getSecureCodingChecklist

Implementation Reference

• server.ts:239-257 (handler)

  The async handler function for the 'getSecureCodingChecklist' tool, which returns a static markdown checklist for HIPAA-compliant secure coding practices.

      async () => {
          return {
              content: [{
                  type: 'text',
                  text: `
  # HIPAA Secure SDLC Checklist
  
  1.  **Data Minimization:** Does this feature only collect the minimum necessary PHI to function?
  2.  **Input Validation:** Are all inputs that could potentially contain PHI (e.g., text fields, file uploads) properly validated and sanitized to prevent injection attacks?
  3.  **Authentication & Authorization:** Is every endpoint that touches PHI protected with authentication? Does the code check if the authenticated user is authorized to access the specific record they are requesting?
  4.  **Secure Data Transmission:** Is all data, especially PHI, transmitted using strong, modern TLS (1.2+)?
  5.  **Secure Data Storage:** Is sensitive data encrypted at rest? Are you using platform-recommended secure storage APIs for tokens and keys?
  6.  **Audit Logging:** Does the code generate a detailed, immutable audit log for any action that creates, reads, updates, or deletes PHI? The log must include user ID, timestamp, and action taken.
  7.  **Error Handling & Information Disclosure:** Do error messages avoid revealing sensitive information (e.g., "User 'john.doe@email.com' not found" is a disclosure; "Invalid username or password" is not).
  8.  **Dependency Scanning:** Are you regularly scanning third-party libraries for known vulnerabilities?
  `
              }]
          };
      }

• server.ts:233-258 (registration)

  The registration of the 'getSecureCodingChecklist' tool using server.tool(), including schema (empty input) and inline handler.

  server.tool(
      'getSecureCodingChecklist',
      {
          description: 'Provides a checklist for developers to ensure HIPAA compliance throughout the Software Development Lifecycle (SDLC).',
          schema: z.object({}),
      },
      async () => {
          return {
              content: [{
                  type: 'text',
                  text: `
  # HIPAA Secure SDLC Checklist
  
  1.  **Data Minimization:** Does this feature only collect the minimum necessary PHI to function?
  2.  **Input Validation:** Are all inputs that could potentially contain PHI (e.g., text fields, file uploads) properly validated and sanitized to prevent injection attacks?
  3.  **Authentication & Authorization:** Is every endpoint that touches PHI protected with authentication? Does the code check if the authenticated user is authorized to access the specific record they are requesting?
  4.  **Secure Data Transmission:** Is all data, especially PHI, transmitted using strong, modern TLS (1.2+)?
  5.  **Secure Data Storage:** Is sensitive data encrypted at rest? Are you using platform-recommended secure storage APIs for tokens and keys?
  6.  **Audit Logging:** Does the code generate a detailed, immutable audit log for any action that creates, reads, updates, or deletes PHI? The log must include user ID, timestamp, and action taken.
  7.  **Error Handling & Information Disclosure:** Do error messages avoid revealing sensitive information (e.g., "User 'john.doe@email.com' not found" is a disclosure; "Invalid username or password" is not).
  8.  **Dependency Scanning:** Are you regularly scanning third-party libraries for known vulnerabilities?
  `
              }]
          };
      }
  );

• server.ts:237-237 (schema)

  The Zod schema for the tool, which accepts no input parameters.

  schema: z.object({}),