 80)}`);
+                lines.push(`  - Category: ${f.category}, Scanner: ${f.scannerSource}`);
+                lines.push(`  - First seen: ${f.firstSeenAt.split("T")[0]}`);
+            }
+            if (sevFindings.length > 10) {
+                lines.push(`- ... and ${sevFindings.length - 10} more ${sev} findings`);
+            }
+            lines.push("");
+        }
+        return {
+            content: [{ type: "text", text: lines.join("\n") }],
+            findings,
+        };
+    }
+    catch (error) {
+        return errorResponse(`Failed to get findings: ${error instanceof Error ? error.message : "Unknown error"}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Persistence - Mark Findings Fixed
+// ---------------------------------------------------------------------------
+server.registerTool("persistence_mark_fixed", {
+    title: "Mark Findings as Fixed",
+    description: `Mark one or more findings as fixed in the persistence layer. This updates the finding status and records fix history.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        finding_ids: z.array(z.string()).describe("Finding IDs to mark as fixed"),
+        fixed_by: z.string().optional().describe("Who fixed the findings"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, finding_ids, fixed_by }) => {
+    try {
+        const count = await markFindingsFixed(project_path, finding_ids, fixed_by);
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: `Marked ${count} finding(s) as fixed.${fixed_by ? ` Fixed by: ${fixed_by}` : ""}`,
+                },
+            ],
+            fixedCount: count,
+        };
+    }
+    catch (error) {
+        return errorResponse(`Failed to mark findings: ${error instanceof Error ? error.message : "Unknown error"}`);
+    }
+});
+// ---------------------------------------------------------------------------
 // Tool: Certification Summary
 // ---------------------------------------------------------------------------
 server.registerTool("certification_summary", {
@@ -2664,6 +2972,325 @@ server.registerTool("verify_audit_trail", {
     }
 });
 // ---------------------------------------------------------------------------
+// Tool: Audit Export
+// ---------------------------------------------------------------------------
+server.registerTool("audit_export", {
+    title: "Export Audit Trail",
+    description: `Export the tamper-evident audit trail for compliance review. Creates a portable, verifiable export suitable for external auditors and compliance teams. Supports JSON, JSONL, and CSV formats.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        format: z.enum(["json", "jsonl", "csv"]).optional().describe("Export format. Default: json"),
+        start_date: z.string().optional().describe("Start date filter (ISO 8601)"),
+        end_date: z.string().optional().describe("End date filter (ISO 8601)"),
+        types: z.array(z.enum([
+            "certification_started",
+            "certification_completed",
+            "scan_completed",
+            "finding_submitted",
+            "finding_fixed",
+            "compliance_report",
+            "model_run",
+        ])).optional().describe("Entry types to include. Default: all"),
+        include_integrity: z.boolean().optional().describe("Include integrity proofs. Default: true"),
+        output_path: z.string().optional().describe("Output file path. If omitted, returns content directly"),
+        output_format: z.enum(["markdown", "json"]).optional().describe("Response format. Default: json"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, format, start_date, end_date, types, include_integrity, output_path, output_format }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const result = await exportAuditTrail(validatedPath, {
+            format: format,
+            startDate: start_date,
+            endDate: end_date,
+            types: types,
+            includeIntegrity: include_integrity !== false,
+            outputPath: output_path,
+        });
+        if (output_format === "markdown") {
+            const lines = [
+                "# Audit Trail Export",
+                "",
+                `**Project**: ${result.projectPath}`,
+                `**Exported At**: ${result.exportedAt}`,
+                `**Entry Count**: ${result.entryCount}`,
+                "",
+                "## Date Range",
+                "",
+                `| Field | Value |`,
+                `|-------|-------|`,
+                `| Start | ${result.dateRange.start} |`,
+                `| End | ${result.dateRange.end} |`,
+                "",
+                "## Chain Integrity",
+                "",
+                `| Field | Value |`,
+                `|-------|-------|`,
+                `| Genesis Hash | \`${result.chainIntegrity.genesisHash?.slice(0, 16) || "N/A"}...\` |`,
+                `| Head Hash | \`${result.chainIntegrity.headHash?.slice(0, 16) || "N/A"}...\` |`,
+                `| Entries with Integrity | ${result.chainIntegrity.entriesWithIntegrity} |`,
+            ];
+            if (result.outputPath) {
+                lines.push("", `**Output File**: ${result.outputPath}`);
+            }
+            return textResponse(lines.join("\n"));
+        }
+        return jsonResponse({
+            exportedAt: result.exportedAt,
+            projectPath: result.projectPath,
+            entryCount: result.entryCount,
+            dateRange: result.dateRange,
+            chainIntegrity: result.chainIntegrity,
+            outputPath: result.outputPath,
+            content: result.content,
+        });
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(error.message);
+        }
+        return errorResponse(`Audit export failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: SIEM Configure
+// ---------------------------------------------------------------------------
+server.registerTool("siem_configure", {
+    title: "Configure SIEM Connection",
+    description: `Configure a connection to a SIEM platform (Splunk, Microsoft Sentinel, or Datadog). The connection is stored in memory for the session and can be used to export findings and events.`,
+    inputSchema: {
+        name: z.string().describe("Unique name for this SIEM connection"),
+        provider: z.enum(["splunk", "sentinel", "datadog"]).describe("SIEM provider type"),
+        endpoint: z.string().optional().describe("SIEM endpoint URL (required for Splunk)"),
+        token: z.string().describe("Authentication token/API key"),
+        workspace_id: z.string().optional().describe("Log Analytics workspace ID (Sentinel only)"),
+        index: z.string().optional().describe("Splunk index name"),
+        source_type: z.string().optional().describe("Splunk source type"),
+        site: z.string().optional().describe("Datadog site (e.g., datadoghq.com, datadoghq.eu)"),
+        service: z.string().optional().describe("Service name for tagging"),
+        env: z.string().optional().describe("Environment tag"),
+        tags: z.array(z.string()).optional().describe("Additional tags (Datadog)"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: true,
+    },
+}, async ({ name, provider, endpoint, token, workspace_id, index, source_type, site, service, env, tags }) => {
+    try {
+        const registry = getSIEMRegistry();
+        let client;
+        switch (provider) {
+            case "splunk":
+                if (!endpoint) {
+                    return errorResponse("Splunk requires an endpoint URL");
+                }
+                client = createSIEMClient({
+                    provider: "splunk",
+                    enabled: true,
+                    endpoint,
+                    token,
+                    options: { index, sourceType: source_type, source: service },
+                });
+                break;
+            case "sentinel":
+                if (!workspace_id) {
+                    return errorResponse("Sentinel requires a workspace_id");
+                }
+                client = createSIEMClient({
+                    provider: "sentinel",
+                    enabled: true,
+                    endpoint: `https://${workspace_id}.ods.opinsights.azure.com`,
+                    token,
+                    options: { workspaceId: workspace_id },
+                });
+                break;
+            case "datadog":
+                client = createSIEMClient({
+                    provider: "datadog",
+                    enabled: true,
+                    endpoint: "",
+                    token,
+                    options: { site, service, env, tags },
+                });
+                break;
+        }
+        registry.register(name, client);
+        return jsonResponse({
+            success: true,
+            name,
+            provider,
+            message: `SIEM connection '${name}' configured successfully`,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Failed to configure SIEM: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: SIEM Test
+// ---------------------------------------------------------------------------
+server.registerTool("siem_test", {
+    title: "Test SIEM Connection",
+    description: `Test connectivity to a configured SIEM platform. Sends a test event and reports latency and status.`,
+    inputSchema: {
+        name: z.string().describe("Name of the configured SIEM connection"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: true,
+    },
+}, async ({ name }) => {
+    try {
+        const registry = getSIEMRegistry();
+        const client = registry.get(name);
+        if (!client) {
+            return errorResponse(`SIEM connection '${name}' not found. Use siem_configure first.`);
+        }
+        const result = await client.testConnection();
+        if (result.success) {
+            return jsonResponse({
+                success: true,
+                provider: result.provider,
+                endpoint: result.endpoint,
+                latencyMs: result.latencyMs,
+                message: `Connection to ${result.provider} successful`,
+                details: result.details,
+            });
+        }
+        return errorResponse(`Connection test failed: ${result.error}`);
+    }
+    catch (error) {
+        return errorResponse(`Failed to test SIEM: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: SIEM Export Findings
+// ---------------------------------------------------------------------------
+server.registerTool("siem_export_findings", {
+    title: "Export Findings to SIEM",
+    description: `Export security findings to a configured SIEM platform. Sends finding events for SOC visibility and incident response integration.`,
+    inputSchema: {
+        name: z.string().describe("Name of the configured SIEM connection"),
+        project_path: z.string().describe("Absolute path to the project"),
+        certification_id: z.string().optional().describe("Certification ID to filter findings"),
+        severity: z.array(z.enum(["critical", "high", "medium", "low", "info"])).optional().describe("Filter by severity"),
+        event_type: z.enum(["finding.new", "finding.fixed", "scan.completed", "certification.completed"]).optional().describe("Event type to generate"),
+        dry_run: z.boolean().optional().describe("Preview events without sending. Default: false"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: true,
+    },
+}, async ({ name, project_path, certification_id, severity, event_type, dry_run }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const registry = getSIEMRegistry();
+        const client = registry.get(name);
+        if (!client) {
+            return errorResponse(`SIEM connection '${name}' not found. Use siem_configure first.`);
+        }
+        // Get findings from certification
+        if (!certification_id) {
+            return errorResponse("certification_id is required to export findings");
+        }
+        const certification = await getCertification(validatedPath, certification_id);
+        if (!certification) {
+            return errorResponse("No certification data found. Run certification_scan first.");
+        }
+        // Extract findings from all agents
+        let allFindings = [];
+        for (const agentFindings of Object.values(certification.agents)) {
+            if (agentFindings?.findings) {
+                allFindings.push(...agentFindings.findings);
+            }
+        }
+        // Filter by severity if provided
+        if (severity && severity.length > 0) {
+            allFindings = allFindings.filter((f) => severity.includes(f.severity));
+        }
+        // Generate events
+        const events = allFindings.map((finding) => createFindingEvent(validatedPath, event_type || "finding.new", {
+            findingId: finding.id,
+            severity: finding.severity,
+            category: finding.category,
+            file: finding.file,
+            line: finding.line,
+            scanner: finding.scannerSource,
+            ruleId: finding.ruleId,
+            cweIds: finding.cweIds,
+            description: finding.description,
+        }, certification_id));
+        if (dry_run) {
+            return jsonResponse({
+                dryRun: true,
+                eventCount: events.length,
+                events: events.slice(0, 10),
+                message: `Would send ${events.length} events to ${client.provider}`,
+            });
+        }
+        // Send events
+        const result = await client.sendEvents(events);
+        return jsonResponse({
+            success: result.success,
+            provider: client.provider,
+            totalEvents: result.totalEvents,
+            successCount: result.successCount,
+            failureCount: result.failureCount,
+            errors: result.errors,
+        });
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(error.message);
+        }
+        return errorResponse(`Failed to export findings: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: SIEM List
+// ---------------------------------------------------------------------------
+server.registerTool("siem_list", {
+    title: "List SIEM Connections",
+    description: `List all configured SIEM connections in the current session.`,
+    inputSchema: {},
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async () => {
+    try {
+        const registry = getSIEMRegistry();
+        const connections = registry.list();
+        if (connections.length === 0) {
+            return textResponse("No SIEM connections configured. Use siem_configure to add one.");
+        }
+        const lines = [
+            "# Configured SIEM Connections",
+            "",
+            "| Name | Provider |",
+            "|------|----------|",
+            ...connections.map((c) => `| ${c.name} | ${c.provider} |`),
+        ];
+        return textResponse(lines.join("\n"));
+    }
+    catch (error) {
+        return errorResponse(`Failed to list SIEM connections: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
 // Tool: Collect Evidence Bundle
 // ---------------------------------------------------------------------------
 server.registerTool("collect_evidence_bundle", {