@ansvar/us-regulations-mcp 1.0.0

package/data/seed/mappings/hipaa-nist-800-53.json

@@ -0,0 +1,377 @@
+{
+  "framework": "NIST_800_53_R5",
+  "regulation": "HIPAA",
+  "generated_at": "2026-01-29",
+  "generated_by": "claude-sonnet-4-5",
+  "description": "Mapping of HIPAA Security Rule requirements to NIST 800-53 Rev 5 controls",
+  "mappings": [
+    {
+      "section_number": "164.308(a)(1)",
+      "control_id": "RA-1",
+      "control_name": "Risk Assessment Policy and Procedures",
+      "coverage": "full",
+      "confidence": 95,
+      "rationale": "HIPAA requires security management process including risk analysis"
+    },
+    {
+      "section_number": "164.308(a)(1)(ii)(A)",
+      "control_id": "RA-3",
+      "control_name": "Risk Assessment",
+      "coverage": "full",
+      "confidence": 98,
+      "rationale": "Directly requires risk assessment of ePHI threats and vulnerabilities"
+    },
+    {
+      "section_number": "164.308(a)(1)(ii)(B)",
+      "control_id": "RA-5",
+      "control_name": "Vulnerability Monitoring and Scanning",
+      "coverage": "partial",
+      "confidence": 85,
+      "rationale": "Risk management requires ongoing vulnerability identification"
+    },
+    {
+      "section_number": "164.308(a)(3)",
+      "control_id": "AC-1",
+      "control_name": "Access Control Policy and Procedures",
+      "coverage": "full",
+      "confidence": 97,
+      "rationale": "HIPAA requires workforce access control policies and procedures"
+    },
+    {
+      "section_number": "164.308(a)(3)(ii)(A)",
+      "control_id": "AC-2",
+      "control_name": "Account Management",
+      "coverage": "partial",
+      "confidence": 90,
+      "rationale": "Requires procedures for granting access to ePHI"
+    },
+    {
+      "section_number": "164.308(a)(3)(ii)(B)",
+      "control_id": "AC-5",
+      "control_name": "Separation of Duties",
+      "coverage": "related",
+      "confidence": 75,
+      "rationale": "Workforce clearance procedures relate to separation of duties"
+    },
+    {
+      "section_number": "164.308(a)(3)(ii)(C)",
+      "control_id": "AC-6",
+      "control_name": "Least Privilege",
+      "coverage": "partial",
+      "confidence": 88,
+      "rationale": "Requires termination procedures limiting access rights"
+    },
+    {
+      "section_number": "164.308(a)(4)",
+      "control_id": "AT-1",
+      "control_name": "Security Awareness and Training Policy",
+      "coverage": "full",
+      "confidence": 96,
+      "rationale": "HIPAA mandates security awareness and training program"
+    },
+    {
+      "section_number": "164.308(a)(5)(ii)(B)",
+      "control_id": "AU-6",
+      "control_name": "Audit Record Review, Analysis, and Reporting",
+      "coverage": "partial",
+      "confidence": 82,
+      "rationale": "Protection from malicious software requires log monitoring"
+    },
+    {
+      "section_number": "164.308(a)(5)(ii)(C)",
+      "control_id": "AU-2",
+      "control_name": "Event Logging",
+      "coverage": "partial",
+      "confidence": 85,
+      "rationale": "Log-in monitoring procedures require event logging"
+    },
+    {
+      "section_number": "164.308(a)(6)",
+      "control_id": "IR-1",
+      "control_name": "Incident Response Policy and Procedures",
+      "coverage": "full",
+      "confidence": 94,
+      "rationale": "HIPAA requires security incident procedures"
+    },
+    {
+      "section_number": "164.308(a)(6)(ii)",
+      "control_id": "IR-4",
+      "control_name": "Incident Handling",
+      "coverage": "full",
+      "confidence": 93,
+      "rationale": "Requires identifying and responding to security incidents"
+    },
+    {
+      "section_number": "164.308(a)(7)",
+      "control_id": "CP-1",
+      "control_name": "Contingency Planning Policy and Procedures",
+      "coverage": "full",
+      "confidence": 95,
+      "rationale": "HIPAA mandates contingency plan for emergencies"
+    },
+    {
+      "section_number": "164.308(a)(7)(ii)(A)",
+      "control_id": "CP-2",
+      "control_name": "Contingency Plan",
+      "coverage": "full",
+      "confidence": 94,
+      "rationale": "Requires data backup plan"
+    },
+    {
+      "section_number": "164.308(a)(7)(ii)(B)",
+      "control_id": "CP-9",
+      "control_name": "System Backup",
+      "coverage": "full",
+      "confidence": 96,
+      "rationale": "Requires disaster recovery plan with backups"
+    },
+    {
+      "section_number": "164.308(a)(7)(ii)(D)",
+      "control_id": "CP-10",
+      "control_name": "System Recovery and Reconstitution",
+      "coverage": "full",
+      "confidence": 92,
+      "rationale": "Requires emergency mode operation plan"
+    },
+    {
+      "section_number": "164.308(a)(8)",
+      "control_id": "CA-2",
+      "control_name": "Control Assessments",
+      "coverage": "partial",
+      "confidence": 80,
+      "rationale": "Evaluation standard requires periodic technical and non-technical assessments"
+    },
+    {
+      "section_number": "164.308(b)(1)",
+      "control_id": "SA-9",
+      "control_name": "External System Services",
+      "coverage": "partial",
+      "confidence": 87,
+      "rationale": "Business associate contracts govern external service providers"
+    },
+    {
+      "section_number": "164.312(a)(1)",
+      "control_id": "AC-3",
+      "control_name": "Access Enforcement",
+      "coverage": "full",
+      "confidence": 95,
+      "rationale": "Technical controls must enforce access authorization"
+    },
+    {
+      "section_number": "164.312(a)(2)(i)",
+      "control_id": "IA-2",
+      "control_name": "Identification and Authentication",
+      "coverage": "full",
+      "confidence": 97,
+      "rationale": "Requires unique user identification for ePHI access"
+    },
+    {
+      "section_number": "164.312(a)(2)(iii)",
+      "control_id": "AC-12",
+      "control_name": "Session Termination",
+      "coverage": "full",
+      "confidence": 91,
+      "rationale": "Requires automatic logoff after predetermined time"
+    },
+    {
+      "section_number": "164.312(a)(2)(iv)",
+      "control_id": "SC-10",
+      "control_name": "Network Disconnect",
+      "coverage": "partial",
+      "confidence": 78,
+      "rationale": "Encryption and decryption relates to secure connections"
+    },
+    {
+      "section_number": "164.312(b)",
+      "control_id": "AU-9",
+      "control_name": "Protection of Audit Information",
+      "coverage": "partial",
+      "confidence": 86,
+      "rationale": "Audit controls protect log integrity"
+    },
+    {
+      "section_number": "164.312(c)(1)",
+      "control_id": "SC-13",
+      "control_name": "Cryptographic Protection",
+      "coverage": "partial",
+      "confidence": 88,
+      "rationale": "Integrity controls for ePHI authentication"
+    },
+    {
+      "section_number": "164.312(d)",
+      "control_id": "PE-3",
+      "control_name": "Physical Access Control",
+      "coverage": "related",
+      "confidence": 72,
+      "rationale": "Person or entity authentication relates to physical access"
+    },
+    {
+      "section_number": "164.312(e)(1)",
+      "control_id": "SC-8",
+      "control_name": "Transmission Confidentiality and Integrity",
+      "coverage": "full",
+      "confidence": 94,
+      "rationale": "Technical security measures for ePHI transmission"
+    },
+    {
+      "section_number": "164.312(e)(2)(i)",
+      "control_id": "IA-5",
+      "control_name": "Authenticator Management",
+      "coverage": "partial",
+      "confidence": 83,
+      "rationale": "Integrity controls ensure authentication mechanisms"
+    },
+    {
+      "section_number": "164.312(e)(2)(ii)",
+      "control_id": "SC-8(1)",
+      "control_name": "Transmission Confidentiality - Cryptographic Protection",
+      "coverage": "partial",
+      "confidence": 89,
+      "rationale": "Encryption addressable specification for transmission security"
+    },
+    {
+      "section_number": "164.310(a)(1)",
+      "control_id": "PE-2",
+      "control_name": "Physical Access Authorizations",
+      "coverage": "full",
+      "confidence": 93,
+      "rationale": "HIPAA requires facility access controls"
+    },
+    {
+      "section_number": "164.310(a)(2)(ii)",
+      "control_id": "PE-6",
+      "control_name": "Monitoring Physical Access",
+      "coverage": "partial",
+      "confidence": 84,
+      "rationale": "Facility security plan includes access monitoring"
+    },
+    {
+      "section_number": "164.310(b)",
+      "control_id": "PE-16",
+      "control_name": "Delivery and Removal",
+      "coverage": "related",
+      "confidence": 74,
+      "rationale": "Workstation use standard relates to equipment controls"
+    },
+    {
+      "section_number": "164.310(c)",
+      "control_id": "PE-17",
+      "control_name": "Alternate Work Site",
+      "coverage": "partial",
+      "confidence": 79,
+      "rationale": "Workstation security addresses location-based controls"
+    },
+    {
+      "section_number": "164.310(d)(1)",
+      "control_id": "MP-6",
+      "control_name": "Media Sanitization",
+      "coverage": "full",
+      "confidence": 92,
+      "rationale": "Device and media controls require sanitization procedures"
+    },
+    {
+      "section_number": "164.310(d)(2)(i)",
+      "control_id": "MP-5",
+      "control_name": "Media Transport",
+      "coverage": "partial",
+      "confidence": 81,
+      "rationale": "Disposal procedures include secure media handling"
+    },
+    {
+      "section_number": "164.310(d)(2)(iii)",
+      "control_id": "MP-2",
+      "control_name": "Media Access",
+      "coverage": "partial",
+      "confidence": 76,
+      "rationale": "Accountability standard relates to media access controls"
+    },
+    {
+      "section_number": "164.308(a)(4)(ii)(A)",
+      "control_id": "AT-2",
+      "control_name": "Literacy Training and Awareness",
+      "coverage": "full",
+      "confidence": 91,
+      "rationale": "Security reminders required for workforce"
+    },
+    {
+      "section_number": "164.308(a)(4)(ii)(B)",
+      "control_id": "AT-3",
+      "control_name": "Role-Based Training",
+      "coverage": "partial",
+      "confidence": 85,
+      "rationale": "Protection from malicious software training relates to role-based security"
+    },
+    {
+      "section_number": "164.308(a)(4)(ii)(C)",
+      "control_id": "AT-4",
+      "control_name": "Training Records",
+      "coverage": "related",
+      "confidence": 70,
+      "rationale": "Log-in monitoring relates to documenting training"
+    },
+    {
+      "section_number": "164.314(a)(1)",
+      "control_id": "SA-9(2)",
+      "control_name": "External System Services - Identification of Functions",
+      "coverage": "partial",
+      "confidence": 82,
+      "rationale": "Business associate agreements specify service functions"
+    },
+    {
+      "section_number": "164.314(a)(2)(i)",
+      "control_id": "CA-3",
+      "control_name": "Information Exchange",
+      "coverage": "partial",
+      "confidence": 78,
+      "rationale": "Data use agreements govern information exchange"
+    },
+    {
+      "section_number": "164.316(a)",
+      "control_id": "PL-1",
+      "control_name": "Policy and Procedures",
+      "coverage": "full",
+      "confidence": 96,
+      "rationale": "HIPAA mandates security policies and procedures"
+    },
+    {
+      "section_number": "164.316(b)(1)",
+      "control_id": "CM-3",
+      "control_name": "Configuration Change Control",
+      "coverage": "partial",
+      "confidence": 77,
+      "rationale": "Documentation requirements include change management"
+    },
+    {
+      "section_number": "164.316(b)(2)(i)",
+      "control_id": "AU-11",
+      "control_name": "Audit Record Retention",
+      "coverage": "full",
+      "confidence": 90,
+      "rationale": "HIPAA requires 6-year retention of documentation"
+    },
+    {
+      "section_number": "164.308(a)(2)",
+      "control_id": "PS-2",
+      "control_name": "Position Risk Designation",
+      "coverage": "related",
+      "confidence": 73,
+      "rationale": "Assigned security responsibility relates to position risk"
+    },
+    {
+      "section_number": "164.308(a)(3)(i)",
+      "control_id": "AC-1",
+      "control_name": "Access Control Policy",
+      "coverage": "full",
+      "confidence": 94,
+      "rationale": "Authorization/supervision standard requires access policies"
+    },
+    {
+      "section_number": "164.308(a)(5)(ii)(A)",
+      "control_id": "SI-3",
+      "control_name": "Malicious Code Protection",
+      "coverage": "partial",
+      "confidence": 87,
+      "rationale": "Protection from malicious software procedures"
+    }
+  ]
+}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/dist/index.js

@@ -0,0 +1,41 @@
+#!/usr/bin/env node
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import Database from 'better-sqlite3';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+import { registerTools } from './tools/registry.js';
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+// Database path - look for regulations.db in data folder
+const DB_PATH = process.env.US_COMPLIANCE_DB_PATH || join(__dirname, '..', 'data', 'regulations.db');
+function getDatabase() {
+    try {
+        return new Database(DB_PATH, { readonly: true });
+    }
+    catch (error) {
+        throw new Error(`Failed to open database at ${DB_PATH}: ${error}`);
+    }
+}
+const db = getDatabase();
+const server = new Server({
+    name: 'us-regulations-mcp',
+    version: '0.1.0',
+}, {
+    capabilities: {
+        tools: {},
+    },
+});
+// Register all tools using shared registry
+registerTools(server, db);
+// Start the server
+async function main() {
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    console.error('US Regulations MCP server started');
+}
+main().catch((error) => {
+    console.error('Fatal error:', error);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AAKjF,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AACpC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAErC,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEpD,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClD,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AAEtC,yDAAyD;AACzD,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,gBAAgB,CAAC,CAAC;AAErG,SAAS,WAAW;IAClB,IAAI,CAAC;QACH,OAAO,IAAI,QAAQ,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,8BAA8B,OAAO,KAAK,KAAK,EAAE,CAAC,CAAC;IACrE,CAAC;AACH,CAAC;AAED,MAAM,EAAE,GAAG,WAAW,EAAE,CAAC;AACzB,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB;IACE,IAAI,EAAE,oBAAoB;IAC1B,OAAO,EAAE,OAAO;CACjB,EACD;IACE,YAAY,EAAE;QACZ,KAAK,EAAE,EAAE;KACV;CACF,CACF,CAAC;AAEF,2CAA2C;AAC3C,aAAa,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAE1B,mBAAmB;AACnB,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;AACrD,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACrB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;IACrC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/ingest/adapters/california-leginfo.d.ts

@@ -0,0 +1,72 @@
+/**
+ * California Legislative Information Adapter
+ *
+ * Fetches CCPA/CPRA regulations from California LegInfo.
+ * Source: California Civil Code § 1798.100-1798.199
+ *
+ * PRODUCTION IMPLEMENTATION
+ * Uses HTML scraping with fail-fast DOM validation
+ */
+import { SourceAdapter, RegulationMetadata, Section, Definition, UpdateStatus } from '../framework.js';
+/**
+ * Adapter for fetching CCPA/CPRA from California Legislative Information
+ */
+export declare class CaliforniaLeginfoAdapter implements SourceAdapter {
+    private readonly regulationId;
+    private readonly civilCodeStart;
+    private readonly civilCodeEnd;
+    constructor(regulationId: string, civilCodeStart: number, civilCodeEnd: number);
+    /**
+     * Fetch CCPA metadata
+     *
+     * PLACEHOLDER: Returns hardcoded CCPA metadata
+     * TODO: Integrate with California LegInfo to fetch live metadata
+     */
+    fetchMetadata(): Promise<RegulationMetadata>;
+    /**
+     * Fetch all CCPA sections
+     *
+     * Scrapes HTML from California LegInfo with fail-fast validation
+     * Source: https://leginfo.legislature.ca.gov/faces/codes.xhtml
+     */
+    fetchSections(): AsyncGenerator<Section[]>;
+    /**
+     * Validate DOM structure with fail-fast assertions
+     */
+    private validateDOM;
+    /**
+     * Parse section from HTML
+     */
+    private parseSection;
+    /**
+     * Extract cross-references from text
+     */
+    private extractCrossReferences;
+    /**
+     * Fetch with retry logic and exponential backoff
+     */
+    private fetchWithRetry;
+    /**
+     * Sleep helper
+     */
+    private sleep;
+    /**
+     * Check for updates since last fetch
+     *
+     * Checks California LegInfo for amendments to Civil Code § 1798
+     * Note: This is best-effort since there's no official API
+     */
+    checkForUpdates(lastFetched: Date): Promise<UpdateStatus>;
+    /**
+     * Extract definitions from CCPA sections
+     *
+     * Future enhancement: Parse definition sections (primarily § 1798.140)
+     * For now, returns empty array - definitions can be added manually if needed
+     */
+    extractDefinitions(): Promise<Definition[]>;
+}
+/**
+ * Factory function to create CCPA adapter
+ */
+export declare function createCcpaAdapter(): CaliforniaLeginfoAdapter;
+//# sourceMappingURL=california-leginfo.d.ts.map

package/dist/ingest/adapters/california-leginfo.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"california-leginfo.d.ts","sourceRoot":"","sources":["../../../src/ingest/adapters/california-leginfo.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,OAAO,EACP,UAAU,EACV,YAAY,EACb,MAAM,iBAAiB,CAAC;AAqBzB;;GAEG;AACH,qBAAa,wBAAyB,YAAW,aAAa;IAC5D,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;gBAE1B,YAAY,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM;IAM9E;;;;;OAKG;IACG,aAAa,IAAI,OAAO,CAAC,kBAAkB,CAAC;IAclD;;;;;OAKG;IACI,aAAa,IAAI,cAAc,CAAC,OAAO,EAAE,CAAC;IA2DjD;;OAEG;IACH,OAAO,CAAC,WAAW;IAgBnB;;OAEG;IACH,OAAO,CAAC,YAAY;IA0CpB;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAmB9B;;OAEG;YACW,cAAc;IA4B5B;;OAEG;IACH,OAAO,CAAC,KAAK;IAIb;;;;;OAKG;IACG,eAAe,CAAC,WAAW,EAAE,IAAI,GAAG,OAAO,CAAC,YAAY,CAAC;IAmC/D;;;;;OAKG;IACG,kBAAkB,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;CAOlD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,wBAAwB,CAE5D"}