
secops_mcp_get_security_alerts_drops_fields_bug #266

Description

@barnabys-drew

get_security_alerts formatted output drops alert.id and feedbackSummary.verdict

secops_mcp 0.1.3. The formatter in secops_mcp/tools/security_alerts.py::get_security_alerts writes out Rule, Created, Status, Severity, and Associated Case per alert but never emits alert['id'] or alert['feedbackSummary']['verdict']. Both fields are present on the alert object — feedbackSummary['status'] and ['severityDisplay'] are already read from the same dict.

Without the de_* ID in the output, get_security_alert_by_id / do_update_security_alert can't be programmatically chained; agents have to fall back to search_rule_alerts and join on (rule_name, timestamp). Without the verdict, FP/TP-ratio analysis at the rule level is not expressible from this tool's output.

Repro — call returns five fields per alert, no ID, no verdict:

Alert 1:
Rule: GW_Phishing_Alert
Created: 2026-05-28T18:58:18.631512Z
Status: OPEN
Severity: Medium
Associated Case: fb3418c2-...

Underlying object contains alert['id'] = 'de_f47e71ca-...' and alert['feedbackSummary']['verdict'].

Fix (security_alerts.py ~line 135):

+alert_id = alert.get('id', 'Unknown')
+verdict = 'Unknown'
+if 'feedbackSummary' in alert and isinstance(alert['feedbackSummary'], dict):
+    verdict = alert['feedbackSummary'].get('verdict', 'Unknown')
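Review bot: the `'Unknown'` fallback for `alert_id` works against the stated goal of programmatic chaining; a caller reading the formatted block cannot tell a missing ID from a real one without pattern-matching on the `de_` prefix. Consider falling back to an empty value (or omitting the `Alert ID:` line) when `alert.get('id')` is absent, and keep `'Unknown'` only for the display-oriented `verdict`, where the `isinstance(..., dict)` guard correctly covers a `None` or non-dict `feedbackSummary`.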

+result += f'Alert ID: {alert_id}\n'
 result += f'Rule: {rule_name}\n'
 result += f'Created: {created_time}\n'
 result += f'Status: {status}\n'
+result += f'Verdict: {verdict}\n'
 result += f'Severity: {severity}\n'
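Review bot: the two new lines change the per-alert block an agent is expected to parse, but nothing in the patch updates the tool's description or docstring; since the point of emitting `Alert ID` is that it feeds `get_security_alert_by_id` / `do_update_security_alert`, the description the agent sees should name the field and say the ID is the value to pass on, and should list `Verdict` alongside `Status` and `Severity`.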

Aside: return json.dumps(result) (line 148) ships a JSON-encoded string of a string. Worth switching this and similar tools to return structured Dict[str, Any] so callers don't have to regex out fields.
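An added example, not code from the secops_mcp project or from this issue, of the structured output the aside argues for, carried through to the two uses named above: chaining on the alert ID and computing per-rule verdict counts. The alert shape follows only what the issue shows (alert['id'] and a feedbackSummary dict with status, severityDisplay and verdict); the keys ruleName, createdTime and caseId, the verdict strings, and the sample alerts are assumptions constructed for the example.

```python
"""Structured alert formatter (added example; not secops_mcp code).

Assumed alert shape: alert['id'] plus alert['feedbackSummary'] carrying
'status', 'severityDisplay' and 'verdict', as the issue describes. The keys
'ruleName', 'createdTime' and 'caseId' are hypothetical stand-ins for the
fields the real formatter reads for Rule, Created and Associated Case.
"""
from collections import Counter
from typing import Any, Dict, List, Optional

UNKNOWN = "Unknown"


def summarize_alert(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten one alert into the fields an agent needs.

    A missing or non-dict feedbackSummary must not raise: the formatter has
    to emit every alert. The id is left as None when absent so callers can
    test for it instead of matching the string 'Unknown'.
    """
    feedback = alert.get("feedbackSummary")
    if not isinstance(feedback, dict):
        feedback = {}
    return {
        "id": alert.get("id"),
        "rule": alert.get("ruleName", UNKNOWN),         # hypothetical key
        "created": alert.get("createdTime", UNKNOWN),   # hypothetical key
        "status": feedback.get("status", UNKNOWN),
        "verdict": feedback.get("verdict", UNKNOWN),
        "severity": feedback.get("severityDisplay", UNKNOWN),
        "case_id": alert.get("caseId", UNKNOWN),        # hypothetical key
    }


def format_alerts(alerts: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Return the structured rows and the human-readable text in one dict,
    so a caller never has to regex the text to recover a field."""
    rows = [summarize_alert(a) for a in alerts]
    lines: List[str] = []
    for n, r in enumerate(rows, 1):
        lines.append(f"Alert {n}:")
        lines.append(f"Alert ID: {r['id'] or UNKNOWN}")
        lines.append(f"Rule: {r['rule']}")
        lines.append(f"Created: {r['created']}")
        lines.append(f"Status: {r['status']}")
        lines.append(f"Verdict: {r['verdict']}")
        lines.append(f"Severity: {r['severity']}")
        lines.append(f"Associated Case: {r['case_id']}")
        lines.append("")
    return {"alerts": rows, "text": "\n".join(lines)}


def chainable_ids(rows: List[Dict[str, Any]]) -> List[str]:
    """IDs usable with a by-ID lookup: present and of the de_ form the issue shows."""
    return [r["id"] for r in rows
            if isinstance(r["id"], str) and r["id"].startswith("de_")]


def verdict_counts_by_rule(rows: List[Dict[str, Any]]) -> Dict[str, Dict[str, int]]:
    """Per-rule verdict histogram; the FP/TP ratio falls out of these counts."""
    counts: Dict[str, Counter] = {}
    for r in rows:
        counts.setdefault(r["rule"], Counter())[r["verdict"]] += 1
    return {rule: dict(c) for rule, c in counts.items()}


def fp_ratio(counts: Dict[str, int],
             fp: str = "FALSE_POSITIVE", tp: str = "TRUE_POSITIVE") -> Optional[float]:
    """FP / (FP + TP) for one rule; None when no verdict has been recorded.
    The verdict strings are assumed values, not ones the issue documents."""
    total = counts.get(fp, 0) + counts.get(tp, 0)
    return None if total == 0 else counts.get(fp, 0) / total


# Constructed sample alerts (not real data). The last two are the edge cases
# the formatter must tolerate: a None feedbackSummary and a missing id.
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {"id": "de_0001", "ruleName": "GW_Phishing_Alert", "createdTime": "2026-05-28T18:58:18Z",
     "caseId": "case-1",
     "feedbackSummary": {"status": "OPEN", "severityDisplay": "Medium", "verdict": "TRUE_POSITIVE"}},
    {"id": "de_0002", "ruleName": "GW_Phishing_Alert", "createdTime": "2026-05-28T19:00:00Z",
     "caseId": "case-2",
     "feedbackSummary": {"status": "CLOSED", "severityDisplay": "Low", "verdict": "FALSE_POSITIVE"}},
    {"id": "de_0003", "ruleName": "GW_Phishing_Alert", "createdTime": "2026-05-28T19:05:00Z",
     "caseId": "case-3",
     "feedbackSummary": {"status": "OPEN", "severityDisplay": "Medium", "verdict": "FALSE_POSITIVE"}},
    {"id": "de_0004", "ruleName": "Other_Rule", "createdTime": "2026-05-28T19:10:00Z",
     "caseId": "case-4", "feedbackSummary": None},
    {"ruleName": "Other_Rule", "createdTime": "2026-05-28T19:12:00Z", "caseId": "case-5",
     "feedbackSummary": {"status": "OPEN", "severityDisplay": "High", "verdict": "TRUE_POSITIVE"}},
]

if __name__ == "__main__":
    out = format_alerts(SAMPLE_ALERTS)
    print(out["text"])
    print("chainable:", chainable_ids(out["alerts"]))
    for rule, c in verdict_counts_by_rule(out["alerts"]).items():
        print(rule, c, "FP ratio:", fp_ratio(c))
```

Returning the dict and the text together keeps the existing human-readable block for agents that already read it, while the structured rows carry the ID and verdict without any parsing. Leaving a missing id as None rather than a sentinel string is deliberate: a by-ID lookup should be skipped for such alerts, not attempted with the literal 'Unknown'.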
