vaspera 2.11.0 → 2.13.0

package/dist/index.js

@@ -17,6 +17,10 @@ generateSummary, filterFindings, getActionItems,
 exportToSarif, exportForGitHub, 
 // Rules
 loadCustomRules, checkFileAgainstRules, matchesToFindings, listRuleTemplates, generateSampleConfig, } from "./certification/index.js";
+// Autofix PR generation
+import { createAutofixPRs, isGhCliAvailable, isGhAuthenticated, } from "./autofix/index.js";
+// Persistence layer
+import { getProjectTrends, markFindingsFixed, getOpenFindings, } from "./persistence/index.js";
 // Deterministic scanners
 import { runAllScanners, checkScannersAvailable, scannerFindingsToCertificationFindings, generateScannerSummary, getScannerInstallCommands, 
 // Mythos-class scanners
@@ -38,6 +42,9 @@ runSingleFrameworkAssessment, runComplianceAssessment, generateComplianceSummary
 // Evidence collection and audit trail verification
 import { collectEvidence, storeEvidenceBundle, formatEvidenceBundleAsMarkdown, } from "./evidence/index.js";
 import { verifyHistoryIntegrity, formatVerificationResultAsMarkdown, } from "./history/verify.js";
+import { exportAuditTrail, } from "./history/store.js";
+// SIEM Integration
+import { createSIEMClient, getSIEMRegistry, createFindingEvent, } from "./integrations/siem/index.js";
 // SBOM, Provenance, and Sigstore Signing (uses @sigstore/sign for real signing)
 import { generateSBOM, generateSBOMSummary, generateProvenance, generateProvenanceSummary, verifyProvenance, signContent, isSigningAvailable, generateSigningSummary, detectCIEnvironment, } from "./sbom/index.js";
 // Cost tracking
@@ -49,6 +56,8 @@ import { validateProjectPath, PathValidationError } from "./util/paths.js";
 // Telemetry and scan registry
 import { trackCertificationStarted, trackCertificationCompleted, trackScannerRun, } from "./telemetry/usage.js";
 import { getRegistry } from "./telemetry/registry.js";
+// False positive feedback
+import { submitFeedback, generateFeedbackReport, getSuppressionSuggestions, FP_REASON_DESCRIPTIONS, } from "./scanners/fp-feedback.js";
 // ---------------------------------------------------------------------------
 // Config
 // ---------------------------------------------------------------------------
@@ -864,6 +873,64 @@ server.registerTool("certification_scan", {
     };
 });
 // ---------------------------------------------------------------------------
+// Tool: Diff-Aware Scanning (CI Integration)
+// ---------------------------------------------------------------------------
+server.registerTool("certification_scan_diff", {
+    title: "Diff-Aware Certification Scan",
+    description: `Scan only changed files for faster CI/PR workflows.
+
+Uses \`git diff\` to detect files changed since a base commit (e.g., origin/main).
+Reduces scan time by 50-90% in typical PR scenarios.
+
+**Security-critical files** (auth, middleware, API routes) are always included
+regardless of changes when \`always_scan_security\` is true.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        base_sha: z.string().optional().describe("Base SHA for comparison (default: origin/main)"),
+        head_sha: z.string().optional().describe("Head SHA to compare (default: HEAD)"),
+        always_scan_security: z.boolean().optional().default(true).describe("Always include security-critical files"),
+        exclude: z.array(z.string()).optional().describe("Regex patterns to exclude from scanning"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, base_sha, head_sha, always_scan_security, exclude }) => {
+    const { configureIncrementalScan } = await import("./action/diff-mode.js");
+    const result = await configureIncrementalScan({
+        projectPath: project_path,
+        baseSha: base_sha,
+        headSha: head_sha,
+        alwaysScanSecurityFiles: always_scan_security,
+        exclude,
+    });
+    const fileList = result.filesToScan.map((f) => f.path);
+    const securityFiles = fileList.filter((f) => f.includes("auth") ||
+        f.includes("security") ||
+        f.includes("middleware") ||
+        f.includes("api/"));
+    return jsonResponse({
+        isIncremental: result.isIncremental,
+        filesToScan: fileList,
+        fileCount: fileList.length,
+        securityFileCount: securityFiles.length,
+        removedFiles: result.removedFiles,
+        estimatedSavings: `${result.estimatedSavingsPercent}%`,
+        diff: {
+            baseSha: result.diff.baseSha,
+            headSha: result.diff.headSha,
+            additions: result.diff.additions,
+            deletions: result.diff.deletions,
+            changedFilesTotal: result.diff.changedFiles.length,
+        },
+        note: result.isIncremental
+            ? `Scanning ${fileList.length} changed files (${result.estimatedSavingsPercent}% reduction)`
+            : "Full scan recommended (diff detection failed or no changes)",
+    });
+});
+// ---------------------------------------------------------------------------
 // Tool: Check Scanner Availability
 // ---------------------------------------------------------------------------
 server.registerTool("certification_scanners_available", {
@@ -1782,11 +1849,17 @@ server.registerTool("certification_dashboard", {
 // ---------------------------------------------------------------------------
 server.registerTool("autofix_preview", {
     title: "Preview Auto-Fix for Finding",
-    description: `Preview an automatic fix for a certification finding without applying it. Returns the before/after diff.`,
+    description: `Preview an automatic fix without applying it. Can be used two ways:
+1. With certification_id + finding_id to preview a fix from a certification scan
+2. Standalone with file + pattern_id to preview a fix without running a full scan first`,
     inputSchema: {
         project_path: z.string().describe("Absolute path to the project root"),
-        certification_id: z.string().describe("Certification ID"),
-        finding_id: z.string().describe("Finding ID to preview fix for"),
+        certification_id: z.string().optional().describe("Certification ID (optional if using standalone mode)"),
+        finding_id: z.string().optional().describe("Finding ID to preview fix for (required with certification_id)"),
+        file: z.string().optional().describe("File path relative to project root (standalone mode)"),
+        line: z.number().optional().describe("Line number where the issue is located (standalone mode)"),
+        pattern_id: z.string().optional().describe("Pattern ID to apply (e.g., 'perf-async-foreach', 'sec-hardcoded-secret'). Use autofix_list_patterns to see available patterns."),
+        category: z.string().optional().describe("Finding category (alternative to pattern_id, e.g., 'async-foreach', 'hardcoded')"),
     },
     annotations: {
         readOnlyHint: true,
@@ -1794,24 +1867,51 @@ server.registerTool("autofix_preview", {
         idempotentHint: true,
         openWorldHint: false,
     },
-}, async ({ project_path, certification_id, finding_id }) => {
-    const certification = await getCertification(project_path, certification_id);
-    if (!certification) {
-        return errorResponse(`Certification ${certification_id} not found`);
-    }
-    // Find the finding
+}, async ({ project_path, certification_id, finding_id, file, line, pattern_id, category }) => {
     let finding = null;
-    for (const agentData of Object.values(certification.agents)) {
-        if (agentData) {
-            finding = agentData.findings.find((f) => f.id === finding_id);
-            if (finding)
-                break;
+    if (certification_id && finding_id) {
+        const certification = await getCertification(project_path, certification_id);
+        if (!certification) {
+            return errorResponse(`Certification ${certification_id} not found`);
+        }
+        for (const agentData of Object.values(certification.agents)) {
+            if (agentData) {
+                finding = agentData.findings.find((f) => f.id === finding_id) || null;
+                if (finding)
+                    break;
+            }
+        }
+        if (!finding) {
+            return errorResponse(`Finding ${finding_id} not found`);
         }
     }
-    if (!finding) {
-        return errorResponse(`Finding ${finding_id} not found`);
+    else if (file) {
+        if (!pattern_id && !category) {
+            return errorResponse("Standalone mode requires either pattern_id or category. Use autofix_list_patterns to see available patterns.");
+        }
+        finding = {
+            id: pattern_id || `standalone-${category || "unknown"}`,
+            severity: "medium",
+            category: category || pattern_id || "unknown",
+            file,
+            line: line || 1,
+            description: "Standalone autofix preview",
+            evidence: "",
+            confidence: 100,
+            verifications: [],
+            created_at: new Date().toISOString(),
+        };
+    }
+    else {
+        return errorResponse("Provide either (certification_id + finding_id) or (file + pattern_id/category) for standalone mode.");
     }
     const preview = await previewFix(project_path, finding);
+    if (!preview.canAutoFix && !certification_id) {
+        return jsonResponse({
+            ...preview,
+            hint: "No matching pattern found. Use autofix_list_patterns to see available fix patterns and their IDs.",
+        });
+    }
     return jsonResponse({ ...preview });
 });
 // ---------------------------------------------------------------------------
@@ -1954,6 +2054,307 @@ server.registerTool("autofix_batch", {
     });
 });
 // ---------------------------------------------------------------------------
+// Tool: Create Autofix Pull Requests
+// ---------------------------------------------------------------------------
+server.registerTool("autofix_create_prs", {
+    title: "Create Autofix Pull Requests",
+    description: `Create GitHub pull requests with automated security fixes. Groups findings by severity/file/pattern and generates separate PRs for each group. Requires gh CLI to be installed and authenticated.
+
+**Prerequisites:**
+- gh CLI installed and authenticated
+- Git repository with a remote
+- Clean working tree (uncommitted changes will be stashed)
+
+**Grouping strategies:**
+- severity: One PR per severity level (critical, high, medium, low)
+- file: One PR per affected file
+- pattern: One PR per fix pattern type
+- single: One PR per individual finding`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().optional().describe("Certification ID to get findings from (if not providing findings directly)"),
+        findings: z.array(z.object({
+            id: z.string(),
+            severity: z.enum(["critical", "high", "medium", "low", "info"]),
+            category: z.string(),
+            file: z.string().optional(),
+            line: z.number().optional(),
+            description: z.string(),
+            evidence: z.string().optional(),
+            confidence: z.number().optional(),
+        })).optional().describe("Direct findings array (alternative to certification_id)"),
+        group_by: z.enum(["severity", "file", "pattern", "single"]).default("severity").describe("How to group fixes into PRs"),
+        dry_run: z.boolean().default(true).describe("Preview mode - show what PRs would be created without actually creating them"),
+        include_unsafe: z.boolean().default(false).describe("Include high-risk fixes that may require manual review"),
+        branch_prefix: z.string().default("vaspera/autofix").describe("Prefix for branch names"),
+        base_branch: z.string().optional().describe("Base branch to create PRs against (defaults to main/master)"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: true,
+        idempotentHint: false,
+        openWorldHint: true,
+    },
+}, async ({ project_path, certification_id, findings: directFindings, group_by, dry_run, include_unsafe, branch_prefix, base_branch }) => {
+    // Check prerequisites
+    if (!(await isGhCliAvailable())) {
+        return errorResponse("gh CLI is not installed. Install from: https://cli.github.com/");
+    }
+    if (!(await isGhAuthenticated())) {
+        return errorResponse("gh CLI is not authenticated. Run: gh auth login");
+    }
+    // Get findings from certification or direct input
+    let findings = [];
+    if (directFindings && directFindings.length > 0) {
+        findings = directFindings;
+    }
+    else if (certification_id) {
+        const certification = await getCertification(project_path, certification_id);
+        if (!certification) {
+            return errorResponse(`Certification ${certification_id} not found`);
+        }
+        // Collect all findings from all agents
+        for (const agentData of Object.values(certification.agents)) {
+            if (agentData) {
+                findings.push(...agentData.findings);
+            }
+        }
+    }
+    else {
+        return errorResponse("Either certification_id or findings must be provided");
+    }
+    if (findings.length === 0) {
+        return jsonResponse({
+            message: "No findings to fix",
+            totalFindings: 0,
+            prsCreated: [],
+            unfixable: [],
+            success: true,
+        });
+    }
+    // Create PRs
+    const result = await createAutofixPRs({
+        projectPath: project_path,
+        findings: findings,
+        groupBy: group_by,
+        dryRun: dry_run,
+        includeUnsafe: include_unsafe,
+        branchPrefix: branch_prefix,
+        baseBranch: base_branch || "main",
+    });
+    // Format output
+    const lines = [
+        `# Autofix PR ${dry_run ? "Preview" : "Results"}`,
+        "",
+        `**Total Findings**: ${result.totalFindings}`,
+        `**PRs ${dry_run ? "Would Create" : "Created"}**: ${result.prsCreated.length}`,
+        `**Unfixable**: ${result.unfixable.length}`,
+        "",
+    ];
+    if (result.prsCreated.length > 0) {
+        lines.push("## Pull Requests");
+        lines.push("");
+        for (const pr of result.prsCreated) {
+            const fixCount = pr.fixesApplied.length;
+            const fileList = pr.filesModified.slice(0, 3).join(", ");
+            const moreFiles = pr.filesModified.length > 3 ? ` +${pr.filesModified.length - 3} more` : "";
+            if (dry_run) {
+                lines.push(`- **${pr.branch}**: ${fixCount} fixes (${fileList}${moreFiles})`);
+            }
+            else {
+                lines.push(`- [PR #${pr.prNumber}](${pr.prUrl}): ${fixCount} fixes`);
+            }
+        }
+        lines.push("");
+    }
+    if (result.unfixable.length > 0) {
+        lines.push("## Unfixable Findings");
+        lines.push("");
+        for (const uf of result.unfixable.slice(0, 10)) {
+            lines.push(`- ${uf.findingId}: ${uf.reason}`);
+        }
+        if (result.unfixable.length > 10) {
+            lines.push(`- ... and ${result.unfixable.length - 10} more`);
+        }
+        lines.push("");
+    }
+    if (result.summary && Object.keys(result.summary.byPattern).length > 0) {
+        lines.push("## Summary by Pattern");
+        lines.push("");
+        for (const [pattern, count] of Object.entries(result.summary.byPattern)) {
+            lines.push(`- ${pattern}: ${count} fixes`);
+        }
+    }
+    return {
+        content: [
+            {
+                type: "text",
+                text: lines.join("\n"),
+            },
+        ],
+        result,
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Persistence - Get Project Trends
+// ---------------------------------------------------------------------------
+server.registerTool("persistence_get_trends", {
+    title: "Get Project Security Trends",
+    description: `Get historical security trends for a project including new/fixed findings over time, MTTR, and fix velocity. Requires SQLite persistence to be enabled.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        period: z.enum(["day", "week", "month"]).default("week").describe("Trend aggregation period"),
+        lookback_periods: z.number().default(12).describe("Number of periods to look back"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, period, lookback_periods }) => {
+    try {
+        const trends = await getProjectTrends(project_path, period, lookback_periods);
+        const lines = [
+            `# Security Trends for ${trends.project.name}`,
+            "",
+            `**Period**: ${period} (last ${lookback_periods} periods)`,
+            `**Last Scan**: ${trends.project.lastScanAt || "Never"}`,
+            "",
+            "## Current Stats",
+            "",
+            `- **Open Findings**: ${trends.stats.openFindings}`,
+            `- **Fixed Findings**: ${trends.stats.fixedFindings}`,
+            `- **False Positives**: ${trends.stats.falsePositives}`,
+            `- **Avg MTTR**: ${trends.stats.avgMttrHours ? `${trends.stats.avgMttrHours.toFixed(1)} hours` : "N/A"}`,
+            `- **Fix Velocity**: ${trends.stats.fixVelocityPerWeek ? `${trends.stats.fixVelocityPerWeek.toFixed(1)}/week` : "N/A"}`,
+            "",
+            "## By Severity",
+            "",
+        ];
+        for (const [sev, count] of Object.entries(trends.stats.bySeverity)) {
+            if (count > 0) {
+                lines.push(`- **${sev}**: ${count}`);
+            }
+        }
+        lines.push("", "## Trend Data", "");
+        lines.push("| Period | New | Fixed | Open |");
+        lines.push("|--------|-----|-------|------|");
+        for (const t of trends.trends.slice(-10)) {
+            lines.push(`| ${t.period} | ${t.newFindings} | ${t.fixedFindings} | ${t.openFindings} |`);
+        }
+        return {
+            content: [{ type: "text", text: lines.join("\n") }],
+            trends,
+        };
+    }
+    catch (error) {
+        return errorResponse(`Failed to get trends: ${error instanceof Error ? error.message : "Unknown error"}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Persistence - Get Open Findings
+// ---------------------------------------------------------------------------
+server.registerTool("persistence_get_findings", {
+    title: "Get Persisted Findings",
+    description: `Get open security findings from the persistence layer with filtering options.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        severity: z.enum(["critical", "high", "medium", "low", "info"]).optional().describe("Filter by severity"),
+        category: z.string().optional().describe("Filter by category"),
+        file: z.string().optional().describe("Filter by file path (partial match)"),
+        limit: z.number().default(50).describe("Maximum findings to return"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, severity, category, file, limit }) => {
+    try {
+        const findings = await getOpenFindings(project_path, {
+            severity: severity,
+            category,
+            file,
+            limit,
+        });
+        if (findings.length === 0) {
+            return {
+                content: [{ type: "text", text: "No open findings found matching the criteria." }],
+                findings: [],
+            };
+        }
+        const lines = [
+            `# Open Findings (${findings.length})`,
+            "",
+        ];
+        const bySeverity = {};
+        for (const f of findings) {
+            if (!bySeverity[f.severity])
+                bySeverity[f.severity] = [];
+            bySeverity[f.severity].push(f);
+        }
+        for (const sev of ["critical", "high", "medium", "low", "info"]) {
+            const sevFindings = bySeverity[sev];
+            if (!sevFindings || sevFindings.length === 0)
+                continue;
+            lines.push(`## ${sev.toUpperCase()} (${sevFindings.length})`);
+            lines.push("");
+            for (const f of sevFindings.slice(0, 10)) {
+                lines.push(`- **${f.file}:${f.line}** - ${f.description.slice(0, 80)}`);
+                lines.push(`  - Category: ${f.category}, Scanner: ${f.scannerSource}`);
+                lines.push(`  - First seen: ${f.firstSeenAt.split("T")[0]}`);
+            }
+            if (sevFindings.length > 10) {
+                lines.push(`- ... and ${sevFindings.length - 10} more ${sev} findings`);
+            }
+            lines.push("");
+        }
+        return {
+            content: [{ type: "text", text: lines.join("\n") }],
+            findings,
+        };
+    }
+    catch (error) {
+        return errorResponse(`Failed to get findings: ${error instanceof Error ? error.message : "Unknown error"}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Persistence - Mark Findings Fixed
+// ---------------------------------------------------------------------------
+server.registerTool("persistence_mark_fixed", {
+    title: "Mark Findings as Fixed",
+    description: `Mark one or more findings as fixed in the persistence layer. This updates the finding status and records fix history.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        finding_ids: z.array(z.string()).describe("Finding IDs to mark as fixed"),
+        fixed_by: z.string().optional().describe("Who fixed the findings"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, finding_ids, fixed_by }) => {
+    try {
+        const count = await markFindingsFixed(project_path, finding_ids, fixed_by);
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: `Marked ${count} finding(s) as fixed.${fixed_by ? ` Fixed by: ${fixed_by}` : ""}`,
+                },
+            ],
+            fixedCount: count,
+        };
+    }
+    catch (error) {
+        return errorResponse(`Failed to mark findings: ${error instanceof Error ? error.message : "Unknown error"}`);
+    }
+});
+// ---------------------------------------------------------------------------
 // Tool: Certification Summary
 // ---------------------------------------------------------------------------
 server.registerTool("certification_summary", {
@@ -2664,6 +3065,325 @@ server.registerTool("verify_audit_trail", {
     }
 });
 // ---------------------------------------------------------------------------
+// Tool: Audit Export
+// ---------------------------------------------------------------------------
+server.registerTool("audit_export", {
+    title: "Export Audit Trail",
+    description: `Export the tamper-evident audit trail for compliance review. Creates a portable, verifiable export suitable for external auditors and compliance teams. Supports JSON, JSONL, and CSV formats.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        format: z.enum(["json", "jsonl", "csv"]).optional().describe("Export format. Default: json"),
+        start_date: z.string().optional().describe("Start date filter (ISO 8601)"),
+        end_date: z.string().optional().describe("End date filter (ISO 8601)"),
+        types: z.array(z.enum([
+            "certification_started",
+            "certification_completed",
+            "scan_completed",
+            "finding_submitted",
+            "finding_fixed",
+            "compliance_report",
+            "model_run",
+        ])).optional().describe("Entry types to include. Default: all"),
+        include_integrity: z.boolean().optional().describe("Include integrity proofs. Default: true"),
+        output_path: z.string().optional().describe("Output file path. If omitted, returns content directly"),
+        output_format: z.enum(["markdown", "json"]).optional().describe("Response format. Default: json"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, format, start_date, end_date, types, include_integrity, output_path, output_format }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const result = await exportAuditTrail(validatedPath, {
+            format: format,
+            startDate: start_date,
+            endDate: end_date,
+            types: types,
+            includeIntegrity: include_integrity !== false,
+            outputPath: output_path,
+        });
+        if (output_format === "markdown") {
+            const lines = [
+                "# Audit Trail Export",
+                "",
+                `**Project**: ${result.projectPath}`,
+                `**Exported At**: ${result.exportedAt}`,
+                `**Entry Count**: ${result.entryCount}`,
+                "",
+                "## Date Range",
+                "",
+                `| Field | Value |`,
+                `|-------|-------|`,
+                `| Start | ${result.dateRange.start} |`,
+                `| End | ${result.dateRange.end} |`,
+                "",
+                "## Chain Integrity",
+                "",
+                `| Field | Value |`,
+                `|-------|-------|`,
+                `| Genesis Hash | \`${result.chainIntegrity.genesisHash?.slice(0, 16) || "N/A"}...\` |`,
+                `| Head Hash | \`${result.chainIntegrity.headHash?.slice(0, 16) || "N/A"}...\` |`,
+                `| Entries with Integrity | ${result.chainIntegrity.entriesWithIntegrity} |`,
+            ];
+            if (result.outputPath) {
+                lines.push("", `**Output File**: ${result.outputPath}`);
+            }
+            return textResponse(lines.join("\n"));
+        }
+        return jsonResponse({
+            exportedAt: result.exportedAt,
+            projectPath: result.projectPath,
+            entryCount: result.entryCount,
+            dateRange: result.dateRange,
+            chainIntegrity: result.chainIntegrity,
+            outputPath: result.outputPath,
+            content: result.content,
+        });
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(error.message);
+        }
+        return errorResponse(`Audit export failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: SIEM Configure
+// ---------------------------------------------------------------------------
+server.registerTool("siem_configure", {
+    title: "Configure SIEM Connection",
+    description: `Configure a connection to a SIEM platform (Splunk, Microsoft Sentinel, or Datadog). The connection is stored in memory for the session and can be used to export findings and events.`,
+    inputSchema: {
+        name: z.string().describe("Unique name for this SIEM connection"),
+        provider: z.enum(["splunk", "sentinel", "datadog"]).describe("SIEM provider type"),
+        endpoint: z.string().optional().describe("SIEM endpoint URL (required for Splunk)"),
+        token: z.string().describe("Authentication token/API key"),
+        workspace_id: z.string().optional().describe("Log Analytics workspace ID (Sentinel only)"),
+        index: z.string().optional().describe("Splunk index name"),
+        source_type: z.string().optional().describe("Splunk source type"),
+        site: z.string().optional().describe("Datadog site (e.g., datadoghq.com, datadoghq.eu)"),
+        service: z.string().optional().describe("Service name for tagging"),
+        env: z.string().optional().describe("Environment tag"),
+        tags: z.array(z.string()).optional().describe("Additional tags (Datadog)"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: true,
+    },
+}, async ({ name, provider, endpoint, token, workspace_id, index, source_type, site, service, env, tags }) => {
+    try {
+        const registry = getSIEMRegistry();
+        let client;
+        switch (provider) {
+            case "splunk":
+                if (!endpoint) {
+                    return errorResponse("Splunk requires an endpoint URL");
+                }
+                client = createSIEMClient({
+                    provider: "splunk",
+                    enabled: true,
+                    endpoint,
+                    token,
+                    options: { index, sourceType: source_type, source: service },
+                });
+                break;
+            case "sentinel":
+                if (!workspace_id) {
+                    return errorResponse("Sentinel requires a workspace_id");
+                }
+                client = createSIEMClient({
+                    provider: "sentinel",
+                    enabled: true,
+                    endpoint: `https://${workspace_id}.ods.opinsights.azure.com`,
+                    token,
+                    options: { workspaceId: workspace_id },
+                });
+                break;
+            case "datadog":
+                client = createSIEMClient({
+                    provider: "datadog",
+                    enabled: true,
+                    endpoint: "",
+                    token,
+                    options: { site, service, env, tags },
+                });
+                break;
+        }
+        registry.register(name, client);
+        return jsonResponse({
+            success: true,
+            name,
+            provider,
+            message: `SIEM connection '${name}' configured successfully`,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Failed to configure SIEM: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: SIEM Test
+// ---------------------------------------------------------------------------
+server.registerTool("siem_test", {
+    title: "Test SIEM Connection",
+    description: `Test connectivity to a configured SIEM platform. Sends a test event and reports latency and status.`,
+    inputSchema: {
+        name: z.string().describe("Name of the configured SIEM connection"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: true,
+    },
+}, async ({ name }) => {
+    try {
+        const registry = getSIEMRegistry();
+        const client = registry.get(name);
+        if (!client) {
+            return errorResponse(`SIEM connection '${name}' not found. Use siem_configure first.`);
+        }
+        const result = await client.testConnection();
+        if (result.success) {
+            return jsonResponse({
+                success: true,
+                provider: result.provider,
+                endpoint: result.endpoint,
+                latencyMs: result.latencyMs,
+                message: `Connection to ${result.provider} successful`,
+                details: result.details,
+            });
+        }
+        return errorResponse(`Connection test failed: ${result.error}`);
+    }
+    catch (error) {
+        return errorResponse(`Failed to test SIEM: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: SIEM Export Findings
+// ---------------------------------------------------------------------------
+server.registerTool("siem_export_findings", {
+    title: "Export Findings to SIEM",
+    description: `Export security findings to a configured SIEM platform. Sends finding events for SOC visibility and incident response integration.`,
+    inputSchema: {
+        name: z.string().describe("Name of the configured SIEM connection"),
+        project_path: z.string().describe("Absolute path to the project"),
+        certification_id: z.string().optional().describe("Certification ID to filter findings"),
+        severity: z.array(z.enum(["critical", "high", "medium", "low", "info"])).optional().describe("Filter by severity"),
+        event_type: z.enum(["finding.new", "finding.fixed", "scan.completed", "certification.completed"]).optional().describe("Event type to generate"),
+        dry_run: z.boolean().optional().describe("Preview events without sending. Default: false"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: true,
+    },
+}, async ({ name, project_path, certification_id, severity, event_type, dry_run }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const registry = getSIEMRegistry();
+        const client = registry.get(name);
+        if (!client) {
+            return errorResponse(`SIEM connection '${name}' not found. Use siem_configure first.`);
+        }
+        // Get findings from certification
+        if (!certification_id) {
+            return errorResponse("certification_id is required to export findings");
+        }
+        const certification = await getCertification(validatedPath, certification_id);
+        if (!certification) {
+            return errorResponse("No certification data found. Run certification_scan first.");
+        }
+        // Extract findings from all agents
+        let allFindings = [];
+        for (const agentFindings of Object.values(certification.agents)) {
+            if (agentFindings?.findings) {
+                allFindings.push(...agentFindings.findings);
+            }
+        }
+        // Filter by severity if provided
+        if (severity && severity.length > 0) {
+            allFindings = allFindings.filter((f) => severity.includes(f.severity));
+        }
+        // Generate events
+        const events = allFindings.map((finding) => createFindingEvent(validatedPath, event_type || "finding.new", {
+            findingId: finding.id,
+            severity: finding.severity,
+            category: finding.category,
+            file: finding.file,
+            line: finding.line,
+            scanner: finding.scannerSource,
+            ruleId: finding.ruleId,
+            cweIds: finding.cweIds,
+            description: finding.description,
+        }, certification_id));
+        if (dry_run) {
+            return jsonResponse({
+                dryRun: true,
+                eventCount: events.length,
+                events: events.slice(0, 10),
+                message: `Would send ${events.length} events to ${client.provider}`,
+            });
+        }
+        // Send events
+        const result = await client.sendEvents(events);
+        return jsonResponse({
+            success: result.success,
+            provider: client.provider,
+            totalEvents: result.totalEvents,
+            successCount: result.successCount,
+            failureCount: result.failureCount,
+            errors: result.errors,
+        });
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(error.message);
+        }
+        return errorResponse(`Failed to export findings: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: SIEM List
+// ---------------------------------------------------------------------------
+server.registerTool("siem_list", {
+    title: "List SIEM Connections",
+    description: `List all configured SIEM connections in the current session.`,
+    inputSchema: {},
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async () => {
+    try {
+        const registry = getSIEMRegistry();
+        const connections = registry.list();
+        if (connections.length === 0) {
+            return textResponse("No SIEM connections configured. Use siem_configure to add one.");
+        }
+        const lines = [
+            "# Configured SIEM Connections",
+            "",
+            "| Name | Provider |",
+            "|------|----------|",
+            ...connections.map((c) => `| ${c.name} | ${c.provider} |`),
+        ];
+        return textResponse(lines.join("\n"));
+    }
+    catch (error) {
+        return errorResponse(`Failed to list SIEM connections: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
 // Tool: Collect Evidence Bundle
 // ---------------------------------------------------------------------------
 server.registerTool("collect_evidence_bundle", {
@@ -5467,6 +6187,193 @@ server.registerTool("ai_code_hallucinations", {
     }
 });
 // ---------------------------------------------------------------------------
+// False Positive Feedback Tools
+// ---------------------------------------------------------------------------
+server.registerTool("feedback_submit", {
+    description: "Submit feedback marking a finding as true positive (TP) or false positive (FP). Helps improve scanner accuracy over time.",
+    inputSchema: {
+        project_path: z.string().describe("Path to the project"),
+        scanner: z.enum([
+            "semgrep", "npm-audit", "gitleaks", "tsc", "eslint",
+            "bandit", "gosec", "brakeman", "trivy", "binary-analysis",
+            "memory-safety", "race-condition", "healthcare", "logic",
+            "dast", "zap", "nuclei", "terraform", "tfsec", "checkov",
+            "openapi", "spectral", "rust", "cargo-audit", "clippy",
+            "detection", "plugin"
+        ]).describe("Scanner that generated the finding"),
+        rule_id: z.string().describe("Rule ID (e.g., 'semgrep:owasp.sql-injection')"),
+        file: z.string().describe("File path where the finding was reported"),
+        line: z.number().optional().describe("Line number of the finding"),
+        verdict: z.enum(["tp", "fp"]).describe("Your verdict: 'tp' for true positive, 'fp' for false positive"),
+        reason: z.enum([
+            "test-code", "false-pattern-match", "sanitized-elsewhere",
+            "intentional", "vendor-code", "generated-code",
+            "example-code", "configuration", "other"
+        ]).optional().describe("Reason for marking as FP (required if verdict is 'fp')"),
+        details: z.string().optional().describe("Additional context or notes"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, scanner, rule_id, file, line, verdict, reason, details }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const finding = {
+            scanner: scanner,
+            ruleId: rule_id,
+            file,
+            line: line ?? 0,
+            message: "",
+            severity: "medium",
+            confidence: 100,
+        };
+        const entry = await submitFeedback(validatedPath, finding, verdict, {
+            reason: reason,
+            details,
+        });
+        return jsonResponse({
+            success: true,
+            feedbackId: entry.id,
+            scanner: entry.scanner,
+            ruleId: entry.ruleId,
+            file: entry.file,
+            verdict: entry.verdict,
+            reason: entry.reason,
+            submittedAt: entry.submittedAt,
+            message: verdict === "fp"
+                ? `Marked as false positive. Reason: ${FP_REASON_DESCRIPTIONS[reason] || reason}`
+                : "Marked as true positive. This helps confirm the finding is valid.",
+        });
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(`Path validation failed: ${error.message}`);
+        }
+        return errorResponse(error instanceof Error ? error.message : String(error));
+    }
+});
+server.registerTool("feedback_report", {
+    description: "Generate a report of all feedback submitted for a project, including FP rates by scanner and top FP reasons.",
+    inputSchema: {
+        project_path: z.string().describe("Path to the project"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const report = await generateFeedbackReport(validatedPath);
+        return jsonResponse({
+            overview: {
+                totalFeedback: report.overview.totalFeedback,
+                truePositives: report.overview.tpCount,
+                falsePositives: report.overview.fpCount,
+                overallFPRate: `${(report.overview.overallFPRate * 100).toFixed(1)}%`,
+            },
+            byScanner: report.byScanner.map((s) => ({
+                scanner: s.scanner,
+                total: s.total,
+                tp: s.tp,
+                fp: s.fp,
+                fpRate: `${(s.fpRate * 100).toFixed(1)}%`,
+            })),
+            topFPReasons: report.topFPReasons.map((r) => ({
+                reason: r.reason,
+                description: FP_REASON_DESCRIPTIONS[r.reason],
+                count: r.count,
+                percentage: `${r.percentage.toFixed(1)}%`,
+            })),
+            recentFeedback: report.recentFeedback.slice(0, 5).map((f) => ({
+                scanner: f.scanner,
+                ruleId: f.ruleId,
+                file: f.file,
+                verdict: f.verdict,
+                reason: f.reason,
+                submittedAt: f.submittedAt,
+            })),
+            suppressionSuggestions: report.suppressionSuggestions.length,
+            message: report.overview.totalFeedback === 0
+                ? "No feedback submitted yet. Use feedback_submit to mark findings as TP or FP."
+                : `Analyzed ${report.overview.totalFeedback} feedback entries. FP rate: ${(report.overview.overallFPRate * 100).toFixed(1)}%`,
+        });
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(`Path validation failed: ${error.message}`);
+        }
+        return errorResponse(error instanceof Error ? error.message : String(error));
+    }
+});
+server.registerTool("feedback_suppressions", {
+    description: "Get suggestions for rules to disable based on accumulated false positive feedback. Rules with >50% FP rate (min 5 samples) are flagged.",
+    inputSchema: {
+        project_path: z.string().describe("Path to the project"),
+        min_fp_rate: z.number().min(0).max(1).optional().default(0.5).describe("Minimum FP rate to suggest suppression (0.0-1.0, default: 0.5)"),
+        min_sample_size: z.number().min(1).optional().default(5).describe("Minimum number of feedback entries required (default: 5)"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, min_fp_rate, min_sample_size }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const suggestions = await getSuppressionSuggestions(validatedPath, {
+            minFPRate: min_fp_rate,
+            minSampleSize: min_sample_size,
+        });
+        if (suggestions.length === 0) {
+            return jsonResponse({
+                suggestions: [],
+                message: "No rules meet the criteria for suppression. Either not enough feedback or FP rates are acceptable.",
+                criteria: {
+                    minFPRate: `${(min_fp_rate ?? 0.5) * 100}%`,
+                    minSampleSize: min_sample_size ?? 5,
+                },
+            });
+        }
+        return jsonResponse({
+            suggestions: suggestions.map((s) => ({
+                scanner: s.scanner,
+                ruleId: s.ruleId,
+                fpRate: `${(s.fpRate * 100).toFixed(1)}%`,
+                sampleSize: s.sampleSize,
+                recommendation: s.suggestion,
+                recommendationText: s.suggestion === "disable"
+                    ? "High FP rate (≥80%) - consider disabling this rule"
+                    : s.suggestion === "review"
+                        ? "Moderate FP rate (≥50%) - review rule configuration"
+                        : "FP rate acceptable - keep rule enabled",
+                commonReasons: s.commonReasons.map((r) => ({
+                    reason: r,
+                    description: FP_REASON_DESCRIPTIONS[r],
+                })),
+            })),
+            summary: {
+                totalSuggestions: suggestions.length,
+                disableRecommendations: suggestions.filter((s) => s.suggestion === "disable").length,
+                reviewRecommendations: suggestions.filter((s) => s.suggestion === "review").length,
+            },
+            message: `Found ${suggestions.length} rule(s) with high false positive rates based on your feedback.`,
+        });
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(`Path validation failed: ${error.message}`);
+        }
+        return errorResponse(error instanceof Error ? error.message : String(error));
+    }
+});
+// ---------------------------------------------------------------------------
 // Exports (for HTTP server and client integration)
 // ---------------------------------------------------------------------------
 export { server, textResponse, jsonResponse, errorResponse };