@cloudcraftwithfranck/govcloud-mcp

bicep_remediate

Auto-remediate Azure Bicep code to meet FedRAMP or DoD IL compliance, returning hardened Bicep with a change log mapping each modification to the NIST 800-53 control it addresses.

Instructions

Auto-remediate Azure Bicep code to meet FedRAMP or DoD IL compliance targets. Returns hardened Bicep with a change log mapping each modification to the NIST 800-53 control it addresses.

Input Schema

TableJSON Schema

Name	Required	Description
`bicepCode`	Yes	The Bicep code to harden
`targetLevel`	No	Compliance target level
`analysisJson`	No	Optional: previous bicep_analyze output to avoid re-analysis

Implementation Reference

src/tools/compliance/bicep-remediate.ts:38-104 (handler)

The main handler function that executes the bicep_remediate tool logic. It first tries the site API (/api/bicep-remediate) for remediation, and falls back to a direct Claude call using the Anthropic API. Returns hardened Bicep code with score improvement and changelog mapping changes to NIST 800-53 controls.

export async function handleBicepRemediate(args: unknown): Promise<string> {
  return runTool('bicep_remediate', args, Schema, async ({ bicepCode, targetLevel, analysisJson }) => {
    // Try site API first; fall back to direct Claude call
    try {
      const data = (await callSiteApi('/api/bicep-remediate', {
        bicepCode,
        targetLevel,
        analysisJson,
      })) as { hardenedBicep?: string; changelog?: unknown[]; scoreBefore?: number; scoreAfter?: number };

      const lines: string[] = [];
      lines.push(`## Hardened Bicep — ${(targetLevel ?? 'fedramp-high').toUpperCase()}`);
      lines.push('');
      if (data.scoreBefore !== undefined && data.scoreAfter !== undefined) {
        lines.push(`**Score:** ${data.scoreBefore}/100 → ${data.scoreAfter}/100`);
        lines.push('');
      }
      if (data.hardenedBicep) {
        lines.push('### Hardened Bicep');
        lines.push('');
        lines.push('```bicep');
        lines.push(data.hardenedBicep);
        lines.push('```');
        lines.push('');
      }
      if (data.changelog && Array.isArray(data.changelog) && data.changelog.length > 0) {
        lines.push('### Change Log');
        lines.push('');
        lines.push('| Change | Control ID | Rationale |');
        lines.push('|--------|-----------|-----------|');
        for (const entry of data.changelog as Array<{ change?: string; controlId?: string; rationale?: string }>) {
          lines.push(`| ${entry.change ?? ''} | ${entry.controlId ?? ''} | ${entry.rationale ?? ''} |`);
        }
      }
      return lines.join('\n');
    } catch {
      // Fall back to Claude for remediation if site API not available
      const contextPrompt = analysisJson
        ? `\n\nPrevious analysis:\n${analysisJson}`
        : '';

      const response = await anthropic.messages.create({
        model: MODEL,
        max_tokens: getTokenBudget('bicep_remediate'),
        system:
          BASE_SYSTEM_PROMPT +
          `\n\nYou are remediating Bicep code for ${targetLevel} compliance. Return:
1. The complete hardened Bicep code block
2. Score improvement estimate (before → after)
3. Changelog table: | Change | Control ID | Rationale |

Map every change to the specific NIST 800-53 Rev 5 control it addresses.`,
        messages: [
          {
            role: 'user',
            content: `Harden this Bicep code for ${targetLevel} compliance:${contextPrompt}

\`\`\`bicep
${bicepCode}
\`\`\``,
          },
        ],
      });
      return response.content[0].type === 'text' ? response.content[0].text : '';
    }
  });
}

src/tools/compliance/bicep-remediate.ts:30-36 (schema)
Zod validation schema for bicep_remediate inputs: bicepCode (required, max 20k chars), targetLevel (enum: fedramp-moderate/high/il4/il5, default fedramp-high), analysisJson (optional, max 20k chars).
```
const Schema = z.object({
  bicepCode: z.string().min(1).max(20000),
  targetLevel: z
    .enum(['fedramp-moderate', 'fedramp-high', 'il4', 'il5'])
    .default('fedramp-high'),
  analysisJson: z.string().max(20000).optional(),
});
```

src/tools/compliance/bicep-remediate.ts:5-28 (registration)

Tool definition/registration object with name 'bicep_remediate', description, and input JSON Schema (type, properties, required fields).

export const bicepRemediateTool = {
  name: 'bicep_remediate',
  description:
    'Auto-remediate Azure Bicep code to meet FedRAMP or DoD IL compliance targets. Returns hardened Bicep with a change log mapping each modification to the NIST 800-53 control it addresses.',
  inputSchema: {
    type: 'object' as const,
    properties: {
      bicepCode: {
        type: 'string',
        description: 'The Bicep code to harden',
      },
      targetLevel: {
        type: 'string',
        enum: ['fedramp-moderate', 'fedramp-high', 'il4', 'il5'],
        description: 'Compliance target level',
      },
      analysisJson: {
        type: 'string',
        description: 'Optional: previous bicep_analyze output to avoid re-analysis',
      },
    },
    required: ['bicepCode'],
  },
};

src/tools/index.ts:2-87 (registration)

Import of bicepRemediateTool and handleBicepRemediate from the compliance module, and line 32 adds it to the allTools array for MCP registration.

import { bicepRemediateTool, handleBicepRemediate } from './compliance/bicep-remediate.js';
import { controlLookupTool, handleControlLookup } from './compliance/control-lookup.js';
import { controlNarrativeTool, handleControlNarrative } from './compliance/control-narrative.js';
import { poamGenerateTool, handlePoamGenerate } from './compliance/poam-generate.js';
import { atoReadinessTool, handleAtoReadiness } from './compliance/ato-readiness.js';
import { oscalFragmentTool, handleOscalFragment } from './compliance/oscal-fragment.js';

import { landingZoneTool, handleLandingZone } from './architecture/landing-zone-design.js';
import { landingZoneReferenceTool, handleLandingZoneReference } from './architecture/landing-zone-reference.js';
import { serviceSelectTool, handleServiceSelect } from './architecture/azure-service-selector.js';
import { gccHighTool, handleGccHigh } from './architecture/gcc-high-guidance.js';
import { privateEndpointTool, handlePrivateEndpoint } from './architecture/private-endpoint-map.js';

import { bigbangValidateTool, handleBigbangValidate } from './platform-one/bigbang-validate.js';
import { bigbangHardenTool, handleBigbangHarden } from './platform-one/bigbang-harden.js';
import { ironbankLookupTool, handleIronbankLookup } from './platform-one/ironbank-lookup.js';
import { addonConfiguratorTool, handleAddonConfigurator } from './platform-one/addon-configurator.js';

import { pipelineAuditTool, handlePipelineAudit } from './pipeline/pipeline-audit.js';
import { signingConfigTool, handleSigningConfig } from './pipeline/signing-config.js';
import { devsecopsScoreCardTool, handleDevsecopsScorecard } from './pipeline/devsecops-scorecard.js';

import { sspSectionTool, handleSspSection } from './documents/ssp-section.js';
import { contingencyPlanTool, handleContingencyPlan } from './documents/contingency-plan.js';

import { govcloudQuickstartTool, handleGovcloudQuickstart } from './govcloud-quickstart.js';

export const allTools = [
  // Compliance
  bicepAnalyzeTool,
  bicepRemediateTool,
  controlLookupTool,
  controlNarrativeTool,
  poamGenerateTool,
  atoReadinessTool,
  oscalFragmentTool,
  // Architecture
  landingZoneTool,
  landingZoneReferenceTool,
  serviceSelectTool,
  gccHighTool,
  privateEndpointTool,
  // Platform One
  bigbangValidateTool,
  bigbangHardenTool,
  ironbankLookupTool,
  addonConfiguratorTool,
  // Pipeline
  pipelineAuditTool,
  signingConfigTool,
  devsecopsScoreCardTool,
  // Documents
  sspSectionTool,
  contingencyPlanTool,
  // Meta
  govcloudQuickstartTool,
];

export async function handleToolCall(name: string, args: unknown): Promise<string> {
  switch (name) {
    case 'bicep_analyze':         return handleBicepAnalyze(args);
    case 'bicep_remediate':       return handleBicepRemediate(args);
    case 'control_lookup':        return handleControlLookup(args);
    case 'control_narrative':     return handleControlNarrative(args);
    case 'poam_generate':         return handlePoamGenerate(args);
    case 'ato_readiness':         return handleAtoReadiness(args);
    case 'oscal_fragment':        return handleOscalFragment(args);
    case 'landing_zone_design':   return handleLandingZone(args);
    case 'landing_zone_reference': return handleLandingZoneReference(args);
    case 'azure_service_selector': return handleServiceSelect(args);
    case 'gcc_high_guidance':     return handleGccHigh(args);
    case 'private_endpoint_map':  return handlePrivateEndpoint(args);
    case 'bigbang_validate':      return handleBigbangValidate(args);
    case 'bigbang_harden':        return handleBigbangHarden(args);
    case 'ironbank_lookup':       return handleIronbankLookup(args);
    case 'addon_configurator':    return handleAddonConfigurator(args);
    case 'pipeline_audit':        return handlePipelineAudit(args);
    case 'signing_config':        return handleSigningConfig(args);
    case 'devsecops_scorecard':   return handleDevsecopsScorecard(args);
    case 'ssp_section':           return handleSspSection(args);
    case 'contingency_plan':      return handleContingencyPlan(args);
    case 'govcloud_quickstart':   return handleGovcloudQuickstart(args);
    default:
      throw new Error(`Unknown tool: ${name}`);
  }
}

src/utils/tool-runner.ts:13-14 (helper)
Token budget configuration for bicep_remediate (8192 tokens) and timeout setting (60000ms on line 54). Also line 82-110 defines the runTool helper used by the handler.
```
bicep_remediate: 8192,
landing_zone_design: 6144,
```

Tool Definition Quality

A3.8/5.0

Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations, the description carries the full burden for behavioral disclosure. It states the tool returns hardened Bicep with a change log, indicating it modifies code. However, it does not mention potential side effects, auth requirements, or rate limits, leaving some behavioral traits undocumented.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is two sentences, both essential and front-loaded with the core function. Every word adds value, with no redundancy or filler, making it highly efficient.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a tool with 3 parameters and no output schema or annotations, the description adequately explains purpose and output. It covers the main use case and return format, though it could clarify optional parameter usage (analysisJson) and error conditions.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 100%, so the schema already documents all three parameters. The description adds context about the output (change log mapping to NIST 800-53) but does not elaborate on parameter semantics beyond the schema, such as how analysisJson affects behavior.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool auto-remediates Azure Bicep code to meet FedRAMP or DoD IL compliance targets, specifying the verb, resource, and compliance scope. It distinguishes itself from siblings like bicep_analyze by explicitly referencing remediation with a change log.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage for hardening Bicep after analysis, but lacks explicit when-to-use or when-not-to-use guidance. It does not mention alternatives like bicep_analyze for analysis or other remediation tools, leaving the decision to the agent's inference.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/cloudcwfranck/govcloud-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server