vaspera 2.13.0 → 2.15.0

package/dist/index.js

@@ -3,7 +3,10 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
 import { readdir, readFile, writeFile, mkdir, stat, access } from "fs/promises";
-import { join, basename } from "path";
+import { readFileSync } from "fs";
+import { join, basename, dirname } from "path";
+import { fileURLToPath } from "url";
+import { randomUUID } from "crypto";
 import { COMMANDS, listCommands, getCommand } from "./commands/index.js";
 import { logger, createChildLogger } from "./logger.js";
 import { generateCertificationId, initializeCertification, getCertification, startAgent, getAgentFindings, submitFinding, completeAgent, addCrossVerification, addRedTeamChallenge, saveConsensus, finalizeCertification, getLatestCertification, isCertificationValid, calculateConsensus, canFinalize, writeCertificationArtifacts, updateCertificationMetadata, 
@@ -43,6 +46,7 @@ runSingleFrameworkAssessment, runComplianceAssessment, generateComplianceSummary
 import { collectEvidence, storeEvidenceBundle, formatEvidenceBundleAsMarkdown, } from "./evidence/index.js";
 import { verifyHistoryIntegrity, formatVerificationResultAsMarkdown, } from "./history/verify.js";
 import { exportAuditTrail, } from "./history/store.js";
+import { recordDecision, getDecisionProvenance } from "./history/decisions.js";
 // SIEM Integration
 import { createSIEMClient, getSIEMRegistry, createFindingEvent, } from "./integrations/siem/index.js";
 // SBOM, Provenance, and Sigstore Signing (uses @sigstore/sign for real signing)
@@ -52,7 +56,11 @@ import { getTracker, formatCost, formatTokens, estimateCost, getSupportedModels,
 // Multi-model consensus
 import { getRunner, DEFAULT_MODELS, formatProvider, } from "./multimodel/index.js";
 // Path validation utilities
-import { validateProjectPath, PathValidationError } from "./util/paths.js";
+import { validateProjectPath, PathValidationError, resolveContainedFile, resolveContainedWritePath, } from "./util/paths.js";
+import { parseJson, tryParseJson } from "./util/json.js";
+import { applyProjectPathGuard } from "./tool-guard.js";
+import { finalizeCertificate, verifyCertificate, CertificateError, } from "./certification/agent-certificate.js";
+import { certificationToCertificateBody, baselineCertificateBody, } from "./certification/agent-certificate-map.js";
 // Telemetry and scan registry
 import { trackCertificationStarted, trackCertificationCompleted, trackScannerRun, } from "./telemetry/usage.js";
 import { getRegistry } from "./telemetry/registry.js";
@@ -159,10 +167,18 @@ function parseAuditCounts(content) {
 // ---------------------------------------------------------------------------
 // Server
 // ---------------------------------------------------------------------------
+const PKG_PATH = join(dirname(fileURLToPath(import.meta.url)), "..", "package.json");
+const PKG_VERSION = parseJson(readFileSync(PKG_PATH, "utf-8"), "package.json").version;
 const server = new McpServer({
     name: "vaspera-hardening-mcp-server",
-    version: "2.0.0",
+    version: PKG_VERSION,
 });
+// Every tool with a project_path input gets validateProjectPath() by
+// construction (CONSTITUTION rule 3). Set VASPERA_PATH_BOUNDARY to also
+// confine all scans to a workspace root.
+applyProjectPathGuard(server, process.env.VASPERA_PATH_BOUNDARY
+    ? { basePath: process.env.VASPERA_PATH_BOUNDARY }
+    : {});
 // ---------------------------------------------------------------------------
 // Tool: List Projects
 // ---------------------------------------------------------------------------
@@ -1587,6 +1603,170 @@ server.registerTool("redteam_challenge", {
     };
 });
 // ---------------------------------------------------------------------------
+// Tool: Antagonist Synthesize
+// ---------------------------------------------------------------------------
+server.registerTool("antagonist_synthesize", {
+    title: "Synthesize Attack Narratives",
+    description: `Run antagonist analysis after all agents complete. Synthesizes findings into attack narratives and challenges assumptions. Two modes: "synthesis" (attack narratives), "challenger" (internal critic), or "both".`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        mode: z.enum(["synthesis", "challenger", "both"]).optional().default("both").describe("Analysis mode"),
+        include_prioritization: z.boolean().optional().default(true).describe("Include remediation prioritization"),
+        use_llm: z.boolean().optional().default(true).describe("Use LLM for enhanced analysis"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, mode = "both", include_prioritization = true, use_llm = true }) => {
+    const { runAntagonistAnalysis } = await import("./agents/antagonist/index.js");
+    const { analyzeExploitChains } = await import("./agents/exploit-chain.js");
+    const certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        return errorResponse(`Certification ${certification_id} not found`);
+    }
+    const ready = await allAgentsCompleted(project_path, certification_id);
+    if (!ready) {
+        return errorResponse("Not all agents have completed. Run antagonist after all agents finish.");
+    }
+    const allFindings = [];
+    const agentSummaries = {};
+    for (const [agentName, agentData] of Object.entries(certification.agents)) {
+        if (agentData) {
+            allFindings.push(...agentData.findings);
+            agentSummaries[agentName] = {
+                completed: agentData.status === "completed",
+                findingCount: agentData.findings.length,
+            };
+        }
+    }
+    const chainResult = await analyzeExploitChains(allFindings);
+    const result = await runAntagonistAnalysis({
+        projectPath: project_path,
+        certificationId: certification_id,
+        findings: allFindings,
+        exploitChains: chainResult.chains,
+        exfilPaths: [],
+        agentSummaries: agentSummaries,
+    }, {
+        mode,
+        includePrioritization: include_prioritization,
+        useLlm: use_llm,
+    });
+    return jsonResponse({
+        success: result.success,
+        analysisId: result.analysisId,
+        narrativesFound: result.attackNarratives.length,
+        challengesFound: result.challengerAssessments.length,
+        coverageScore: result.gapAnalysis.coverageScore,
+        summary: result.summary,
+        attackNarratives: result.attackNarratives.slice(0, 5).map((n) => ({
+            name: n.name,
+            likelihood: n.likelihood,
+            difficulty: n.difficulty,
+            impact: n.impact,
+            findingCount: n.findingIds.length,
+            narrative: n.narrative.slice(0, 300),
+        })),
+        challenges: result.challengerAssessments.slice(0, 5).map((c) => ({
+            type: c.type,
+            targetAgent: c.targetAgent,
+            challenge: c.challenge,
+            severity: c.severity,
+        })),
+        prioritization: result.prioritization.slice(0, 5).map((p) => ({
+            order: p.order,
+            findingId: p.findingId,
+            reason: p.reason,
+            effort: p.effort,
+            impact: p.impact,
+        })),
+        gapAnalysis: {
+            coverageScore: result.gapAnalysis.coverageScore,
+            untestedVectors: result.gapAnalysis.untestedAttackVectors.slice(0, 5),
+            recommendations: result.gapAnalysis.recommendations.slice(0, 3),
+        },
+        duration: result.duration,
+        tokensUsed: result.tokensUsed,
+    });
+});
+// ---------------------------------------------------------------------------
+// Tool: Antagonist Challenge
+// ---------------------------------------------------------------------------
+server.registerTool("antagonist_challenge", {
+    title: "Challenge Finding",
+    description: `Challenge a specific finding from another agent. Used to flag potential false positives, missing context, or wrong severity.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        target_finding_id: z.string().describe("Finding ID to challenge"),
+        challenge_type: z.enum(["false_positive", "missing_context", "wrong_severity", "wrong_assumption"]).describe("Type of challenge"),
+        evidence: z.string().describe("Evidence supporting the challenge"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, target_finding_id, challenge_type, evidence }) => {
+    const certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        return errorResponse(`Certification ${certification_id} not found`);
+    }
+    let targetFinding = null;
+    let targetAgent = null;
+    for (const [agentName, agentData] of Object.entries(certification.agents)) {
+        if (agentData) {
+            const found = agentData.findings.find((f) => f.id === target_finding_id);
+            if (found) {
+                targetFinding = found;
+                targetAgent = agentName;
+                break;
+            }
+        }
+    }
+    if (!targetFinding || !targetAgent) {
+        return errorResponse(`Finding ${target_finding_id} not found`);
+    }
+    const challengeTypeMap = {
+        false_positive: "false_positive_likely",
+        missing_context: "insufficient_evidence",
+        wrong_severity: "wrong_severity",
+        wrong_assumption: "wrong_assumption",
+    };
+    const assessment = {
+        id: `chal-manual-${Date.now().toString(36)}`,
+        type: challengeTypeMap[challenge_type] || challenge_type,
+        targetAgent,
+        targetFindingId: target_finding_id,
+        challenge: `Manual challenge: ${challenge_type}`,
+        evidence,
+        suggestedAction: challenge_type === "false_positive"
+            ? "Review and potentially dismiss this finding"
+            : challenge_type === "wrong_severity"
+                ? "Re-evaluate severity level"
+                : "Provide additional context or evidence",
+        severity: targetFinding.severity,
+        confidence: 90,
+    };
+    await addCrossVerification(project_path, certification_id, {
+        finding_id: target_finding_id,
+        verifying_agent: "antagonist",
+        verdict: "disputed",
+        evidence: `[${challenge_type}] ${evidence}`,
+    });
+    return jsonResponse({
+        success: true,
+        challenge: assessment,
+        findingDisputed: target_finding_id,
+        message: `Finding ${target_finding_id} has been challenged and marked as disputed.`,
+    });
+});
+// ---------------------------------------------------------------------------
 // Tool: Calculate Consensus
 // ---------------------------------------------------------------------------
 server.registerTool("certification_consensus", {
@@ -1745,6 +1925,181 @@ server.registerTool("certification_finalize", {
     };
 });
 // ---------------------------------------------------------------------------
+// Tool: Generate Agent Certificate
+// ---------------------------------------------------------------------------
+server.registerTool("agent_certificate_generate", {
+    title: "Generate Agent Certificate",
+    description: `Produce a versioned, tamper-evident agent certificate (v1) across six dimensions (security, scalability, quality, explainability, compliance, AI-BOM). If certification_id is provided, the real certification run is mapped into the certificate; dimensions not covered are marked not_assessed rather than fabricated. The certificate carries a sha256 content digest and is Sigstore-signed when an OIDC identity is available (CI), otherwise unsigned-but-digested.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z
+            .string()
+            .optional()
+            .describe("Map an existing certification run into the certificate"),
+        subject_name: z.string().optional().describe("Override the certified subject name"),
+        subject_kind: z
+            .enum(["agent", "mcp-server", "codebase"])
+            .optional()
+            .describe("Kind of subject being certified (default: codebase)"),
+        compliance_frameworks: z
+            .array(z.enum([
+            "ISO-42001",
+            "NIST-AI-RMF",
+            "OWASP-LLM",
+            "SOC2",
+            "ISO27001",
+            "HIPAA",
+            "GDPR",
+            "PCI-DSS",
+            "NIST-800-53",
+        ]))
+            .optional()
+            .describe("Frameworks to evaluate for the compliance dimension (requires certification_id)"),
+        validity_days: z
+            .number()
+            .int()
+            .positive()
+            .max(3650)
+            .optional()
+            .describe("Certificate validity window in days (default 90)"),
+        sign: z
+            .boolean()
+            .optional()
+            .describe("Attempt Sigstore signing (default true; falls back to unsigned)"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, subject_name, subject_kind, compliance_frameworks, validity_days, sign, }) => {
+    const now = new Date();
+    const expires = new Date(now.getTime() + (validity_days ?? 90) * 86400000);
+    const certificateId = `vac_${randomUUID()}`;
+    let body;
+    if (certification_id) {
+        const cert = await getCertification(project_path, certification_id);
+        if (!cert) {
+            return errorResponse(`Certification ${certification_id} not found`);
+        }
+        // Anchor the certificate to the tamper-evident decision chain.
+        const provenance = await getDecisionProvenance(project_path);
+        body = certificationToCertificateBody(cert, {
+            toolVersion: PKG_VERSION,
+            issuedAt: now.toISOString(),
+            expiresAt: expires.toISOString(),
+            certificateId,
+            complianceFrameworks: compliance_frameworks,
+            provenance,
+        });
+        if (subject_name)
+            body.subject.name = subject_name;
+        if (subject_kind)
+            body.subject.kind = subject_kind;
+    }
+    else {
+        // No certification supplied — baseline skeleton with all dimensions
+        // not_assessed (honest, never fabricated).
+        body = baselineCertificateBody({
+            toolVersion: PKG_VERSION,
+            issuedAt: now.toISOString(),
+            expiresAt: expires.toISOString(),
+            certificateId,
+            subjectName: subject_name ?? basename(project_path),
+            subjectKind: subject_kind ?? "codebase",
+            identifier: project_path,
+        });
+    }
+    try {
+        const certificate = await finalizeCertificate(body, { sign: sign ?? true });
+        return jsonResponse({ certificate });
+    }
+    catch (error) {
+        if (error instanceof CertificateError) {
+            return errorResponse(`Certificate generation failed: ${error.message}`);
+        }
+        throw error;
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Verify Agent Certificate
+// ---------------------------------------------------------------------------
+server.registerTool("agent_certificate_verify", {
+    title: "Verify Agent Certificate",
+    description: `Independently verify an agent certificate without trusting the issuer: re-validate the schema, recompute the content digest from the canonical body, and check the Sigstore signature if present. Returns which checks passed and any errors.`,
+    inputSchema: {
+        certificate_json: z
+            .string()
+            .describe("The agent certificate as a JSON string"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ certificate_json }) => {
+    const parsed = tryParseJson(certificate_json, "certificate_json");
+    if (parsed === undefined) {
+        return errorResponse("certificate_json is not valid JSON");
+    }
+    const result = await verifyCertificate(parsed);
+    return jsonResponse({ ...result });
+});
+// ---------------------------------------------------------------------------
+// Tool: Record AI Decision (provenance)
+// ---------------------------------------------------------------------------
+server.registerTool("decision_record", {
+    title: "Record AI Decision (Provenance)",
+    description: `Append a tamper-evident record of an AI decision to the project's hash-chained audit trail, for explainability and traceability. Raw input/prompt/output are stored as sha256 digests (+ optional summary), so the chain proves what was decided without retaining secrets. Verify the chain with verify_audit_trail.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        decision_type: z
+            .string()
+            .describe("Kind of decision (tool_call, classification, generation, refusal, …)"),
+        model: z.string().describe("Model that produced the decision"),
+        model_version: z.string().optional(),
+        input: z.string().describe("Input/context that led to the decision (digested, not stored raw)"),
+        prompt: z.string().optional().describe("Prompt, if applicable (digested)"),
+        output: z.string().describe("The output/decision (digested)"),
+        tools_invoked: z.array(z.string()).optional(),
+        summary: z.string().optional().describe("Short human-readable summary"),
+        rationale: z.string().optional().describe("Rationale / explanation"),
+        confidence: z.number().min(0).max(100).optional(),
+        certification_id: z.string().optional(),
+        sign: z.boolean().optional().describe("Sigstore-sign the entry (requires OIDC)"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, decision_type, model, model_version, input, prompt, output, tools_invoked, summary, rationale, confidence, certification_id, sign, }) => {
+    const entry = await recordDecision(project_path, {
+        decisionType: decision_type,
+        model,
+        modelVersion: model_version,
+        input,
+        prompt,
+        output,
+        toolsInvoked: tools_invoked,
+        summary,
+        rationale,
+        confidence,
+        certificationId: certification_id,
+    }, { sign: sign ?? false });
+    return jsonResponse({
+        recorded: true,
+        id: entry.id,
+        hash: entry.integrity?.hash,
+        previousHash: entry.integrity?.previousHash,
+        inputDigest: entry.inputDigest,
+        outputDigest: entry.outputDigest,
+    });
+});
+// ---------------------------------------------------------------------------
 // Tool: Certification Dashboard
 // ---------------------------------------------------------------------------
 server.registerTool("certification_dashboard", {
@@ -1928,7 +2283,7 @@ server.registerTool("autofix_apply", {
     },
     annotations: {
         readOnlyHint: false,
-        destructiveHint: false,
+        destructiveHint: true,
         idempotentHint: false,
         openWorldHint: false,
     },
@@ -1982,7 +2337,7 @@ server.registerTool("autofix_batch", {
     },
     annotations: {
         readOnlyHint: false,
-        destructiveHint: false,
+        destructiveHint: true,
         idempotentHint: false,
         openWorldHint: false,
     },
@@ -2556,7 +2911,9 @@ server.registerTool("rules_check_file", {
             message: "No custom rules configured. Use rules_generate_config to create a sample.",
         });
     }
-    const fullPath = join(project_path, file_path);
+    // file_path is untrusted — contain it within the (already validated)
+    // project tree before reading.
+    const fullPath = await resolveContainedFile(project_path, file_path);
     const content = await readFile(fullPath, "utf-8");
     const matches = await checkFileAgainstRules(file_path, content, rules);
     const findings = matchesToFindings(matches);
@@ -3509,9 +3866,10 @@ server.registerTool("sbom_generate", {
             includeDevDependencies: include_dev,
             includeVulnerabilities: include_vulnerabilities,
         }, findings);
-        // Write to file if requested
+        // Write to file if requested. output_file is untrusted — contain
+        // it within the project tree (no absolute-path escape hatch).
         if (output_file) {
-            const filePath = output_file.startsWith("/") ? output_file : join(project_path, output_file);
+            const filePath = await resolveContainedWritePath(project_path, output_file);
             const content = output_format === "summary"
                 ? generateSBOMSummary(sbom)
                 : JSON.stringify(sbom, null, 2);
@@ -4307,10 +4665,15 @@ server.registerTool("consensus_models", {
 // ---------------------------------------------------------------------------
 server.registerTool("consensus_clear", {
     title: "Clear Recorded Results",
-    description: `Clear previously recorded findings for a certification. Use before re-recording results for fresh consensus calculation.`,
+    description: `Clear previously recorded findings for a certification. Use before re-recording results for fresh consensus calculation. Fail-closed: pass confirm: true to actually clear; otherwise returns a no-op preview.`,
     inputSchema: {
         certification_id: z.string().describe("Certification ID"),
         agent: z.enum(["security", "reliability", "typesafety", "performance", "quality", "redteam"]).optional().describe("Specific agent to clear, or all if not specified"),
+        confirm: z
+            .boolean()
+            .optional()
+            .default(false)
+            .describe("Must be true to actually clear recorded results; otherwise a no-op preview is returned"),
     },
     annotations: {
         readOnlyHint: false,
@@ -4318,8 +4681,15 @@ server.registerTool("consensus_clear", {
         idempotentHint: true,
         openWorldHint: false,
     },
-}, async ({ certification_id, agent }) => {
+}, async ({ certification_id, agent, confirm }) => {
     try {
+        if (!confirm) {
+            return jsonResponse({
+                preview: true,
+                wouldClear: { certificationId: certification_id, agent: agent || "all" },
+                message: `No-op preview: would clear recorded results for ${certification_id} (${agent || "all"} agents). Re-run with confirm: true to apply.`,
+            });
+        }
         const runner = getRunner();
         runner.clearResults(certification_id, agent);
         return jsonResponse({
@@ -5922,10 +6292,15 @@ server.registerTool("deploy_vercel_list", {
     }
 });
 server.registerTool("deploy_vercel_promote", {
-    description: "Promote a Vercel preview deployment to production.",
+    description: "Promote a Vercel preview deployment to production. Fail-closed: pass confirm: true to actually promote; otherwise returns a no-op preview.",
     inputSchema: {
         project_id: z.string().describe("Vercel project ID"),
         deployment_id: z.string().describe("Deployment ID to promote"),
+        confirm: z
+            .boolean()
+            .optional()
+            .default(false)
+            .describe("Must be true to actually promote to production; otherwise a no-op preview is returned"),
     },
     annotations: {
         readOnlyHint: false,
@@ -5933,8 +6308,15 @@ server.registerTool("deploy_vercel_promote", {
         idempotentHint: false,
         openWorldHint: true,
     },
-}, async ({ project_id, deployment_id }) => {
+}, async ({ project_id, deployment_id, confirm }) => {
     try {
+        if (!confirm) {
+            return jsonResponse({
+                preview: true,
+                wouldPromote: { project_id, deployment_id },
+                message: `No-op preview: would promote deployment ${deployment_id} to production. Re-run with confirm: true to apply.`,
+            });
+        }
         if (!isVercelAvailable()) {
             return errorResponse("VERCEL_TOKEN not configured");
         }
@@ -5952,10 +6334,15 @@ server.registerTool("deploy_vercel_promote", {
     }
 });
 server.registerTool("deploy_vercel_rollback", {
-    description: "Rollback to a previous Vercel deployment.",
+    description: "Rollback to a previous Vercel deployment. Fail-closed: pass confirm: true to actually roll back; otherwise returns a no-op preview.",
     inputSchema: {
         project_id: z.string().describe("Vercel project ID"),
         deployment_id: z.string().describe("Deployment ID to rollback to"),
+        confirm: z
+            .boolean()
+            .optional()
+            .default(false)
+            .describe("Must be true to actually roll back production; otherwise a no-op preview is returned"),
     },
     annotations: {
         readOnlyHint: false,
@@ -5963,8 +6350,15 @@ server.registerTool("deploy_vercel_rollback", {
         idempotentHint: false,
         openWorldHint: true,
     },
-}, async ({ project_id, deployment_id }) => {
+}, async ({ project_id, deployment_id, confirm }) => {
     try {
+        if (!confirm) {
+            return jsonResponse({
+                preview: true,
+                wouldRollbackTo: { project_id, deployment_id },
+                message: `No-op preview: would roll back ${project_id} to deployment ${deployment_id}. Re-run with confirm: true to apply.`,
+            });
+        }
         if (!isVercelAvailable()) {
             return errorResponse("VERCEL_TOKEN not configured");
         }
@@ -6057,7 +6451,9 @@ Use this for fast feedback on individual files.`,
     },
 }, async ({ project_path, file_path }) => {
     try {
-        const fullPath = file_path.startsWith("/") ? file_path : join(project_path, file_path);
+        // file_path is untrusted — contain it within the (already
+        // validated) project tree (no absolute-path escape hatch).
+        const fullPath = await resolveContainedFile(project_path, file_path);
         const result = await quickAICheck(fullPath, project_path);
         return jsonResponse({
             file: file_path,