vaspera 2.14.0 → 2.15.0

package/dist/index.js

@@ -3,7 +3,10 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
 import { readdir, readFile, writeFile, mkdir, stat, access } from "fs/promises";
-import { join, basename } from "path";
+import { readFileSync } from "fs";
+import { join, basename, dirname } from "path";
+import { fileURLToPath } from "url";
+import { randomUUID } from "crypto";
 import { COMMANDS, listCommands, getCommand } from "./commands/index.js";
 import { logger, createChildLogger } from "./logger.js";
 import { generateCertificationId, initializeCertification, getCertification, startAgent, getAgentFindings, submitFinding, completeAgent, addCrossVerification, addRedTeamChallenge, saveConsensus, finalizeCertification, getLatestCertification, isCertificationValid, calculateConsensus, canFinalize, writeCertificationArtifacts, updateCertificationMetadata, 
@@ -43,6 +46,7 @@ runSingleFrameworkAssessment, runComplianceAssessment, generateComplianceSummary
 import { collectEvidence, storeEvidenceBundle, formatEvidenceBundleAsMarkdown, } from "./evidence/index.js";
 import { verifyHistoryIntegrity, formatVerificationResultAsMarkdown, } from "./history/verify.js";
 import { exportAuditTrail, } from "./history/store.js";
+import { recordDecision, getDecisionProvenance } from "./history/decisions.js";
 // SIEM Integration
 import { createSIEMClient, getSIEMRegistry, createFindingEvent, } from "./integrations/siem/index.js";
 // SBOM, Provenance, and Sigstore Signing (uses @sigstore/sign for real signing)
@@ -52,7 +56,11 @@ import { getTracker, formatCost, formatTokens, estimateCost, getSupportedModels,
 // Multi-model consensus
 import { getRunner, DEFAULT_MODELS, formatProvider, } from "./multimodel/index.js";
 // Path validation utilities
-import { validateProjectPath, PathValidationError } from "./util/paths.js";
+import { validateProjectPath, PathValidationError, resolveContainedFile, resolveContainedWritePath, } from "./util/paths.js";
+import { parseJson, tryParseJson } from "./util/json.js";
+import { applyProjectPathGuard } from "./tool-guard.js";
+import { finalizeCertificate, verifyCertificate, CertificateError, } from "./certification/agent-certificate.js";
+import { certificationToCertificateBody, baselineCertificateBody, } from "./certification/agent-certificate-map.js";
 // Telemetry and scan registry
 import { trackCertificationStarted, trackCertificationCompleted, trackScannerRun, } from "./telemetry/usage.js";
 import { getRegistry } from "./telemetry/registry.js";
@@ -159,10 +167,18 @@ function parseAuditCounts(content) {
 // ---------------------------------------------------------------------------
 // Server
 // ---------------------------------------------------------------------------
+const PKG_PATH = join(dirname(fileURLToPath(import.meta.url)), "..", "package.json");
+const PKG_VERSION = parseJson(readFileSync(PKG_PATH, "utf-8"), "package.json").version;
 const server = new McpServer({
     name: "vaspera-hardening-mcp-server",
-    version: "2.0.0",
+    version: PKG_VERSION,
 });
+// Every tool with a project_path input gets validateProjectPath() by
+// construction (CONSTITUTION rule 3). Set VASPERA_PATH_BOUNDARY to also
+// confine all scans to a workspace root.
+applyProjectPathGuard(server, process.env.VASPERA_PATH_BOUNDARY
+    ? { basePath: process.env.VASPERA_PATH_BOUNDARY }
+    : {});
 // ---------------------------------------------------------------------------
 // Tool: List Projects
 // ---------------------------------------------------------------------------
@@ -1909,6 +1925,181 @@ server.registerTool("certification_finalize", {
     };
 });
 // ---------------------------------------------------------------------------
+// Tool: Generate Agent Certificate
+// ---------------------------------------------------------------------------
+server.registerTool("agent_certificate_generate", {
+    title: "Generate Agent Certificate",
+    description: `Produce a versioned, tamper-evident agent certificate (v1) across six dimensions (security, scalability, quality, explainability, compliance, AI-BOM). If certification_id is provided, the real certification run is mapped into the certificate; dimensions not covered are marked not_assessed rather than fabricated. The certificate carries a sha256 content digest and is Sigstore-signed when an OIDC identity is available (CI), otherwise unsigned-but-digested.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z
+            .string()
+            .optional()
+            .describe("Map an existing certification run into the certificate"),
+        subject_name: z.string().optional().describe("Override the certified subject name"),
+        subject_kind: z
+            .enum(["agent", "mcp-server", "codebase"])
+            .optional()
+            .describe("Kind of subject being certified (default: codebase)"),
+        compliance_frameworks: z
+            .array(z.enum([
+            "ISO-42001",
+            "NIST-AI-RMF",
+            "OWASP-LLM",
+            "SOC2",
+            "ISO27001",
+            "HIPAA",
+            "GDPR",
+            "PCI-DSS",
+            "NIST-800-53",
+        ]))
+            .optional()
+            .describe("Frameworks to evaluate for the compliance dimension (requires certification_id)"),
+        validity_days: z
+            .number()
+            .int()
+            .positive()
+            .max(3650)
+            .optional()
+            .describe("Certificate validity window in days (default 90)"),
+        sign: z
+            .boolean()
+            .optional()
+            .describe("Attempt Sigstore signing (default true; falls back to unsigned)"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, subject_name, subject_kind, compliance_frameworks, validity_days, sign, }) => {
+    const now = new Date();
+    const expires = new Date(now.getTime() + (validity_days ?? 90) * 86400000);
+    const certificateId = `vac_${randomUUID()}`;
+    let body;
+    if (certification_id) {
+        const cert = await getCertification(project_path, certification_id);
+        if (!cert) {
+            return errorResponse(`Certification ${certification_id} not found`);
+        }
+        // Anchor the certificate to the tamper-evident decision chain.
+        const provenance = await getDecisionProvenance(project_path);
+        body = certificationToCertificateBody(cert, {
+            toolVersion: PKG_VERSION,
+            issuedAt: now.toISOString(),
+            expiresAt: expires.toISOString(),
+            certificateId,
+            complianceFrameworks: compliance_frameworks,
+            provenance,
+        });
+        if (subject_name)
+            body.subject.name = subject_name;
+        if (subject_kind)
+            body.subject.kind = subject_kind;
+    }
+    else {
+        // No certification supplied — baseline skeleton with all dimensions
+        // not_assessed (honest, never fabricated).
+        body = baselineCertificateBody({
+            toolVersion: PKG_VERSION,
+            issuedAt: now.toISOString(),
+            expiresAt: expires.toISOString(),
+            certificateId,
+            subjectName: subject_name ?? basename(project_path),
+            subjectKind: subject_kind ?? "codebase",
+            identifier: project_path,
+        });
+    }
+    try {
+        const certificate = await finalizeCertificate(body, { sign: sign ?? true });
+        return jsonResponse({ certificate });
+    }
+    catch (error) {
+        if (error instanceof CertificateError) {
+            return errorResponse(`Certificate generation failed: ${error.message}`);
+        }
+        throw error;
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Verify Agent Certificate
+// ---------------------------------------------------------------------------
+server.registerTool("agent_certificate_verify", {
+    title: "Verify Agent Certificate",
+    description: `Independently verify an agent certificate without trusting the issuer: re-validate the schema, recompute the content digest from the canonical body, and check the Sigstore signature if present. Returns which checks passed and any errors.`,
+    inputSchema: {
+        certificate_json: z
+            .string()
+            .describe("The agent certificate as a JSON string"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ certificate_json }) => {
+    const parsed = tryParseJson(certificate_json, "certificate_json");
+    if (parsed === undefined) {
+        return errorResponse("certificate_json is not valid JSON");
+    }
+    const result = await verifyCertificate(parsed);
+    return jsonResponse({ ...result });
+});
+// ---------------------------------------------------------------------------
+// Tool: Record AI Decision (provenance)
+// ---------------------------------------------------------------------------
+server.registerTool("decision_record", {
+    title: "Record AI Decision (Provenance)",
+    description: `Append a tamper-evident record of an AI decision to the project's hash-chained audit trail, for explainability and traceability. Raw input/prompt/output are stored as sha256 digests (+ optional summary), so the chain proves what was decided without retaining secrets. Verify the chain with verify_audit_trail.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        decision_type: z
+            .string()
+            .describe("Kind of decision (tool_call, classification, generation, refusal, …)"),
+        model: z.string().describe("Model that produced the decision"),
+        model_version: z.string().optional(),
+        input: z.string().describe("Input/context that led to the decision (digested, not stored raw)"),
+        prompt: z.string().optional().describe("Prompt, if applicable (digested)"),
+        output: z.string().describe("The output/decision (digested)"),
+        tools_invoked: z.array(z.string()).optional(),
+        summary: z.string().optional().describe("Short human-readable summary"),
+        rationale: z.string().optional().describe("Rationale / explanation"),
+        confidence: z.number().min(0).max(100).optional(),
+        certification_id: z.string().optional(),
+        sign: z.boolean().optional().describe("Sigstore-sign the entry (requires OIDC)"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, decision_type, model, model_version, input, prompt, output, tools_invoked, summary, rationale, confidence, certification_id, sign, }) => {
+    const entry = await recordDecision(project_path, {
+        decisionType: decision_type,
+        model,
+        modelVersion: model_version,
+        input,
+        prompt,
+        output,
+        toolsInvoked: tools_invoked,
+        summary,
+        rationale,
+        confidence,
+        certificationId: certification_id,
+    }, { sign: sign ?? false });
+    return jsonResponse({
+        recorded: true,
+        id: entry.id,
+        hash: entry.integrity?.hash,
+        previousHash: entry.integrity?.previousHash,
+        inputDigest: entry.inputDigest,
+        outputDigest: entry.outputDigest,
+    });
+});
+// ---------------------------------------------------------------------------
 // Tool: Certification Dashboard
 // ---------------------------------------------------------------------------
 server.registerTool("certification_dashboard", {
@@ -2092,7 +2283,7 @@ server.registerTool("autofix_apply", {
     },
     annotations: {
         readOnlyHint: false,
-        destructiveHint: false,
+        destructiveHint: true,
         idempotentHint: false,
         openWorldHint: false,
     },
@@ -2146,7 +2337,7 @@ server.registerTool("autofix_batch", {
     },
     annotations: {
         readOnlyHint: false,
-        destructiveHint: false,
+        destructiveHint: true,
         idempotentHint: false,
         openWorldHint: false,
     },
@@ -2720,7 +2911,9 @@ server.registerTool("rules_check_file", {
             message: "No custom rules configured. Use rules_generate_config to create a sample.",
         });
     }
-    const fullPath = join(project_path, file_path);
+    // file_path is untrusted — contain it within the (already validated)
+    // project tree before reading.
+    const fullPath = await resolveContainedFile(project_path, file_path);
     const content = await readFile(fullPath, "utf-8");
     const matches = await checkFileAgainstRules(file_path, content, rules);
     const findings = matchesToFindings(matches);
@@ -3673,9 +3866,10 @@ server.registerTool("sbom_generate", {
             includeDevDependencies: include_dev,
             includeVulnerabilities: include_vulnerabilities,
         }, findings);
-        // Write to file if requested
+        // Write to file if requested. output_file is untrusted — contain
+        // it within the project tree (no absolute-path escape hatch).
         if (output_file) {
-            const filePath = output_file.startsWith("/") ? output_file : join(project_path, output_file);
+            const filePath = await resolveContainedWritePath(project_path, output_file);
             const content = output_format === "summary"
                 ? generateSBOMSummary(sbom)
                 : JSON.stringify(sbom, null, 2);
@@ -4471,10 +4665,15 @@ server.registerTool("consensus_models", {
 // ---------------------------------------------------------------------------
 server.registerTool("consensus_clear", {
     title: "Clear Recorded Results",
-    description: `Clear previously recorded findings for a certification. Use before re-recording results for fresh consensus calculation.`,
+    description: `Clear previously recorded findings for a certification. Use before re-recording results for fresh consensus calculation. Fail-closed: pass confirm: true to actually clear; otherwise returns a no-op preview.`,
     inputSchema: {
         certification_id: z.string().describe("Certification ID"),
         agent: z.enum(["security", "reliability", "typesafety", "performance", "quality", "redteam"]).optional().describe("Specific agent to clear, or all if not specified"),
+        confirm: z
+            .boolean()
+            .optional()
+            .default(false)
+            .describe("Must be true to actually clear recorded results; otherwise a no-op preview is returned"),
     },
     annotations: {
         readOnlyHint: false,
@@ -4482,8 +4681,15 @@ server.registerTool("consensus_clear", {
         idempotentHint: true,
         openWorldHint: false,
     },
-}, async ({ certification_id, agent }) => {
+}, async ({ certification_id, agent, confirm }) => {
     try {
+        if (!confirm) {
+            return jsonResponse({
+                preview: true,
+                wouldClear: { certificationId: certification_id, agent: agent || "all" },
+                message: `No-op preview: would clear recorded results for ${certification_id} (${agent || "all"} agents). Re-run with confirm: true to apply.`,
+            });
+        }
         const runner = getRunner();
         runner.clearResults(certification_id, agent);
         return jsonResponse({
@@ -6086,10 +6292,15 @@ server.registerTool("deploy_vercel_list", {
     }
 });
 server.registerTool("deploy_vercel_promote", {
-    description: "Promote a Vercel preview deployment to production.",
+    description: "Promote a Vercel preview deployment to production. Fail-closed: pass confirm: true to actually promote; otherwise returns a no-op preview.",
     inputSchema: {
         project_id: z.string().describe("Vercel project ID"),
         deployment_id: z.string().describe("Deployment ID to promote"),
+        confirm: z
+            .boolean()
+            .optional()
+            .default(false)
+            .describe("Must be true to actually promote to production; otherwise a no-op preview is returned"),
     },
     annotations: {
         readOnlyHint: false,
@@ -6097,8 +6308,15 @@ server.registerTool("deploy_vercel_promote", {
         idempotentHint: false,
         openWorldHint: true,
     },
-}, async ({ project_id, deployment_id }) => {
+}, async ({ project_id, deployment_id, confirm }) => {
     try {
+        if (!confirm) {
+            return jsonResponse({
+                preview: true,
+                wouldPromote: { project_id, deployment_id },
+                message: `No-op preview: would promote deployment ${deployment_id} to production. Re-run with confirm: true to apply.`,
+            });
+        }
         if (!isVercelAvailable()) {
             return errorResponse("VERCEL_TOKEN not configured");
         }
@@ -6116,10 +6334,15 @@ server.registerTool("deploy_vercel_promote", {
     }
 });
 server.registerTool("deploy_vercel_rollback", {
-    description: "Rollback to a previous Vercel deployment.",
+    description: "Rollback to a previous Vercel deployment. Fail-closed: pass confirm: true to actually roll back; otherwise returns a no-op preview.",
     inputSchema: {
         project_id: z.string().describe("Vercel project ID"),
         deployment_id: z.string().describe("Deployment ID to rollback to"),
+        confirm: z
+            .boolean()
+            .optional()
+            .default(false)
+            .describe("Must be true to actually roll back production; otherwise a no-op preview is returned"),
     },
     annotations: {
         readOnlyHint: false,
@@ -6127,8 +6350,15 @@ server.registerTool("deploy_vercel_rollback", {
         idempotentHint: false,
         openWorldHint: true,
     },
-}, async ({ project_id, deployment_id }) => {
+}, async ({ project_id, deployment_id, confirm }) => {
     try {
+        if (!confirm) {
+            return jsonResponse({
+                preview: true,
+                wouldRollbackTo: { project_id, deployment_id },
+                message: `No-op preview: would roll back ${project_id} to deployment ${deployment_id}. Re-run with confirm: true to apply.`,
+            });
+        }
         if (!isVercelAvailable()) {
             return errorResponse("VERCEL_TOKEN not configured");
         }
@@ -6221,7 +6451,9 @@ Use this for fast feedback on individual files.`,
     },
 }, async ({ project_path, file_path }) => {
     try {
-        const fullPath = file_path.startsWith("/") ? file_path : join(project_path, file_path);
+        // file_path is untrusted — contain it within the (already
+        // validated) project tree (no absolute-path escape hatch).
+        const fullPath = await resolveContainedFile(project_path, file_path);
         const result = await quickAICheck(fullPath, project_path);
         return jsonResponse({
             file: file_path,