vaspera 2.8.0 → 2.9.2

package/dist/index.js

@@ -30,13 +30,25 @@ import { getAIFrameworkControls, AI_FRAMEWORKS_METADATA, } from "./compliance/fr
 // Evaluation harness
 import { runEvaluation, runStabilityTest, calculateMetrics, calculateStabilityMetrics, meetsTargets, generateEvaluationReport, formatReportAsMarkdown, generateCompactSummary, generateReadmeBadges, getFixtureStats, ALL_FIXTURES, TARGET_METRICS, } from "./eval/index.js";
 // Compliance frameworks
-import { generateComplianceReport, generateMultiFrameworkReport, formatComplianceReportAsMarkdown, formatMultiFrameworkReportAsMarkdown, generateCompactComplianceSummary, getControlsForFramework, getSOC2Categories, getISO27001Categories, } from "./compliance/index.js";
+import { generateComplianceReport, generateMultiFrameworkReport, formatComplianceReportAsMarkdown, formatMultiFrameworkReportAsMarkdown, generateCompactComplianceSummary, getControlsForFramework, 
+// Healthcare compliance
+runHealthcareComplianceAssessment, generateHealthcareComplianceSummary, 
+// Universal audit-defensible compliance
+runSingleFrameworkAssessment, runComplianceAssessment, generateComplianceSummary, } from "./compliance/index.js";
+// Evidence collection and audit trail verification
+import { collectEvidence, storeEvidenceBundle, formatEvidenceBundleAsMarkdown, } from "./evidence/index.js";
+import { verifyHistoryIntegrity, formatVerificationResultAsMarkdown, } from "./history/verify.js";
 // SBOM, Provenance, and Sigstore Signing (uses @sigstore/sign for real signing)
 import { generateSBOM, generateSBOMSummary, generateProvenance, generateProvenanceSummary, verifyProvenance, signContent, isSigningAvailable, generateSigningSummary, detectCIEnvironment, } from "./sbom/index.js";
 // Cost tracking
 import { getTracker, formatCost, formatTokens, estimateCost, getSupportedModels, MODEL_PRICING, } from "./cost/index.js";
 // Multi-model consensus
 import { getRunner, DEFAULT_MODELS, formatProvider, } from "./multimodel/index.js";
+// Path validation utilities
+import { validateProjectPath, PathValidationError } from "./util/paths.js";
+// Telemetry and scan registry
+import { trackCertificationStarted, trackCertificationCompleted, trackScannerRun, } from "./telemetry/usage.js";
+import { getRegistry } from "./telemetry/registry.js";
 // ---------------------------------------------------------------------------
 // Config
 // ---------------------------------------------------------------------------
@@ -221,7 +233,17 @@ server.registerTool("hardening_install", {
         openWorldHint: false,
     },
 }, async ({ project_path }) => {
-    if (!(await dirExists(project_path))) {
+    // Validate path to prevent traversal attacks
+    let validatedPath;
+    try {
+        validatedPath = await validateProjectPath(project_path);
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return {
+                content: [{ type: "text", text: `Error: ${error.message}` }],
+            };
+        }
         return {
             content: [
                 {
@@ -232,7 +254,7 @@ server.registerTool("hardening_install", {
         };
     }
     try {
-        const commandsDir = join(project_path, ".claude", "commands");
+        const commandsDir = join(validatedPath, ".claude", "commands");
         await mkdir(commandsDir, { recursive: true });
         const installed = [];
         const errors = [];
@@ -248,7 +270,7 @@ server.registerTool("hardening_install", {
             }
         }
         const output = {
-            project: project_path,
+            project: validatedPath,
             commands_dir: commandsDir,
             installed_commands: installed,
             errors: errors.length > 0 ? errors : undefined,
@@ -295,7 +317,17 @@ server.registerTool("hardening_install_all", {
     },
 }, async ({ base_dir, dry_run = true }) => {
     const dir = base_dir || DEFAULT_PROJECTS_DIR;
-    if (!(await dirExists(dir))) {
+    // Validate path to prevent traversal attacks
+    let validatedDir;
+    try {
+        validatedDir = await validateProjectPath(dir);
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return {
+                content: [{ type: "text", text: `Error: ${error.message}` }],
+            };
+        }
         return {
             content: [
                 {
@@ -306,7 +338,7 @@ server.registerTool("hardening_install_all", {
         };
     }
     try {
-        const projects = await discoverProjects(dir);
+        const projects = await discoverProjects(validatedDir);
         const commandCount = Object.keys(COMMANDS).length;
         const results = [];
         for (const projectPath of projects) {
@@ -347,7 +379,7 @@ server.registerTool("hardening_install_all", {
         }
         const output = {
             mode: dry_run ? "dry-run" : "applied",
-            base_dir: dir,
+            base_dir: validatedDir,
             projects_scanned: projects.length,
             commands_per_project: commandCount,
             projects_updated: dry_run ? 0 : results.filter((r) => !r.error && r.commands_installed).length,
@@ -726,6 +758,12 @@ server.registerTool("certification_scan", {
         project: basename(project_path),
     });
     scanLogger.info("scanners.starting", { scanners, auto_detect });
+    const startTime = Date.now();
+    // Track scan start via telemetry
+    const scannersToRun = auto_detect
+        ? ["auto-detect"]
+        : Object.entries(scanners || {}).filter(([, v]) => v).map(([k]) => k);
+    await trackCertificationStarted(project_path, scannersToRun, [], auto_detect ? "auto" : "manual");
     // Use auto-detection or manual scanner selection
     let result;
     let detectedLanguages;
@@ -739,6 +777,24 @@ server.registerTool("certification_scan", {
     else {
         result = await runAllScanners(project_path, scanners);
     }
+    // Track scanner runs in telemetry
+    for (const scanner of Object.keys(result.byScanner)) {
+        await trackScannerRun(project_path, scanner, result.totalDuration / Object.keys(result.byScanner).length, // Approximate per-scanner duration
+        result.byScanner[scanner] || 0, !result.failedScanners.includes(scanner));
+    }
+    // Record scan in registry for analytics
+    const registry = getRegistry();
+    await registry.recordScan({
+        certificationId: certification_id,
+        projectPath: project_path,
+        scanDate: new Date().toISOString(),
+        duration: Date.now() - startTime,
+        findingsSummary: result.bySeverity,
+        totalFindings: result.totalFindings,
+        scannersRun: Object.keys(result.byScanner),
+        frameworksAssessed: [],
+        success: result.allSucceeded,
+    });
     // If certification_id provided and submit_findings is true, submit to certification
     if (certification_id && submit_findings && result.totalFindings > 0) {
         const certFindings = scannerFindingsToCertificationFindings(result);
@@ -1247,6 +1303,87 @@ server.registerTool("agent_complete", {
     };
 });
 // ---------------------------------------------------------------------------
+// Tool: Batch Submit Findings (for subagent JSON output)
+// ---------------------------------------------------------------------------
+server.registerTool("agent_batch_submit", {
+    title: "Batch Submit Agent Findings",
+    description: `Submit multiple findings from a subagent's JSON output. Use this when certification agents run as subagents (via Task tool) and output JSON instead of calling agent_submit_finding directly. Parses the agent's JSON output and submits all findings at once.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().describe("Certification ID"),
+        agent: z.enum(["security", "reliability", "typesafety", "performance", "quality", "redteam"]),
+        findings: z.array(z.object({
+            id: z.string().describe("Finding ID (e.g., sec-001)"),
+            severity: z.enum(["critical", "high", "medium", "low", "info"]),
+            category: z.string().describe("Category of the finding"),
+            file: z.string().optional().describe("File path where issue found"),
+            line: z.number().optional().describe("Line number"),
+            description: z.string().describe("Description of the issue"),
+            evidence: z.string().describe("Evidence supporting the finding"),
+            confidence: z.number().min(0).max(100).describe("Confidence score 0-100"),
+        })).describe("Array of findings from subagent JSON output"),
+        summary: z.object({
+            total_findings: z.number(),
+            by_severity: z.object({
+                critical: z.number(),
+                high: z.number(),
+                medium: z.number(),
+                low: z.number(),
+                info: z.number(),
+            }),
+            confidence_score: z.number().min(0).max(100),
+            coverage_areas: z.array(z.string()),
+            notes: z.string().optional(),
+        }).optional().describe("Optional summary to complete the agent run"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: false,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, agent, findings, summary }) => {
+    const certLogger = createChildLogger({ certId: certification_id, agent });
+    // Ensure agent is started
+    let agentFindings = await getAgentFindings(project_path, certification_id, agent);
+    if (!agentFindings) {
+        certLogger.info("agent.started");
+        agentFindings = await startAgent(project_path, certification_id, agent);
+    }
+    // Submit all findings
+    const submitted = [];
+    for (const finding of findings) {
+        await submitFinding(project_path, certification_id, agent, finding);
+        submitted.push({ id: finding.id, severity: finding.severity });
+        certLogger.info("finding.submitted", {
+            findingId: finding.id,
+            severity: finding.severity,
+            confidence: finding.confidence,
+        });
+    }
+    // Complete agent if summary provided
+    let completionResult = null;
+    if (summary) {
+        completionResult = await completeAgent(project_path, certification_id, agent, summary);
+        certLogger.info("agent.completed", {
+            totalFindings: summary.total_findings,
+            confidenceScore: summary.confidence_score,
+        });
+    }
+    return {
+        content: [{
+                type: "text",
+                text: JSON.stringify({
+                    agent,
+                    findingsSubmitted: submitted.length,
+                    findings: submitted,
+                    completed: !!summary,
+                    summary: completionResult?.summary,
+                }, null, 2),
+            }],
+    };
+});
+// ---------------------------------------------------------------------------
 // Tool: Cross-Verify Finding
 // ---------------------------------------------------------------------------
 server.registerTool("agent_cross_verify", {
@@ -1469,6 +1606,7 @@ server.registerTool("certification_finalize", {
     },
 }, async ({ project_path, certification_id }) => {
     const certLogger = createChildLogger({ certId: certification_id, project: basename(project_path) });
+    const startTime = Date.now();
     const certification = await getCertification(project_path, certification_id);
     if (!certification) {
         certLogger.warn("certification.not_found");
@@ -1494,6 +1632,36 @@ server.registerTool("certification_finalize", {
     }
     // Generate artifacts
     const artifacts = await writeCertificationArtifacts(project_path, finalCert);
+    // Track certification completion via telemetry
+    const severityCounts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+    let totalFindings = 0;
+    for (const agentType of Object.keys(certification.agents || {})) {
+        const agent = certification.agents[agentType];
+        if (agent?.findings) {
+            for (const finding of agent.findings) {
+                severityCounts[finding.severity]++;
+                totalFindings++;
+            }
+        }
+    }
+    await trackCertificationCompleted(project_path, certification_id, finalCert.consensus?.certification_level || "BLOCKED", finalCert.consensus?.overall_score || 0, Date.now() - new Date(certification.metadata.started_at).getTime(), severityCounts, totalFindings, [] // frameworks
+    );
+    // Record in registry
+    const registry = getRegistry();
+    await registry.recordScan({
+        certificationId: certification_id,
+        projectPath: project_path,
+        scanDate: new Date().toISOString(),
+        level: finalCert.consensus?.certification_level || "BLOCKED",
+        score: finalCert.consensus?.overall_score || 0,
+        duration: Date.now() - startTime,
+        findingsSummary: severityCounts,
+        totalFindings,
+        scannersRun: Object.keys(certification.agents || {}),
+        frameworksAssessed: [],
+        success: true,
+        tags: ["certification-finalized"],
+    });
     certLogger.info("certification.finalized", {
         level: finalCert.consensus?.certification_level,
         score: finalCert.consensus?.overall_score,
@@ -2142,13 +2310,17 @@ server.registerTool("certification_eval_fixtures", {
 // ---------------------------------------------------------------------------
 server.registerTool("compliance_report", {
     title: "Generate Compliance Report",
-    description: `Generate a compliance report mapping certification findings to framework controls (SOC 2, ISO 27001). Shows which controls are at risk or non-compliant based on security findings.`,
+    description: `Generate a compliance report mapping certification findings to framework controls. Supports all major frameworks (SOC 2, ISO 27001, PCI-DSS, HIPAA, 42 CFR Part 2, GDPR, NIST 800-53, CIS). Enable audit-defensibility options for evidence collection and audit trail verification.`,
     inputSchema: {
         project_path: z.string().describe("Absolute path to the project root"),
         certification_id: z.string().describe("Certification ID to assess"),
         framework: z
-            .enum(["SOC2", "ISO27001"])
+            .enum(["SOC2", "ISO27001", "PCI-DSS", "HIPAA", "42-CFR-PART-2", "GDPR", "NIST-800-53", "CIS"])
             .describe("Compliance framework to assess"),
+        collect_evidence: z.boolean().optional().describe("Collect evidence bundle for audit defensibility. Default: false"),
+        verify_audit_trail: z.boolean().optional().describe("Verify audit trail integrity. Default: false"),
+        store_evidence: z.boolean().optional().describe("Store evidence bundle to disk. Default: true if collecting"),
+        include_attestation: z.boolean().optional().describe("Include attestation section with methodology and scope. Default: true when audit features enabled"),
         output_format: z
             .enum(["markdown", "json", "summary"])
             .optional()
@@ -2160,7 +2332,7 @@ server.registerTool("compliance_report", {
         idempotentHint: true,
         openWorldHint: false,
     },
-}, async ({ project_path, certification_id, framework, output_format }) => {
+}, async ({ project_path, certification_id, framework, collect_evidence, verify_audit_trail, store_evidence, include_attestation, output_format }) => {
     const certification = await getCertification(project_path, certification_id);
     if (!certification) {
         return errorResponse(`Certification ${certification_id} not found`);
@@ -2172,6 +2344,46 @@ server.registerTool("compliance_report", {
     if (allFindings.length === 0) {
         return errorResponse("No findings to assess. Run certification agents first.");
     }
+    // Check if audit-defensibility features are requested
+    const useAuditFeatures = collect_evidence || verify_audit_trail;
+    if (useAuditFeatures) {
+        // Use the full compliance bundle for audit-defensible reports
+        const result = await runSingleFrameworkAssessment({
+            projectPath: project_path,
+            findings: allFindings,
+            framework: framework,
+            certificationId: certification_id,
+            collectEvidence: collect_evidence ?? false,
+            verifyAuditTrail: verify_audit_trail ?? false,
+            storeEvidence: store_evidence !== false,
+            includeAttestation: include_attestation !== false,
+        });
+        if (output_format === "json") {
+            return jsonResponse({
+                status: result.status,
+                complianceScore: result.report.status.complianceScore,
+                riskScore: result.report.status.riskScore,
+                auditVerification: result.auditVerification ? {
+                    verified: result.auditVerification.verified,
+                    chainIntegrity: result.auditVerification.chainIntegrity,
+                } : undefined,
+                evidenceBundle: result.evidenceBundle ? {
+                    id: result.evidenceBundle.id,
+                    bundleDigest: result.evidenceBundle.bundleDigest,
+                    signed: !!result.evidenceBundle.signature,
+                } : undefined,
+                evidencePath: result.evidencePath,
+                report: result.report,
+            });
+        }
+        else if (output_format === "summary") {
+            return textResponse(generateCompactComplianceSummary(result.report));
+        }
+        else {
+            return textResponse(result.markdownReport);
+        }
+    }
+    // Standard report without audit features
     const report = generateComplianceReport(allFindings, framework, project_path, certification_id);
     if (output_format === "json") {
         return jsonResponse(report);
@@ -2188,16 +2400,20 @@ server.registerTool("compliance_report", {
 // ---------------------------------------------------------------------------
 server.registerTool("compliance_multi_report", {
     title: "Multi-Framework Compliance Report",
-    description: `Generate a compliance report across multiple frameworks (SOC 2 and ISO 27001). Shows comparative status and prioritized recommendations.`,
+    description: `Generate a compliance report across multiple frameworks. Supports all major frameworks (SOC 2, ISO 27001, PCI-DSS, HIPAA, 42 CFR Part 2, GDPR, NIST 800-53, CIS). Shows comparative status and prioritized recommendations. Enable audit-defensibility options for evidence collection and audit trail verification.`,
     inputSchema: {
         project_path: z.string().describe("Absolute path to the project root"),
         certification_id: z.string().describe("Certification ID to assess"),
         frameworks: z
-            .array(z.enum(["SOC2", "ISO27001"]))
+            .array(z.enum(["SOC2", "ISO27001", "PCI-DSS", "HIPAA", "42-CFR-PART-2", "GDPR", "NIST-800-53", "CIS"]))
             .optional()
-            .describe("Frameworks to assess. Default: both"),
+            .describe("Frameworks to assess. Default: SOC2, ISO27001"),
+        collect_evidence: z.boolean().optional().describe("Collect evidence bundle for audit defensibility. Default: false"),
+        verify_audit_trail: z.boolean().optional().describe("Verify audit trail integrity. Default: false"),
+        store_evidence: z.boolean().optional().describe("Store evidence bundle to disk. Default: true if collecting"),
+        include_attestation: z.boolean().optional().describe("Include attestation section with methodology and scope. Default: true when audit features enabled"),
         output_format: z
-            .enum(["markdown", "json"])
+            .enum(["markdown", "json", "summary"])
             .optional()
             .describe("Output format. Default: markdown"),
     },
@@ -2207,7 +2423,7 @@ server.registerTool("compliance_multi_report", {
         idempotentHint: true,
         openWorldHint: false,
     },
-}, async ({ project_path, certification_id, frameworks, output_format }) => {
+}, async ({ project_path, certification_id, frameworks, collect_evidence, verify_audit_trail, store_evidence, include_attestation, output_format }) => {
     const certification = await getCertification(project_path, certification_id);
     if (!certification) {
         return errorResponse(`Certification ${certification_id} not found`);
@@ -2219,6 +2435,53 @@ server.registerTool("compliance_multi_report", {
         return errorResponse("No findings to assess. Run certification agents first.");
     }
     const selectedFrameworks = (frameworks || ["SOC2", "ISO27001"]);
+    // Check if audit-defensibility features are requested
+    const useAuditFeatures = collect_evidence || verify_audit_trail;
+    if (useAuditFeatures) {
+        // Use the full compliance bundle for audit-defensible reports
+        const result = await runComplianceAssessment({
+            projectPath: project_path,
+            findings: allFindings,
+            frameworks: selectedFrameworks,
+            certificationId: certification_id,
+            collectEvidence: collect_evidence ?? false,
+            verifyAuditTrail: verify_audit_trail ?? false,
+            storeEvidence: store_evidence !== false,
+            includeAttestation: include_attestation !== false,
+        });
+        if (output_format === "json") {
+            return jsonResponse({
+                status: result.status,
+                combinedScore: result.combinedScore,
+                frameworks: Object.fromEntries(Object.entries(result.reports).map(([fw, report]) => [
+                    fw,
+                    report ? {
+                        complianceScore: report.status.complianceScore,
+                        riskScore: report.status.riskScore,
+                        controlsNonCompliant: report.status.controlsNonCompliant,
+                    } : null,
+                ])),
+                auditVerification: result.auditVerification ? {
+                    verified: result.auditVerification.verified,
+                    chainIntegrity: result.auditVerification.chainIntegrity,
+                } : undefined,
+                evidenceBundle: result.evidenceBundle ? {
+                    id: result.evidenceBundle.id,
+                    bundleDigest: result.evidenceBundle.bundleDigest,
+                    signed: !!result.evidenceBundle.signature,
+                } : undefined,
+                evidencePath: result.evidencePath,
+                multiFrameworkReport: result.multiFrameworkReport,
+            });
+        }
+        else if (output_format === "summary") {
+            return textResponse(generateComplianceSummary(result));
+        }
+        else {
+            return textResponse(result.markdownReport);
+        }
+    }
+    // Standard report without audit features
     const report = generateMultiFrameworkReport(allFindings, selectedFrameworks, project_path, certification_id);
     if (output_format === "json") {
         return jsonResponse(report);
@@ -2232,10 +2495,10 @@ server.registerTool("compliance_multi_report", {
 // ---------------------------------------------------------------------------
 server.registerTool("compliance_controls", {
     title: "List Compliance Controls",
-    description: `List available compliance controls for a framework. Use to understand what controls are assessed and their mapping to finding categories.`,
+    description: `List available compliance controls for a framework. Use to understand what controls are assessed and their mapping to finding categories. Supports all major frameworks.`,
     inputSchema: {
         framework: z
-            .enum(["SOC2", "ISO27001"])
+            .enum(["SOC2", "ISO27001", "PCI-DSS", "HIPAA", "42-CFR-PART-2", "GDPR", "NIST-800-53", "CIS"])
             .describe("Compliance framework"),
         category: z
             .string()
@@ -2253,7 +2516,8 @@ server.registerTool("compliance_controls", {
     if (category) {
         controls = controls.filter((c) => c.category === category);
     }
-    const categories = framework === "SOC2" ? getSOC2Categories() : getISO27001Categories();
+    // Get unique categories from controls
+    const categories = [...new Set(controls.map((c) => c.category))].sort();
     return jsonResponse({
         framework,
         totalControls: controls.length,
@@ -2269,6 +2533,213 @@ server.registerTool("compliance_controls", {
     });
 });
 // ---------------------------------------------------------------------------
+// Tool: Healthcare Compliance Scan (HIPAA + 42 CFR Part 2)
+// ---------------------------------------------------------------------------
+server.registerTool("healthcare_compliance_scan", {
+    title: "Healthcare Compliance Assessment",
+    description: `Run a combined HIPAA and 42 CFR Part 2 compliance assessment. Generates audit-defensible reports with evidence collection and audit trail verification. Designed for SUD (Substance Use Disorder) and healthcare applications.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().optional().describe("Certification ID to use findings from"),
+        collect_evidence: z.boolean().optional().describe("Collect evidence bundle. Default: true"),
+        verify_audit_trail: z.boolean().optional().describe("Verify audit trail integrity. Default: true"),
+        store_evidence: z.boolean().optional().describe("Store evidence bundle to disk. Default: true"),
+        output_format: z.enum(["markdown", "json", "summary"]).optional().describe("Output format. Default: markdown"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, collect_evidence, verify_audit_trail, store_evidence, output_format }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const allFindings = [];
+        const certId = certification_id || undefined;
+        let certificationToUse;
+        if (certId) {
+            certificationToUse = await getCertification(validatedPath, certId);
+        }
+        else {
+            certificationToUse = await getLatestCertification(validatedPath);
+        }
+        if (certificationToUse) {
+            const agents = Object.keys(certificationToUse.agents);
+            for (const agent of agents) {
+                const agentData = certificationToUse.agents[agent];
+                if (agentData?.findings) {
+                    // Cast to any to avoid type conflicts between local and imported types
+                    allFindings.push(...agentData.findings);
+                }
+            }
+        }
+        // Run healthcare compliance assessment
+        const result = await runHealthcareComplianceAssessment({
+            projectPath: validatedPath,
+            // Healthcare bundle expects Finding[] from certification/types
+            findings: allFindings,
+            certificationId: certificationToUse?.metadata.id,
+            collectEvidence: collect_evidence !== false,
+            verifyAuditTrail: verify_audit_trail !== false,
+            storeEvidence: store_evidence !== false,
+        });
+        if (output_format === "json") {
+            return jsonResponse({
+                status: result.status,
+                combinedScore: result.combinedScore,
+                hipaaScore: result.hipaaReport.status.complianceScore,
+                cfr42Score: result.cfr42Report.status.complianceScore,
+                hipaaControls: {
+                    total: result.hipaaReport.status.totalControls,
+                    compliant: result.hipaaReport.status.controlsCovered,
+                    atRisk: result.hipaaReport.status.controlsAtRisk,
+                    nonCompliant: result.hipaaReport.status.controlsNonCompliant,
+                },
+                cfr42Controls: {
+                    total: result.cfr42Report.status.totalControls,
+                    compliant: result.cfr42Report.status.controlsCovered,
+                    atRisk: result.cfr42Report.status.controlsAtRisk,
+                    nonCompliant: result.cfr42Report.status.controlsNonCompliant,
+                },
+                auditTrailVerified: result.auditVerification?.verified,
+                evidenceBundleId: result.evidenceBundle?.id,
+                evidencePath: result.evidencePath,
+            });
+        }
+        else if (output_format === "summary") {
+            return textResponse(generateHealthcareComplianceSummary(result));
+        }
+        return textResponse(result.markdownReport);
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(error.message);
+        }
+        return errorResponse(`Healthcare compliance scan failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Verify Audit Trail
+// ---------------------------------------------------------------------------
+server.registerTool("verify_audit_trail", {
+    title: "Verify Audit Trail Integrity",
+    description: `Verify the tamper-evident audit trail by checking hash chains. Detects if any historical entries have been modified. Critical for healthcare compliance (HIPAA, 42 CFR Part 2) audit defensibility.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        output_format: z.enum(["markdown", "json"]).optional().describe("Output format. Default: markdown"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, output_format }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const result = await verifyHistoryIntegrity(validatedPath);
+        if (output_format === "json") {
+            return jsonResponse({
+                verified: result.verified,
+                projectPath: result.projectPath,
+                verifiedAt: result.verifiedAt,
+                totalEntries: result.totalEntries,
+                entriesVerified: result.entriesVerified,
+                entriesPassed: result.entriesPassed,
+                entriesFailed: result.entriesFailed,
+                chainIntegrity: result.chainIntegrity,
+                genesisHash: result.genesisHash,
+                headHash: result.headHash,
+                failures: result.failures,
+            });
+        }
+        return textResponse(formatVerificationResultAsMarkdown(result));
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(error.message);
+        }
+        return errorResponse(`Audit trail verification failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
+// Tool: Collect Evidence Bundle
+// ---------------------------------------------------------------------------
+server.registerTool("collect_evidence_bundle", {
+    title: "Collect Evidence Bundle",
+    description: `Collect and package audit evidence for compliance. Creates a cryptographically attested bundle of scan results, compliance reports, SBOM, and history snapshots. Essential for audit defensibility.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        certification_id: z.string().optional().describe("Certification ID to associate with"),
+        frameworks: z
+            .array(z.enum(["HIPAA", "42-CFR-PART-2", "SOC2", "ISO27001", "PCI-DSS", "GDPR", "NIST-800-53", "CIS"]))
+            .optional()
+            .describe("Compliance frameworks to include reports for"),
+        include_sbom: z.boolean().optional().describe("Include SBOM. Default: true"),
+        include_history: z.boolean().optional().describe("Include history snapshot. Default: true"),
+        include_scans: z.boolean().optional().describe("Include scan results. Default: true"),
+        store: z.boolean().optional().describe("Store bundle to disk. Default: true"),
+        output_format: z.enum(["markdown", "json"]).optional().describe("Output format. Default: markdown"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, certification_id, frameworks, include_sbom, include_history, include_scans, store, output_format }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const result = await collectEvidence({
+            projectPath: validatedPath,
+            certificationId: certification_id,
+            frameworks: frameworks,
+            includeSbom: include_sbom !== false,
+            includeHistory: include_history !== false,
+            includeScanResults: include_scans !== false,
+        });
+        if (!result.success || !result.bundle) {
+            return errorResponse(result.error || "Evidence collection failed");
+        }
+        let storedPath;
+        if (store !== false) {
+            storedPath = await storeEvidenceBundle(validatedPath, result.bundle);
+        }
+        if (output_format === "json") {
+            return jsonResponse({
+                success: true,
+                bundleId: result.bundle.id,
+                createdAt: result.bundle.createdAt,
+                artifactCount: result.bundle.artifacts.length,
+                bundleDigest: result.bundle.bundleDigest,
+                storedPath,
+                warnings: result.warnings,
+                artifacts: result.bundle.artifacts.map((a) => ({
+                    type: a.type,
+                    name: a.name,
+                    sizeBytes: a.sizeBytes,
+                    digest: a.contentDigest,
+                })),
+            });
+        }
+        let output = formatEvidenceBundleAsMarkdown(result.bundle);
+        if (storedPath) {
+            output += `\n\n**Stored at:** \`${storedPath}\``;
+        }
+        if (result.warnings.length > 0) {
+            output += `\n\n**Warnings:**\n${result.warnings.map((w) => `- ${w}`).join("\n")}`;
+        }
+        return textResponse(output);
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(error.message);
+        }
+        return errorResponse(`Evidence collection failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+});
+// ---------------------------------------------------------------------------
 // Tool: Generate SBOM
 // ---------------------------------------------------------------------------
 server.registerTool("sbom_generate", {
@@ -3212,7 +3683,11 @@ Maps findings to AI compliance frameworks (OWASP LLM, NIST AI RMF, EU AI Act).`,
     if (!authorized) {
         return errorResponse("Agent scanning requires explicit authorization. Set authorized=true to confirm you have permission to scan this target.");
     }
+    const startTime = Date.now();
     try {
+        // Track scan start via telemetry
+        const enabledScanners = scanners || AGENT_SCANNER_TYPES;
+        await trackCertificationStarted(target, enabledScanners, frameworks || [], "agent-cert");
         // Build scan target
         const scanTarget = {};
         if (target.startsWith("http://") || target.startsWith("https://")) {
@@ -3228,7 +3703,6 @@ Maps findings to AI compliance frameworks (OWASP LLM, NIST AI RMF, EU AI Act).`,
             scanTarget.npmPackage = target;
         }
         // Build scanner options
-        const enabledScanners = scanners || AGENT_SCANNER_TYPES;
         const scannerFlags = {
             manifestAudit: enabledScanners.includes("manifest-audit"),
             toolDrift: enabledScanners.includes("tool-description-drift"),
@@ -3267,6 +3741,28 @@ Maps findings to AI compliance frameworks (OWASP LLM, NIST AI RMF, EU AI Act).`,
         }
         // Generate summary
         const summary = generateAgentScannerSummary(result);
+        // Record scan in registry for analytics
+        const registry = getRegistry();
+        await registry.recordScan({
+            certificationId: certification_id,
+            projectPath: target,
+            scanDate: new Date().toISOString(),
+            level: result.certificationReadiness === "ready" ? "CERTIFIED"
+                : result.certificationReadiness === "needs-review" ? "REVIEW_REQUIRED"
+                    : "BLOCKED",
+            score: 100 - result.riskScore,
+            duration: Date.now() - startTime,
+            findingsSummary: result.bySeverity,
+            totalFindings: result.totalFindings,
+            scannersRun: result.scanners.map((s) => s.scanner),
+            frameworksAssessed: frameworks || [],
+            success: result.allSucceeded,
+            tags: ["agent-cert", "mcp-security"],
+        });
+        // Track individual scanner runs
+        for (const scanner of result.scanners) {
+            await trackScannerRun(target, scanner.scanner, scanner.duration || 0, scanner.findings.length, scanner.success);
+        }
         return jsonResponse({
             success: result.allSucceeded,
             target,