vaspera 2.5.0

package/dist/index.js

@@ -0,0 +1,4120 @@
+#!/usr/bin/env node
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+import { readdir, readFile, writeFile, mkdir, stat, access } from "fs/promises";
+import { join, basename } from "path";
+import { COMMANDS, listCommands, getCommand } from "./commands/index.js";
+import { logger, createChildLogger } from "./logger.js";
+import { generateCertificationId, initializeCertification, getCertification, startAgent, getAgentFindings, submitFinding, completeAgent, addCrossVerification, addRedTeamChallenge, saveConsensus, finalizeCertification, getLatestCertification, isCertificationValid, calculateConsensus, canFinalize, writeCertificationArtifacts, updateCertificationMetadata, 
+// Cross-verification
+autoCrossVerify, allAgentsCompleted, 
+// Auto-fix
+previewFix, applyFix, listFixPatterns, batchApplySafeFixes, getSafeFixPatterns, 
+// Summary
+generateSummary, filterFindings, getActionItems, 
+// SARIF
+exportToSarif, exportForGitHub, 
+// Rules
+loadCustomRules, checkFileAgainstRules, matchesToFindings, listRuleTemplates, generateSampleConfig, } from "./certification/index.js";
+// Deterministic scanners
+import { runAllScanners, checkScannersAvailable, scannerFindingsToCertificationFindings, generateScannerSummary, getScannerInstallCommands, 
+// Mythos-class scanners
+runBinaryAnalysis, runMemorySafetyAnalysis, runRaceConditionAnalysis, } from "./scanners/index.js";
+// Mythos-class agents
+import { runZeroDayHunter, runLogicFlawDetector, analyzeExploitChains, getChainSummary, } from "./agents/index.js";
+// M6: Agent & MCP Security Scanners
+import { runAgentScanners, checkAgentScannersAvailable, runPromptInjectionFuzzer, discoverManifest, generateAgentScannerSummary, AGENT_SCANNER_TYPES, } from "./scanners/agent/index.js";
+// M6: AI Compliance Frameworks
+import { getAIFrameworkControls, AI_FRAMEWORKS_METADATA, } from "./compliance/frameworks/index.js";
+// Evaluation harness
+import { runEvaluation, runStabilityTest, calculateMetrics, calculateStabilityMetrics, meetsTargets, generateEvaluationReport, formatReportAsMarkdown, generateCompactSummary, generateReadmeBadges, getFixtureStats, ALL_FIXTURES, TARGET_METRICS, } from "./eval/index.js";
+// Compliance frameworks
+import { generateComplianceReport, generateMultiFrameworkReport, formatComplianceReportAsMarkdown, formatMultiFrameworkReportAsMarkdown, generateCompactComplianceSummary, getControlsForFramework, getSOC2Categories, getISO27001Categories, } from "./compliance/index.js";
+// SBOM, Provenance, and Sigstore Signing (uses @sigstore/sign for real signing)
+import { generateSBOM, generateSBOMSummary, generateProvenance, generateProvenanceSummary, verifyProvenance, signContent, isSigningAvailable, generateSigningSummary, detectCIEnvironment, } from "./sbom/index.js";
+// Cost tracking
+import { getTracker, formatCost, formatTokens, estimateCost, getSupportedModels, MODEL_PRICING, } from "./cost/index.js";
+// Multi-model consensus
+import { getRunner, DEFAULT_MODELS, formatProvider, } from "./multimodel/index.js";
+// ---------------------------------------------------------------------------
+// Config
+// ---------------------------------------------------------------------------
+const DEFAULT_PROJECTS_DIR = process.env.VASPERA_PROJECTS_DIR ||
+    join(process.env.HOME || "~", "Documents", "GitHub");
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+async function dirExists(p) {
+    try {
+        const s = await stat(p);
+        return s.isDirectory();
+    }
+    catch (error) {
+        logger.debug("helpers.dir_not_found", { path: p, error: String(error) });
+        return false;
+    }
+}
+async function fileExists(p) {
+    try {
+        await access(p);
+        return true;
+    }
+    catch (error) {
+        logger.debug("helpers.file_not_found", { path: p, error: String(error) });
+        return false;
+    }
+}
+async function safeReadFile(p) {
+    try {
+        return await readFile(p, "utf-8");
+    }
+    catch (error) {
+        logger.debug("helpers.read_failed", { path: p, error: String(error) });
+        return null;
+    }
+}
+/**
+ * Create a standard MCP text response
+ */
+function textResponse(text) {
+    return {
+        content: [{ type: "text", text }],
+    };
+}
+/**
+ * Create a standard MCP JSON response
+ */
+function jsonResponse(data) {
+    return {
+        content: [{ type: "text", text: JSON.stringify(data, null, 2) }],
+        structuredContent: data,
+    };
+}
+/**
+ * Create a standard MCP error response
+ */
+function errorResponse(message) {
+    return {
+        content: [{ type: "text", text: `Error: ${message}` }],
+    };
+}
+async function discoverProjects(baseDir) {
+    const entries = await readdir(baseDir, { withFileTypes: true });
+    const projects = [];
+    for (const entry of entries) {
+        if (!entry.isDirectory() || entry.name.startsWith("."))
+            continue;
+        const fullPath = join(baseDir, entry.name);
+        // A project has a package.json or .git
+        const hasPkg = await fileExists(join(fullPath, "package.json"));
+        const hasGit = await dirExists(join(fullPath, ".git"));
+        if (hasPkg || hasGit) {
+            projects.push(fullPath);
+        }
+    }
+    return projects;
+}
+function parseAuditScore(content) {
+    const match = content.match(/readiness score[:\s]*(\d+)/i);
+    return match ? parseInt(match[1], 10) : null;
+}
+function parseAuditCounts(content) {
+    const counts = { critical: 0, high: 0, medium: 0, low: 0 };
+    const critMatch = content.match(/CRITICAL[:\s]*(\d+)/i);
+    const highMatch = content.match(/HIGH[:\s]*(\d+)/i);
+    const medMatch = content.match(/MEDIUM[:\s]*(\d+)/i);
+    const lowMatch = content.match(/LOW[:\s]*(\d+)/i);
+    if (critMatch)
+        counts.critical = parseInt(critMatch[1], 10);
+    if (highMatch)
+        counts.high = parseInt(highMatch[1], 10);
+    if (medMatch)
+        counts.medium = parseInt(medMatch[1], 10);
+    if (lowMatch)
+        counts.low = parseInt(lowMatch[1], 10);
+    return counts;
+}
+// ---------------------------------------------------------------------------
+// Server
+// ---------------------------------------------------------------------------
+const server = new McpServer({
+    name: "vaspera-hardening-mcp-server",
+    version: "2.0.0",
+});
+// ---------------------------------------------------------------------------
+// Tool: List Projects
+// ---------------------------------------------------------------------------
+server.registerTool("hardening_list_projects", {
+    title: "List Vaspera Projects",
+    description: `Discover all projects in the Vaspera workspace directory. Returns project names, paths, and whether hardening commands are already installed. Set VASPERA_PROJECTS_DIR env var to override the default directory (~/Documents/GitHub).`,
+    inputSchema: {
+        base_dir: z
+            .string()
+            .optional()
+            .describe("Base directory to scan. Defaults to VASPERA_PROJECTS_DIR or ~/Documents/GitHub"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ base_dir }) => {
+    const dir = base_dir || DEFAULT_PROJECTS_DIR;
+    if (!(await dirExists(dir))) {
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: `Error: Directory not found: ${dir}\nSet VASPERA_PROJECTS_DIR or pass base_dir parameter.`,
+                },
+            ],
+        };
+    }
+    const projects = await discoverProjects(dir);
+    const results = await Promise.all(projects.map(async (p) => {
+        const name = basename(p);
+        const hasCommands = await dirExists(join(p, ".claude", "commands"));
+        const hasAudit = await fileExists(join(p, "AUDIT.md"));
+        const hasReport = await fileExists(join(p, "HARDENING-REPORT.md"));
+        let score = null;
+        if (hasAudit) {
+            const auditContent = await safeReadFile(join(p, "AUDIT.md"));
+            if (auditContent)
+                score = parseAuditScore(auditContent);
+        }
+        return {
+            name,
+            path: p,
+            hardening_installed: hasCommands,
+            has_audit: hasAudit,
+            has_report: hasReport,
+            readiness_score: score,
+        };
+    }));
+    const output = {
+        base_dir: dir,
+        project_count: results.length,
+        projects: results,
+    };
+    return {
+        content: [{ type: "text", text: JSON.stringify(output, null, 2) }],
+        structuredContent: output,
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Install Commands
+// ---------------------------------------------------------------------------
+server.registerTool("hardening_install", {
+    title: "Install Hardening Commands",
+    description: `Install the production hardening slash commands into a project's .claude/commands/ directory. After installation, Claude Code can use /audit, /fix-critical, /fix-high, /fix-medium, /fix-rls, /add-tests, /verify, and /harden in that project.`,
+    inputSchema: {
+        project_path: z
+            .string()
+            .describe("Absolute path to the project root directory"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path }) => {
+    if (!(await dirExists(project_path))) {
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: `Error: Project directory not found: ${project_path}`,
+                },
+            ],
+        };
+    }
+    try {
+        const commandsDir = join(project_path, ".claude", "commands");
+        await mkdir(commandsDir, { recursive: true });
+        const installed = [];
+        const errors = [];
+        for (const [key, cmd] of Object.entries(COMMANDS)) {
+            const filename = `${key}.md`;
+            const filepath = join(commandsDir, filename);
+            try {
+                await writeFile(filepath, `# ${cmd.description}\n\n${cmd.content}`, "utf-8");
+                installed.push(filename);
+            }
+            catch (err) {
+                errors.push(`Failed to write ${filename}: ${err instanceof Error ? err.message : String(err)}`);
+            }
+        }
+        const output = {
+            project: project_path,
+            commands_dir: commandsDir,
+            installed_commands: installed,
+            errors: errors.length > 0 ? errors : undefined,
+            usage: "Open Claude Code in the project and type /audit to start",
+        };
+        return {
+            content: [{ type: "text", text: JSON.stringify(output, null, 2) }],
+            structuredContent: output,
+        };
+    }
+    catch (err) {
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: `Error installing commands: ${err instanceof Error ? err.message : String(err)}`,
+                },
+            ],
+        };
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Install to All Projects
+// ---------------------------------------------------------------------------
+server.registerTool("hardening_install_all", {
+    title: "Install Hardening Commands to All Projects",
+    description: `Install hardening slash commands into every discovered project in the workspace. Scans the base directory, finds all projects, and installs commands to each one. Defaults to dry-run mode for safety - set dry_run: false to apply changes.`,
+    inputSchema: {
+        base_dir: z
+            .string()
+            .optional()
+            .describe("Base directory. Defaults to VASPERA_PROJECTS_DIR or ~/Documents/GitHub"),
+        dry_run: z
+            .boolean()
+            .optional()
+            .default(true)
+            .describe("Preview changes without modifying files. Set to false to apply changes."),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ base_dir, dry_run = true }) => {
+    const dir = base_dir || DEFAULT_PROJECTS_DIR;
+    if (!(await dirExists(dir))) {
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: `Error: Directory not found: ${dir}`,
+                },
+            ],
+        };
+    }
+    try {
+        const projects = await discoverProjects(dir);
+        const commandCount = Object.keys(COMMANDS).length;
+        const results = [];
+        for (const projectPath of projects) {
+            if (dry_run) {
+                // Dry-run mode: just report what would happen
+                results.push({
+                    name: basename(projectPath),
+                    path: projectPath,
+                    commands_would_install: commandCount,
+                });
+            }
+            else {
+                // Apply mode: actually write files
+                try {
+                    const commandsDir = join(projectPath, ".claude", "commands");
+                    await mkdir(commandsDir, { recursive: true });
+                    let count = 0;
+                    for (const [key, cmd] of Object.entries(COMMANDS)) {
+                        const filepath = join(commandsDir, `${key}.md`);
+                        await writeFile(filepath, `# ${cmd.description}\n\n${cmd.content}`, "utf-8");
+                        count++;
+                    }
+                    results.push({
+                        name: basename(projectPath),
+                        path: projectPath,
+                        commands_installed: count,
+                    });
+                }
+                catch (err) {
+                    results.push({
+                        name: basename(projectPath),
+                        path: projectPath,
+                        commands_installed: 0,
+                        error: err instanceof Error ? err.message : String(err),
+                    });
+                }
+            }
+        }
+        const output = {
+            mode: dry_run ? "dry-run" : "applied",
+            base_dir: dir,
+            projects_scanned: projects.length,
+            commands_per_project: commandCount,
+            projects_updated: dry_run ? 0 : results.filter((r) => !r.error && r.commands_installed).length,
+            projects_would_update: dry_run ? results.length : 0,
+            projects_failed: results.filter((r) => r.error).length,
+            projects: results,
+            ...(dry_run && { note: "This is a dry-run preview. Set dry_run: false to apply changes." }),
+        };
+        return {
+            content: [{ type: "text", text: JSON.stringify(output, null, 2) }],
+            structuredContent: output,
+        };
+    }
+    catch (err) {
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: `Error discovering projects: ${err instanceof Error ? err.message : String(err)}`,
+                },
+            ],
+        };
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Get Command Prompt
+// ---------------------------------------------------------------------------
+server.registerTool("hardening_get_command", {
+    title: "Get Hardening Command Prompt",
+    description: `Retrieve the full prompt text for a specific hardening command. Use this to execute a hardening phase against a project. Available commands: audit, fix-critical, fix-high, fix-medium, fix-rls, add-tests, verify, harden.`,
+    inputSchema: {
+        command: z
+            .enum([
+            "audit",
+            "fix-critical",
+            "fix-high",
+            "fix-medium",
+            "fix-rls",
+            "add-tests",
+            "verify",
+            "harden",
+            "preflight",
+            "deps",
+            "deadcode",
+            "errors",
+            "secrets",
+            "api-check",
+            "perf",
+            "certification-security",
+            "certification-reliability",
+            "certification-typesafety",
+            "certification-performance",
+            "certification-quality",
+            "certification-redteam",
+            "certify",
+        ])
+            .describe("The hardening command to retrieve"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ command }) => {
+    const cmd = getCommand(command);
+    if (!cmd) {
+        return {
+            content: [
+                { type: "text", text: `Error: Unknown command: ${command}` },
+            ],
+        };
+    }
+    const output = {
+        command: cmd.name,
+        description: cmd.description,
+        prompt: cmd.content,
+    };
+    return {
+        content: [{ type: "text", text: JSON.stringify(output, null, 2) }],
+        structuredContent: output,
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Read Audit Report
+// ---------------------------------------------------------------------------
+server.registerTool("hardening_read_audit", {
+    title: "Read Project Audit Report",
+    description: `Read the AUDIT.md file from a project. Returns the full audit content including severity counts and readiness score. Use after running /audit in a project.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path }) => {
+    const auditPath = join(project_path, "AUDIT.md");
+    const content = await safeReadFile(auditPath);
+    if (!content) {
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: `No AUDIT.md found in ${project_path}. Run /audit in Claude Code first.`,
+                },
+            ],
+        };
+    }
+    const score = parseAuditScore(content);
+    const counts = parseAuditCounts(content);
+    const output = {
+        project: basename(project_path),
+        path: auditPath,
+        readiness_score: score,
+        issue_counts: counts,
+        content,
+    };
+    return {
+        content: [{ type: "text", text: JSON.stringify(output, null, 2) }],
+        structuredContent: output,
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Read Hardening Report
+// ---------------------------------------------------------------------------
+server.registerTool("hardening_read_report", {
+    title: "Read Hardening Report",
+    description: `Read the HARDENING-REPORT.md from a project. Contains the before/after comparison and deployment checklist. Available after running /verify.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path }) => {
+    const reportPath = join(project_path, "HARDENING-REPORT.md");
+    const content = await safeReadFile(reportPath);
+    if (!content) {
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: `No HARDENING-REPORT.md found in ${project_path}. Run the full hardening pipeline first.`,
+                },
+            ],
+        };
+    }
+    return {
+        content: [{ type: "text", text: content }],
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Portfolio Dashboard
+// ---------------------------------------------------------------------------
+server.registerTool("hardening_dashboard", {
+    title: "Portfolio Production Readiness Dashboard",
+    description: `Compare production readiness across all Vaspera projects. Shows which projects have been audited, their readiness scores, issue counts, and what phases have been completed. Use to prioritize which project to harden next.`,
+    inputSchema: {
+        base_dir: z
+            .string()
+            .optional()
+            .describe("Base directory. Defaults to VASPERA_PROJECTS_DIR or ~/Documents/GitHub"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ base_dir }) => {
+    const dir = base_dir || DEFAULT_PROJECTS_DIR;
+    if (!(await dirExists(dir))) {
+        return {
+            content: [
+                { type: "text", text: `Error: Directory not found: ${dir}` },
+            ],
+        };
+    }
+    const projects = await discoverProjects(dir);
+    const dashboard = await Promise.all(projects.map(async (p) => {
+        const name = basename(p);
+        const hasCommands = await dirExists(join(p, ".claude", "commands"));
+        const auditContent = await safeReadFile(join(p, "AUDIT.md"));
+        const reportContent = await safeReadFile(join(p, "HARDENING-REPORT.md"));
+        const rlsContent = await safeReadFile(join(p, "RLS-REPORT.md"));
+        const hasPkg = await safeReadFile(join(p, "package.json"));
+        let stack = "unknown";
+        if (hasPkg) {
+            try {
+                const pkg = JSON.parse(hasPkg);
+                const deps = {
+                    ...pkg.dependencies,
+                    ...pkg.devDependencies,
+                };
+                const frameworks = [];
+                if (deps["next"])
+                    frameworks.push("Next.js");
+                if (deps["react"])
+                    frameworks.push("React");
+                if (deps["@supabase/supabase-js"])
+                    frameworks.push("Supabase");
+                if (deps["expo"])
+                    frameworks.push("Expo");
+                stack = frameworks.join(" + ") || "Node.js";
+            }
+            catch {
+                stack = "unknown";
+            }
+        }
+        let score = null;
+        let counts = null;
+        if (auditContent) {
+            score = parseAuditScore(auditContent);
+            counts = parseAuditCounts(auditContent);
+        }
+        return {
+            name,
+            path: p,
+            stack,
+            hardening_installed: hasCommands,
+            audited: !!auditContent,
+            readiness_score: score,
+            issue_counts: counts,
+            hardening_complete: !!reportContent,
+            rls_audited: !!rlsContent,
+            status: reportContent
+                ? "hardened"
+                : auditContent
+                    ? "audited"
+                    : hasCommands
+                        ? "commands_installed"
+                        : "not_started",
+        };
+    }));
+    // Sort: not_started first, then by score ascending
+    dashboard.sort((a, b) => {
+        const statusOrder = {
+            not_started: 0,
+            commands_installed: 1,
+            audited: 2,
+            hardened: 3,
+        };
+        const aOrder = statusOrder[a.status] ?? 99;
+        const bOrder = statusOrder[b.status] ?? 99;
+        if (aOrder !== bOrder)
+            return aOrder - bOrder;
+        return (a.readiness_score ?? 0) - (b.readiness_score ?? 0);
+    });
+    const output = {
+        base_dir: dir,
+        total_projects: dashboard.length,
+        summary: {
+            not_started: dashboard.filter((p) => p.status === "not_started").length,
+            commands_installed: dashboard.filter((p) => p.status === "commands_installed").length,
+            audited: dashboard.filter((p) => p.status === "audited").length,
+            hardened: dashboard.filter((p) => p.status === "hardened").length,
+        },
+        projects: dashboard,
+    };
+    return {
+        content: [{ type: "text", text: JSON.stringify(output, null, 2) }],
+        structuredContent: output,
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: List Available Commands
+// ---------------------------------------------------------------------------
+server.registerTool("hardening_list_commands", {
+    title: "List Available Hardening Commands",
+    description: `List all available production hardening commands with their descriptions. Use to understand what commands are available and what order to run them.`,
+    inputSchema: {},
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async () => {
+    const commands = listCommands().map((cmd) => ({
+        name: cmd.name,
+        description: cmd.description,
+    }));
+    const output = {
+        command_count: commands.length,
+        recommended_order: [
+            "audit",
+            "fix-critical",
+            "fix-high",
+            "fix-rls",
+            "fix-medium",
+            "add-tests",
+            "verify",
+        ],
+        full_pipeline: "harden (runs all of the above in sequence)",
+        commands,
+    };
+    return {
+        content: [{ type: "text", text: JSON.stringify(output, null, 2) }],
+        structuredContent: output,
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Start Certification
+// ---------------------------------------------------------------------------
+server.registerTool("certification_start", {
+    title: "Start Enterprise Certification",
+    description: `Initialize an enterprise certification process for a project. Creates certification directory and metadata. Returns certification ID for tracking.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        agents: z
+            .array(z.enum(["security", "reliability", "typesafety", "performance", "quality", "redteam"]))
+            .optional()
+            .describe("Which agents to run. Defaults to all."),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, agents }) => {
+    const allAgents = ["security", "reliability", "typesafety", "performance", "quality", "redteam"];
+    const requestedAgents = agents || allAgents;
+    const certId = generateCertificationId(project_path);
+    const certLogger = createChildLogger({ certId, project: basename(project_path) });
+    certLogger.info("certification.started", { agents: requestedAgents });
+    const metadata = await initializeCertification(project_path, certId, requestedAgents);
+    return {
+        content: [{ type: "text", text: JSON.stringify(metadata, null, 2) }],
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Run Deterministic Scanners
+// ---------------------------------------------------------------------------
+server.registerTool("certification_scan", {
+    title: "Run Deterministic Scanners",
+    description: `Run deterministic security scanners before LLM agents. Returns findings with confidence: 100.
+
+**Scanners**: Semgrep, npm audit, gitleaks, TypeScript, ESLint, Bandit, Gosec, Trivy
+
+**Auto-detection**: When auto_detect is true, automatically enables language-specific scanners based on project files (e.g., Python files → Bandit, Go files → Gosec).`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().optional().describe("Certification ID to associate findings with"),
+        auto_detect: z.boolean().optional().default(false).describe("Auto-detect languages and enable appropriate scanners"),
+        scanners: z
+            .object({
+            semgrep: z.boolean().optional().default(true).describe("Run Semgrep for OWASP patterns"),
+            dependencies: z.boolean().optional().default(true).describe("Run npm audit for dependency vulns"),
+            secrets: z.boolean().optional().default(true).describe("Run gitleaks for secrets"),
+            typescript: z.boolean().optional().default(true).describe("Run TypeScript analysis"),
+            eslint: z.boolean().optional().describe("Run ESLint for code quality"),
+            bandit: z.boolean().optional().describe("Run Bandit for Python security"),
+            gosec: z.boolean().optional().describe("Run Gosec for Go security"),
+            trivy: z.boolean().optional().describe("Run Trivy for container/IaC vulns"),
+        })
+            .optional()
+            .describe("Which scanners to run. Ignored if auto_detect is true."),
+        submit_findings: z.boolean().optional().default(false).describe("Submit findings to certification"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, auto_detect, scanners, submit_findings }) => {
+    const scanLogger = createChildLogger({
+        certId: certification_id,
+        project: basename(project_path),
+    });
+    scanLogger.info("scanners.starting", { scanners, auto_detect });
+    // Use auto-detection or manual scanner selection
+    let result;
+    let detectedLanguages;
+    if (auto_detect) {
+        const { runAllScannersWithAutoDetect } = await import("./scanners/index.js");
+        const autoResult = await runAllScannersWithAutoDetect(project_path);
+        result = autoResult;
+        detectedLanguages = autoResult.detectedLanguages;
+        scanLogger.info("scanners.auto_detected", { languages: detectedLanguages });
+    }
+    else {
+        result = await runAllScanners(project_path, scanners);
+    }
+    // If certification_id provided and submit_findings is true, submit to certification
+    if (certification_id && submit_findings && result.totalFindings > 0) {
+        const certFindings = scannerFindingsToCertificationFindings(result);
+        // Ensure security agent is started for scanner findings
+        let agentFindings = await getAgentFindings(project_path, certification_id, "security");
+        if (!agentFindings) {
+            await startAgent(project_path, certification_id, "security");
+        }
+        // Submit each finding
+        for (const finding of certFindings) {
+            await submitFinding(project_path, certification_id, "security", {
+                id: finding.id,
+                severity: finding.severity,
+                category: finding.category,
+                file: finding.file,
+                line: finding.line,
+                description: finding.description,
+                evidence: finding.evidence,
+                confidence: 100,
+                // Store scanner metadata
+            });
+        }
+        // Update certification metadata
+        await updateCertificationMetadata(project_path, certification_id, {
+            scanners_run: true,
+            scanners_completed_at: new Date().toISOString(),
+            scanner_findings_count: result.totalFindings,
+        });
+        scanLogger.info("scanners.findings_submitted", {
+            count: certFindings.length,
+            certId: certification_id,
+        });
+    }
+    // Generate summary
+    const summary = generateScannerSummary(result);
+    // Add auto-detection info to summary if used
+    let summaryWithDetection = summary;
+    if (detectedLanguages) {
+        const detected = Object.entries(detectedLanguages)
+            .filter(([, v]) => v)
+            .map(([k]) => k);
+        summaryWithDetection = `## Auto-Detected Languages\n\n${detected.join(", ") || "None detected"}\n\n${summary}`;
+    }
+    return {
+        content: [
+            { type: "text", text: summaryWithDetection },
+            { type: "text", text: "\n\n---\n\nRaw results:\n" + JSON.stringify({
+                    totalFindings: result.totalFindings,
+                    bySeverity: result.bySeverity,
+                    byScanner: result.byScanner,
+                    duration: result.totalDuration,
+                    allSucceeded: result.allSucceeded,
+                    failedScanners: result.failedScanners,
+                    detectedLanguages,
+                }, null, 2) },
+        ],
+        structuredContent: {
+            totalFindings: result.totalFindings,
+            bySeverity: result.bySeverity,
+            byScanner: result.byScanner,
+            duration: result.totalDuration,
+            allSucceeded: result.allSucceeded,
+            failedScanners: result.failedScanners,
+            findingsSubmitted: submit_findings && certification_id ? result.totalFindings : 0,
+            detectedLanguages,
+        },
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Check Scanner Availability
+// ---------------------------------------------------------------------------
+server.registerTool("certification_scanners_available", {
+    title: "Check Scanner Availability",
+    description: `Check which deterministic scanners are available on the system.`,
+    inputSchema: {},
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async () => {
+    const availability = await checkScannersAvailable();
+    const lines = [
+        "# Scanner Availability",
+        "",
+        "| Scanner | Available | Version | Notes |",
+        "|---------|-----------|---------|-------|",
+    ];
+    for (const [scanner, info] of Object.entries(availability)) {
+        const status = info.available ? "✅" : "❌";
+        const version = info.version || "-";
+        const notes = info.error || "";
+        lines.push(`| ${scanner} | ${status} | ${version} | ${notes} |`);
+    }
+    lines.push("");
+    lines.push("## Installation");
+    lines.push("");
+    lines.push("- **Semgrep**: `pip install semgrep` or `brew install semgrep`");
+    lines.push("- **gitleaks**: `brew install gitleaks` or download from GitHub releases");
+    lines.push("- **npm**: Built-in with Node.js");
+    lines.push("- **TypeScript**: Included as package dependency");
+    return {
+        content: [{ type: "text", text: lines.join("\n") }],
+        structuredContent: availability,
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Detect Project Languages
+// ---------------------------------------------------------------------------
+server.registerTool("certification_detect_languages", {
+    title: "Detect Project Languages",
+    description: `Automatically detect programming languages and technologies used in a project. Returns which scanners will be auto-enabled based on the detected languages.
+
+**Detection includes:**
+- JavaScript/TypeScript (package.json, *.js, *.ts)
+- Python (requirements.txt, setup.py, *.py)
+- Go (go.mod, *.go)
+- Ruby (Gemfile, *.rb)
+- Java (pom.xml, build.gradle, *.java)
+- Docker (Dockerfile, docker-compose.yml)
+- Terraform (*.tf)`,
+    inputSchema: {
+        project_path: z.string().describe("Path to the project directory to analyze"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path }) => {
+    const { detectProjectLanguages } = await import("./scanners/index.js");
+    const languages = await detectProjectLanguages(project_path);
+    // Build scanner recommendations
+    const recommendedScanners = [];
+    // Always recommended
+    recommendedScanners.push("semgrep (security patterns)");
+    recommendedScanners.push("gitleaks (secrets detection)");
+    if (languages.javascript) {
+        recommendedScanners.push("npm-audit (dependency vulnerabilities)");
+        recommendedScanners.push("tsc (TypeScript type safety)");
+        recommendedScanners.push("eslint (code quality)");
+    }
+    if (languages.python) {
+        recommendedScanners.push("bandit (Python security)");
+    }
+    if (languages.go) {
+        recommendedScanners.push("gosec (Go security)");
+    }
+    if (languages.ruby) {
+        recommendedScanners.push("brakeman (Ruby on Rails security)");
+    }
+    if (languages.docker || languages.terraform) {
+        recommendedScanners.push("trivy (container/IaC vulnerabilities)");
+    }
+    const lines = [
+        "# Project Language Detection",
+        "",
+        `**Project**: ${project_path}`,
+        "",
+        "## Detected Languages",
+        "",
+        `| Language/Tech | Detected |`,
+        `|---------------|----------|`,
+        `| JavaScript/TypeScript | ${languages.javascript ? "✅" : "❌"} |`,
+        `| Python | ${languages.python ? "✅" : "❌"} |`,
+        `| Go | ${languages.go ? "✅" : "❌"} |`,
+        `| Ruby | ${languages.ruby ? "✅" : "❌"} |`,
+        `| Java | ${languages.java ? "✅" : "❌"} |`,
+        `| Docker | ${languages.docker ? "✅" : "❌"} |`,
+        `| Terraform | ${languages.terraform ? "✅" : "❌"} |`,
+        "",
+        "## Recommended Scanners",
+        "",
+        ...recommendedScanners.map(s => `- ${s}`),
+        "",
+        "## Usage",
+        "",
+        "Use `certification_scan` with auto-detect or specify scanners manually:",
+        "```",
+        "certification_scan({ project_path, auto_detect: true })",
+        "```",
+    ];
+    return {
+        content: [{ type: "text", text: lines.join("\n") }],
+        structuredContent: {
+            project_path,
+            languages,
+            recommended_scanners: recommendedScanners,
+        },
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Scanner Install Helper
+// ---------------------------------------------------------------------------
+server.registerTool("certification_install_scanners", {
+    title: "Get Scanner Installation Commands",
+    description: `Get platform-specific installation commands for missing security scanners. Use this to help users install semgrep, gitleaks, trivy, and other scanners. Set run_install: true to execute installation commands (requires confirmation).`,
+    inputSchema: {
+        platform: z.enum(["macos", "linux", "windows"]).optional().describe("Target platform (auto-detected if not specified)"),
+        scanners: z.array(z.enum(["semgrep", "npm-audit", "gitleaks", "tsc", "eslint", "bandit", "gosec", "brakeman", "trivy"])).optional().describe("Specific scanners to get install commands for (all if not specified)"),
+        run_install: z.boolean().optional().describe("Execute the installation commands. Default: false (just show commands)"),
+        confirm_install: z.boolean().optional().describe("Required when run_install is true - confirms you want to install"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: true,
+    },
+}, async ({ platform, scanners, run_install, confirm_install }) => {
+    // Auto-detect platform
+    const detectedPlatform = platform || (process.platform === "darwin" ? "macos" : process.platform === "win32" ? "windows" : "linux");
+    // Get availability status
+    const availability = await checkScannersAvailable();
+    // Get install commands
+    const allCommands = getScannerInstallCommands();
+    // Filter to requested scanners
+    const scannerList = scanners || Object.keys(allCommands);
+    const lines = [
+        "# Scanner Installation Guide",
+        "",
+        `**Platform**: ${detectedPlatform}`,
+        "",
+        "## Missing Scanners",
+        "",
+    ];
+    const missing = [];
+    const installed = [];
+    for (const scanner of scannerList) {
+        const info = availability[scanner];
+        if (!info?.available) {
+            missing.push(scanner);
+        }
+        else {
+            installed.push(scanner);
+        }
+    }
+    if (missing.length === 0) {
+        lines.push("✅ All requested scanners are installed!");
+        lines.push("");
+    }
+    else {
+        for (const scanner of missing) {
+            const cmd = allCommands[scanner];
+            if (!cmd)
+                continue;
+            lines.push(`### ${cmd.name}`);
+            lines.push("");
+            lines.push(`*${cmd.description}*`);
+            lines.push("");
+            lines.push("**Install command:**");
+            lines.push("```bash");
+            lines.push(cmd.installCommands[detectedPlatform]);
+            lines.push("```");
+            lines.push("");
+            lines.push(`📚 [Documentation](${cmd.documentation})`);
+            lines.push("");
+        }
+    }
+    if (installed.length > 0) {
+        lines.push("## Already Installed");
+        lines.push("");
+        for (const scanner of installed) {
+            const info = availability[scanner];
+            lines.push(`- ✅ **${scanner}** (${info?.version || "unknown version"})`);
+        }
+        lines.push("");
+    }
+    // Quick install script for all missing
+    if (missing.length > 0) {
+        lines.push("## Quick Install Script");
+        lines.push("");
+        lines.push("Install all missing scanners at once:");
+        lines.push("");
+        lines.push("```bash");
+        for (const scanner of missing) {
+            const cmd = allCommands[scanner];
+            if (cmd) {
+                lines.push(`# ${cmd.name}`);
+                lines.push(cmd.installCommands[detectedPlatform]);
+                lines.push("");
+            }
+        }
+        lines.push("```");
+    }
+    // Handle run_install option
+    if (run_install && missing.length > 0) {
+        if (!confirm_install) {
+            lines.push("");
+            lines.push("## ⚠️ Confirmation Required");
+            lines.push("");
+            lines.push("To install scanners, run again with `confirm_install: true`");
+            lines.push("");
+            lines.push("This will execute the following commands:");
+            for (const scanner of missing) {
+                const cmd = allCommands[scanner];
+                if (cmd) {
+                    lines.push(`- ${cmd.installCommands[detectedPlatform]}`);
+                }
+            }
+            return {
+                content: [{ type: "text", text: lines.join("\n") }],
+                structuredContent: {
+                    platform: detectedPlatform,
+                    missing,
+                    installed,
+                    requiresConfirmation: true,
+                },
+            };
+        }
+        // Execute installation
+        lines.push("");
+        lines.push("## Installation Results");
+        lines.push("");
+        const installResults = {};
+        for (const scanner of missing) {
+            const cmd = allCommands[scanner];
+            if (!cmd)
+                continue;
+            const installCmd = cmd.installCommands[detectedPlatform];
+            lines.push(`### Installing ${cmd.name}...`);
+            lines.push("");
+            lines.push(`\`${installCmd}\``);
+            lines.push("");
+            try {
+                const { exec } = await import("child_process");
+                const { promisify } = await import("util");
+                const execAsync = promisify(exec);
+                const { stdout, stderr } = await execAsync(installCmd, {
+                    timeout: 300000, // 5 minutes per scanner
+                });
+                installResults[scanner] = { success: true, output: stdout };
+                lines.push("✅ **Success**");
+                if (stdout.trim()) {
+                    lines.push("");
+                    lines.push("```");
+                    lines.push(stdout.trim().slice(0, 500));
+                    lines.push("```");
+                }
+            }
+            catch (error) {
+                const errMsg = error instanceof Error ? error.message : String(error);
+                installResults[scanner] = { success: false, error: errMsg };
+                lines.push(`❌ **Failed**: ${errMsg.slice(0, 200)}`);
+            }
+            lines.push("");
+        }
+        // Verify installations
+        lines.push("## Verification");
+        lines.push("");
+        const newAvailability = await checkScannersAvailable();
+        for (const scanner of missing) {
+            const info = newAvailability[scanner];
+            if (info?.available) {
+                lines.push(`✅ **${scanner}** installed (${info.version || "version unknown"})`);
+            }
+            else {
+                lines.push(`❌ **${scanner}** not available: ${info?.error || "unknown error"}`);
+            }
+        }
+        return {
+            content: [{ type: "text", text: lines.join("\n") }],
+            structuredContent: {
+                platform: detectedPlatform,
+                installResults,
+                newAvailability: Object.fromEntries(missing.map((s) => [s, newAvailability[s]])),
+            },
+        };
+    }
+    return {
+        content: [{ type: "text", text: lines.join("\n") }],
+        structuredContent: {
+            platform: detectedPlatform,
+            missing,
+            installed,
+            installCommands: Object.fromEntries(missing.map((s) => [s, allCommands[s]?.installCommands[detectedPlatform]])),
+        },
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Certification Status
+// ---------------------------------------------------------------------------
+server.registerTool("certification_status", {
+    title: "Get Certification Status",
+    description: `Check the current status of a certification process including which agents have completed.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id }) => {
+    const certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        return {
+            content: [{ type: "text", text: `Certification ${certification_id} not found` }],
+        };
+    }
+    const status = {
+        metadata: certification.metadata,
+        agents_status: Object.entries(certification.agents).map(([name, data]) => ({
+            agent: name,
+            status: data?.status,
+            findings_count: data?.findings.length ?? 0,
+        })),
+        total_findings: Object.values(certification.agents).reduce((sum, a) => sum + (a?.findings.length ?? 0), 0),
+        cross_verifications: certification.cross_verifications.length,
+        red_team_challenges: certification.red_team_challenges.length,
+    };
+    return {
+        content: [{ type: "text", text: JSON.stringify(status, null, 2) }],
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Submit Finding
+// ---------------------------------------------------------------------------
+server.registerTool("agent_submit_finding", {
+    title: "Submit Agent Finding",
+    description: `Submit a finding from a validation agent during certification. Each finding must have a unique ID, severity, and evidence.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        agent: z.enum(["security", "reliability", "typesafety", "performance", "quality", "redteam"]),
+        finding: z.object({
+            id: z.string().min(1).max(50).regex(/^[a-z]+-\d{3}$/).describe("Unique finding ID (e.g., sec-001, rel-002)"),
+            severity: z.enum(["critical", "high", "medium", "low", "info"]),
+            category: z.string().min(1).max(100).describe("Category of the finding"),
+            file: z.string().max(500).optional().describe("File path where issue found"),
+            line: z.number().int().min(1).max(1000000).optional().describe("Line number"),
+            description: z.string().min(1).max(10000).describe("Description of the issue"),
+            evidence: z.string().min(1).max(50000).describe("Evidence supporting the finding"),
+            confidence: z.number().min(0).max(100).describe("Confidence score 0-100"),
+            cross_references: z.array(z.string().max(50)).max(20).optional().describe("Related finding IDs"),
+        }),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, agent, finding }) => {
+    const certLogger = createChildLogger({ certId: certification_id, agent });
+    // Ensure agent is started
+    let agentFindings = await getAgentFindings(project_path, certification_id, agent);
+    if (!agentFindings) {
+        certLogger.info("agent.started");
+        agentFindings = await startAgent(project_path, certification_id, agent);
+    }
+    const submittedFinding = await submitFinding(project_path, certification_id, agent, finding);
+    certLogger.info("finding.submitted", {
+        findingId: finding.id,
+        severity: finding.severity,
+        confidence: finding.confidence,
+    });
+    return {
+        content: [{ type: "text", text: JSON.stringify({ submitted: submittedFinding }, null, 2) }],
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Complete Agent
+// ---------------------------------------------------------------------------
+server.registerTool("agent_complete", {
+    title: "Complete Agent Run",
+    description: `Signal that an agent has completed its validation run. Must include summary with findings count and confidence score.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        agent: z.enum(["security", "reliability", "typesafety", "performance", "quality", "redteam"]),
+        summary: z.object({
+            total_findings: z.number(),
+            by_severity: z.object({
+                critical: z.number(),
+                high: z.number(),
+                medium: z.number(),
+                low: z.number(),
+                info: z.number(),
+            }),
+            confidence_score: z.number().min(0).max(100),
+            coverage_areas: z.array(z.string()),
+            notes: z.string().optional(),
+        }),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, agent, summary }) => {
+    const certLogger = createChildLogger({ certId: certification_id, agent });
+    const completed = await completeAgent(project_path, certification_id, agent, summary);
+    certLogger.info("agent.completed", {
+        totalFindings: summary.total_findings,
+        confidenceScore: summary.confidence_score,
+        bySeverity: summary.by_severity,
+    });
+    return {
+        content: [{ type: "text", text: JSON.stringify({ completed: agent, summary: completed.summary }, null, 2) }],
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Cross-Verify Finding
+// ---------------------------------------------------------------------------
+server.registerTool("agent_cross_verify", {
+    title: "Cross-Verify Finding",
+    description: `Cross-verify a finding from another agent. Increases or decreases confidence based on verification.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        verifying_agent: z.enum(["security", "reliability", "typesafety", "performance", "quality", "redteam"]),
+        finding_id: z.string().describe("ID of the finding to verify"),
+        verdict: z.enum(["confirmed", "disputed", "inconclusive"]),
+        evidence: z.string().describe("Evidence for the verdict"),
+        adjusted_confidence: z.number().min(0).max(100).optional(),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, verifying_agent, finding_id, verdict, evidence, adjusted_confidence }) => {
+    const verification = await addCrossVerification(project_path, certification_id, {
+        finding_id,
+        verifying_agent,
+        verdict,
+        evidence,
+        adjusted_confidence,
+    });
+    return {
+        content: [{ type: "text", text: JSON.stringify({ verification }, null, 2) }],
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Auto Cross-Verify (Batch)
+// ---------------------------------------------------------------------------
+server.registerTool("certification_cross_verify", {
+    title: "Cross-Verify Critical Findings",
+    description: `Batch cross-verify critical findings. In "auto" mode (default), automatically verifies all critical findings based on agent domain overlap. In "manual" mode, verifies only specified finding IDs. Run this after all agents complete to unblock consensus calculation.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        mode: z.enum(["auto", "manual"]).optional().default("auto").describe("auto: verify all critical findings; manual: verify specific findings"),
+        finding_ids: z.array(z.string()).optional().describe("Specific finding IDs to verify (required for manual mode)"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, mode = "auto", finding_ids }) => {
+    const certLogger = createChildLogger({ certId: certification_id, project: basename(project_path) });
+    // Check if all agents have completed
+    const allComplete = await allAgentsCompleted(project_path, certification_id);
+    if (!allComplete) {
+        certLogger.warn("cross_verify.agents_not_complete");
+        return {
+            content: [{
+                    type: "text",
+                    text: JSON.stringify({
+                        error: "Not all agents have completed. Wait for all agents to finish before cross-verification.",
+                        ready: false,
+                    }, null, 2),
+                }],
+        };
+    }
+    // Validate manual mode has finding_ids
+    if (mode === "manual" && (!finding_ids || finding_ids.length === 0)) {
+        return {
+            content: [{
+                    type: "text",
+                    text: JSON.stringify({
+                        error: "Manual mode requires finding_ids to be specified",
+                        ready: false,
+                    }, null, 2),
+                }],
+        };
+    }
+    const result = await autoCrossVerify(project_path, certification_id, mode, finding_ids);
+    certLogger.info("cross_verify.completed", {
+        mode,
+        criticalFindings: result.criticalFindingsCount,
+        verificationsCreated: result.verificationsCreated,
+        allVerified: result.allCriticalVerified,
+    });
+    return {
+        content: [{
+                type: "text",
+                text: JSON.stringify({
+                    mode,
+                    criticalFindingsCount: result.criticalFindingsCount,
+                    verificationsCreated: result.verificationsCreated,
+                    verifiedFindingIds: result.verifiedFindingIds,
+                    allCriticalVerified: result.allCriticalVerified,
+                    readyForConsensus: result.allCriticalVerified,
+                    nextStep: result.allCriticalVerified
+                        ? "Run certification_consensus to calculate final score"
+                        : "Some critical findings could not be auto-verified. Use agent_cross_verify for manual verification.",
+                }, null, 2),
+            }],
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Red Team Challenge
+// ---------------------------------------------------------------------------
+server.registerTool("redteam_challenge", {
+    title: "Red Team Challenge",
+    description: `Red team challenges an area marked clean by another agent. Used to dispute false negatives.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        target_agent: z.enum(["security", "reliability", "typesafety", "performance", "quality"]),
+        area: z.string().describe("The area being challenged"),
+        challenge_type: z.enum(["missed_issue", "false_negative", "incomplete_coverage", "edge_case"]),
+        evidence: z.string().describe("Evidence for the challenge"),
+        severity_if_valid: z.enum(["critical", "high", "medium", "low"]),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, target_agent, area, challenge_type, evidence, severity_if_valid }) => {
+    const challenge = await addRedTeamChallenge(project_path, certification_id, {
+        target_agent,
+        area,
+        challenge_type,
+        evidence,
+        severity_if_valid,
+    });
+    return {
+        content: [{ type: "text", text: JSON.stringify({ challenge }, null, 2) }],
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Calculate Consensus
+// ---------------------------------------------------------------------------
+server.registerTool("certification_consensus", {
+    title: "Calculate Certification Consensus",
+    description: `Calculate consensus score and certification level from all agent findings. Requires all requested agents to have completed. Set auto_cross_verify: true (default) to automatically cross-verify critical findings if blocked.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        auto_cross_verify: z.boolean().optional().default(true).describe("Automatically cross-verify critical findings if consensus is blocked"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, auto_cross_verify = true }) => {
+    const certLogger = createChildLogger({ certId: certification_id, project: basename(project_path) });
+    let certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        certLogger.warn("consensus.certification_not_found");
+        return {
+            content: [{ type: "text", text: `Certification ${certification_id} not found` }],
+        };
+    }
+    let { ready, missing } = canFinalize(certification);
+    // If not ready due to missing cross-verifications and auto_cross_verify is enabled
+    if (!ready && auto_cross_verify) {
+        const crossVerifyMissing = missing.filter((m) => m.includes("not cross-verified"));
+        if (crossVerifyMissing.length > 0 && missing.length === crossVerifyMissing.length) {
+            // All blockers are cross-verification issues - auto-verify
+            certLogger.info("consensus.auto_cross_verify_triggered", {
+                missingVerifications: crossVerifyMissing.length,
+            });
+            const crossVerifyResult = await autoCrossVerify(project_path, certification_id, "auto");
+            // Reload certification and re-check
+            certification = await getCertification(project_path, certification_id);
+            if (!certification) {
+                return {
+                    content: [{ type: "text", text: `Certification ${certification_id} not found after cross-verify` }],
+                };
+            }
+            const recheck = canFinalize(certification);
+            ready = recheck.ready;
+            missing = recheck.missing;
+            certLogger.info("consensus.auto_cross_verify_complete", {
+                verificationsCreated: crossVerifyResult.verificationsCreated,
+                nowReady: ready,
+            });
+        }
+    }
+    if (!ready) {
+        certLogger.warn("consensus.not_ready", { missing });
+        return {
+            content: [{ type: "text", text: JSON.stringify({ ready: false, missing }, null, 2) }],
+        };
+    }
+    const consensus = calculateConsensus(certification);
+    await saveConsensus(project_path, certification_id, consensus);
+    certLogger.info("consensus.calculated", {
+        level: consensus.certification_level,
+        score: consensus.overall_score,
+        totalFindings: consensus.total_findings,
+    });
+    return {
+        content: [{ type: "text", text: JSON.stringify(consensus, null, 2) }],
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Finalize Certification
+// ---------------------------------------------------------------------------
+server.registerTool("certification_finalize", {
+    title: "Finalize Certification",
+    description: `Finalize certification and generate CERTIFICATION.md and CERTIFICATION.json artifacts.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id }) => {
+    const certLogger = createChildLogger({ certId: certification_id, project: basename(project_path) });
+    const certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        certLogger.warn("certification.not_found");
+        return {
+            content: [{ type: "text", text: `Certification ${certification_id} not found` }],
+        };
+    }
+    if (!certification.consensus) {
+        certLogger.warn("certification.no_consensus");
+        return {
+            content: [{ type: "text", text: `Run certification_consensus first` }],
+        };
+    }
+    // Finalize metadata
+    await finalizeCertification(project_path, certification_id, certification.consensus.certification_level, certification.consensus.overall_score);
+    // Get updated certification
+    const finalCert = await getCertification(project_path, certification_id);
+    if (!finalCert) {
+        certLogger.error("certification.finalize_failed");
+        return {
+            content: [{ type: "text", text: `Failed to finalize certification` }],
+        };
+    }
+    // Generate artifacts
+    const artifacts = await writeCertificationArtifacts(project_path, finalCert);
+    certLogger.info("certification.finalized", {
+        level: finalCert.consensus?.certification_level,
+        score: finalCert.consensus?.overall_score,
+        artifacts,
+        expiresAt: finalCert.metadata.expires_at,
+    });
+    return {
+        content: [{ type: "text", text: JSON.stringify({
+                    certification_level: finalCert.consensus?.certification_level,
+                    score: finalCert.consensus?.overall_score,
+                    artifacts,
+                    expires_at: finalCert.metadata.expires_at,
+                }, null, 2) }],
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Certification Dashboard
+// ---------------------------------------------------------------------------
+server.registerTool("certification_dashboard", {
+    title: "Certification Dashboard",
+    description: `Portfolio-wide view of enterprise certifications across all projects. Shows certification status, levels, and expiry.`,
+    inputSchema: {
+        base_dir: z.string().optional().describe("Base directory. Defaults to VASPERA_PROJECTS_DIR"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ base_dir }) => {
+    const dir = base_dir || DEFAULT_PROJECTS_DIR;
+    if (!(await dirExists(dir))) {
+        return {
+            content: [{ type: "text", text: `Error: Directory not found: ${dir}` }],
+        };
+    }
+    const projects = await discoverProjects(dir);
+    const dashboard = await Promise.all(projects.map(async (p) => {
+        const name = basename(p);
+        const latest = await getLatestCertification(p);
+        if (!latest) {
+            return {
+                name,
+                path: p,
+                certification_status: "not_certified",
+                certification_level: null,
+                score: null,
+                certified_at: null,
+                expires_at: null,
+                days_until_expiry: null,
+            };
+        }
+        const validation = await isCertificationValid(p, latest.metadata);
+        const daysUntilExpiry = latest.metadata.expires_at
+            ? Math.ceil((new Date(latest.metadata.expires_at).getTime() - Date.now()) / (1000 * 60 * 60 * 24))
+            : null;
+        // Determine certification status based on validation result
+        let certStatus;
+        if (latest.metadata.status !== "completed") {
+            certStatus = latest.metadata.status;
+        }
+        else if (validation.valid) {
+            certStatus = "certified";
+        }
+        else if (validation.reason === "code_changed") {
+            certStatus = "code_changed";
+        }
+        else {
+            certStatus = "expired";
+        }
+        return {
+            name,
+            path: p,
+            certification_status: certStatus,
+            certification_level: latest.metadata.certification_level,
+            score: latest.metadata.final_score,
+            certified_at: latest.metadata.completed_at,
+            expires_at: latest.metadata.expires_at,
+            days_until_expiry: daysUntilExpiry,
+        };
+    }));
+    // Sort by certification status and expiry
+    dashboard.sort((a, b) => {
+        const statusOrder = {
+            not_certified: 0,
+            code_changed: 1,
+            expired: 2,
+            in_progress: 3,
+            certified: 4,
+        };
+        const aOrder = statusOrder[a.certification_status] ?? 99;
+        const bOrder = statusOrder[b.certification_status] ?? 99;
+        if (aOrder !== bOrder)
+            return aOrder - bOrder;
+        return (a.days_until_expiry ?? 999) - (b.days_until_expiry ?? 999);
+    });
+    const summary = {
+        total_projects: dashboard.length,
+        certified: dashboard.filter((p) => p.certification_status === "certified").length,
+        code_changed: dashboard.filter((p) => p.certification_status === "code_changed").length,
+        expired: dashboard.filter((p) => p.certification_status === "expired").length,
+        in_progress: dashboard.filter((p) => p.certification_status === "in_progress").length,
+        not_certified: dashboard.filter((p) => p.certification_status === "not_certified").length,
+        expiring_soon: dashboard.filter((p) => p.days_until_expiry !== null && p.days_until_expiry <= 7).length,
+    };
+    const output = {
+        base_dir: dir,
+        summary,
+        projects: dashboard,
+    };
+    return {
+        content: [{ type: "text", text: JSON.stringify(output, null, 2) }],
+    };
+});
+// ---------------------------------------------------------------------------
+// Tool: Preview Auto-Fix
+// ---------------------------------------------------------------------------
+server.registerTool("autofix_preview", {
+    title: "Preview Auto-Fix for Finding",
+    description: `Preview an automatic fix for a certification finding without applying it. Returns the before/after diff.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        finding_id: z.string().describe("Finding ID to preview fix for"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, finding_id }) => {
+    const certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        return errorResponse(`Certification ${certification_id} not found`);
+    }
+    // Find the finding
+    let finding = null;
+    for (const agentData of Object.values(certification.agents)) {
+        if (agentData) {
+            finding = agentData.findings.find((f) => f.id === finding_id);
+            if (finding)
+                break;
+        }
+    }
+    if (!finding) {
+        return errorResponse(`Finding ${finding_id} not found`);
+    }
+    const preview = await previewFix(project_path, finding);
+    return jsonResponse({ ...preview });
+});
+// ---------------------------------------------------------------------------
+// Tool: Apply Auto-Fix
+// ---------------------------------------------------------------------------
+server.registerTool("autofix_apply", {
+    title: "Apply Auto-Fix for Finding",
+    description: `Apply an automatic fix for a certification finding. Use autofix_preview first to see what will change.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        finding_id: z.string().describe("Finding ID to fix"),
+        dry_run: z.boolean().optional().describe("If true, show what would be changed without applying"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, finding_id, dry_run }) => {
+    const certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        return errorResponse(`Certification ${certification_id} not found`);
+    }
+    let finding = null;
+    for (const agentData of Object.values(certification.agents)) {
+        if (agentData) {
+            finding = agentData.findings.find((f) => f.id === finding_id);
+            if (finding)
+                break;
+        }
+    }
+    if (!finding) {
+        return errorResponse(`Finding ${finding_id} not found`);
+    }
+    const result = await applyFix(project_path, finding, dry_run);
+    return jsonResponse({ ...result });
+});
+// ---------------------------------------------------------------------------
+// Tool: List Fix Patterns
+// ---------------------------------------------------------------------------
+server.registerTool("autofix_list_patterns", {
+    title: "List Available Fix Patterns",
+    description: `List all available auto-fix patterns that can be applied to findings.`,
+    inputSchema: {},
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async () => {
+    const patterns = listFixPatterns();
+    return jsonResponse({ patterns, count: patterns.length });
+});
+// ---------------------------------------------------------------------------
+// Tool: Batch Apply Safe Fixes
+// ---------------------------------------------------------------------------
+server.registerTool("autofix_batch", {
+    title: "Batch Apply Safe Fixes",
+    description: `Apply all safe auto-fixes to certification findings at once. Only applies fixes marked as "safeToAutoApply" (low risk, no manual review needed). Use dry_run: true to preview what would be changed.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        dry_run: z.boolean().optional().default(true).describe("If true (default), show what would be changed without applying"),
+        include_unsafe: z.boolean().optional().default(false).describe("If true, also apply unsafe fixes (use with caution)"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, dry_run, include_unsafe }) => {
+    const certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        return errorResponse(`Certification ${certification_id} not found`);
+    }
+    // Collect all findings from all agents
+    const allFindings = [];
+    for (const agentData of Object.values(certification.agents)) {
+        if (agentData) {
+            allFindings.push(...agentData.findings);
+        }
+    }
+    if (allFindings.length === 0) {
+        return jsonResponse({
+            message: "No findings to fix",
+            totalFindings: 0,
+            applied: 0,
+        });
+    }
+    const result = await batchApplySafeFixes(project_path, allFindings, {
+        dryRun: dry_run,
+        includeUnsafe: include_unsafe,
+    });
+    // Format output
+    const safePatterns = getSafeFixPatterns();
+    const lines = [
+        `# Batch Auto-Fix ${dry_run ? "(Dry Run)" : "Applied"}`,
+        "",
+        `**Total Findings**: ${result.totalFindings}`,
+        `**Safe Fixes Available**: ${result.safeFixesAvailable}`,
+        `**Applied**: ${result.applied}`,
+        `**Skipped**: ${result.skipped}`,
+        `**Failed**: ${result.failed}`,
+        "",
+    ];
+    if (Object.keys(result.summary.byPattern).length > 0) {
+        lines.push("## Fixes by Pattern");
+        lines.push("");
+        for (const [pattern, count] of Object.entries(result.summary.byPattern)) {
+            lines.push(`- **${pattern}**: ${count} fixes`);
+        }
+        lines.push("");
+    }
+    if (Object.keys(result.summary.byFile).length > 0) {
+        lines.push("## Fixes by File");
+        lines.push("");
+        for (const [file, count] of Object.entries(result.summary.byFile)) {
+            lines.push(`- \`${file}\`: ${count} fixes`);
+        }
+        lines.push("");
+    }
+    if (dry_run && result.applied > 0) {
+        lines.push("## Next Steps");
+        lines.push("");
+        lines.push("Run with `dry_run: false` to apply these fixes.");
+        lines.push("");
+    }
+    lines.push("## Safe Patterns");
+    lines.push("");
+    for (const pattern of safePatterns) {
+        lines.push(`- **${pattern.name}** (${pattern.id}): ${pattern.description}`);
+    }
+    return jsonResponse({
+        message: lines.join("\n"),
+        ...result,
+    });
+});
+// ---------------------------------------------------------------------------
+// Tool: Certification Summary
+// ---------------------------------------------------------------------------
+server.registerTool("certification_summary", {
+    title: "Get Certification Summary",
+    description: `Get a progressive disclosure summary of certification findings grouped by severity, agent, file, and category.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id }) => {
+    const certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        return errorResponse(`Certification ${certification_id} not found`);
+    }
+    const summary = generateSummary(certification);
+    const actions = getActionItems(certification);
+    return jsonResponse({
+        summary,
+        actionItems: actions,
+    });
+});
+// ---------------------------------------------------------------------------
+// Tool: Filter Findings
+// ---------------------------------------------------------------------------
+server.registerTool("certification_filter", {
+    title: "Filter Certification Findings",
+    description: `Filter certification findings by severity, agent, category, file, or confidence level.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        severity: z.array(z.enum(["critical", "high", "medium", "low", "info"])).optional(),
+        agents: z.array(z.enum(["security", "reliability", "typesafety", "performance", "quality", "redteam"])).optional(),
+        categories: z.array(z.string()).optional(),
+        min_confidence: z.number().min(0).max(100).optional(),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, severity, agents, categories, min_confidence }) => {
+    const certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        return errorResponse(`Certification ${certification_id} not found`);
+    }
+    const findings = filterFindings(certification, {
+        severity,
+        agents,
+        categories,
+        minConfidence: min_confidence,
+    });
+    return jsonResponse({
+        count: findings.length,
+        findings: findings.map((f) => ({
+            id: f.id,
+            severity: f.severity,
+            category: f.category,
+            file: f.file,
+            description: f.description,
+            confidence: f.confidence,
+            instances: f.instances?.length,
+        })),
+    });
+});
+// ---------------------------------------------------------------------------
+// Tool: Export to SARIF
+// ---------------------------------------------------------------------------
+server.registerTool("certification_export_sarif", {
+    title: "Export to SARIF Format",
+    description: `Export certification findings to SARIF format for GitHub Security, SonarQube, or other tools.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        format: z.enum(["sarif", "github", "sonarqube"]).optional().describe("Output format"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, format }) => {
+    const certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        return errorResponse(`Certification ${certification_id} not found`);
+    }
+    let outputPath;
+    if (format === "github") {
+        outputPath = await exportForGitHub(project_path, certification);
+    }
+    else {
+        outputPath = await exportToSarif(project_path, certification);
+    }
+    return jsonResponse({
+        exported: true,
+        format: format || "sarif",
+        outputPath,
+    });
+});
+// ---------------------------------------------------------------------------
+// Tool: Load Custom Rules
+// ---------------------------------------------------------------------------
+server.registerTool("rules_load", {
+    title: "Load Custom Rules",
+    description: `Load custom validation rules from .vaspera/hardening-rules.yaml or .json`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path }) => {
+    const rules = await loadCustomRules(project_path);
+    return jsonResponse({
+        rulesLoaded: rules.length,
+        rules: rules.map((r) => ({
+            id: r.id,
+            name: r.name,
+            severity: r.severity,
+            enabled: r.enabled,
+        })),
+    });
+});
+// ---------------------------------------------------------------------------
+// Tool: List Rule Templates
+// ---------------------------------------------------------------------------
+server.registerTool("rules_templates", {
+    title: "List Rule Templates",
+    description: `List built-in rule templates that can be used in custom rule configuration.`,
+    inputSchema: {},
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async () => {
+    const templates = listRuleTemplates();
+    return jsonResponse({ templates, count: templates.length });
+});
+// ---------------------------------------------------------------------------
+// Tool: Generate Rules Config Sample
+// ---------------------------------------------------------------------------
+server.registerTool("rules_generate_config", {
+    title: "Generate Sample Rules Config",
+    description: `Generate a sample .vaspera/hardening-rules.yaml configuration file.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path }) => {
+    const configContent = generateSampleConfig();
+    const configDir = join(project_path, ".vaspera");
+    const configPath = join(configDir, "hardening-rules.yaml");
+    await mkdir(configDir, { recursive: true });
+    await writeFile(configPath, configContent, "utf-8");
+    return jsonResponse({
+        created: true,
+        path: configPath,
+        content: configContent,
+    });
+});
+// ---------------------------------------------------------------------------
+// Tool: Check File Against Rules
+// ---------------------------------------------------------------------------
+server.registerTool("rules_check_file", {
+    title: "Check File Against Custom Rules",
+    description: `Run custom rules against a specific file and return matches.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        file_path: z.string().describe("Relative path to the file to check"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, file_path }) => {
+    const rules = await loadCustomRules(project_path);
+    if (rules.length === 0) {
+        return jsonResponse({
+            matches: [],
+            message: "No custom rules configured. Use rules_generate_config to create a sample.",
+        });
+    }
+    const fullPath = join(project_path, file_path);
+    const content = await readFile(fullPath, "utf-8");
+    const matches = await checkFileAgainstRules(file_path, content, rules);
+    const findings = matchesToFindings(matches);
+    return jsonResponse({
+        rulesChecked: rules.length,
+        matchCount: matches.length,
+        findings: findings.map((f) => ({
+            id: f.id,
+            severity: f.severity,
+            file: f.file,
+            line: f.line,
+            description: f.description,
+        })),
+    });
+});
+// ---------------------------------------------------------------------------
+// Tool: Run Evaluation
+// ---------------------------------------------------------------------------
+server.registerTool("certification_eval", {
+    title: "Run Scanner Evaluation",
+    description: `Run the evaluation harness against labeled test fixtures to measure scanner precision, recall, and F1 score. Use this to verify scanner accuracy before trusting results.`,
+    inputSchema: {
+        scanners: z
+            .array(z.string())
+            .optional()
+            .describe("Scanners to evaluate (semgrep, gitleaks, tsc). Defaults to all."),
+        categories: z
+            .array(z.string())
+            .optional()
+            .describe("Fixture categories to include (sql-injection, xss, secrets, etc.)"),
+        stability_runs: z
+            .number()
+            .min(1)
+            .max(10)
+            .optional()
+            .describe("Number of runs for stability testing. Default 1."),
+        output_format: z
+            .enum(["summary", "markdown", "json"])
+            .optional()
+            .describe("Output format. Default: summary"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ scanners, categories, stability_runs, output_format }) => {
+    const evalLogger = createChildLogger({ component: "eval" });
+    evalLogger.info("eval.starting", { scanners, categories, stability_runs });
+    try {
+        const config = {
+            scanners: scanners || ["semgrep", "gitleaks", "tsc"],
+            includeFixtures: categories,
+            stabilityRuns: stability_runs || 1,
+            timeout: 60000,
+            parallel: true,
+        };
+        let results;
+        let stability;
+        if (stability_runs && stability_runs > 1) {
+            // Run stability test
+            const allRuns = await runStabilityTest(config, stability_runs);
+            results = allRuns[0]; // Use first run for metrics
+            stability = calculateStabilityMetrics(allRuns);
+        }
+        else {
+            results = await runEvaluation(config);
+        }
+        const metrics = calculateMetrics(results);
+        const { meetsAll, results: targetResults } = meetsTargets(metrics);
+        evalLogger.info("eval.completed", {
+            precision: metrics.precision,
+            recall: metrics.recall,
+            f1Score: metrics.f1Score,
+            meetsTargets: meetsAll,
+        });
+        // Generate output based on format
+        if (output_format === "markdown") {
+            const report = generateEvaluationReport(metrics, results, config, stability);
+            const markdown = formatReportAsMarkdown(report);
+            return textResponse(markdown);
+        }
+        else if (output_format === "json") {
+            const report = generateEvaluationReport(metrics, results, config, stability);
+            return jsonResponse(report);
+        }
+        else {
+            // Summary format (default)
+            const summary = generateCompactSummary(metrics);
+            const badges = generateReadmeBadges(metrics);
+            const lines = [
+                "# Scanner Evaluation Results",
+                "",
+                summary,
+                "",
+                "## Badges for README",
+                "",
+                badges,
+                "",
+                "## Target Comparison",
+                "",
+                "| Metric | Target | Actual | Status |",
+                "|--------|--------|--------|--------|",
+            ];
+            for (const [metric, data] of Object.entries(targetResults)) {
+                const icon = data.met ? "✅" : "❌";
+                lines.push(`| ${metric} | ${(data.target * 100).toFixed(1)}% | ${(data.actual * 100).toFixed(1)}% | ${icon} |`);
+            }
+            if (stability) {
+                lines.push("", "## Stability", "", `Runs: ${stability.runs}`, `Stability: ${stability.stabilityPercent.toFixed(1)}%`, `Consistent: ${stability.consistentFindings}`, `Inconsistent: ${stability.inconsistentFindings}`);
+            }
+            lines.push("", "## Fixture Stats", "", `Total fixtures: ${metrics.totalFixtures}`, `Successful: ${metrics.successfulFixtures}`, `Failed: ${metrics.failedFixtures}`, `Total expected findings: ${metrics.totalExpected}`, `Duration: ${(metrics.totalDuration / 1000).toFixed(1)}s`);
+            return textResponse(lines.join("\n"));
+        }
+    }
+    catch (error) {
+        evalLogger.error("eval.failed", { error: error instanceof Error ? error.message : String(error) });
+        return errorResponse(`Evaluation failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Get Fixture Stats
+// ---------------------------------------------------------------------------
+server.registerTool("certification_eval_fixtures", {
+    title: "Get Evaluation Fixture Statistics",
+    description: `Get statistics about available evaluation fixtures including categories and expected findings.`,
+    inputSchema: {},
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async () => {
+    const stats = getFixtureStats();
+    const fixtures = ALL_FIXTURES.map((f) => ({
+        id: f.id,
+        name: f.name,
+        category: f.category,
+        expectedFindings: f.expectedFindings.length,
+        tags: f.tags,
+    }));
+    return jsonResponse({
+        ...stats,
+        targetMetrics: TARGET_METRICS,
+        fixtures,
+    });
+});
+// ---------------------------------------------------------------------------
+// Tool: Generate Compliance Report
+// ---------------------------------------------------------------------------
+server.registerTool("compliance_report", {
+    title: "Generate Compliance Report",
+    description: `Generate a compliance report mapping certification findings to framework controls (SOC 2, ISO 27001). Shows which controls are at risk or non-compliant based on security findings.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID to assess"),
+        framework: z
+            .enum(["SOC2", "ISO27001"])
+            .describe("Compliance framework to assess"),
+        output_format: z
+            .enum(["markdown", "json", "summary"])
+            .optional()
+            .describe("Output format. Default: markdown"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, framework, output_format }) => {
+    const certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        return errorResponse(`Certification ${certification_id} not found`);
+    }
+    // Collect all findings from all agents
+    const allFindings = Object.values(certification.agents)
+        .filter(Boolean)
+        .flatMap((a) => a.findings);
+    if (allFindings.length === 0) {
+        return errorResponse("No findings to assess. Run certification agents first.");
+    }
+    const report = generateComplianceReport(allFindings, framework, project_path, certification_id);
+    if (output_format === "json") {
+        return jsonResponse(report);
+    }
+    else if (output_format === "summary") {
+        return textResponse(generateCompactComplianceSummary(report));
+    }
+    else {
+        return textResponse(formatComplianceReportAsMarkdown(report));
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Multi-Framework Compliance Report
+// ---------------------------------------------------------------------------
+server.registerTool("compliance_multi_report", {
+    title: "Multi-Framework Compliance Report",
+    description: `Generate a compliance report across multiple frameworks (SOC 2 and ISO 27001). Shows comparative status and prioritized recommendations.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID to assess"),
+        frameworks: z
+            .array(z.enum(["SOC2", "ISO27001"]))
+            .optional()
+            .describe("Frameworks to assess. Default: both"),
+        output_format: z
+            .enum(["markdown", "json"])
+            .optional()
+            .describe("Output format. Default: markdown"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, frameworks, output_format }) => {
+    const certification = await getCertification(project_path, certification_id);
+    if (!certification) {
+        return errorResponse(`Certification ${certification_id} not found`);
+    }
+    const allFindings = Object.values(certification.agents)
+        .filter(Boolean)
+        .flatMap((a) => a.findings);
+    if (allFindings.length === 0) {
+        return errorResponse("No findings to assess. Run certification agents first.");
+    }
+    const selectedFrameworks = (frameworks || ["SOC2", "ISO27001"]);
+    const report = generateMultiFrameworkReport(allFindings, selectedFrameworks, project_path, certification_id);
+    if (output_format === "json") {
+        return jsonResponse(report);
+    }
+    else {
+        return textResponse(formatMultiFrameworkReportAsMarkdown(report));
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: List Compliance Controls
+// ---------------------------------------------------------------------------
+server.registerTool("compliance_controls", {
+    title: "List Compliance Controls",
+    description: `List available compliance controls for a framework. Use to understand what controls are assessed and their mapping to finding categories.`,
+    inputSchema: {
+        framework: z
+            .enum(["SOC2", "ISO27001"])
+            .describe("Compliance framework"),
+        category: z
+            .string()
+            .optional()
+            .describe("Filter by category"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ framework, category }) => {
+    let controls = getControlsForFramework(framework);
+    if (category) {
+        controls = controls.filter((c) => c.category === category);
+    }
+    const categories = framework === "SOC2" ? getSOC2Categories() : getISO27001Categories();
+    return jsonResponse({
+        framework,
+        totalControls: controls.length,
+        categories,
+        controls: controls.map((c) => ({
+            id: c.id,
+            category: c.category,
+            title: c.title,
+            findingCategories: c.findingCategories,
+            cweIds: c.cweIds,
+            severityThreshold: c.severityThreshold,
+        })),
+    });
+});
+// ---------------------------------------------------------------------------
+// Tool: Generate SBOM
+// ---------------------------------------------------------------------------
+server.registerTool("sbom_generate", {
+    title: "Generate CycloneDX SBOM",
+    description: `Generate a CycloneDX 1.5 Software Bill of Materials (SBOM) for a project. Includes all dependencies from package.json/package-lock.json with integrity hashes. Use output_file to write directly to a file.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        include_dev: z.boolean().optional().describe("Include dev dependencies. Default: false"),
+        include_vulnerabilities: z.boolean().optional().describe("Include vulnerabilities from certification. Default: false"),
+        certification_id: z.string().optional().describe("Certification ID to include vulnerabilities from"),
+        output_format: z.enum(["json", "summary"]).optional().describe("Output format. Default: json"),
+        output_file: z.string().optional().describe("Write SBOM to this file path (e.g., 'sbom.json' or 'sbom.cdx.json')"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, include_dev, include_vulnerabilities, certification_id, output_format, output_file }) => {
+    try {
+        // Get findings if including vulnerabilities
+        let findings;
+        if (include_vulnerabilities && certification_id) {
+            const certification = await getCertification(project_path, certification_id);
+            if (certification) {
+                // Get scanner findings (deterministic)
+                const securityAgent = certification.agents.security;
+                if (securityAgent) {
+                    findings = securityAgent.findings
+                        .filter((f) => f.confidence === 100 && f.scanner_source)
+                        .map((f) => ({
+                        scanner: f.scanner_source,
+                        ruleId: f.scanner_rule_id || f.id,
+                        file: f.file || "",
+                        line: f.line || 0,
+                        message: f.description,
+                        severity: f.severity,
+                        confidence: 100,
+                        cweIds: f.cwe_ids,
+                        cveIds: f.cve_ids,
+                    }));
+                }
+            }
+        }
+        const sbom = await generateSBOM(project_path, {
+            includeDevDependencies: include_dev,
+            includeVulnerabilities: include_vulnerabilities,
+        }, findings);
+        // Write to file if requested
+        if (output_file) {
+            const filePath = output_file.startsWith("/") ? output_file : join(project_path, output_file);
+            const content = output_format === "summary"
+                ? generateSBOMSummary(sbom)
+                : JSON.stringify(sbom, null, 2);
+            await writeFile(filePath, content, "utf-8");
+            return textResponse(`SBOM written to: ${filePath}\n\nComponents: ${sbom.components?.length || 0}`);
+        }
+        if (output_format === "summary") {
+            const summary = generateSBOMSummary(sbom);
+            return textResponse(summary);
+        }
+        return jsonResponse(sbom);
+    }
+    catch (error) {
+        return errorResponse(`Failed to generate SBOM: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Generate SLSA Provenance
+// ---------------------------------------------------------------------------
+server.registerTool("sbom_provenance", {
+    title: "Generate SLSA Provenance",
+    description: `Generate SLSA v1.0 provenance for a certification. Creates an in-toto statement with build metadata and subject digests.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID to generate provenance for"),
+        artifact_content: z.string().optional().describe("Content to generate provenance for. Defaults to certification JSON."),
+        builder_id: z.string().optional().describe("Builder ID URL. Default: https://github.com/RCOLKITT/vaspera-hardening-mcp"),
+        output_format: z.enum(["json", "summary"]).optional().describe("Output format. Default: json"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, artifact_content, builder_id, output_format }) => {
+    try {
+        const certification = await getCertification(project_path, certification_id);
+        if (!certification) {
+            return errorResponse(`Certification ${certification_id} not found`);
+        }
+        // Use certification JSON as default artifact
+        const content = artifact_content || JSON.stringify(certification, null, 2);
+        const provenance = await generateProvenance(certification, content, {
+            builderId: builder_id,
+        });
+        if (output_format === "summary") {
+            const summary = generateProvenanceSummary(provenance);
+            return textResponse(summary);
+        }
+        return jsonResponse(provenance);
+    }
+    catch (error) {
+        return errorResponse(`Failed to generate provenance: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Sign Artifact with Sigstore
+// ---------------------------------------------------------------------------
+server.registerTool("sbom_sign", {
+    title: "Sign Artifact with Sigstore",
+    description: `Sign an artifact using Sigstore (Fulcio + Rekor) for supply chain security.
+
+Requires OIDC identity token:
+- GitHub Actions: Add 'permissions: id-token: write' to your workflow
+- GitLab CI: Enable CI_JOB_JWT_V2
+- Manual: Set SIGSTORE_ID_TOKEN environment variable
+
+Returns a Sigstore bundle with:
+- Short-lived certificate from Fulcio
+- Entry in Rekor transparency log
+- Cryptographic signature`,
+    inputSchema: {
+        content: z.string().describe("Content to sign (JSON string, SBOM, or provenance)"),
+        skip_signing: z.boolean().optional().describe("Skip signing and return unsigned artifact (for testing). Default: false"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: false, // Signing creates new log entries
+        openWorldHint: true, // Contacts Sigstore services
+    },
+}, async ({ content, skip_signing }) => {
+    try {
+        // Detect CI environment
+        const ciEnv = detectCIEnvironment();
+        // Check if signing is available
+        const available = isSigningAvailable({ skipSigning: skip_signing });
+        if (!available && !skip_signing) {
+            return jsonResponse({
+                signed: false,
+                available: false,
+                ciEnvironment: ciEnv,
+                message: ciEnv.setupInstructions ||
+                    "Sigstore signing requires OIDC identity. Run in CI with OIDC support or set SIGSTORE_ID_TOKEN.",
+                hint: "Use skip_signing: true to generate unsigned artifacts for testing.",
+            });
+        }
+        // Perform signing
+        const signedArtifact = await signContent(content, { skipSigning: skip_signing });
+        return jsonResponse({
+            signed: signedArtifact.signed,
+            digest: signedArtifact.digest,
+            signedAt: signedArtifact.signedAt,
+            error: signedArtifact.error,
+            hasBundle: !!signedArtifact.bundle,
+            bundleMediaType: signedArtifact.bundle?.mediaType,
+            transparencyLogEntry: signedArtifact.bundle?.verificationMaterial?.tlogEntries?.[0]
+                ? {
+                    logIndex: signedArtifact.bundle.verificationMaterial.tlogEntries[0].logIndex,
+                    integratedTime: signedArtifact.bundle.verificationMaterial.tlogEntries[0].integratedTime,
+                }
+                : null,
+            summary: generateSigningSummary(signedArtifact),
+            ciEnvironment: ciEnv,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Failed to sign content: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Verify Provenance
+// ---------------------------------------------------------------------------
+server.registerTool("sbom_verify_provenance", {
+    title: "Verify SLSA Provenance",
+    description: `Verify that SLSA provenance matches a certification and artifact content.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        provenance_json: z.string().describe("Provenance JSON to verify"),
+        artifact_content: z.string().optional().describe("Artifact content to verify against. Defaults to certification JSON."),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, provenance_json, artifact_content }) => {
+    try {
+        const certification = await getCertification(project_path, certification_id);
+        if (!certification) {
+            return errorResponse(`Certification ${certification_id} not found`);
+        }
+        const provenance = JSON.parse(provenance_json);
+        const content = artifact_content || JSON.stringify(certification, null, 2);
+        const result = verifyProvenance(provenance, certification, content);
+        return jsonResponse({
+            valid: result.valid,
+            errors: result.errors,
+            certificationId: certification_id,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Failed to verify provenance: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Estimate Cost
+// ---------------------------------------------------------------------------
+server.registerTool("cost_estimate", {
+    title: "Estimate API Cost",
+    description: `Estimate the cost of an API call based on token count or content. Supports Anthropic, OpenAI, and Google models.`,
+    inputSchema: {
+        model: z.string().optional().describe("Model ID (e.g., claude-3.5-sonnet, gpt-4-turbo). Default: claude-3.5-sonnet"),
+        input_tokens: z.number().optional().describe("Number of input tokens"),
+        output_tokens: z.number().optional().describe("Number of output tokens"),
+        content: z.string().optional().describe("Content to estimate tokens for (alternative to input_tokens)"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ model, input_tokens, output_tokens, content }) => {
+    const modelId = (model || "claude-3.5-sonnet");
+    // Get model pricing
+    const pricing = MODEL_PRICING[modelId];
+    if (!pricing) {
+        const supported = getSupportedModels();
+        return errorResponse(`Unknown model: ${modelId}. Supported models: ${supported.join(", ")}`);
+    }
+    // Estimate tokens from content if provided
+    let estimatedInputTokens = input_tokens || 0;
+    if (content && !input_tokens) {
+        // Rough estimate: ~4 chars per token
+        estimatedInputTokens = Math.ceil(content.length / 4);
+    }
+    const estimatedOutputTokens = output_tokens || 0;
+    const estimate = estimateCost(modelId, estimatedInputTokens, estimatedOutputTokens);
+    return jsonResponse({
+        model: modelId,
+        provider: pricing.provider,
+        inputTokens: estimatedInputTokens,
+        outputTokens: estimatedOutputTokens,
+        totalTokens: estimatedInputTokens + estimatedOutputTokens,
+        estimatedCost: formatCost(estimate),
+        breakdown: {
+            inputCost: formatCost((estimatedInputTokens / 1_000_000) * pricing.inputPer1M),
+            outputCost: formatCost((estimatedOutputTokens / 1_000_000) * pricing.outputPer1M),
+        },
+        pricing: {
+            inputPer1M: `$${pricing.inputPer1M}`,
+            outputPer1M: `$${pricing.outputPer1M}`,
+            cachedInputPer1M: pricing.cachedInputPer1M ? `$${pricing.cachedInputPer1M}` : undefined,
+        },
+    });
+});
+// ---------------------------------------------------------------------------
+// Tool: Track API Call Cost
+// ---------------------------------------------------------------------------
+server.registerTool("cost_track", {
+    title: "Track API Call Cost",
+    description: `Record an API call's token usage and cost for a certification. Creates or updates a cost tracker for the certification.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID to track costs for"),
+        model: z.string().describe("Model ID used for the API call"),
+        input_tokens: z.number().describe("Number of input tokens used"),
+        output_tokens: z.number().describe("Number of output tokens used"),
+        cached_tokens: z.number().optional().describe("Number of cached input tokens"),
+        agent: z.string().optional().describe("Agent name making the call"),
+        operation: z.string().optional().describe("Operation description"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, model, input_tokens, output_tokens, cached_tokens, agent, operation }) => {
+    try {
+        const modelId = model;
+        // Verify model is supported
+        if (!MODEL_PRICING[modelId]) {
+            const supported = getSupportedModels();
+            return errorResponse(`Unknown model: ${modelId}. Supported: ${supported.join(", ")}`);
+        }
+        // Get or create tracker
+        const tracker = getTracker(certification_id, project_path);
+        // Record the call
+        const record = tracker.recordCall(modelId, {
+            inputTokens: input_tokens,
+            outputTokens: output_tokens,
+            cachedInputTokens: cached_tokens,
+            totalTokens: input_tokens + output_tokens + (cached_tokens || 0),
+        }, {
+            agent,
+            operation,
+        });
+        // Check budget
+        try {
+            tracker.checkBudget();
+        }
+        catch (budgetError) {
+            // Budget exceeded, persist state and report
+            await tracker.persist();
+            return jsonResponse({
+                recorded: true,
+                budgetExceeded: true,
+                error: budgetError instanceof Error ? budgetError.message : String(budgetError),
+                record: {
+                    id: record.id,
+                    cost: formatCost(record.cost.totalCost),
+                    tokens: formatTokens(record.usage.totalTokens),
+                },
+                summary: tracker.generateCompactSummary(),
+            });
+        }
+        // Persist state
+        await tracker.persist();
+        return jsonResponse({
+            recorded: true,
+            budgetExceeded: false,
+            record: {
+                id: record.id,
+                model: record.model,
+                cost: formatCost(record.cost.totalCost),
+                tokens: formatTokens(record.usage.totalTokens),
+                agent: record.agent,
+            },
+            summary: tracker.generateCompactSummary(),
+        });
+    }
+    catch (error) {
+        return errorResponse(`Failed to track cost: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Get Cost Status
+// ---------------------------------------------------------------------------
+server.registerTool("cost_status", {
+    title: "Get Cost Status",
+    description: `Get current cost tracking status for a certification, including budget status and usage summary.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID to get status for"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id }) => {
+    try {
+        const tracker = getTracker(certification_id, project_path);
+        // Try to load existing state
+        await tracker.load();
+        const summary = tracker.getSummary();
+        const status = tracker.getStatus();
+        const budget = tracker.getBudget();
+        return jsonResponse({
+            certificationId: certification_id,
+            summary: {
+                totalCost: formatCost(summary.totalCost),
+                totalTokens: formatTokens(summary.totalInputTokens + summary.totalOutputTokens),
+                inputTokens: formatTokens(summary.totalInputTokens),
+                outputTokens: formatTokens(summary.totalOutputTokens),
+                cachedTokens: formatTokens(summary.totalCachedTokens),
+                totalCalls: summary.totalCalls,
+                startedAt: summary.startedAt,
+                updatedAt: summary.updatedAt,
+            },
+            budget: {
+                maxCost: budget.maxCost ? formatCost(budget.maxCost) : "unlimited",
+                maxTokens: budget.maxTotalTokens ? formatTokens(budget.maxTotalTokens) : "unlimited",
+                maxCalls: budget.maxCalls || "unlimited",
+                warnAtPercent: budget.warnAtPercent,
+                abortOnExceeded: budget.abortOnExceeded,
+            },
+            status: {
+                withinBudget: status.withinBudget,
+                costUsedPercent: `${status.costUsedPercent.toFixed(1)}%`,
+                warnings: status.warnings,
+                exceeded: status.exceeded,
+            },
+            compactSummary: tracker.generateCompactSummary(),
+        });
+    }
+    catch (error) {
+        return errorResponse(`Failed to get cost status: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Generate Cost Report
+// ---------------------------------------------------------------------------
+server.registerTool("cost_report", {
+    title: "Generate Cost Report",
+    description: `Generate a detailed cost report for a certification, including breakdown by model and agent.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID to generate report for"),
+        output_format: z.enum(["markdown", "json"]).optional().describe("Output format. Default: markdown"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, output_format }) => {
+    try {
+        const tracker = getTracker(certification_id, project_path);
+        // Try to load existing state
+        const loaded = await tracker.load();
+        if (!loaded) {
+            return errorResponse(`No cost tracking data found for certification ${certification_id}`);
+        }
+        if (output_format === "json") {
+            const state = tracker.getState();
+            return jsonResponse({
+                certificationId: state.certificationId,
+                summary: state.summary,
+                budget: state.budget,
+                status: state.status,
+                callCount: state.calls.length,
+            });
+        }
+        return textResponse(tracker.generateReport());
+    }
+    catch (error) {
+        return errorResponse(`Failed to generate cost report: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Set Budget Configuration
+// ---------------------------------------------------------------------------
+server.registerTool("cost_budget", {
+    title: "Configure Cost Budget",
+    description: `Set or get budget configuration for cost tracking. Can set limits on total cost, tokens, or API calls.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID to configure budget for"),
+        max_cost: z.number().optional().describe("Maximum cost in dollars. Default: 10.00"),
+        max_tokens: z.number().optional().describe("Maximum total tokens"),
+        max_calls: z.number().optional().describe("Maximum API calls"),
+        warn_at_percent: z.number().optional().describe("Warn when budget used exceeds this percent. Default: 80"),
+        abort_on_exceeded: z.boolean().optional().describe("Abort certification when budget exceeded. Default: true"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, max_cost, max_tokens, max_calls, warn_at_percent, abort_on_exceeded }) => {
+    try {
+        const tracker = getTracker(certification_id, project_path);
+        // Try to load existing state
+        await tracker.load();
+        // Update budget if any values provided
+        const updates = {};
+        if (max_cost !== undefined)
+            updates.maxCost = max_cost;
+        if (max_tokens !== undefined)
+            updates.maxTotalTokens = max_tokens;
+        if (max_calls !== undefined)
+            updates.maxCalls = max_calls;
+        if (warn_at_percent !== undefined)
+            updates.warnAtPercent = warn_at_percent;
+        if (abort_on_exceeded !== undefined)
+            updates.abortOnExceeded = abort_on_exceeded;
+        if (Object.keys(updates).length > 0) {
+            tracker.setBudget(updates);
+            await tracker.persist();
+        }
+        const budget = tracker.getBudget();
+        const status = tracker.getStatus();
+        return jsonResponse({
+            certificationId: certification_id,
+            budget: {
+                maxCost: budget.maxCost ? formatCost(budget.maxCost) : "unlimited",
+                maxTokens: budget.maxTotalTokens ? formatTokens(budget.maxTotalTokens) : "unlimited",
+                maxCalls: budget.maxCalls || "unlimited",
+                warnAtPercent: budget.warnAtPercent,
+                abortOnExceeded: budget.abortOnExceeded,
+            },
+            currentStatus: {
+                withinBudget: status.withinBudget,
+                costUsedPercent: `${status.costUsedPercent.toFixed(1)}%`,
+                warnings: status.warnings,
+            },
+            updated: Object.keys(updates).length > 0,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Failed to configure budget: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: List Supported Models
+// ---------------------------------------------------------------------------
+server.registerTool("cost_models", {
+    title: "List Supported Models",
+    description: `List all supported models and their pricing for cost tracking.`,
+    inputSchema: {
+        provider: z.enum(["anthropic", "openai", "google"]).optional().describe("Filter by provider"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ provider }) => {
+    const models = getSupportedModels();
+    const modelList = models
+        .filter((modelId) => {
+        if (!provider)
+            return true;
+        const pricing = MODEL_PRICING[modelId];
+        return pricing?.provider === provider;
+    })
+        .map((modelId) => {
+        const pricing = MODEL_PRICING[modelId];
+        return {
+            id: modelId,
+            provider: pricing.provider,
+            inputPer1M: `$${pricing.inputPer1M}`,
+            outputPer1M: `$${pricing.outputPer1M}`,
+            cachedInputPer1M: pricing.cachedInputPer1M ? `$${pricing.cachedInputPer1M}` : undefined,
+        };
+    });
+    return jsonResponse({
+        totalModels: modelList.length,
+        models: modelList,
+    });
+});
+// ---------------------------------------------------------------------------
+// Tool: Record Findings for Consensus Aggregation
+// ---------------------------------------------------------------------------
+// NOTE: These tools aggregate findings from EXTERNAL model runs. They do NOT
+// call LLM APIs directly. Run agents externally, then record results here.
+server.registerTool("consensus_record", {
+    title: "Record Findings for Consensus",
+    description: `Record findings from an EXTERNAL agent run for consensus aggregation. This tool does NOT call LLM APIs - you must run agents separately (via MCP client, API, etc.) and record the results here. Call once per model/agent combination.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        agent: z.enum(["security", "reliability", "typesafety", "performance", "quality", "redteam"]).describe("Agent type"),
+        model: z.string().describe("Model ID (e.g., claude-3.5-sonnet, gpt-4-turbo, gemini-1.5-pro)"),
+        findings: z.array(z.object({
+            id: z.string(),
+            description: z.string(),
+            severity: z.enum(["critical", "high", "medium", "low", "info"]),
+            category: z.string(),
+            evidence: z.string().optional(),
+            file: z.string().optional(),
+            line: z.number().optional(),
+            confidence: z.number().optional(),
+        })).describe("Findings from this model run"),
+        duration: z.number().describe("Duration in milliseconds"),
+        input_tokens: z.number().describe("Input tokens used"),
+        output_tokens: z.number().describe("Output tokens used"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ certification_id, agent, model, findings, duration, input_tokens, output_tokens }) => {
+    try {
+        const runner = getRunner();
+        const result = runner.recordResult(certification_id, agent, model, findings.map((f) => ({
+            id: f.id,
+            description: f.description,
+            severity: f.severity,
+            category: f.category,
+            evidence: f.evidence || "",
+            file: f.file,
+            line: f.line,
+            confidence: f.confidence ?? 80,
+            verifications: [],
+            created_at: new Date().toISOString(),
+        })), {
+            duration,
+            inputTokens: input_tokens,
+            outputTokens: output_tokens,
+        });
+        const hasEnough = runner.hasEnoughResults(certification_id, agent);
+        return jsonResponse({
+            recorded: true,
+            model: result.model,
+            provider: result.provider,
+            findings: result.findings.length,
+            cost: formatCost(result.cost),
+            tokens: formatTokens(result.tokens.total),
+            hasEnoughForConsensus: hasEnough,
+            message: hasEnough
+                ? "Ready to calculate multi-model consensus"
+                : "Need more model results for consensus",
+        });
+    }
+    catch (error) {
+        return errorResponse(`Failed to record result: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Calculate Consensus from Recorded Findings
+// ---------------------------------------------------------------------------
+server.registerTool("consensus_calculate", {
+    title: "Calculate Consensus",
+    description: `Calculate consensus from previously recorded findings (via consensus_record). Uses Fleiss' kappa for inter-rater reliability. Identifies agreements, disagreements, and merges findings with confidence scores.`,
+    inputSchema: {
+        certification_id: z.string().describe("Certification ID"),
+        agent: z.enum(["security", "reliability", "typesafety", "performance", "quality", "redteam"]).describe("Agent type"),
+        match_threshold: z.number().optional().describe("Threshold for matching findings (0-100). Default: 70"),
+        require_majority: z.boolean().optional().describe("Only include findings with majority agreement. Default: false"),
+        output_format: z.enum(["json", "markdown"]).optional().describe("Output format. Default: json"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ certification_id, agent, match_threshold, require_majority, output_format }) => {
+    try {
+        const runner = getRunner();
+        const consensus = runner.calculateConsensus(certification_id, agent, { matchThreshold: match_threshold, requireMajority: require_majority });
+        if (!consensus) {
+            return errorResponse(`No results found for ${certification_id}/${agent}. Record model results first.`);
+        }
+        if (output_format === "markdown") {
+            return textResponse(runner.generateReport(certification_id, agent));
+        }
+        return jsonResponse({
+            certificationId: consensus.certificationId,
+            agent: consensus.agent,
+            models: consensus.models,
+            metrics: {
+                agreementRate: `${consensus.metrics.agreementRate}%`,
+                fleissKappa: consensus.metrics.fleissKappa,
+                reliability: interpretKappa(consensus.metrics.fleissKappa),
+                unanimousFindings: consensus.metrics.unanimousFindings,
+                majorityFindings: consensus.metrics.majorityFindings,
+                disputedFindings: consensus.metrics.disputedFindings,
+                uniqueFindings: consensus.metrics.uniqueFindings,
+            },
+            disagreements: consensus.disagreements.length,
+            mergedFindings: consensus.mergedFindings.length,
+            bySeverity: consensus.metrics.bySeverity,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Failed to calculate consensus: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Get Disagreements from Consensus
+// ---------------------------------------------------------------------------
+server.registerTool("consensus_disagreements", {
+    title: "Get Disagreements",
+    description: `Get detailed disagreements from recorded findings. Shows where different runs/models produced conflicting results. Useful for manual review.`,
+    inputSchema: {
+        certification_id: z.string().describe("Certification ID"),
+        agent: z.enum(["security", "reliability", "typesafety", "performance", "quality", "redteam"]).describe("Agent type"),
+        severity_filter: z.enum(["high", "medium", "low"]).optional().describe("Filter by disagreement severity"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ certification_id, agent, severity_filter }) => {
+    try {
+        const runner = getRunner();
+        const consensus = runner.calculateConsensus(certification_id, agent);
+        if (!consensus) {
+            return errorResponse(`No results found for ${certification_id}/${agent}`);
+        }
+        let disagreements = consensus.disagreements;
+        if (severity_filter) {
+            disagreements = disagreements.filter((d) => d.severity === severity_filter);
+        }
+        return jsonResponse({
+            certificationId: certification_id,
+            agent,
+            totalDisagreements: consensus.disagreements.length,
+            filtered: disagreements.length,
+            disagreements: disagreements.map((d) => ({
+                type: d.type,
+                findingId: d.findingId,
+                severity: d.severity,
+                models: d.models,
+                values: d.details.values,
+                resolution: d.details.resolution,
+            })),
+        });
+    }
+    catch (error) {
+        return errorResponse(`Failed to get disagreements: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Get Merged Findings from Consensus
+// ---------------------------------------------------------------------------
+server.registerTool("consensus_merged", {
+    title: "Get Merged Findings",
+    description: `Get deduplicated findings after consensus calculation. Returns high-confidence findings that were agreed upon by multiple recorded runs.`,
+    inputSchema: {
+        certification_id: z.string().describe("Certification ID"),
+        agent: z.enum(["security", "reliability", "typesafety", "performance", "quality", "redteam"]).describe("Agent type"),
+        require_majority: z.boolean().optional().describe("Only include findings with majority agreement. Default: true"),
+        min_confidence: z.number().optional().describe("Minimum confidence score (0-100). Default: 50"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ certification_id, agent, require_majority, min_confidence }) => {
+    try {
+        const runner = getRunner();
+        const consensus = runner.calculateConsensus(certification_id, agent, { requireMajority: require_majority ?? true });
+        if (!consensus) {
+            return errorResponse(`No results found for ${certification_id}/${agent}`);
+        }
+        let findings = consensus.mergedFindings;
+        if (min_confidence !== undefined) {
+            findings = findings.filter((f) => (f.confidence ?? 0) >= min_confidence);
+        }
+        return jsonResponse({
+            certificationId: certification_id,
+            agent,
+            models: consensus.models,
+            totalMerged: consensus.mergedFindings.length,
+            filtered: findings.length,
+            agreementRate: `${consensus.metrics.agreementRate}%`,
+            findings: findings.map((f) => ({
+                id: f.id,
+                description: f.description,
+                severity: f.severity,
+                category: f.category,
+                file: f.file,
+                line: f.line,
+                confidence: f.confidence,
+            })),
+        });
+    }
+    catch (error) {
+        return errorResponse(`Failed to get merged findings: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Consensus Summary
+// ---------------------------------------------------------------------------
+server.registerTool("consensus_summary", {
+    title: "Consensus Summary",
+    description: `Get a summary of consensus results from recorded findings. Includes agreement rates, Fleiss' kappa reliability, and cost tracking.`,
+    inputSchema: {
+        certification_id: z.string().describe("Certification ID"),
+        agent: z.enum(["security", "reliability", "typesafety", "performance", "quality", "redteam"]).describe("Agent type"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ certification_id, agent }) => {
+    try {
+        const runner = getRunner();
+        const summary = runner.generateSummary(certification_id, agent);
+        if (!summary) {
+            return errorResponse(`No results found for ${certification_id}/${agent}`);
+        }
+        return jsonResponse({
+            certificationId: certification_id,
+            agent,
+            models: {
+                total: summary.totalModels,
+                successful: summary.successfulModels,
+            },
+            findings: {
+                total: summary.totalFindings,
+                unique: summary.uniqueFindings,
+                highConfidence: summary.highConfidenceFindings,
+                disputed: summary.disputedFindings,
+            },
+            consensus: {
+                agreementRate: `${summary.agreementRate}%`,
+                reliability: summary.reliability,
+                interpretation: interpretKappa(summary.reliability),
+            },
+            cost: {
+                total: formatCost(summary.totalCost),
+                tokens: formatTokens(summary.totalTokens),
+            },
+        });
+    }
+    catch (error) {
+        return errorResponse(`Failed to get summary: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: List Model Configurations
+// ---------------------------------------------------------------------------
+server.registerTool("consensus_models", {
+    title: "List Model Configurations",
+    description: `List model configurations for consensus aggregation. These are models you can record results from - this tool does NOT run models.`,
+    inputSchema: {
+        enabled_only: z.boolean().optional().describe("Only show enabled models. Default: false"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ enabled_only }) => {
+    const runner = getRunner();
+    let models = enabled_only ? runner.getEnabledModels() : DEFAULT_MODELS;
+    return jsonResponse({
+        totalModels: models.length,
+        models: models.map((m) => ({
+            id: m.id,
+            provider: formatProvider(m.provider),
+            weight: m.weight ?? 1.0,
+            enabled: m.enabled ?? true,
+        })),
+        recommended: DEFAULT_MODELS.map((m) => m.id),
+    });
+});
+// ---------------------------------------------------------------------------
+// Tool: Clear Recorded Results
+// ---------------------------------------------------------------------------
+server.registerTool("consensus_clear", {
+    title: "Clear Recorded Results",
+    description: `Clear previously recorded findings for a certification. Use before re-recording results for fresh consensus calculation.`,
+    inputSchema: {
+        certification_id: z.string().describe("Certification ID"),
+        agent: z.enum(["security", "reliability", "typesafety", "performance", "quality", "redteam"]).optional().describe("Specific agent to clear, or all if not specified"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: true,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ certification_id, agent }) => {
+    try {
+        const runner = getRunner();
+        runner.clearResults(certification_id, agent);
+        return jsonResponse({
+            cleared: true,
+            certificationId: certification_id,
+            agent: agent || "all",
+        });
+    }
+    catch (error) {
+        return errorResponse(`Failed to clear results: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+/**
+ * Interpret Fleiss' kappa value
+ */
+function interpretKappa(kappa) {
+    if (kappa < 0)
+        return "Poor (less than chance)";
+    if (kappa < 0.2)
+        return "Slight";
+    if (kappa < 0.4)
+        return "Fair";
+    if (kappa < 0.6)
+        return "Moderate";
+    if (kappa < 0.8)
+        return "Substantial";
+    return "Almost Perfect";
+}
+// ===========================================================================
+// M6: Agent & MCP Security Certification Tools
+// ===========================================================================
+// ---------------------------------------------------------------------------
+// Tool: Agent Cert Scan - Full agent system certification
+// ---------------------------------------------------------------------------
+server.registerTool("agent_cert_scan", {
+    title: "Run Agent System Certification",
+    description: `Full agent-system security certification against MCP servers and AI tool chains.
+
+Runs all 8 agent scanners:
+- Manifest Audit: Validates MCP manifest security (hints, schemas, origins)
+- Tool Description Drift: Detects silent changes to tool definitions ("rug-pull detector")
+- Prompt Injection Fuzzer: Tests tools against 200+ injection payloads
+- Exfiltration Path Graph: Maps secret→network data flow paths
+- Permission Minimiser: Proposes tightened permissions based on actual usage
+- Supply Chain MCP: CVE scan, license compliance, typosquatting detection
+- Sandbox Audit: Detects sandbox escapes (eval, child_process, etc.)
+- Credential Scope Audit: Checks for over-scoped tokens and credentials
+
+Maps findings to AI compliance frameworks (OWASP LLM, NIST AI RMF, EU AI Act).`,
+    inputSchema: {
+        target: z.string().describe("MCP server URL, config file path, or npm package name"),
+        certification_id: z.string().optional().describe("Existing certification ID to add findings to"),
+        scanners: z.array(z.enum([
+            "manifest-audit",
+            "tool-description-drift",
+            "prompt-injection-fuzzer",
+            "exfil-path-graph",
+            "permission-minimiser",
+            "supply-chain-mcp",
+            "sandbox-audit",
+            "credential-scope-audit",
+        ])).optional().describe("Specific scanners to run (default: all)"),
+        frameworks: z.array(z.enum([
+            "OWASP-LLM",
+            "NIST-AI-RMF",
+            "MITRE-ATLAS",
+            "EU-AI-ACT",
+            "ISO-42001",
+        ])).optional().describe("AI compliance frameworks to map findings against"),
+        authorized: z.boolean().describe("Explicit authorization for scanning (required)"),
+        source_path: z.string().optional().describe("Path to MCP server source code for sandbox audit"),
+        traces_dir: z.string().optional().describe("Path to tool usage traces for permission analysis"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: true,
+    },
+}, async ({ target, certification_id, scanners, frameworks, authorized, source_path, traces_dir }) => {
+    if (!authorized) {
+        return errorResponse("Agent scanning requires explicit authorization. Set authorized=true to confirm you have permission to scan this target.");
+    }
+    try {
+        // Build scan target
+        const scanTarget = {};
+        if (target.startsWith("http://") || target.startsWith("https://")) {
+            scanTarget.url = target;
+        }
+        else if (target.endsWith(".json")) {
+            scanTarget.configFile = target;
+        }
+        else if (target.includes("/") || target.includes("\\")) {
+            scanTarget.configFile = target;
+        }
+        else {
+            scanTarget.npmPackage = target;
+        }
+        // Build scanner options
+        const enabledScanners = scanners || AGENT_SCANNER_TYPES;
+        const scannerFlags = {
+            manifestAudit: enabledScanners.includes("manifest-audit"),
+            toolDrift: enabledScanners.includes("tool-description-drift"),
+            promptInjection: enabledScanners.includes("prompt-injection-fuzzer"),
+            exfilPath: enabledScanners.includes("exfil-path-graph"),
+            permissionMinimiser: enabledScanners.includes("permission-minimiser"),
+            supplyChain: enabledScanners.includes("supply-chain-mcp"),
+            sandboxAudit: enabledScanners.includes("sandbox-audit"),
+            credentialScope: enabledScanners.includes("credential-scope-audit"),
+        };
+        const options = {
+            target: scanTarget,
+            authorized: true,
+            scanners: scannerFlags,
+            sandboxSourcePath: source_path,
+            tracesDir: traces_dir,
+        };
+        // Run agent scanners
+        const result = await runAgentScanners(options);
+        // Flatten all findings from scanners
+        const allFindings = result.scanners.flatMap((s) => s.findings);
+        // Generate compliance mapping if frameworks specified
+        let complianceMapping;
+        if (frameworks && frameworks.length > 0) {
+            complianceMapping = {};
+            for (const fw of frameworks) {
+                const controls = getAIFrameworkControls(fw);
+                const meta = AI_FRAMEWORKS_METADATA[fw];
+                complianceMapping[fw] = {
+                    framework: meta?.name || fw,
+                    version: meta?.version,
+                    controlCount: controls.length,
+                    relevantFindings: allFindings.filter((f) => controls.some((c) => c.findingCategories.includes(f.ruleId.split(":")[0]))).length,
+                };
+            }
+        }
+        // Generate summary
+        const summary = generateAgentScannerSummary(result);
+        return jsonResponse({
+            success: result.allSucceeded,
+            target,
+            certificationId: certification_id,
+            manifestHash: result.manifestHash,
+            mcpServer: result.manifest?.name,
+            mcpVersion: result.manifest?.version,
+            duration: result.totalDuration,
+            timestamp: result.timestamp,
+            scannersRun: result.scanners.map((s) => s.scanner),
+            scannersFailed: result.failedScanners,
+            totalFindings: result.totalFindings,
+            bySeverity: result.bySeverity,
+            byScanner: result.byScanner,
+            riskScore: result.riskScore,
+            certificationReadiness: result.certificationReadiness,
+            complianceMapping,
+            summary,
+            findings: allFindings.slice(0, 50), // First 50 findings
+            hasMore: allFindings.length > 50,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Agent certification failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Agent Cert Fuzz - Fast prompt injection fuzzing
+// ---------------------------------------------------------------------------
+server.registerTool("agent_cert_fuzz", {
+    title: "Run Prompt Injection Fuzzer",
+    description: `Quick CI-friendly prompt injection fuzzing for MCP tools.
+
+Tests tool inputs against injection payloads to detect:
+- Direct instruction overrides ("Ignore previous instructions...")
+- Indirect injections via file/URL content
+- Exfiltration attempts ("Send to http://...")
+- Jailbreaks and safety bypasses
+- Unicode obfuscation and homoglyphs
+
+Corpus sizes:
+- quick: ~50 payloads (<30s)
+- standard: ~100 payloads (~60s)
+- thorough: 200+ payloads (~2min)`,
+    inputSchema: {
+        target: z.string().describe("MCP server config file, URL, or npm package"),
+        corpus: z.enum(["quick", "standard", "thorough"]).default("quick").describe("Payload corpus size"),
+        custom_payloads: z.string().optional().describe("Path to custom payload file (JSON array)"),
+        authorized: z.boolean().describe("Explicit authorization for fuzzing (required)"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: true,
+    },
+}, async ({ target, corpus, custom_payloads, authorized }) => {
+    if (!authorized) {
+        return errorResponse("Fuzzing requires explicit authorization. Set authorized=true to confirm you have permission to test this target.");
+    }
+    try {
+        // Build scan target
+        const scanTarget = {};
+        if (target.startsWith("http://") || target.startsWith("https://")) {
+            scanTarget.url = target;
+        }
+        else if (target.endsWith(".json")) {
+            scanTarget.configFile = target;
+        }
+        else {
+            scanTarget.npmPackage = target;
+        }
+        // Discover manifest
+        const manifest = await discoverManifest(scanTarget);
+        if (!manifest) {
+            return errorResponse("Could not discover MCP manifest from target");
+        }
+        // Run fuzzer
+        const result = await runPromptInjectionFuzzer(manifest, {
+            corpus: corpus,
+            customCorpus: custom_payloads,
+        });
+        const passedCount = result.findings.filter((f) => f.severity === "info").length;
+        const failedCount = result.findings.filter((f) => f.severity !== "info").length;
+        return jsonResponse({
+            success: result.success,
+            target,
+            corpus,
+            duration: result.duration,
+            mcpServer: result.mcpServerName,
+            toolsTested: manifest.tools.length,
+            totalTests: passedCount + failedCount,
+            passed: passedCount,
+            failed: failedCount,
+            passRate: ((passedCount / (passedCount + failedCount)) * 100).toFixed(1) + "%",
+            findings: result.findings.filter((f) => f.severity !== "info").slice(0, 20),
+            recommendation: failedCount === 0
+                ? "All injection tests passed. Consider running 'thorough' corpus for comprehensive coverage."
+                : `${failedCount} injection(s) detected. Review findings and implement input validation.`,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Fuzzing failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Agent Cert Attest - Generate signed attestation bundle
+// ---------------------------------------------------------------------------
+server.registerTool("agent_cert_attest", {
+    title: "Generate Signed Attestation",
+    description: `Create a Sigstore-signed attestation bundle for agent certification.
+
+The attestation includes:
+- Manifest hash (SHA-256)
+- Scanner results summary
+- Compliance mapping
+- Sigstore signature (keyless)
+- in-toto provenance statement
+
+Attestation can be verified with: cosign verify-blob`,
+    inputSchema: {
+        certification_id: z.string().describe("Certification ID from agent_cert_scan"),
+        project_path: z.string().describe("Path to MCP server project"),
+        output_file: z.string().optional().describe("Output path for attestation bundle (default: .vaspera/attestations/)"),
+        include_findings: z.boolean().optional().describe("Include finding details in attestation (default: false)"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ certification_id, project_path, output_file, include_findings }) => {
+    try {
+        // Check if signing is available
+        const signingAvailable = await isSigningAvailable();
+        if (!signingAvailable) {
+            return errorResponse("Sigstore signing not available. Ensure you have @sigstore/sign installed and network access to Fulcio/Rekor.");
+        }
+        // Get certification data
+        const cert = await getCertification(project_path, certification_id);
+        if (!cert) {
+            return errorResponse(`Certification not found: ${certification_id}`);
+        }
+        // Build attestation payload
+        const attestation = {
+            _type: "https://in-toto.io/Statement/v0.1",
+            predicateType: "https://vaspera.dev/attestation/agent-cert/v1",
+            subject: [{
+                    name: cert.metadata.project_name,
+                    digest: { sha256: cert.metadata.project_hash || "unknown" },
+                }],
+            predicate: {
+                certificationId: certification_id,
+                certificationLevel: cert.consensus?.certification_level || "REVIEW_REQUIRED",
+                score: cert.consensus?.overall_score || 0,
+                timestamp: new Date().toISOString(),
+                expiresAt: cert.metadata.expires_at,
+                scannersRun: cert.metadata.scanners_run,
+                findingsCount: cert.metadata.scanner_findings_count,
+                bySeverity: cert.consensus?.by_severity,
+                agentsCompleted: cert.metadata.agents_completed,
+                ...(include_findings ? { findings: Object.values(cert.agents).flatMap((a) => a?.findings || []).slice(0, 100) } : {}),
+            },
+        };
+        // Sign the attestation
+        const attestationJson = JSON.stringify(attestation, null, 2);
+        const signature = await signContent(attestationJson);
+        // Build output path
+        const attestDir = join(project_path, ".vaspera", "attestations");
+        await mkdir(attestDir, { recursive: true });
+        const outputPath = output_file || join(attestDir, `${certification_id}.sigstore.json`);
+        // Create bundle
+        const bundle = {
+            attestation,
+            signature,
+            signedAt: new Date().toISOString(),
+            verifyWith: "cosign verify-blob --certificate-identity-regexp=.* --certificate-oidc-issuer-regexp=.*",
+        };
+        await writeFile(outputPath, JSON.stringify(bundle, null, 2));
+        return jsonResponse({
+            success: true,
+            certificationId: certification_id,
+            attestationPath: outputPath,
+            certificationLevel: cert.consensus?.certification_level,
+            score: cert.consensus?.overall_score,
+            signedAt: bundle.signedAt,
+            expiresAt: cert.metadata.expires_at,
+            verifyCommand: `cosign verify-blob --bundle ${outputPath}`,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Attestation generation failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Agent Cert Verify - Verify attestation against live server
+// ---------------------------------------------------------------------------
+server.registerTool("agent_cert_verify", {
+    title: "Verify Attestation Bundle",
+    description: `Verify an attestation bundle against a live MCP server.
+
+Checks:
+- Sigstore signature validity
+- Manifest drift from attested state
+- Certification expiration
+- Revocation status (if applicable)
+
+Returns verification status and any detected changes.`,
+    inputSchema: {
+        attestation: z.string().describe("Path to attestation bundle (.sigstore.json)"),
+        target: z.string().describe("Live MCP server config, URL, or package to verify against"),
+        strict: z.boolean().optional().describe("Fail on any drift, not just security-relevant changes (default: false)"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: true,
+    },
+}, async ({ attestation, target, strict }) => {
+    try {
+        // Load attestation
+        const attestationContent = await safeReadFile(attestation);
+        if (!attestationContent) {
+            return errorResponse(`Attestation file not found: ${attestation}`);
+        }
+        const bundle = JSON.parse(attestationContent);
+        const attestedData = bundle.attestation;
+        // Verify signature (basic check - full Sigstore verification requires cosign)
+        if (!bundle.signature) {
+            return jsonResponse({
+                verified: false,
+                error: "Attestation is unsigned",
+                recommendation: "Re-generate attestation with agent_cert_attest",
+            });
+        }
+        // Check expiration
+        const expiresAt = attestedData.predicate?.expiresAt;
+        const isExpired = expiresAt ? new Date(expiresAt) < new Date() : false;
+        // Discover current manifest
+        const scanTarget = {};
+        if (target.startsWith("http://") || target.startsWith("https://")) {
+            scanTarget.url = target;
+        }
+        else if (target.endsWith(".json")) {
+            scanTarget.configFile = target;
+        }
+        else {
+            scanTarget.npmPackage = target;
+        }
+        const currentManifest = await discoverManifest(scanTarget);
+        if (!currentManifest) {
+            return errorResponse("Could not discover current MCP manifest from target");
+        }
+        // Compare manifests (basic drift detection)
+        const attestedSubject = attestedData.subject?.[0];
+        const attestedName = attestedSubject?.name;
+        const attestedHash = attestedSubject?.digest?.sha256;
+        const driftDetected = [];
+        if (attestedName && attestedName !== currentManifest.name) {
+            driftDetected.push(`Server name changed: ${attestedName} → ${currentManifest.name}`);
+        }
+        // Simple tool count check (full drift detection via tool-description-drift scanner)
+        const attestedToolCount = attestedData.predicate?.toolCount;
+        if (attestedToolCount && attestedToolCount !== currentManifest.tools.length) {
+            driftDetected.push(`Tool count changed: ${attestedToolCount} → ${currentManifest.tools.length}`);
+        }
+        const verified = !isExpired && (driftDetected.length === 0 || !strict);
+        return jsonResponse({
+            verified,
+            attestation: {
+                certificationId: attestedData.predicate?.certificationId,
+                certificationLevel: attestedData.predicate?.certificationLevel,
+                score: attestedData.predicate?.score,
+                signedAt: bundle.signedAt,
+                expiresAt,
+            },
+            checks: {
+                signaturePresent: !!bundle.signature,
+                expired: isExpired,
+                driftDetected: driftDetected.length > 0,
+                driftDetails: driftDetected,
+            },
+            currentServer: {
+                name: currentManifest.name,
+                version: currentManifest.version,
+                toolCount: currentManifest.tools.length,
+            },
+            recommendation: isExpired
+                ? "Attestation expired. Run agent_cert_scan and agent_cert_attest to renew."
+                : driftDetected.length > 0
+                    ? "Drift detected. Run agent_cert_scan to re-certify current state."
+                    : "Attestation valid. Server matches certified state.",
+        });
+    }
+    catch (error) {
+        return errorResponse(`Verification failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Agent Cert Watch - Continuous monitoring with webhooks
+// ---------------------------------------------------------------------------
+server.registerTool("agent_cert_watch", {
+    title: "Continuous Agent Monitoring",
+    description: `Subscribe to tool-use telemetry and detect drift in MCP servers.
+
+Monitors for:
+- Manifest changes (tool additions/removals/modifications)
+- Unusual tool invocation patterns
+- Permission escalation attempts
+- Certification expiration warnings
+
+Note: This tool sets up monitoring configuration. Actual continuous monitoring
+requires a separate daemon process or integration with your observability stack.`,
+    inputSchema: {
+        target: z.string().describe("MCP server config, URL, or package to monitor"),
+        project_path: z.string().describe("Project path for storing monitoring config"),
+        webhook_url: z.string().optional().describe("Webhook URL for drift notifications"),
+        interval_minutes: z.number().optional().describe("Check interval in minutes (default: 60)"),
+        alert_on: z.array(z.enum([
+            "manifest-drift",
+            "tool-drift",
+            "permission-change",
+            "expiration-warning",
+            "security-finding",
+        ])).optional().describe("Events to alert on"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: true,
+    },
+}, async ({ target, project_path, webhook_url, interval_minutes, alert_on }) => {
+    try {
+        // Build scan target and discover manifest
+        const scanTarget = {};
+        if (target.startsWith("http://") || target.startsWith("https://")) {
+            scanTarget.url = target;
+        }
+        else if (target.endsWith(".json")) {
+            scanTarget.configFile = target;
+        }
+        else {
+            scanTarget.npmPackage = target;
+        }
+        const manifest = await discoverManifest(scanTarget);
+        if (!manifest) {
+            return errorResponse("Could not discover MCP manifest from target");
+        }
+        // Create monitoring config
+        const monitoringConfig = {
+            version: "1.0.0",
+            target,
+            mcpServer: manifest.name,
+            mcpVersion: manifest.version,
+            createdAt: new Date().toISOString(),
+            interval: interval_minutes || 60,
+            webhookUrl: webhook_url,
+            alertOn: alert_on || ["manifest-drift", "security-finding", "expiration-warning"],
+            baseline: {
+                toolCount: manifest.tools.length,
+                tools: manifest.tools.map((t) => ({
+                    name: t.name,
+                    hash: Buffer.from(JSON.stringify({ name: t.name, description: t.description })).toString("base64").slice(0, 16),
+                })),
+                capturedAt: new Date().toISOString(),
+            },
+        };
+        // Save config
+        const configDir = join(project_path, ".vaspera", "monitoring");
+        await mkdir(configDir, { recursive: true });
+        const configPath = join(configDir, `${manifest.name.replace(/[^a-zA-Z0-9]/g, "-")}.json`);
+        await writeFile(configPath, JSON.stringify(monitoringConfig, null, 2));
+        return jsonResponse({
+            success: true,
+            target,
+            mcpServer: manifest.name,
+            configPath,
+            interval: `${interval_minutes || 60} minutes`,
+            webhookConfigured: !!webhook_url,
+            alertEvents: monitoringConfig.alertOn,
+            baseline: {
+                toolCount: manifest.tools.length,
+                capturedAt: monitoringConfig.baseline.capturedAt,
+            },
+            nextSteps: [
+                "Run a cron job or daemon to execute drift checks at the configured interval",
+                "Use agent_cert_verify with the attestation to check for drift",
+                "Integrate webhook notifications with your alerting system (Slack, PagerDuty, etc.)",
+            ],
+            exampleCron: `*/${interval_minutes || 60} * * * * cd ${project_path} && npx vaspera agent-check ${target}`,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Watch setup failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Agent Scanners Available - Check which scanners are installed
+// ---------------------------------------------------------------------------
+server.registerTool("agent_scanners_available", {
+    title: "Check Agent Scanners",
+    description: `Check which agent security scanners are available and their versions.`,
+    inputSchema: {},
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async () => {
+    try {
+        const availability = await checkAgentScannersAvailable();
+        const available = availability.filter((a) => a.available);
+        const unavailable = availability.filter((a) => !a.available);
+        return jsonResponse({
+            totalScanners: AGENT_SCANNER_TYPES.length,
+            available: available.length,
+            unavailable: unavailable.length,
+            scanners: availability.map((a) => ({
+                scanner: a.scanner,
+                available: a.available,
+                version: a.version,
+                error: a.error,
+            })),
+            aiFrameworks: Object.entries(AI_FRAMEWORKS_METADATA).map(([id, meta]) => ({
+                id,
+                name: meta.name,
+                version: meta.version,
+                controlCount: meta.controlCount,
+            })),
+        });
+    }
+    catch (error) {
+        return errorResponse(`Scanner check failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ===========================================================================
+// Mythos-Class Security Scanners & Agents
+// ===========================================================================
+// ---------------------------------------------------------------------------
+// Tool: Binary Analysis Scanner
+// ---------------------------------------------------------------------------
+server.registerTool("certification_scan_binary", {
+    title: "Scan Binary/Native Modules",
+    description: `Analyze compiled code and native modules for security hardening flags.
+
+Checks:
+- Stack canary protection (CWE-121)
+- NX (No Execute) bit (CWE-119)
+- PIE (Position Independent Executable) (CWE-120)
+- RELRO (Relocation Read-Only) (CWE-134)
+- FORTIFY_SOURCE
+- RPATH/RUNPATH (library injection risk)
+
+Targets:
+- Node.js native addons (binding.gyp, *.node)
+- Shared libraries (*.so, *.dll, *.dylib)
+- Rust FFI (Cargo.toml with cdylib)
+- Go CGO (import "C")
+
+Requires checksec for full analysis, falls back to nm/pattern analysis.`,
+    inputSchema: {
+        project_path: z.string().describe("Path to project directory"),
+        timeout: z.number().optional().describe("Timeout in ms (default: 120000)"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, timeout }) => {
+    try {
+        const result = await runBinaryAnalysis(project_path, { timeout });
+        return jsonResponse({
+            scanner: "binary-analysis",
+            success: result.success,
+            duration: result.duration,
+            targetsScanned: result.metadata?.targetsScanned || 0,
+            toolsAvailable: result.metadata?.toolsAvailable,
+            totalFindings: result.findings.length,
+            bySeverity: {
+                critical: result.findings.filter(f => f.severity === "critical").length,
+                high: result.findings.filter(f => f.severity === "high").length,
+                medium: result.findings.filter(f => f.severity === "medium").length,
+                low: result.findings.filter(f => f.severity === "low").length,
+                info: result.findings.filter(f => f.severity === "info").length,
+            },
+            findings: result.findings.slice(0, 30),
+            hasMore: result.findings.length > 30,
+            error: result.error,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Binary analysis failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Memory Safety Scanner
+// ---------------------------------------------------------------------------
+server.registerTool("certification_scan_memory", {
+    title: "Scan for Memory Safety Issues",
+    description: `Detect memory corruption vulnerabilities in C/C++/Rust code.
+
+Vulnerability types:
+- Buffer overflow (CWE-120, CWE-787)
+- Use-after-free (CWE-416)
+- Double free (CWE-415)
+- Null dereference (CWE-476)
+- Uninitialized memory (CWE-908)
+- Format string (CWE-134)
+
+Uses:
+- cppcheck for C/C++ (if available)
+- cargo-geiger for Rust unsafe code audit
+- Pattern matching for dangerous function calls (strcpy, gets, etc.)`,
+    inputSchema: {
+        project_path: z.string().describe("Path to project directory"),
+        timeout: z.number().optional().describe("Timeout in ms (default: 120000)"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, timeout }) => {
+    try {
+        const result = await runMemorySafetyAnalysis(project_path, { timeout });
+        return jsonResponse({
+            scanner: "memory-safety",
+            success: result.success,
+            duration: result.duration,
+            languages: result.metadata?.languages,
+            toolsUsed: result.metadata?.toolsUsed,
+            totalFindings: result.findings.length,
+            bySeverity: {
+                critical: result.findings.filter(f => f.severity === "critical").length,
+                high: result.findings.filter(f => f.severity === "high").length,
+                medium: result.findings.filter(f => f.severity === "medium").length,
+                low: result.findings.filter(f => f.severity === "low").length,
+                info: result.findings.filter(f => f.severity === "info").length,
+            },
+            findings: result.findings.slice(0, 30),
+            hasMore: result.findings.length > 30,
+            error: result.error,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Memory safety analysis failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Race Condition Scanner
+// ---------------------------------------------------------------------------
+server.registerTool("certification_scan_race", {
+    title: "Scan for Race Conditions",
+    description: `Detect concurrency bugs that could lead to security vulnerabilities.
+
+Detection targets:
+- TOCTOU (Time-of-check to time-of-use) - CWE-367
+- Data races - CWE-362
+- Missing synchronization - CWE-820
+- Check-then-act bugs - CWE-366
+
+Languages:
+- Go: go vet -race detection, goroutine patterns
+- Node.js: Shared state + async, fs.exists TOCTOU
+- Python: threading issues, GIL bypass
+- Java: Non-atomic operations, HashMap concurrency`,
+    inputSchema: {
+        project_path: z.string().describe("Path to project directory"),
+        timeout: z.number().optional().describe("Timeout in ms (default: 60000)"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, timeout }) => {
+    try {
+        const result = await runRaceConditionAnalysis(project_path, { timeout });
+        return jsonResponse({
+            scanner: "race-condition",
+            success: result.success,
+            duration: result.duration,
+            languages: result.metadata?.languages,
+            toolsUsed: result.metadata?.toolsUsed,
+            totalFindings: result.findings.length,
+            bySeverity: {
+                critical: result.findings.filter(f => f.severity === "critical").length,
+                high: result.findings.filter(f => f.severity === "high").length,
+                medium: result.findings.filter(f => f.severity === "medium").length,
+                low: result.findings.filter(f => f.severity === "low").length,
+                info: result.findings.filter(f => f.severity === "info").length,
+            },
+            findings: result.findings.slice(0, 30),
+            hasMore: result.findings.length > 30,
+            error: result.error,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Race condition analysis failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Zero-Day Hunter Agent
+// ---------------------------------------------------------------------------
+server.registerTool("certification_semantic_analysis", {
+    title: "AI Semantic Security Analysis",
+    description: `Run AI-powered semantic code analysis for zero-day vulnerabilities.
+
+Focus areas:
+- Logic flaws: Inconsistent state handling, broken assumptions
+- Authentication bypasses: Ways to skip auth checks
+- Authorization issues: Privilege escalation paths
+- Cryptographic weaknesses: Weak algorithms, key management
+- Injection vectors: Novel injection patterns beyond OWASP
+
+Uses pattern-based detection with AI reasoning.`,
+    inputSchema: {
+        project_path: z.string().describe("Path to project directory"),
+        focus_areas: z.array(z.enum([
+            "auth", "crypto", "injection", "logic", "state",
+            "access-control", "data-validation", "session", "api"
+        ])).optional().describe("Focus areas for analysis"),
+        analysis_depth: z.enum(["quick", "standard", "thorough"]).optional().describe("Analysis depth (default: standard)"),
+        max_files: z.number().optional().describe("Max files to analyze (default: 50)"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, focus_areas, analysis_depth, max_files }) => {
+    try {
+        const config = {
+            analysisDepth: analysis_depth || "standard",
+            focusAreas: focus_areas || ["auth", "crypto", "injection", "logic"],
+            maxFilesToAnalyze: max_files,
+        };
+        const result = await runZeroDayHunter(project_path, config);
+        return jsonResponse({
+            agent: "zero-day-hunter",
+            filesAnalyzed: result.filesAnalyzed,
+            analysisDepth: result.analysisDepth,
+            focusAreas: result.focusAreas,
+            modelUsed: result.modelUsed,
+            totalFindings: result.findings.length,
+            bySeverity: {
+                critical: result.findings.filter(f => f.severity === "critical").length,
+                high: result.findings.filter(f => f.severity === "high").length,
+                medium: result.findings.filter(f => f.severity === "medium").length,
+                low: result.findings.filter(f => f.severity === "low").length,
+            },
+            recommendations: result.recommendations,
+            findings: result.findings.slice(0, 20).map(f => ({
+                id: f.id,
+                title: f.title,
+                severity: f.severity,
+                confidence: f.confidence,
+                category: f.category,
+                file: f.file,
+                line: f.line,
+                attackScenario: f.attackScenario,
+                cweIds: f.cweIds,
+            })),
+            hasMore: result.findings.length > 20,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Semantic analysis failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Logic Flaw Detector
+// ---------------------------------------------------------------------------
+server.registerTool("certification_logic_analysis", {
+    title: "Logic Flaw Detection",
+    description: `Detect business logic vulnerabilities that pattern-based scanners miss.
+
+Categories:
+- State inconsistency: Mutable when should be immutable
+- Race conditions: Check-then-act without locks
+- Boundary violations: Off-by-one, integer overflow
+- Error handling: Swallowed exceptions, incomplete cleanup
+- Trust boundary: Client-supplied data used unsafely
+- Business logic: Incorrect rule implementations`,
+    inputSchema: {
+        project_path: z.string().describe("Path to project directory"),
+        focus_files: z.array(z.string()).optional().describe("Specific files to analyze"),
+        analysis_depth: z.enum(["quick", "standard", "thorough"]).optional().describe("Analysis depth (default: standard)"),
+        categories: z.array(z.enum([
+            "state-inconsistency", "race-condition", "boundary-violation",
+            "error-handling", "trust-boundary", "business-logic",
+            "null-safety", "resource-leak", "invariant-violation"
+        ])).optional().describe("Categories to focus on"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, focus_files, analysis_depth, categories }) => {
+    try {
+        const config = {
+            analysisDepth: analysis_depth || "standard",
+            focusFiles: focus_files,
+            categories: categories,
+        };
+        const result = await runLogicFlawDetector(project_path, config);
+        return jsonResponse({
+            agent: "logic-flaw-detector",
+            filesAnalyzed: result.filesAnalyzed,
+            categoriesDetected: result.categories,
+            totalFindings: result.findings.length,
+            bySeverity: {
+                critical: result.findings.filter(f => f.severity === "critical").length,
+                high: result.findings.filter(f => f.severity === "high").length,
+                medium: result.findings.filter(f => f.severity === "medium").length,
+                low: result.findings.filter(f => f.severity === "low").length,
+            },
+            byCategory: Object.fromEntries(result.categories.map(cat => [cat, result.findings.filter(f => f.category === cat).length])),
+            recommendations: result.recommendations,
+            findings: result.findings.slice(0, 20).map(f => ({
+                id: f.id,
+                title: f.title,
+                severity: f.severity,
+                confidence: f.confidence,
+                category: f.category,
+                file: f.file,
+                line: f.line,
+                impact: f.impact,
+                cweIds: f.cweIds,
+            })),
+            hasMore: result.findings.length > 20,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Logic flaw detection failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Exploit Chain Analyzer
+// ---------------------------------------------------------------------------
+server.registerTool("certification_analyze_chains", {
+    title: "Analyze Exploit Chains",
+    description: `Analyze findings for exploitable vulnerability chains.
+
+Chain types detected:
+- Information Disclosure → RCE
+- SSRF → Internal Network Access
+- XSS → Session Hijacking
+- Auth Bypass → Data Exfiltration
+- SQL Injection → Database Takeover
+- Path Traversal → Secret Exposure
+- Insecure Deserialization → RCE
+- Race Condition → Privilege Escalation
+
+Calculates escalated severity based on chain impact.`,
+    inputSchema: {
+        project_path: z.string().describe("Path to the project being certified"),
+        certification_id: z.string().describe("Certification ID with existing findings"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id }) => {
+    try {
+        // Get certification and all findings
+        const cert = await getCertification(project_path, certification_id);
+        if (!cert) {
+            return errorResponse(`Certification ${certification_id} not found`);
+        }
+        // Collect all findings from all agents
+        const allFindings = Object.values(cert.agents)
+            .filter((a) => a !== undefined)
+            .flatMap(a => a.findings);
+        if (allFindings.length < 2) {
+            return jsonResponse({
+                certificationId: certification_id,
+                totalFindings: allFindings.length,
+                chainsDetected: 0,
+                message: "Need at least 2 findings to detect chains",
+                chains: [],
+            });
+        }
+        // Run chain analysis
+        const result = await analyzeExploitChains(allFindings);
+        return jsonResponse({
+            certificationId: certification_id,
+            totalFindings: result.totalFindings,
+            chainsDetected: result.chainsDetected,
+            riskScore: result.riskScore,
+            summary: getChainSummary(result),
+            recommendations: result.recommendations,
+            chains: result.chains.slice(0, 10).map(chain => ({
+                id: chain.id,
+                name: chain.name,
+                totalSeverity: chain.totalSeverity,
+                originalSeverities: chain.originalSeverities,
+                confidence: chain.confidence,
+                difficulty: chain.difficulty,
+                attackScenario: chain.attackScenario,
+                impact: chain.impact,
+                steps: chain.steps.map(s => ({
+                    findingId: s.findingId,
+                    role: s.role,
+                    category: s.finding.category,
+                    enables: s.enables,
+                })),
+                mitreAttackIds: chain.mitreAttackIds,
+            })),
+            hasMore: result.chains.length > 10,
+        });
+    }
+    catch (error) {
+        return errorResponse(`Chain analysis failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Exports (for HTTP server and client integration)
+// ---------------------------------------------------------------------------
+export { server, textResponse, jsonResponse, errorResponse };
+// ---------------------------------------------------------------------------
+// Start (stdio mode - only when run directly)
+// ---------------------------------------------------------------------------
+async function main() {
+    logger.info("server.starting", { version: "2.0.0" });
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    logger.info("server.started", { transport: "stdio" });
+}
+// Only run main() when this file is executed directly (not imported)
+const isDirectRun = process.argv[1]?.endsWith("index.js") || process.argv[1]?.endsWith("index.ts");
+if (isDirectRun) {
+    main().catch((error) => {
+        logger.error("server.fatal", { error: error instanceof Error ? error.message : String(error) });
+        process.exit(1);
+    });
+}
+//# sourceMappingURL=index.js.map