vaspera 2.8.0 → 2.9.2

package/CHANGELOG.md

@@ -1,15 +1,90 @@
 # Changelog
 
+## 2.9.2
+
+### Patch Changes
+
+- [#30](https://github.com/RCOLKITT/hardening-mcp/pull/30) [`8110af7`](https://github.com/RCOLKITT/hardening-mcp/commit/8110af76da720332e43f296b7357987e7edec533) Thanks [@RCOLKITT](https://github.com/RCOLKITT)! - ## Telemetry Integration
+
+  - Wired up telemetry tracking to certification tools (`certification_scan`, `agent_cert_scan`, `certification_finalize`)
+  - Added scan registry for persistent analytics storage
+  - Telemetry is opt-in via `VASPERA_TELEMETRY_ENABLED` environment variable
+  - Privacy-respecting: repo URL, org name, and email require explicit opt-in
+  - Backend API endpoint for receiving telemetry events with rate limiting
+
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.9.0] - 2026-05-01
+
+### Added
+
+#### Optimization Plan Modules
+
+##### Corpus Expansion (P0)
+
+- 7 new payload categories bringing total from 220 to 430+ payloads
+- `multi-turn.json` - 30 payloads for context-building attacks across turns
+- `context-manipulation.json` - 30 payloads for conversation history attacks
+- `output-redirection.json` - 30 payloads for forcing specific outputs
+- `token-smuggling.json` - 30 payloads exploiting tokenization boundaries
+- `mcp-attacks.json` - 30 payloads for MCP protocol-specific vectors
+- `tool-chaining.json` - 30 payloads for tool composition exploits
+- `privilege-escalation.json` - 30 payloads for read→write escalation
+- Updated corpus sizes: quick=100, standard=400, thorough=800, exhaustive=1500
+
+##### Usage Telemetry (P0)
+
+- `src/telemetry/usage.ts` - Event tracking with privacy controls
+- `src/telemetry/registry.ts` - Persistent scan registry for analytics
+- Opt-in telemetry for repo URL, org name, user email
+- Analytics methods for dashboard and case study candidates
+
+##### Badge Service (P0)
+
+- `src/badge-service/index.ts` - HTTP handlers for badge serving
+- Badge verification endpoint with Sigstore bundle support
+- `generateBadgeEmbedCode()` for markdown/HTML embedding
+- CertificationStorage interface with memory implementation
+
+##### Frontier Model Interface (P1)
+
+- `src/frontier/types.ts` - Interfaces for Mythos/GPT-5.5-Cyber integration
+- `src/frontier/orchestrator.ts` - Multi-model orchestration with consensus
+- `src/frontier/providers/stub.ts` - Test provider placeholder
+- FrontierModelProvider interface with capabilities, cost estimation
+- ExploitChain and ConsensusResult types
+
+##### Data Flow Analysis (P1)
+
+- `src/analysis/data-flow.ts` - Source→sink tracking for JS/TS/Python
+- Pattern-based detection of user input sources (req.body, event.body, etc.)
+- Dangerous sink detection (SQL, command exec, eval, file write)
+- Risky flow identification (untrusted source → sensitive sink without sanitizer)
+- LLM context formatting for focused analysis
+
+##### Agent Chain Analysis (P2)
+
+- `src/scanners/agent/agent-chain-analysis.ts` - Multi-hop attack paths
+- Trust boundary modeling between agents and MCP servers
+- AgentGraph construction from MCP server configs
+- Attack path detection with severity calculation
+- Mermaid diagram generation for visualization
+
+### Changed
+
+- Extended PayloadCategory type with 7 new categories
+- Updated FuzzerOptions corpus type to include "exhaustive"
+- Increased test count from 2,332 to 2,484 across 104 test files
+
 ## [2.8.0] - 2026-04-29
 
 ### Added
 
 #### Agent Batch Submit Tool
+
 - New `agent_batch_submit` tool for submitting findings from subagent JSON output
 - Solves MCP permission issues when certification agents run as subagents
 - Accepts array of findings and optional summary in one call
@@ -18,6 +93,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 #### CI/CD Improvements
+
 - Lazy Stripe initialization to allow builds without `STRIPE_SECRET_KEY`
 - Fixed TypeScript test timeout for CI environments
 - Synced package-lock.json for CI compatibility
@@ -27,6 +103,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 #### Plan Enforcement
+
 - New plan-limits system for free/pro/enterprise tiers
 - Certification monthly limits enforced at API level
 - Agent count limits based on subscription plan
@@ -35,19 +112,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 #### Plan Limits
 
-| Limit | Free | Pro | Enterprise |
-|-------|------|-----|------------|
-| Certifications/month | 3 | 50 | Unlimited |
-| Projects | 2 | 20 | Unlimited |
-| Agents | 3 | 7 | All |
-| Frameworks | SOC2 | SOC2, HIPAA, NIST | All |
-| Red team | ❌ | ❌ | ✓ |
+| Limit                | Free | Pro               | Enterprise |
+| -------------------- | ---- | ----------------- | ---------- |
+| Certifications/month | 3    | 50                | Unlimited  |
+| Projects             | 2    | 20                | Unlimited  |
+| Agents               | 3    | 7                 | All        |
+| Frameworks           | SOC2 | SOC2, HIPAA, NIST | All        |
+| Red team             | ❌   | ❌                | ✓          |
 
 ## [2.6.0] - 2026-04-26
 
 ### Added
 
 #### Test Coverage
+
 - 147 new tests across 5 test files
 - `agent-integrity.test.ts` - Consensus analysis and outlier detection
 - `agent-privacy.test.ts` - PII detection with Luhn validation
@@ -56,12 +134,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `flags.test.ts` - Feature flags and config loading
 
 #### Feature Flags System
+
 - New `.vaspera/config.yaml` configuration format
 - Per-agent weights and model selection
 - Per-scanner timeouts and custom rules
 - Feature toggles for multiModel, costTracking, autofix, etc.
 
 #### Plugin System
+
 - Scanner plugin architecture with manifest schema
 - Local plugins from `.vaspera/plugins/`
 - npm plugins from `vaspera-scanner-*` packages
@@ -72,6 +152,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 #### Mythos-Class Security Scanners
+
 - New `binary-analysis` scanner for native module security
   - Detects Node.js native addons, shared libraries, Rust FFI, Go CGO
   - Checks RELRO, NX, PIE, CANARY protections via checksec
@@ -89,6 +170,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - Java: check-then-act and synchronized patterns
 
 #### Semantic AI Agents
+
 - New `zero-day-hunter` agent for novel vulnerability discovery
   - AI-powered semantic code analysis beyond pattern matching
   - Discovers logic flaws, auth bypasses, cryptographic weaknesses
@@ -105,17 +187,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - Severity escalation calculation (medium + medium = critical)
 
 #### New MCP Tools
+
 - `certification_scan_binary` - Scan compiled code and native modules
 - `certification_analyze_chains` - Analyze findings for exploitable chains
 - `certification_semantic_analysis` - Run AI-powered semantic analysis
 
 #### Compliance Enhancements
+
 - Added MITRE ATT&CK technique mapping for AI/ML systems
 - New CWE mappings for memory safety vulnerabilities
 - New CWE mappings for race condition vulnerabilities
 - OWASP LLM Top 10 integration
 
 ### Changed
+
 - Updated scanner count from 9 to 13+ scanners
 - Updated agent count from 4 to 7+ agents
 - Updated frontend marketing pages with Mythos-class capabilities
@@ -126,6 +211,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 #### Cost Tracking
+
 - New `cost_track` tool to start tracking costs for a certification
 - New `cost_estimate` tool to estimate costs before running
 - New `cost_status` tool to get current cost status
@@ -136,6 +222,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Budget limits with automatic warnings and abort capability
 
 #### Multi-Model Consensus
+
 - New `multimodel_record` tool to record findings from model runs
 - New `multimodel_consensus` tool to calculate inter-model agreement
 - New `multimodel_disagreements` tool to identify model disagreements
@@ -148,6 +235,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Disagreement detection by type (existence, severity, location, description)
 
 #### Compliance Mapping
+
 - New `compliance_report` tool for single-framework reports
 - New `compliance_multi_report` tool for multi-framework reports
 - New `compliance_controls` tool to list framework controls
@@ -157,6 +245,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Finding-to-control mapping by category
 
 #### SBOM & Provenance
+
 - New `sbom_generate` tool for CycloneDX SBOM generation
 - New `sbom_provenance` tool for SLSA provenance attestation
 - New `sbom_sign` tool for Sigstore signing
@@ -165,6 +254,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Build attestation with SLSA Level 2 support
 
 #### Documentation
+
 - New `docs/` folder with feature documentation
 - Cost tracking guide (`docs/cost-tracking.md`)
 - Multi-model consensus guide (`docs/multi-model.md`)
@@ -173,11 +263,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Example workflows (`docs/examples/`)
 
 ### Changed
+
 - Updated MCP tool count from 36 to 52
 - Updated package description to highlight enterprise features
 - README now includes v2.0.0 features section
 
 ### Fixed
+
 - Finding type now uses `description` consistently (removed legacy `title`)
 - Multi-model consensus correctly handles partial model agreement
 - Cost calculation uses accurate per-model pricing
@@ -187,58 +279,68 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 #### Deterministic Scanners
+
 - Semgrep integration for OWASP Top 10
 - gitleaks integration for secrets detection
 - npm audit integration for CVE detection
 - TypeScript analysis for type safety
 
 #### GitHub Action
+
 - `action.yml` for CI/CD integration
 - Diff-mode scanning for PRs
 - PR comment formatting
 - SARIF upload to GitHub Code Scanning
 
 #### Evaluation Harness
+
 - Test fixtures for scanner accuracy
 - Precision, recall, F1 metrics
 - Stability testing across runs
 - Target thresholds for publication
 
 #### Custom Rules
+
 - `rules_load` for custom rule loading
 - `rules_templates` for built-in templates
 - `rules_generate_config` for config generation
 - `rules_check_file` for file checking
 
 ### Changed
+
 - Scanner findings now have confidence: 100
 - LLM agents reference scanner findings by ID
 
 ## [1.0.2] - 2023-12-15
 
 ### Added
+
 - Cross-verification system between agents
 - Consensus scoring with certification levels
 - SARIF export for GitHub integration
 
 ### Fixed
+
 - Evidence validation for LLM findings
 - Finding deduplication logic
 
 ## [1.0.1] - 2023-12-01
 
 ### Added
+
 - File hash-based caching
 - Agent finding submission tools
 - Basic certification workflow
 
 ### Fixed
+
 - Project discovery on macOS
 - Command installation paths
 
 ## [1.0.0] - 2023-11-15
 
 ### Added
+
 - Initial release
 - 6 certification agents (security, reliability, typesafety, performance, quality, redteam)
 - Hardening command installation

package/README.md

@@ -2,14 +2,84 @@
 
 Enterprise-grade security certification for codebases **and AI agent systems** with deterministic scanners, LLM-powered analysis, and signed attestations.
 
-![npm version](https://img.shields.io/npm/v/vaspera-hardening-mcp-server)
+![npm version](https://img.shields.io/npm/v/vaspera)
 ![License](https://img.shields.io/badge/License-MIT-green)
-![Tools](https://img.shields.io/badge/MCP_Tools-68+-purple)
+![Tools](https://img.shields.io/badge/MCP_Tools-68-purple)
 ![AI Frameworks](https://img.shields.io/badge/AI_Frameworks-5-blue)
 ![Scanners](https://img.shields.io/badge/Scanners-12-orange)
 
 ---
 
+## What's New in v2.9.0
+
+### Universal Audit-Defensible Compliance Reports
+All 13 compliance frameworks now support audit-defensible report generation:
+
+| Feature | Description |
+|---------|-------------|
+| **Evidence Bundle** | Cryptographically signed artifacts with Sigstore |
+| **Audit Trail Verification** | Hash-chained integrity verification |
+| **Attestation Section** | Framework-specific methodology and scope limitations |
+
+**Supported Frameworks:**
+- **Traditional:** SOC2, ISO27001, PCI-DSS, HIPAA, 42-CFR-PART-2, GDPR, NIST-800-53, CIS
+- **AI/ML:** OWASP-LLM, NIST-AI-RMF, MITRE-ATLAS, EU-AI-ACT, ISO-42001
+
+**New Tool Parameters:**
+```json
+{
+  "collect_evidence": true,
+  "verify_audit_trail": true,
+  "store_evidence": true,
+  "include_attestation": true
+}
+```
+
+### Healthcare Compliance Bundle
+Unified HIPAA + 42 CFR Part 2 assessment for healthcare organizations:
+- Single-command assessment for both frameworks
+- Cross-reference between HIPAA and SUD confidentiality requirements
+- Combined evidence bundle for audit defensibility
+
+### 42 CFR Part 2 Framework
+New compliance framework for Substance Use Disorder (SUD) patient record confidentiality:
+- 15 controls across consent, disclosure, and security categories
+- Cross-mapping to HIPAA Security Rule
+- Healthcare-specific attestation content
+
+---
+
+## What's New in v2.8.0
+
+### Agent Batch Submit Tool
+New tool for submitting findings from subagent JSON output:
+- **`agent_batch_submit`** - Submit all findings in one call when agents run as subagents
+- Fixes MCP permission issues when certification agents don't have direct tool access
+- Updated certification orchestration docs
+
+### CI/CD Improvements
+- Lazy Stripe initialization for builds without env vars
+- TypeScript test timeout fixes for CI environments
+
+---
+
+## What's New in v2.7.0
+
+### Plan Enforcement
+- Plan limits for free/pro/enterprise tiers
+- Certification monthly limits enforced at API level
+- Agent count limits based on subscription plan
+- Compliance framework access gating
+
+| Limit | Free | Pro | Enterprise |
+|-------|------|-----|------------|
+| Certifications/month | 3 | 50 | Unlimited |
+| Projects | 2 | 20 | Unlimited |
+| Agents | 3 | 7 | All |
+| Frameworks | SOC2 | SOC2, HIPAA, NIST | All |
+
+---
+
 ## What's New in v2.5.0
 
 ### Mythos-Class Security Scanners 🔬
@@ -231,8 +301,16 @@ Measure scanner accuracy with labeled test fixtures:
 ### Installation
 
 ```bash
-npm install vaspera-hardening-mcp-server
-# or
+# npm
+npm install vaspera
+
+# pnpm (use -w flag for workspace root)
+pnpm install -w vaspera
+
+# yarn
+yarn add vaspera
+
+# From source
 git clone https://github.com/RCOLKITT/hardening-mcp.git
 cd hardening-mcp
 npm install && npm run build
@@ -356,13 +434,14 @@ Edit `~/Library/Application Support/Claude/claude_desktop_config.json`:
 | `consensus_models` | List model configurations |
 | `consensus_clear` | Clear recorded results |
 
-### Compliance Mapping (v2.0.0)
+### Compliance Mapping (v2.0.0, enhanced v2.9.0)
 
 | Tool | Description |
 |------|-------------|
-| `compliance_report` | Generate compliance report for a framework |
-| `compliance_multi_report` | Generate report for multiple frameworks |
+| `compliance_report` | Generate compliance report for a framework (audit-defensible) |
+| `compliance_multi_report` | Generate report for multiple frameworks (audit-defensible) |
 | `compliance_controls` | List controls for a framework |
+| `healthcare_compliance` | Unified HIPAA + 42 CFR Part 2 assessment (v2.9.0) |
 
 ### SBOM & Provenance (v2.0.0)
 
@@ -613,6 +692,31 @@ You: "Generate GDPR compliance report"
 → Returns control status with gap analysis
 ```
 
+### Audit-Defensible Compliance Report (v2.9.0)
+
+```
+You: "Generate audit-defensible SOC 2 report"
+→ Claude calls compliance_report with:
+   - framework: "SOC2"
+   - collect_evidence: true
+   - verify_audit_trail: true
+   - include_attestation: true
+→ Collects cryptographically signed evidence bundle
+→ Verifies hash-chain integrity of audit trail
+→ Generates report with attestation methodology
+→ Returns audit-ready documentation
+```
+
+### Healthcare Compliance Assessment (v2.9.0)
+
+```
+You: "Run healthcare compliance assessment"
+→ Claude calls healthcare_compliance
+→ Assesses both HIPAA and 42 CFR Part 2 frameworks
+→ Generates unified report with cross-references
+→ Collects evidence bundle for audit defensibility
+```
+
 ### Sigstore Signing (v2.1.1)
 
 ```

package/dist/__tests__/agents/adversary/tactics/api.test.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Tests for API Security Tactics Module
+ */
+export {};
+//# sourceMappingURL=api.test.d.ts.map

package/dist/__tests__/agents/adversary/tactics/api.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.test.d.ts","sourceRoot":"","sources":["../../../../../src/__tests__/agents/adversary/tactics/api.test.ts"],"names":[],"mappings":"AAAA;;GAEG"}