framework-mcp 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,11 @@
1
+ {
2
+ "mcpServers": {
3
+ "sequential-thinking": {
4
+ "command": "npx",
5
+ "args": [
6
+ "-y",
7
+ "@modelcontextprotocol/server-sequential-thinking"
8
+ ]
9
+ }
10
+ }
11
+ }
@@ -0,0 +1,11 @@
1
+ {
2
+ "mcpServers": {
3
+ "sequential-thinking": {
4
+ "command": "npx",
5
+ "args": [
6
+ "-y",
7
+ "@modelcontextprotocol/server-sequential-thinking"
8
+ ]
9
+ }
10
+ }
11
+ }
@@ -0,0 +1,30 @@
1
+ name: Release
2
+
3
+ on:
4
+ push:
5
+ tags:
6
+ - 'v*'
7
+
8
+ jobs:
9
+ publish:
10
+ runs-on: ubuntu-latest
11
+
12
+ steps:
13
+ - uses: actions/checkout@v4
14
+
15
+ - name: Use Node.js
16
+ uses: actions/setup-node@v4
17
+ with:
18
+ node-version: '20.x'
19
+ registry-url: 'https://registry.npmjs.org'
20
+
21
+ - name: Install dependencies
22
+ run: npm ci
23
+
24
+ - name: Build
25
+ run: npm run build
26
+
27
+ - name: Publish to npm
28
+ run: npm publish
29
+ env:
30
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
package/.mcp.json ADDED
@@ -0,0 +1,11 @@
1
+ {
2
+ "mcpServers": {
3
+ "sequential-thinking": {
4
+ "command": "npx",
5
+ "args": [
6
+ "-y",
7
+ "@modelcontextprotocol/server-sequential-thinking"
8
+ ]
9
+ }
10
+ }
11
+ }
@@ -0,0 +1,220 @@
1
+ # CIS Controls v8.1 Implementation Plan
2
+
3
+ ## Current Status
4
+ - **Completed**: 59 safeguards implemented (Controls 1-7 complete)
5
+ - **Remaining**: Controls 8-18 (11 controls, estimated 40+ additional safeguards)
6
+ - **Available Resources**: Individual PDF documents for each control in docs/ folder
7
+
8
+ ## Implementation Strategy
9
+
10
+ ### Sequential Processing Order
11
+ Process controls in this specific order for optimal dependency management:
12
+
13
+ #### Phase 1: Technical Infrastructure Controls (High Priority)
14
+ 1. **Control 8: Audit Log Management**
15
+ - Foundation for security monitoring and detection
16
+ - PDF: `CISv8.1-Control 8.pdf`
17
+ - Estimated safeguards: 6-8
18
+
19
+ 2. **Control 10: Malware Defenses**
20
+ - Critical protection control
21
+ - PDF: `CISv8.1-Control 10.pdf`
22
+ - Estimated safeguards: 6-8
23
+
24
+ 3. **Control 12: Network Infrastructure Management**
25
+ - Network security foundation
26
+ - PDF: `CISv8.1-Control 12.pdf`
27
+ - Estimated safeguards: 6-8
28
+
29
+ 4. **Control 13: Network Monitoring and Defense**
30
+ - Builds on Control 12, detection capabilities
31
+ - PDF: `CISv8.1-Control 13.pdf`
32
+ - Estimated safeguards: 6-8
33
+
34
+ #### Phase 2: Data and Application Controls (Medium-High Priority)
35
+ 5. **Control 9: Email and Web Browser Protections**
36
+ - Common attack vectors
37
+ - PDF: `CISv8.1-Control 9.pdf`
38
+ - Estimated safeguards: 4-6
39
+
40
+ 6. **Control 11: Data Recovery**
41
+ - Business continuity foundation
42
+ - PDF: `CISv8.1-Control 11.pdf`
43
+ - Estimated safeguards: 3-5
44
+
45
+ 7. **Control 16: Application Software Security**
46
+ - Application layer security
47
+ - PDF: `CISv8.1-Control 16.pdf`
48
+ - Estimated safeguards: 6-8
49
+
50
+ #### Phase 3: Process and Governance Controls (Medium Priority)
51
+ 8. **Control 14: Security Awareness and Skills Training**
52
+ - Human element, process-focused
53
+ - PDF: `CISv8.1-Control 14.pdf`
54
+ - Estimated safeguards: 4-6
55
+
56
+ 9. **Control 15: Service Provider Management**
57
+ - Third-party risk management
58
+ - PDF: `CISv8.1-Control 15.pdf`
59
+ - Estimated safeguards: 4-6
60
+
61
+ 10. **Control 17: Incident Response Management**
62
+ - Response processes and capabilities
63
+ - PDF: `CISv8.1-Control 17.pdf`
64
+ - Estimated safeguards: 6-8
65
+
66
+ 11. **Control 18: Penetration Testing**
67
+ - Validation and testing processes
68
+ - PDF: `CISv8.1-Control 18.pdf`
69
+ - Estimated safeguards: 3-5
70
+
71
+ ## Standard Session Template
72
+
73
+ For each control, follow this systematic approach:
74
+
75
+ ### 1. Initialize Session
76
+ ```bash
77
+ # Update todo list with current control
78
+ # Example: "Process Control 8: Audit Log Management"
79
+ ```
80
+
81
+ ### 2. Read and Analyze PDF
82
+ - Read the complete control PDF document
83
+ - Identify all safeguards in the control (e.g., 8.1, 8.2, 8.3, etc.)
84
+ - Note control title, description, and overall purpose
85
+ - Extract Implementation Group classifications
86
+
87
+ ### 3. Extract Safeguard Elements
88
+ For each safeguard, categorize elements using the color-coding system:
89
+
90
+ - **🟠 Orange (Governance Elements)**: Process/policy requirements that MUST be met
91
+ - **🟢 Green (Core Requirements)**: The essential "what" of the safeguard
92
+ - **🟡 Yellow (Sub-taxonomical Elements)**: Detailed sub-components
93
+ - **⚫ Gray (Implementation Suggestions)**: Suggested methods and tools
94
+
95
+ Additional metadata:
96
+ - Asset types (devices, applications, users, etc.)
97
+ - Security functions (Identify, Protect, Detect, Respond, Recover)
98
+ - Relevant keywords for analysis engine
99
+
100
+ ### 4. Implement in Code
101
+ ```typescript
102
+ // Add to CIS_SAFEGUARDS object in src/index.ts
103
+ "X.Y": {
104
+ id: "X.Y",
105
+ title: "Safeguard Title",
106
+ description: "Description...",
107
+ implementationGroup: "IG1" | "IG2" | "IG3",
108
+ assetType: [...],
109
+ securityFunction: [...],
110
+ governanceElements: [...], // Orange
111
+ coreRequirements: [...], // Green
112
+ subTaxonomicalElements: [...], // Yellow
113
+ implementationSuggestions: [...], // Gray
114
+ relatedSafeguards: [...],
115
+ keywords: [...]
116
+ }
117
+ ```
118
+
119
+ ### 5. Test and Validate
120
+ ```bash
121
+ npm run build # Verify compilation
122
+ # Test with sample vendor responses
123
+ # Verify analysis engine processes new safeguards correctly
124
+ ```
125
+
126
+ ### 6. Document and Commit
127
+ ```bash
128
+ git add .
129
+ git commit -m "Add Control X: [Control Name] - implemented X.1 through X.Y safeguards
130
+
131
+ - Extracted all safeguards from CISv8.1-Control X.pdf
132
+ - Categorized elements using color-coding system
133
+ - Added appropriate keywords and metadata
134
+ - Tested with analysis engine
135
+
136
+ 🤖 Generated with [Claude Code](https://claude.ai/code)
137
+
138
+ Co-Authored-By: Claude <noreply@anthropic.com>"
139
+
140
+ git push origin main
141
+ ```
142
+
143
+ ## Success Criteria for Each Control
144
+
145
+ ✅ **Extraction Complete**
146
+ - [ ] All safeguards identified and extracted from PDF
147
+ - [ ] Elements properly categorized (Orange/Green/Yellow/Gray)
148
+ - [ ] Implementation Groups assigned correctly
149
+
150
+ ✅ **Code Implementation**
151
+ - [ ] All safeguards added to CIS_SAFEGUARDS object
152
+ - [ ] Consistent formatting with existing controls
153
+ - [ ] Code compiles without errors
154
+ - [ ] Proper TypeScript typing maintained
155
+
156
+ ✅ **Testing and Validation**
157
+ - [ ] Analysis engine correctly processes new safeguards
158
+ - [ ] Capability categorization works appropriately
159
+ - [ ] Sample vendor responses produce expected results
160
+
161
+ ✅ **Documentation and Commit**
162
+ - [ ] Progress tracking updated
163
+ - [ ] Detailed commit message with control summary
164
+ - [ ] Changes committed and pushed to repository
165
+
166
+ ## Progress Tracking
167
+
168
+ ### Completed Controls
169
+ - ✅ Control 1: Inventory and Control of Enterprise Assets
170
+ - ✅ Control 2: Inventory and Control of Software Assets
171
+ - ✅ Control 3: Data Protection
172
+ - ✅ Control 4: Secure Configuration of Enterprise Assets and Software
173
+ - ✅ Control 5: Account Management
174
+ - ✅ Control 6: Access Control Management
175
+ - ✅ Control 7: Continuous Vulnerability Management
176
+ - ✅ **Control 8: Audit Log Management** (12 safeguards: 8.1-8.12)
177
+ - ✅ **Control 10: Malware Defenses** (7 safeguards: 10.1-10.7)
178
+ - ✅ **Control 11: Data Recovery** (5 safeguards: 11.1-11.5)
179
+ - ✅ **Control 9: Email and Web Browser Protections** (7 safeguards: 9.1-9.7)
180
+ - ✅ **Control 12: Network Infrastructure Management** (8 safeguards: 12.1-12.8)
181
+ - ✅ **Control 13: Network Monitoring and Defense** (11 safeguards: 13.1-13.11)
182
+ - ✅ **Control 14: Security Awareness and Skills Training** (9 safeguards: 14.1-14.9)
183
+ - ✅ **Control 15: Service Provider Management** (7 safeguards: 15.1-15.7)
184
+ - ✅ **Control 16: Application Software Security** (14 safeguards: 16.1-16.14)
185
+ - ✅ **Control 17: Incident Response Management** (9 safeguards: 17.1-17.9)
186
+ - ✅ **Control 18: Penetration Testing** (5 safeguards: 18.1-18.5)
187
+
188
+ ### ✅ ALL CONTROLS COMPLETE
189
+ **Total Implementation**: 153 safeguards across all 18 CIS Controls v8.1
190
+
191
+ ### Final Status
192
+ - [ ] **COMPLETE**: All CIS Controls v8.1 safeguards implemented
193
+ - [ ] **Framework Ready**: Full vendor analysis capability enabled
194
+
195
+ ## Risk Mitigation
196
+
197
+ ### Context Limit Management
198
+ - Process only one control per session to avoid PDF context limits
199
+ - Use targeted reading with offsets if PDFs are very large
200
+ - Focus on extracting structured information efficiently
201
+
202
+ ### Quality Assurance
203
+ - Reference existing controls 1-7 as formatting templates
204
+ - Validate element categorization against established patterns
205
+ - Test each implementation before moving to next control
206
+
207
+ ### Recovery Strategy
208
+ - Detailed progress tracking enables restart from any point
209
+ - Each control is independent (no cascading failures)
210
+ - Commit after each successful control completion
211
+ - Can skip complex controls and return later if needed
212
+
213
+ ## Estimated Timeline
214
+ - **Per Control**: 1-2 hours (extraction + implementation + testing)
215
+ - **Total Remaining**: ~15-20 hours of focused work
216
+ - **Completion Target**: Can be spread across multiple sessions safely
217
+
218
+ ---
219
+
220
+ **Next Action**: Begin with Control 8 (Audit Log Management) using the standard session template.
package/dist/index.d.ts CHANGED
@@ -1,3 +1,20 @@
1
1
  #!/usr/bin/env node
2
- export {};
2
+ export declare class GRCAnalysisServer {
3
+ private server;
4
+ constructor();
5
+ private setupToolHandlers;
6
+ private getSafeguardDetails;
7
+ private listAvailableSafeguards;
8
+ private analyzeVendorResponse;
9
+ private validateCoverageClaim;
10
+ private performEnhancedSafeguardAnalysis;
11
+ private calculateKeywordScore;
12
+ private analyzeElementCoverage;
13
+ private analyzeBinaryElementCoverage;
14
+ private extractEnhancedEvidence;
15
+ private generateEnhancedReasoning;
16
+ private generateCapabilityReasoning;
17
+ private validateClaim;
18
+ run(): Promise<void>;
19
+ }
3
20
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAo5KA,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAS;;IAavB,OAAO,CAAC,iBAAiB;YAkIX,mBAAmB;YA8CnB,uBAAuB;YAuCvB,qBAAqB;YAoBrB,qBAAqB;IA8BnC,OAAO,CAAC,gCAAgC;IAqJxC,OAAO,CAAC,qBAAqB;IAgB7B,OAAO,CAAC,sBAAsB;IA0C9B,OAAO,CAAC,4BAA4B;IAwCpC,OAAO,CAAC,uBAAuB;IA6B/B,OAAO,CAAC,yBAAyB;IA4BjC,OAAO,CAAC,2BAA2B;IAuEnC,OAAO,CAAC,aAAa;IAsFf,GAAG;CAKV"}