MCP Shamash

Instructions

Implementation Reference

• src/core/server.ts:157-171 (registration)

  Tool registration including name, description, and input schema in the ListTools response.

  {
    name: 'generate_remediation',
    description: 'Generate actionable remediation advice for findings',
    inputSchema: {
      type: 'object',
      properties: {
        findingIds: {
          type: 'array',
          items: { type: 'string' },
          description: 'IDs of findings to generate remediation for'
        },
      },
      required: [],
    },
  },

• src/core/server.ts:528-552 (handler)

  The main handler function for the 'generate_remediation' tool, which delegates to RemediationAdvisor.

  private async handleGenerateRemediation(_args: any): Promise<any> {
    // Get recent scan results or specific findings
    // For demo, we'll generate advice for sample findings
    const sampleFindings = [
      {
        id: 'sample_001',
        type: 'dependency',
        severity: 'high' as const,
        title: 'Vulnerable dependency: lodash@4.17.19',
        description: 'Known security vulnerability CVE-2021-23337',
        location: { file: 'package.json' },
        cve: 'CVE-2021-23337',
      },
    ];
  
    const plan = await this.remediationAdvisor.generateRemediationPlan(sampleFindings);
    const markdown = this.remediationAdvisor.generateMarkdownReport(plan);
  
    return {
      status: 'success',
      remediations: plan.remediations.length,
      summary: plan.summary,
      report: markdown,
    };
  }

• src/advisor/remediation-advisor.ts:177-209 (handler)

  Core implementation of remediation plan generation, called by the tool handler.

  async generateRemediationPlan(findings: Finding[]): Promise<RemediationPlan> {
    const remediations: RemediationAdvice[] = [];
    
    for (const finding of findings) {
      const advice = await this.generateRemediationAdvice(finding);
      remediations.push(advice);
    }
  
    // Categorize by priority
    const prioritizedActions = {
      immediate: remediations.filter(r => r.priority === 'immediate'),
      high: remediations.filter(r => r.priority === 'high'),
      medium: remediations.filter(r => r.priority === 'medium'),
      low: remediations.filter(r => r.priority === 'low'),
    };
  
    // Calculate summary
    const autoFixable = remediations.filter(r => r.effort === 'trivial').length;
    const immediateActions = prioritizedActions.immediate.length;
    const totalEffort = this.calculateTotalEffort(remediations);
  
    return {
      findings,
      remediations,
      summary: {
        totalFindings: findings.length,
        autoFixable,
        immediateActions,
        estimatedEffort: totalEffort,
      },
      prioritizedActions,
    };
  }

• src/advisor/remediation-advisor.ts:19-34 (schema)

  Type definition for the RemediationPlan output structure.

  export interface RemediationPlan {
    findings: Finding[];
    remediations: RemediationAdvice[];
    summary: {
      totalFindings: number;
      autoFixable: number;
      immediateActions: number;
      estimatedEffort: string;
    };
    prioritizedActions: {
      immediate: RemediationAdvice[];
      high: RemediationAdvice[];
      medium: RemediationAdvice[];
      low: RemediationAdvice[];
    };
  }

• src/advisor/remediation-advisor.ts:211-251 (helper)

  Helper function that generates detailed remediation advice for individual findings.

  private async generateRemediationAdvice(finding: Finding): Promise<RemediationAdvice> {
    // Determine remediation type based on finding
    const remediationType = this.determineRemediationType(finding);
    const baseRemediation = this.remediationDatabase.get(remediationType);
  
    // Determine priority based on severity
    const priority = this.determinePriority(finding);
  
    // Build customized advice
    const advice: RemediationAdvice = {
      findingId: finding.id,
      priority,
      effort: baseRemediation?.effort || this.estimateEffort(finding),
      automaticFix: baseRemediation?.automaticFix,
      manualSteps: baseRemediation?.manualSteps,
      codeExample: baseRemediation?.codeExample,
      references: baseRemediation?.references || this.getDefaultReferences(finding.type),
      estimatedTime: baseRemediation?.estimatedTime || this.estimateTime(finding),
      tools: baseRemediation?.tools,
      preventionTips: this.generatePreventionTips(finding),
    };
  
    // Customize advice based on specific finding details
    if (finding.type === 'dependency' && finding.cve) {
      advice.automaticFix = `Update to version that patches ${finding.cve}`;
      advice.references = [
        `https://nvd.nist.gov/vuln/detail/${finding.cve}`,
        ...advice.references || [],
      ];
    }
  
    if (finding.type === 'secret') {
      advice.priority = 'immediate'; // Secrets are always immediate priority
      advice.manualSteps = [
        `Immediately rotate the exposed ${this.identifySecretType(finding.title)}`,
        ...advice.manualSteps || [],
      ];
    }
  
    return advice;
  }