vaspera 2.12.0 → 2.14.0

package/dist/index.js

@@ -56,6 +56,8 @@ import { validateProjectPath, PathValidationError } from "./util/paths.js";
 // Telemetry and scan registry
 import { trackCertificationStarted, trackCertificationCompleted, trackScannerRun, } from "./telemetry/usage.js";
 import { getRegistry } from "./telemetry/registry.js";
+// False positive feedback
+import { submitFeedback, generateFeedbackReport, getSuppressionSuggestions, FP_REASON_DESCRIPTIONS, } from "./scanners/fp-feedback.js";
 // ---------------------------------------------------------------------------
 // Config
 // ---------------------------------------------------------------------------
@@ -871,6 +873,64 @@ server.registerTool("certification_scan", {
     };
 });
 // ---------------------------------------------------------------------------
+// Tool: Diff-Aware Scanning (CI Integration)
+// ---------------------------------------------------------------------------
+server.registerTool("certification_scan_diff", {
+    title: "Diff-Aware Certification Scan",
+    description: `Scan only changed files for faster CI/PR workflows.
+
+Uses \`git diff\` to detect files changed since a base commit (e.g., origin/main).
+Reduces scan time by 50-90% in typical PR scenarios.
+
+**Security-critical files** (auth, middleware, API routes) are always included
+regardless of changes when \`always_scan_security\` is true.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        base_sha: z.string().optional().describe("Base SHA for comparison (default: origin/main)"),
+        head_sha: z.string().optional().describe("Head SHA to compare (default: HEAD)"),
+        always_scan_security: z.boolean().optional().default(true).describe("Always include security-critical files"),
+        exclude: z.array(z.string()).optional().describe("Regex patterns to exclude from scanning"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, base_sha, head_sha, always_scan_security, exclude }) => {
+    const { configureIncrementalScan } = await import("./action/diff-mode.js");
+    const result = await configureIncrementalScan({
+        projectPath: project_path,
+        baseSha: base_sha,
+        headSha: head_sha,
+        alwaysScanSecurityFiles: always_scan_security,
+        exclude,
+    });
+    const fileList = result.filesToScan.map((f) => f.path);
+    const securityFiles = fileList.filter((f) => f.includes("auth") ||
+        f.includes("security") ||
+        f.includes("middleware") ||
+        f.includes("api/"));
+    return jsonResponse({
+        isIncremental: result.isIncremental,
+        filesToScan: fileList,
+        fileCount: fileList.length,
+        securityFileCount: securityFiles.length,
+        removedFiles: result.removedFiles,
+        estimatedSavings: `${result.estimatedSavingsPercent}%`,
+        diff: {
+            baseSha: result.diff.baseSha,
+            headSha: result.diff.headSha,
+            additions: result.diff.additions,
+            deletions: result.diff.deletions,
+            changedFilesTotal: result.diff.changedFiles.length,
+        },
+        note: result.isIncremental
+            ? `Scanning ${fileList.length} changed files (${result.estimatedSavingsPercent}% reduction)`
+            : "Full scan recommended (diff detection failed or no changes)",
+    });
+});
+// ---------------------------------------------------------------------------
 // Tool: Check Scanner Availability
 // ---------------------------------------------------------------------------
 server.registerTool("certification_scanners_available", {
@@ -1527,6 +1587,170 @@ server.registerTool("redteam_challenge", {
     };
 });
 // ---------------------------------------------------------------------------
+// Tool: Antagonist Synthesize
+// ---------------------------------------------------------------------------
+server.registerTool("antagonist_synthesize", {
+    title: "Synthesize Attack Narratives",
+    description: `Run antagonist analysis after all agents complete. Synthesizes findings into attack narratives and challenges assumptions. Two modes: "synthesis" (attack narratives), "challenger" (internal critic), or "both".`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        mode: z.enum(["synthesis", "challenger", "both"]).optional().default("both").describe("Analysis mode"),
+        include_prioritization: z.boolean().optional().default(true).describe("Include remediation prioritization"),
+        use_llm: z.boolean().optional().default(true).describe("Use LLM for enhanced analysis"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, mode = "both", include_prioritization = true, use_llm = true }) => {
+    const { runAntagonistAnalysis } = await import("./agents/antagonist/index.js");
+    const { analyzeExploitChains } = await import("./agents/exploit-chain.js");
+    const certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        return errorResponse(`Certification ${certification_id} not found`);
+    }
+    const ready = await allAgentsCompleted(project_path, certification_id);
+    if (!ready) {
+        return errorResponse("Not all agents have completed. Run antagonist after all agents finish.");
+    }
+    const allFindings = [];
+    const agentSummaries = {};
+    for (const [agentName, agentData] of Object.entries(certification.agents)) {
+        if (agentData) {
+            allFindings.push(...agentData.findings);
+            agentSummaries[agentName] = {
+                completed: agentData.status === "completed",
+                findingCount: agentData.findings.length,
+            };
+        }
+    }
+    const chainResult = await analyzeExploitChains(allFindings);
+    const result = await runAntagonistAnalysis({
+        projectPath: project_path,
+        certificationId: certification_id,
+        findings: allFindings,
+        exploitChains: chainResult.chains,
+        exfilPaths: [],
+        agentSummaries: agentSummaries,
+    }, {
+        mode,
+        includePrioritization: include_prioritization,
+        useLlm: use_llm,
+    });
+    return jsonResponse({
+        success: result.success,
+        analysisId: result.analysisId,
+        narrativesFound: result.attackNarratives.length,
+        challengesFound: result.challengerAssessments.length,
+        coverageScore: result.gapAnalysis.coverageScore,
+        summary: result.summary,
+        attackNarratives: result.attackNarratives.slice(0, 5).map((n) => ({
+            name: n.name,
+            likelihood: n.likelihood,
+            difficulty: n.difficulty,
+            impact: n.impact,
+            findingCount: n.findingIds.length,
+            narrative: n.narrative.slice(0, 300),
+        })),
+        challenges: result.challengerAssessments.slice(0, 5).map((c) => ({
+            type: c.type,
+            targetAgent: c.targetAgent,
+            challenge: c.challenge,
+            severity: c.severity,
+        })),
+        prioritization: result.prioritization.slice(0, 5).map((p) => ({
+            order: p.order,
+            findingId: p.findingId,
+            reason: p.reason,
+            effort: p.effort,
+            impact: p.impact,
+        })),
+        gapAnalysis: {
+            coverageScore: result.gapAnalysis.coverageScore,
+            untestedVectors: result.gapAnalysis.untestedAttackVectors.slice(0, 5),
+            recommendations: result.gapAnalysis.recommendations.slice(0, 3),
+        },
+        duration: result.duration,
+        tokensUsed: result.tokensUsed,
+    });
+});
+// ---------------------------------------------------------------------------
+// Tool: Antagonist Challenge
+// ---------------------------------------------------------------------------
+server.registerTool("antagonist_challenge", {
+    title: "Challenge Finding",
+    description: `Challenge a specific finding from another agent. Used to flag potential false positives, missing context, or wrong severity.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        target_finding_id: z.string().describe("Finding ID to challenge"),
+        challenge_type: z.enum(["false_positive", "missing_context", "wrong_severity", "wrong_assumption"]).describe("Type of challenge"),
+        evidence: z.string().describe("Evidence supporting the challenge"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, target_finding_id, challenge_type, evidence }) => {
+    const certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        return errorResponse(`Certification ${certification_id} not found`);
+    }
+    let targetFinding = null;
+    let targetAgent = null;
+    for (const [agentName, agentData] of Object.entries(certification.agents)) {
+        if (agentData) {
+            const found = agentData.findings.find((f) => f.id === target_finding_id);
+            if (found) {
+                targetFinding = found;
+                targetAgent = agentName;
+                break;
+            }
+        }
+    }
+    if (!targetFinding || !targetAgent) {
+        return errorResponse(`Finding ${target_finding_id} not found`);
+    }
+    const challengeTypeMap = {
+        false_positive: "false_positive_likely",
+        missing_context: "insufficient_evidence",
+        wrong_severity: "wrong_severity",
+        wrong_assumption: "wrong_assumption",
+    };
+    const assessment = {
+        id: `chal-manual-${Date.now().toString(36)}`,
+        type: challengeTypeMap[challenge_type] || challenge_type,
+        targetAgent,
+        targetFindingId: target_finding_id,
+        challenge: `Manual challenge: ${challenge_type}`,
+        evidence,
+        suggestedAction: challenge_type === "false_positive"
+            ? "Review and potentially dismiss this finding"
+            : challenge_type === "wrong_severity"
+                ? "Re-evaluate severity level"
+                : "Provide additional context or evidence",
+        severity: targetFinding.severity,
+        confidence: 90,
+    };
+    await addCrossVerification(project_path, certification_id, {
+        finding_id: target_finding_id,
+        verifying_agent: "antagonist",
+        verdict: "disputed",
+        evidence: `[${challenge_type}] ${evidence}`,
+    });
+    return jsonResponse({
+        success: true,
+        challenge: assessment,
+        findingDisputed: target_finding_id,
+        message: `Finding ${target_finding_id} has been challenged and marked as disputed.`,
+    });
+});
+// ---------------------------------------------------------------------------
 // Tool: Calculate Consensus
 // ---------------------------------------------------------------------------
 server.registerTool("certification_consensus", {
@@ -1789,11 +2013,17 @@ server.registerTool("certification_dashboard", {
 // ---------------------------------------------------------------------------
 server.registerTool("autofix_preview", {
     title: "Preview Auto-Fix for Finding",
-    description: `Preview an automatic fix for a certification finding without applying it. Returns the before/after diff.`,
+    description: `Preview an automatic fix without applying it. Can be used two ways:
+1. With certification_id + finding_id to preview a fix from a certification scan
+2. Standalone with file + pattern_id to preview a fix without running a full scan first`,
     inputSchema: {
         project_path: z.string().describe("Absolute path to the project root"),
-        certification_id: z.string().describe("Certification ID"),
-        finding_id: z.string().describe("Finding ID to preview fix for"),
+        certification_id: z.string().optional().describe("Certification ID (optional if using standalone mode)"),
+        finding_id: z.string().optional().describe("Finding ID to preview fix for (required with certification_id)"),
+        file: z.string().optional().describe("File path relative to project root (standalone mode)"),
+        line: z.number().optional().describe("Line number where the issue is located (standalone mode)"),
+        pattern_id: z.string().optional().describe("Pattern ID to apply (e.g., 'perf-async-foreach', 'sec-hardcoded-secret'). Use autofix_list_patterns to see available patterns."),
+        category: z.string().optional().describe("Finding category (alternative to pattern_id, e.g., 'async-foreach', 'hardcoded')"),
     },
     annotations: {
         readOnlyHint: true,
@@ -1801,24 +2031,51 @@ server.registerTool("autofix_preview", {
         idempotentHint: true,
         openWorldHint: false,
     },
-}, async ({ project_path, certification_id, finding_id }) => {
-    const certification = await getCertification(project_path, certification_id);
-    if (!certification) {
-        return errorResponse(`Certification ${certification_id} not found`);
-    }
-    // Find the finding
+}, async ({ project_path, certification_id, finding_id, file, line, pattern_id, category }) => {
     let finding = null;
-    for (const agentData of Object.values(certification.agents)) {
-        if (agentData) {
-            finding = agentData.findings.find((f) => f.id === finding_id);
-            if (finding)
-                break;
+    if (certification_id && finding_id) {
+        const certification = await getCertification(project_path, certification_id);
+        if (!certification) {
+            return errorResponse(`Certification ${certification_id} not found`);
+        }
+        for (const agentData of Object.values(certification.agents)) {
+            if (agentData) {
+                finding = agentData.findings.find((f) => f.id === finding_id) || null;
+                if (finding)
+                    break;
+            }
+        }
+        if (!finding) {
+            return errorResponse(`Finding ${finding_id} not found`);
         }
     }
-    if (!finding) {
-        return errorResponse(`Finding ${finding_id} not found`);
+    else if (file) {
+        if (!pattern_id && !category) {
+            return errorResponse("Standalone mode requires either pattern_id or category. Use autofix_list_patterns to see available patterns.");
+        }
+        finding = {
+            id: pattern_id || `standalone-${category || "unknown"}`,
+            severity: "medium",
+            category: category || pattern_id || "unknown",
+            file,
+            line: line || 1,
+            description: "Standalone autofix preview",
+            evidence: "",
+            confidence: 100,
+            verifications: [],
+            created_at: new Date().toISOString(),
+        };
+    }
+    else {
+        return errorResponse("Provide either (certification_id + finding_id) or (file + pattern_id/category) for standalone mode.");
     }
     const preview = await previewFix(project_path, finding);
+    if (!preview.canAutoFix && !certification_id) {
+        return jsonResponse({
+            ...preview,
+            hint: "No matching pattern found. Use autofix_list_patterns to see available fix patterns and their IDs.",
+        });
+    }
     return jsonResponse({ ...preview });
 });
 // ---------------------------------------------------------------------------
@@ -6094,6 +6351,193 @@ server.registerTool("ai_code_hallucinations", {
     }
 });
 // ---------------------------------------------------------------------------
+// False Positive Feedback Tools
+// ---------------------------------------------------------------------------
+server.registerTool("feedback_submit", {
+    description: "Submit feedback marking a finding as true positive (TP) or false positive (FP). Helps improve scanner accuracy over time.",
+    inputSchema: {
+        project_path: z.string().describe("Path to the project"),
+        scanner: z.enum([
+            "semgrep", "npm-audit", "gitleaks", "tsc", "eslint",
+            "bandit", "gosec", "brakeman", "trivy", "binary-analysis",
+            "memory-safety", "race-condition", "healthcare", "logic",
+            "dast", "zap", "nuclei", "terraform", "tfsec", "checkov",
+            "openapi", "spectral", "rust", "cargo-audit", "clippy",
+            "detection", "plugin"
+        ]).describe("Scanner that generated the finding"),
+        rule_id: z.string().describe("Rule ID (e.g., 'semgrep:owasp.sql-injection')"),
+        file: z.string().describe("File path where the finding was reported"),
+        line: z.number().optional().describe("Line number of the finding"),
+        verdict: z.enum(["tp", "fp"]).describe("Your verdict: 'tp' for true positive, 'fp' for false positive"),
+        reason: z.enum([
+            "test-code", "false-pattern-match", "sanitized-elsewhere",
+            "intentional", "vendor-code", "generated-code",
+            "example-code", "configuration", "other"
+        ]).optional().describe("Reason for marking as FP (required if verdict is 'fp')"),
+        details: z.string().optional().describe("Additional context or notes"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, scanner, rule_id, file, line, verdict, reason, details }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const finding = {
+            scanner: scanner,
+            ruleId: rule_id,
+            file,
+            line: line ?? 0,
+            message: "",
+            severity: "medium",
+            confidence: 100,
+        };
+        const entry = await submitFeedback(validatedPath, finding, verdict, {
+            reason: reason,
+            details,
+        });
+        return jsonResponse({
+            success: true,
+            feedbackId: entry.id,
+            scanner: entry.scanner,
+            ruleId: entry.ruleId,
+            file: entry.file,
+            verdict: entry.verdict,
+            reason: entry.reason,
+            submittedAt: entry.submittedAt,
+            message: verdict === "fp"
+                ? `Marked as false positive. Reason: ${FP_REASON_DESCRIPTIONS[reason] || reason}`
+                : "Marked as true positive. This helps confirm the finding is valid.",
+        });
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(`Path validation failed: ${error.message}`);
+        }
+        return errorResponse(error instanceof Error ? error.message : String(error));
+    }
+});
+server.registerTool("feedback_report", {
+    description: "Generate a report of all feedback submitted for a project, including FP rates by scanner and top FP reasons.",
+    inputSchema: {
+        project_path: z.string().describe("Path to the project"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const report = await generateFeedbackReport(validatedPath);
+        return jsonResponse({
+            overview: {
+                totalFeedback: report.overview.totalFeedback,
+                truePositives: report.overview.tpCount,
+                falsePositives: report.overview.fpCount,
+                overallFPRate: `${(report.overview.overallFPRate * 100).toFixed(1)}%`,
+            },
+            byScanner: report.byScanner.map((s) => ({
+                scanner: s.scanner,
+                total: s.total,
+                tp: s.tp,
+                fp: s.fp,
+                fpRate: `${(s.fpRate * 100).toFixed(1)}%`,
+            })),
+            topFPReasons: report.topFPReasons.map((r) => ({
+                reason: r.reason,
+                description: FP_REASON_DESCRIPTIONS[r.reason],
+                count: r.count,
+                percentage: `${r.percentage.toFixed(1)}%`,
+            })),
+            recentFeedback: report.recentFeedback.slice(0, 5).map((f) => ({
+                scanner: f.scanner,
+                ruleId: f.ruleId,
+                file: f.file,
+                verdict: f.verdict,
+                reason: f.reason,
+                submittedAt: f.submittedAt,
+            })),
+            suppressionSuggestions: report.suppressionSuggestions.length,
+            message: report.overview.totalFeedback === 0
+                ? "No feedback submitted yet. Use feedback_submit to mark findings as TP or FP."
+                : `Analyzed ${report.overview.totalFeedback} feedback entries. FP rate: ${(report.overview.overallFPRate * 100).toFixed(1)}%`,
+        });
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(`Path validation failed: ${error.message}`);
+        }
+        return errorResponse(error instanceof Error ? error.message : String(error));
+    }
+});
+server.registerTool("feedback_suppressions", {
+    description: "Get suggestions for rules to disable based on accumulated false positive feedback. Rules with >50% FP rate (min 5 samples) are flagged.",
+    inputSchema: {
+        project_path: z.string().describe("Path to the project"),
+        min_fp_rate: z.number().min(0).max(1).optional().default(0.5).describe("Minimum FP rate to suggest suppression (0.0-1.0, default: 0.5)"),
+        min_sample_size: z.number().min(1).optional().default(5).describe("Minimum number of feedback entries required (default: 5)"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, min_fp_rate, min_sample_size }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const suggestions = await getSuppressionSuggestions(validatedPath, {
+            minFPRate: min_fp_rate,
+            minSampleSize: min_sample_size,
+        });
+        if (suggestions.length === 0) {
+            return jsonResponse({
+                suggestions: [],
+                message: "No rules meet the criteria for suppression. Either not enough feedback or FP rates are acceptable.",
+                criteria: {
+                    minFPRate: `${(min_fp_rate ?? 0.5) * 100}%`,
+                    minSampleSize: min_sample_size ?? 5,
+                },
+            });
+        }
+        return jsonResponse({
+            suggestions: suggestions.map((s) => ({
+                scanner: s.scanner,
+                ruleId: s.ruleId,
+                fpRate: `${(s.fpRate * 100).toFixed(1)}%`,
+                sampleSize: s.sampleSize,
+                recommendation: s.suggestion,
+                recommendationText: s.suggestion === "disable"
+                    ? "High FP rate (≥80%) - consider disabling this rule"
+                    : s.suggestion === "review"
+                        ? "Moderate FP rate (≥50%) - review rule configuration"
+                        : "FP rate acceptable - keep rule enabled",
+                commonReasons: s.commonReasons.map((r) => ({
+                    reason: r,
+                    description: FP_REASON_DESCRIPTIONS[r],
+                })),
+            })),
+            summary: {
+                totalSuggestions: suggestions.length,
+                disableRecommendations: suggestions.filter((s) => s.suggestion === "disable").length,
+                reviewRecommendations: suggestions.filter((s) => s.suggestion === "review").length,
+            },
+            message: `Found ${suggestions.length} rule(s) with high false positive rates based on your feedback.`,
+        });
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(`Path validation failed: ${error.message}`);
+        }
+        return errorResponse(error instanceof Error ? error.message : String(error));
+    }
+});
+// ---------------------------------------------------------------------------
 // Exports (for HTTP server and client integration)
 // ---------------------------------------------------------------------------
 export { server, textResponse, jsonResponse, errorResponse };